Cognito Application Endpoints
When deploying a Cognito Partition, the authentication service must be configured with a set of application endpoint parameters that define where Cognito redirects users during authentication flows.
Note: This document is in progress while Cognito integration with the Front End Application is being completed.
Base URL
All path parameters below are relative to ardaAppHostBaseUrl — the base URL of the Arda frontend application for the target Environment (e.g., https://dev.alpha002.app.arda.cards).
Endpoint Parameters
| Parameter | Description |
|---|---|
| defaultRedirectPath | Default path to redirect users after authentication when no specific redirect URL is provided. Also registered as a callback URL in the Cognito User Pool Client. |
| loginPath | Path to initiate the login flow. Unauthenticated users accessing protected resources are redirected here. |
| footpath | Path to initiate the logout flow. Authenticated users are redirected here when logging out. |
| resetPasswordPath | Path to redirect users when they request a password reset or change. |
| defaultLoginRedirectPath | Path to send users after successful authentication when no redirect URL is specified (typically the user’s Dashboard or Home page). In the future, this may be configurable per tenant or per user. |
| allowedCallbackPaths | List of additional URL paths allowed as OAuth2 callback destinations. Use a single /redirect path with a forwardTo query parameter to minimize this list. |
| logoutRedirectUrl | Full HTTPS URL where users are redirected after successful logout. Must be absolute. |
Redirect Handling Pattern
Cognito requires every potential redirect URL to be registered in the User Pool Client (allowedCallbackPaths). To avoid coupling the UI navigation structure to the Cognito configuration, the frontend uses a single registered redirect path:

/redirect?forwardTo=<encoded-target-url>

The BFF route at /redirect:
- Receives the forwardTo query parameter
- Validates the URL is a known safe destination within the system
- Redirects the user to the decoded target URL
The forwardTo parameter uses reversible encoding to obfuscate the target URL (encryption is not required; the goal is to reduce casual tampering).
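Because the encoding is only obfuscation, the validation step is what keeps /redirect from becoming an open redirect. The sketch below is an added example, not Arda's code: it assumes the reversible encoding is base64url, and the function names, the allow-listed path prefixes and the fallback path are hypothetical.

```javascript
// Added example. Only forwardTo and ardaAppHostBaseUrl come from the page;
// every other name and value here is hypothetical or constructed.
const ARDA_APP_HOST_BASE_URL = 'https://dev.alpha002.app.arda.cards'; // example value from the page
const DEFAULT_REDIRECT_PATH = '/';                   // stand-in for defaultRedirectPath (constructed)
const SAFE_PATH_PREFIXES = ['/dashboard', '/items']; // constructed allow-list of in-app areas

// Assumption: "reversible encoding" means base64url of the UTF-8 target URL.
function encodeForwardTo(targetUrl) {
  return Buffer.from(targetUrl, 'utf8').toString('base64url');
}

// Returns the absolute URL to redirect to. Anything that fails a check
// resolves to the default page instead of the caller-supplied target.
function resolveForwardTo(forwardTo) {
  const base = new URL(ARDA_APP_HOST_BASE_URL);
  const fallback = new URL(DEFAULT_REDIRECT_PATH, base).href;

  // Accept only the base64url alphabet, so decoding cannot silently skip bytes.
  if (typeof forwardTo !== 'string' || !/^[A-Za-z0-9_-]+$/.test(forwardTo)) return fallback;
  const decoded = Buffer.from(forwardTo, 'base64url').toString('utf8');

  // Control characters and backslashes are stripped or rewritten by URL parsers.
  if (/[\u0000-\u001f\u007f\\]/.test(decoded)) return fallback;

  let target;
  try {
    target = new URL(decoded, base); // resolves relative paths and "//host" forms
  } catch {
    return fallback;
  }

  // Compare the parsed origin; never prefix-match the raw string.
  if (target.origin !== base.origin) return fallback;
  if (target.username || target.password) return fallback;

  // pathname is already normalised, so "/dashboard/../admin" arrives as "/admin".
  const allowed = SAFE_PATH_PREFIXES.some(
    (p) => target.pathname === p || target.pathname.startsWith(p + '/')
  );
  return allowed ? target.href : fallback;
}
```

Redirecting to the returned href rather than the decoded string ensures the browser receives exactly the URL that was validated.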
Amplify Configuration
Amplify applications integrate directly with Cognito using two CloudFormation exports:
| Config | CloudFormation Export |
|---|---|
| Cognito User Pool ID | <infrastructure>-<partition>-API-UserPoolId |
| Cognito App Client ID | <infrastructure>-<partition>-API-WebClientId |
Copyright: © Arda Systems 2025-2026, All rights reserved