Features / myProp (AgentOS People Portal)
Updated April 3, 2026

Cognito OIDC Provider Integration

Introduced in v0.1.8

As of v0.1.8, myProp uses AWS Cognito as its primary, permanent authentication provider via the NextAuth OIDC integration. This establishes a centralised identity layer shared across all portal client types — landlords, tenants, buyers, vendors, and contractors.


Overview

Previously, myProp relied on a temporary or placeholder auth mechanism during early development. v0.1.8 replaces that with a production-grade setup that handles the full authentication lifecycle through AWS Cognito.

The integration covers three core responsibilities:

  1. Token Validation — ID tokens issued by Cognito are validated according to the OIDC specification (signature against the User Pool's JWKS, plus issuer, audience, expiry and nonce checks) before a session is established.
  2. Session Management — NextAuth manages user sessions (creation, renewal and expiry), with Cognito as the identity provider behind them.
  3. Account Lookup — The email claim is read from the validated Cognito ID token and used to look up the corresponding account in the AgentOS platform.

How It Works

User logs in
     │
     ▼
Cognito OIDC flow (hosted UI or federated IdP)
     │
     ▼
Cognito issues ID token + access token
     │
     ▼
NextAuth validates token (OIDC standard)
     │
     ▼
Email claim extracted from token payload
     │
     ▼
AgentOS account lookup by email
     │
     ▼
User session established in myProp portal

Configuration

The Cognito provider is registered as the primary NextAuth provider. The following environment variables are required:

Variable               Description
COGNITO_CLIENT_ID      The app client ID from your Cognito User Pool
COGNITO_CLIENT_SECRET  The app client secret from your Cognito User Pool
COGNITO_ISSUER         The Cognito User Pool issuer URL (e.g. https://cognito-idp.<region>.amazonaws.com/<userPoolId>)
NEXTAUTH_SECRET        Secret used by NextAuth to sign session tokens
NEXTAUTH_URL           The canonical URL of the myProp deployment

Refer to the AWS Cognito documentation and the NextAuth OIDC provider docs for setup details.
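As an added example (not part of the myProp codebase), the following Node function loads and sanity-checks these five variables at startup, before they reach NextAuth's Cognito provider, so a misconfigured issuer or a weak secret fails at boot rather than as an "issuer mismatch" on the first login. The issuer pattern, the 32-byte minimum for NEXTAUTH_SECRET and the https requirement are this example's own policy, not NextAuth rules; the returned provider object mirrors the clientId / clientSecret / issuer options the NextAuth Cognito provider accepts.

```javascript
// Added example (not myProp's code): fail-fast validation of the Configuration
// table's environment variables. Policy choices below (secret length, https,
// issuer pattern) are this example's assumptions.
const REQUIRED = ['COGNITO_CLIENT_ID', 'COGNITO_CLIENT_SECRET', 'COGNITO_ISSUER', 'NEXTAUTH_SECRET', 'NEXTAUTH_URL'];

// https://cognito-idp.<region>.amazonaws.com/<userPoolId>, where a pool ID is <region>_<id>.
const ISSUER_RE = /^https:\/\/cognito-idp\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com\/([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$/;

function loadAuthConfig(env = process.env) {
  const missing = REQUIRED.filter((k) => !env[k] || !env[k].trim());
  if (missing.length) throw new Error(`missing environment variables: ${missing.join(', ')}`);

  // Cognito's iss claim carries no trailing slash, and the OIDC issuer check is an
  // exact string compare, so normalise before matching.
  const issuer = env.COGNITO_ISSUER.trim().replace(/\/+$/, '');
  const m = ISSUER_RE.exec(issuer);
  if (!m) throw new Error('COGNITO_ISSUER must look like https://cognito-idp.<region>.amazonaws.com/<userPoolId>');
  if (m[1] !== m[2]) throw new Error(`user pool ${m[2]} is not served from region ${m[1]}`);

  // Example policy: at least 32 bytes of secret (e.g. `openssl rand -base64 32`).
  if (Buffer.byteLength(env.NEXTAUTH_SECRET, 'utf8') < 32) {
    throw new Error('NEXTAUTH_SECRET should be at least 32 bytes');
  }

  // Example policy: session cookies must only travel over TLS outside local dev.
  const url = new URL(env.NEXTAUTH_URL);
  if (url.protocol !== 'https:' && url.hostname !== 'localhost') {
    throw new Error('NEXTAUTH_URL must be https outside local development');
  }

  return {
    // Shape of the options object passed to next-auth's CognitoProvider()
    provider: { clientId: env.COGNITO_CLIENT_ID, clientSecret: env.COGNITO_CLIENT_SECRET, issuer },
    nextauth: { secret: env.NEXTAUTH_SECRET, url: url.href },
  };
}

module.exports = { loadAuthConfig, REQUIRED };
```

Call loadAuthConfig() once at module load of the NextAuth route and pass the provider object into the Cognito provider; a thrown error at that point surfaces in deployment logs before any user reaches the login page.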


Token & Session Behaviour

  • Token validation follows the standard OIDC flow. NextAuth discovers the User Pool's JWKS from the issuer's OpenID configuration and verifies the ID token's signature, issuer, audience, expiry and nonce automatically. The issuer check is an exact string match, so COGNITO_ISSUER must equal the iss claim Cognito emits (no trailing slash).
  • Sessions are managed by NextAuth and respect the token expiry set in your Cognito User Pool. NextAuth's own session lifetime (session.maxAge, 30 days by default for JWT sessions) is independent of the Cognito token lifetime, so it must be set explicitly to keep the two aligned.
  • Email extraction — the email claim in the Cognito ID token is used to perform the AgentOS account lookup. Ensure the Cognito User Pool is configured to include email as a standard attribute and that it is exposed in the ID token (the Cognito access token does not carry it). Because the account is matched on this claim alone, only tokens whose email_verified claim is true should be accepted; a federated identity with an unverified address must not be matched onto an existing account.

Scope

This integration provides the identity layer for all portal client types:

  • Landlords
  • Tenants
  • Buyers
  • Vendors
  • Contractors

All users authenticate through the same Cognito User Pool, with their role and agency association resolved post-login via the AgentOS account lookup.


Notes

  • This release is backend/configuration only. No changes were made to the end-user login UI.
  • The Cognito provider is designated as the permanent provider — it supersedes any temporary auth configuration used in earlier development builds.