http://qs321.pair.com?node_id=11118452

scorpio17 has asked for the wisdom of the Perl Monks concerning the following question:

Hello!
I desperately need help understanding AWS Cognito - specifically using it to login to a 3rd party site. My understanding is that once you login with Cognito, it should give you a JWT (JSON Web Token). And it does. And I know how to decode the token and access the info contained inside.

The problem is that I have a legacy webapp, with which I would like to enable the option of logging in with Cognito. For example, if a user has already logged in to Cognito, then when they visit the legacy webapp, I'd like for it to somehow know that they've already logged in and not display a login page. My plan to implement this was to store the Cognito generated JWT in a cookie. BUT - the cookie is generated in a different domain: one used by AWS Cognito that I have no control over. And so web browsers don't show that cookie to my legacy webapp.

I've been looking online for ways to circumvent the "same origin" policy, and it looks like there might be possible work-arounds using iframes... But I feel like I must be missing something really basic, because the "same origin" policy is intended to prevent cross-site scripting attacks, etc. I feel bad hacking my way around it. And I've seen many websites now using features like "login with google, facebook, amazon, etc." In each of these cases, you get redirected to an id provider, and somehow a token is returned that the original website trusts and uses. So what's the secret? How are they getting the JWT transmitted back to the original website?

The legacy app is written in perl, as is all my JWT decoding logic, etc.

Thanks!
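The mechanism the question is circling is the OAuth 2.0 / OpenID Connect "authorization code" redirect: the identity provider never shares its cookie with you; it sends the browser back to a callback URL on your own domain carrying a one-time code, your server exchanges that code for the JWT, verifies it, and then sets its own first-party session cookie. The following is an added illustration (not code from the original post) of such a callback handler in Perl; the Cognito domain, issuer, client id/secret and redirect URL are placeholders, it assumes `Crypt::JWT`, `LWP::UserAgent` and a CGI.pm recent enough for `-samesite`, and the `oauth_state` cookie is assumed to have been set when the login was started.

```perl
#!/usr/bin/env perl
# Callback handler for the Cognito Hosted UI authorization-code flow.
# Cognito redirects the browser to THIS URL (on our domain) with ?code=...&state=...
use strict; use warnings;
use CGI;
use LWP::UserAgent;
use MIME::Base64 qw(encode_base64);
use JSON::PP qw(decode_json);
use Crypt::JWT qw(decode_jwt);
use Digest::SHA qw(sha256_hex);

my $cognito   = 'https://YOUR-DOMAIN.auth.REGION.amazoncognito.com';  # placeholder
my $issuer    = 'https://cognito-idp.REGION.amazonaws.com/POOL_ID';    # placeholder
my $client_id = 'YOUR_APP_CLIENT_ID';                                   # placeholder
my $secret    = 'YOUR_APP_CLIENT_SECRET';                               # placeholder
my $redirect  = 'https://legacy.example.com/cgi-bin/callback.pl';       # placeholder

my $q     = CGI->new;
my $code  = $q->param('code')  // die "no code\n";
my $state = $q->param('state') // die "no state\n";
# 'state' was generated when we started the login and kept in our own cookie;
# a mismatch means this callback was not initiated by us (login CSRF).
my $expected = $q->cookie('oauth_state') // '';
die "state mismatch\n" unless $state eq $expected;

# 1. Exchange the one-time code for tokens, server to server (never via the browser).
my $ua  = LWP::UserAgent->new(timeout => 10);
my $res = $ua->post("$cognito/oauth2/token",
    { grant_type => 'authorization_code', client_id => $client_id,
      code => $code, redirect_uri => $redirect },
    Authorization => 'Basic ' . encode_base64("$client_id:$secret", ''));
die "token exchange failed: " . $res->status_line . "\n" unless $res->is_success;
my $tokens = decode_json($res->decoded_content);

# 2. Verify the id_token: RS256 signature against the pool's published JWKS,
#    plus issuer, audience and expiry. Never act on an unverified decode.
my $jwks   = $ua->get("$issuer/.well-known/jwks.json")->decoded_content;
my $claims = decode_jwt(token => $tokens->{id_token}, kid_keys => $jwks,
    accepted_alg => ['RS256'], verify_iss => $issuer,
    verify_aud => $client_id, verify_exp => 1);

# 3. Issue OUR OWN session cookie on OUR domain; Cognito's cookie is never needed.
my $sid = sha256_hex($claims->{sub} . time . rand);  # persist $sid => $claims server-side
print $q->header(
    -cookie => $q->cookie(-name => 'legacy_session', -value => $sid,
                          -secure => 1, -httponly => 1, -samesite => 'Lax'),
    -status => '302 Found', -location => '/');
```

Because the signature is checked against the pool's public keys, the legacy app trusts the JWT without ever seeing Cognito's cookie, so no same-origin workaround or iframe trick is required.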