
Amazon Cognito

This guide covers how to configure Amazon Cognito as a third-party identity provider for Shopify customer accounts, including how to add custom claims to your ID tokens for customer data enrichment.



Connect Amazon Cognito to Shopify

To connect Amazon Cognito as your store's identity provider, you'll add your Cognito credentials to the Shopify admin and configure your Cognito App Client to accept Shopify's callback URL.

Step 1: Add your Cognito credentials in the Shopify admin

To connect Cognito to Shopify, add your Discovery URL, Client ID, and Client Secret in the Shopify admin under Settings > Customer accounts > Third-party identity provider.

You can find these values in the Amazon Cognito console:

  • Discovery URL: https://cognito-idp.{region}.amazonaws.com/{user-pool-id}/.well-known/openid-configuration (substitute your User Pool's region and ID for the placeholders).
  • Client ID: Found in your App Client settings.
  • Client Secret: Found in your App Client settings.

For full setup instructions, refer to Connect a third-party identity provider.

Step 2: Add your Shopify callback URL

To complete the connection, add your Shopify callback URL to the Allowed callback URLs field in your App Client settings under Hosted UI. This lets Cognito redirect customers back to your store after they authenticate.

You can find your Shopify callback URL in the Shopify admin on the same Third-party identity provider settings page from Step 1.

For full setup instructions, refer to Connect a third-party identity provider.


Cognito includes standard OIDC claims like email and email_verified by default. To include name and phone claims, make sure the corresponding attributes are configured in your User Pool:

  1. In the Cognito console, go to your User Pool > Sign-up experience > Required attributes.
  2. Ensure given_name, family_name, and phone_number are included as user attributes.
  3. In your App Client settings under Hosted UI, add profile and phone to the OpenID Connect scopes.

If users were created before these attributes were added, their existing profiles need to be updated with the missing values.


Add custom Shopify claims

To import tags and addresses, you need to add custom claims to the ID token using a Pre Token Generation Lambda trigger.

Create a Pre Token Generation trigger

A Pre Token Generation trigger is a Lambda function that Cognito runs every time it creates an ID token. You can use it to add custom Shopify claims to the token:

  1. In the Cognito console, go to your User Pool > User pool properties > Lambda triggers.
  2. Under Pre token generation, select or create a Lambda function.
  3. Set the Trigger event version to Basic features + claim and scope customization (v2_0).

Important

You must use the v2_0 trigger event version. The v1 trigger event only supports overriding existing claims and suppressing claims — it cannot add new custom claims to the ID token.

You can call DynamoDB, an external API, or any other data source from within the Lambda function. The following example reads from custom attributes on the Cognito user profile:

    export const handler = async (event) => {
      const customClaims = {};
      const userAttributes = event.request.userAttributes;

      // Tags: comma-separated string
      if (userAttributes["custom:shopify_tags"]) {
        customClaims["urn:shopify:customer:tags"] = userAttributes["custom:shopify_tags"];
      }

      // Addresses: parse the JSON string into an array
      if (userAttributes["custom:shopify_addresses"]) {
        try {
          customClaims["urn:shopify:customer:addresses"] =
            JSON.parse(userAttributes["custom:shopify_addresses"]);
        } catch (e) {
          // Log the error but don't block sign-in
          console.error("Failed to parse shopify_addresses:", e.message);
        }
      }

      event.response = {
        claimsAndScopeOverrideDetails: {
          idTokenGeneration: {
            claimsToAddOrOverride: customClaims,
          },
        },
      };

      return event;
    };

For the full list of supported claims and address field formats, refer to the claim import reference.

Set up custom user attributes

If you're storing Shopify data in Cognito custom attributes:

  1. In the Cognito console, go to your User Pool > Sign-up experience > Custom attributes.
  2. Add custom attributes such as custom:shopify_tags (String) and custom:shopify_addresses (String).
  3. In your App Client settings, ensure the custom attributes are marked as readable.

Note

Cognito custom attributes have a 2048-character limit. If your address data exceeds this limit, fetch it from an external data source (such as DynamoDB) within the Lambda function instead of storing it as a user attribute.
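The handler above trusts whatever is stored in the custom attributes, and the note above says to go to an external source when the data outgrows the 2048-character limit. The following is an added example, not code from Shopify's documentation, that covers both points: it validates the tag string and the parsed address list before adding them as claims, and falls back to a pluggable lookup (a constructed in-memory stand-in for a DynamoDB table) when the attribute is absent, malformed or over the size cap. The claim names are the ones Shopify documents; the lookup function, the size cap, the `userName` lookup key and the address field names are assumptions for this example, and a real deployment would take the address field formats from the claim import reference.

```javascript
// Added example: a v2_0 Pre Token Generation handler that validates Shopify
// claims before adding them and falls back to an external lookup.
// Assumptions: lookupAddresses stands in for a DynamoDB (or similar) query,
// MAX_ADDRESSES_BYTES is a chosen cap, and the address field names are placeholders.

const TAGS_CLAIM = "urn:shopify:customer:tags";
const ADDRESSES_CLAIM = "urn:shopify:customer:addresses";

// Assumed cap on the serialized address list, matched to the Cognito
// custom-attribute limit so the ID token does not grow without bound.
const MAX_ADDRESSES_BYTES = 2048;

// Constructed stand-in for an external source such as a DynamoDB table,
// keyed by Cognito username. Replace with a real query in production.
const sampleAddressStore = {
  alice: [{ address1: "1 Example Street", city: "Ottawa", country: "CA" }], // placeholder fields
};

async function lookupAddresses(username) {
  return sampleAddressStore[username] || null;
}

// Normalize the comma-separated tag string: trim, drop empties, dedupe.
function parseTags(raw) {
  if (typeof raw !== "string") return null;
  const tags = [...new Set(raw.split(",").map((t) => t.trim()).filter(Boolean))];
  return tags.length ? tags.join(",") : null;
}

// Accept only a non-empty array of plain objects within the size cap;
// anything else is dropped so a malformed record cannot become a claim.
function sanitizeAddresses(value) {
  if (!Array.isArray(value)) return null;
  const clean = value.filter((a) => a !== null && typeof a === "object" && !Array.isArray(a));
  if (clean.length === 0) return null;
  if (Buffer.byteLength(JSON.stringify(clean), "utf8") > MAX_ADDRESSES_BYTES) return null;
  return clean;
}

// Claims derivable from the user attributes alone (synchronous).
function claimsFromAttributes(attrs) {
  const claims = {};
  const tags = parseTags(attrs["custom:shopify_tags"]);
  if (tags) claims[TAGS_CLAIM] = tags;
  if (attrs["custom:shopify_addresses"]) {
    try {
      const addresses = sanitizeAddresses(JSON.parse(attrs["custom:shopify_addresses"]));
      if (addresses) claims[ADDRESSES_CLAIM] = addresses;
    } catch (e) {
      // Log and continue: a bad attribute must not block sign-in.
      console.error("Failed to parse shopify_addresses:", e.message);
    }
  }
  return claims;
}

// Full claim set: attributes first, external lookup only when no usable
// address claim came from the attributes.
async function buildClaims(event, fetchAddresses = lookupAddresses) {
  const claims = claimsFromAttributes(event.request.userAttributes || {});
  if (!claims[ADDRESSES_CLAIM]) {
    try {
      const addresses = sanitizeAddresses(await fetchAddresses(event.userName));
      if (addresses) claims[ADDRESSES_CLAIM] = addresses;
    } catch (e) {
      // A failing backend is logged, not surfaced: the claim is simply omitted.
      console.error("Address lookup failed:", e.message);
    }
  }
  return claims;
}

const handler = async (event) => {
  event.response = {
    claimsAndScopeOverrideDetails: {
      idTokenGeneration: { claimsToAddOrOverride: await buildClaims(event) },
    },
  };
  return event;
};

// CommonJS export for Lambda; the guard keeps the file loadable as an ES module too.
if (typeof module !== "undefined") {
  module.exports = { handler, buildClaims, claimsFromAttributes, parseTags, sanitizeAddresses };
}
```

Every failure path (bad JSON, wrong shape, oversized list, backend error) ends with the claim omitted rather than sign-in refused, which matches the original handler's intent; Shopify's overwrite rules then decide what happens to the customer record when a claim is missing.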


Enable enrichment in Shopify

After configuring your identity provider to include custom claims, you need to tell Shopify to read and import them. In the Shopify admin under your identity provider settings, enable Sync customer data and configure the update trigger and overwrite rules. For details on these options, refer to claim import configuration.


After configuring your claims, verify that they're included in the ID token and that Shopify imports them correctly:

  1. Use the Cognito Hosted UI to sign in as a test user and decode the returned ID token at jwt.io to confirm your custom claims are present.
  2. Authenticate on your store through Cognito.
  3. In the Shopify admin, go to Customers and open the customer record to confirm the imported data.
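Step 1 above decodes the token at jwt.io. The following added example, not part of Shopify's documentation, does the same decode locally so that tokens for real accounts never leave your machine, and then reports which of the expected claims are missing or have the wrong type. It only base64url-decodes the header and payload; it does not verify the signature, so it is an inspection aid for tokens you obtained yourself, not an authentication check. The claim names are Shopify's and the standard OIDC ones named on this page; the sample token, its placeholder signature and the address field names are constructed for the example.

```javascript
// Added example: decode an ID token locally and list missing or malformed
// Shopify claims. Decoding only; the signature is NOT verified here.
// Assumptions: the expected-claim table below reflects this page's claims,
// and the sample token is constructed with a placeholder signature.

// Claim name -> predicate that its value must satisfy.
const EXPECTED_CLAIMS = {
  email: (v) => typeof v === "string",
  email_verified: (v) => typeof v === "boolean",
  "urn:shopify:customer:tags": (v) => typeof v === "string",
  "urn:shopify:customer:addresses": (v) => Array.isArray(v),
};

// base64url -> utf8 string, restoring the padding that JWT segments omit.
function base64UrlDecode(segment) {
  const padded =
    segment.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Split a compact JWS into header and payload objects (signature untouched).
function decodeIdToken(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Returns a list of problems; empty means every expected claim is present
// with the expected type.
function checkShopifyClaims(payload, expected = EXPECTED_CLAIMS) {
  const problems = [];
  for (const [name, isValid] of Object.entries(expected)) {
    if (!(name in payload)) problems.push(`missing claim: ${name}`);
    else if (!isValid(payload[name])) problems.push(`unexpected type for claim: ${name}`);
  }
  return problems;
}

// Constructed sample token: header and payload are genuine base64url JSON;
// the signature segment is a placeholder because nothing here verifies it.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", kid: "placeholder-kid" })}.${enc(payload)}.placeholder-signature`;
}

const SAMPLE_TOKEN = makeSampleToken({
  sub: "00000000-0000-0000-0000-000000000000", // placeholder subject
  email: "alice@example.com",
  email_verified: true,
  "urn:shopify:customer:tags": "vip,wholesale",
  "urn:shopify:customer:addresses": [{ address1: "1 Example Street", city: "Ottawa", country: "CA" }],
});

// Stand-alone run: inspect the constructed sample token.
if (typeof require !== "undefined" && require.main === module) {
  const { payload } = decodeIdToken(SAMPLE_TOKEN);
  const problems = checkShopifyClaims(payload);
  console.log(problems.length ? problems.join("\n") : "all expected Shopify claims present");
}
```

To inspect a real token, replace `SAMPLE_TOKEN` with the ID token returned by the Hosted UI. A report of `missing claim: urn:shopify:customer:...` points at the Lambda trigger rows of the troubleshooting table below; a `missing claim: email` or similar points at the scopes row.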

| Symptom | Cause | Fix |
| --- | --- | --- |
| Custom claims not appearing in ID token | Lambda trigger event version set to v1 | Change the trigger event version to v2_0 in the User Pool Lambda trigger configuration |
| Lambda function not invoked | Trigger not assigned to the correct User Pool | Verify the Pre Token Generation trigger is configured under your User Pool's Lambda triggers |
| custom: attribute value is null | Attribute not readable by the App Client | In your App Client settings, ensure the custom attribute has read access |
| Address data truncated | Cognito custom attribute 2048-character limit | Fetch address data from an external source (DynamoDB, API) in the Lambda instead of storing it as a user attribute |
| Standard claims (name, phone) not imported | Scopes not configured on App Client | Add profile and phone to the OpenID Connect scopes in your App Client's Hosted UI settings |

