amazon-cognito-identity-js

Single Sign on with OIDC Token

Open bennypowers opened this issue 6 years ago • 0 comments

Let's say I want Twitch users to be able to log in to my Cognito user pool from their browsers. I add a "login with Twitch" button to my website, and users can click it to get an OIDC token back from Twitch. Once I get that token, is there any way for me to do passwordless login to the user pool? It would look like this:

  1. User logs in to Twitch from my website
  2. Twitch redirects to my website with OIDC token
  3. My website sends request to API Gateway with OIDC token
  4. Lambda validates OIDC token, gives OK response
  5. Client JS logs user in

In step 5, I expect to be able to call a method like cognitoUser.authenticateUser() to then log in to the app. Is there such a method for passwordless login?

If not, how else can I arrange a system like this?

  • Do I have to send the user back their password over HTTPS?
  • Is there a way to hash the password on the server side and send the hash to the client to log in with?
  • Can the server generate a session for the client the same way I would call cognitoUser.getSession() on the client?

bennypowers, Aug 20 '17 13:08
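
For step 4 of the flow above, an added example (not part of the original issue and not code from amazon-cognito-identity-js) of the checks a server-side validator applies to an OIDC ID token before trusting it: pinned algorithm, signature, issuer, audience, expiry and nonce. The issuer, client ID, key pair and helper names are constructed so it runs offline; a real Lambda would verify against the keys the provider publishes in its JWKS.

```javascript
const crypto = require('crypto');

// Constructed values; a real deployment takes them from the provider's
// discovery document and the app's client registration.
const ISSUER = 'https://idp.example/oauth2';
const CLIENT_ID = 'example-client-id';

const b64u = (v) => Buffer.from(v).toString('base64url');
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Returns the claims if the token is acceptable, otherwise throws.
function validateIdToken(token, publicKey, expectedNonce, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm: the token must not choose it (rejects "none", HS256).
  if (decode(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const c = decode(p); // claims are read only after the signature checks out
  if (c.iss !== ISSUER) throw new Error('wrong issuer');
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(CLIENT_ID)) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  // The nonce ties the token to the login request this client started.
  if (!expectedNonce || c.nonce !== expectedNonce) throw new Error('nonce mismatch');
  return c;
}

// Demo helper: signs a constructed token with a locally generated key,
// standing in for the identity provider.
function signToken(claims, privateKey, alg = 'RS256') {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const good = { iss: ISSUER, aud: CLIENT_ID, sub: 'user-1', nonce: 'n-1',
  exp: Math.floor(Date.now() / 1000) + 300 };

// True when the validator refuses the token.
function rejects(token, nonce = 'n-1') {
  try { validateIdToken(token, publicKey, nonce); return false; } catch (e) { return true; }
}
```

Only the `sub` claim of a token that passes every check should be used to look up or create the user-pool identity.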