With Amazon Cognito user pools, you can add user sign-up and sign-in features and control access to your web and mobile applications. You can allow users who already have accounts with other identity providers (IdPs) to skip the sign-up step and sign in to your application with an existing account through SAML 2.0 or OpenID Connect (OIDC). In this blog post, you'll learn how to extend the authorization code grant between Cognito and an external OIDC IdP with private key JSON Web Token (JWT) client authentication.
For OIDC, Cognito uses the OAuth 2.0 authorization code grant flow as defined by the IETF in RFC 6749 Section 1.3.1. This flow can be broken down into two steps: user authentication and token request. When a user needs to authenticate through an external IdP, the Cognito user pool forwards the user to the IdP's login endpoint. After successful authentication, the IdP sends back a response that includes an authorization code, which concludes the authentication step. The Cognito user pool now uses this code, together with a client secret for client authentication, to retrieve tokens from the IdP. The token response contains an access token and an ID token (the ID token is a JWT). Cognito ingests that response, creates or updates the user in the user pool, and returns a JWT it has created for the user's session to the client. You can find a more detailed description of this flow in the Amazon Cognito documentation.
Although this flow sufficiently secures the requests between Cognito and the IdP for most customers, those in the public sector, healthcare, and finance sometimes need to integrate with IdPs that enforce additional security measures as part of their security requirements. In the past, this has come up in conversations at AWS when customers needed to integrate Cognito with, for example, the HelseID (healthcare sector, Norway), login.gov (public sector, USA), or GOV.UK One Login (public sector, UK) IdPs. Customers who use Okta, PingFederate, or similar IdPs and want additional security measures as part of their internal security requirements might also find these measures worthwhile as part of their own policies.
The most common additional requirement is to replace the client secret with an assertion that consists of a private key JWT as the means of client authentication during token requests. This method is defined through a combination of RFC 7521 and RFC 7523. Instead of a symmetric key (the client secret), it uses an asymmetric key pair to sign a JWT with a private key. The IdP can then verify the token request by validating the signature of that JWT with the corresponding public key. This eliminates the exposure of the client secret on every request and thereby reduces the risk of request forgery, subject to the quality of the key material and how access to the private key is secured. Additionally, the JWT carries an expiry time, which constrains replay attacks to a narrow time window, and a unique jti claim, which lets the IdP reject reuse of the same assertion inside that window.
A Cognito user pool doesn't natively support private key JWT client authentication when integrating with an external IdP. However, you can still integrate Cognito user pools with IdPs that support or require private key JWT authentication by using Amazon API Gateway and AWS Lambda.
This blog post presents a high-level overview of how you can implement this solution. To learn more about the underlying code, how to configure the services involved, and what the detailed request flow looks like, see the Deploy a demo section later in this post. Keep in mind that this solution doesn't cover the request flow between your own application and a Cognito user pool, only the communication between Cognito and the IdP.
Solution overview
Following the technical implementation details of the previously mentioned RFCs, the required request flow between a Cognito user pool and the external OIDC IdP can be broken down into the simplified steps shown in Figure 1.
In this example, we use the Cognito user pool hosted UI, because it already provides OAuth 2.0-aligned IdP integration, and extend it with the private key JWT. Figure 1 illustrates the following steps:
1. The hosted UI forwards the user's client to the /authorize endpoint of the external OIDC IdP with an HTTP GET request.
2. After the user successfully logs in to the IdP, the IdP's response includes an authorization code.
3. The hosted UI sends this code in an HTTP POST request to the IdP's /token endpoint. By default, the hosted UI also adds a client secret for client authentication. To align with the private key JWT authentication method, you need to replace the client secret with a client assertion and specify the client assertion type, as highlighted in the diagram and described further below.
4. The IdP validates the client assertion by using a pre-shared public key (registered with the IdP in advance, for example as a JWK Set).
5. The IdP issues the user's tokens, which Cognito ingests to create or update the user in the user pool.
As mentioned earlier, token requests between a Cognito user pool and an external IdP don't natively support the required client assertion. However, you can redirect the token requests to, for example, an Amazon API Gateway, which invokes a Lambda function to extend the request with the new parameters. Because you need to sign the client assertion with a private key, you also need a secure location to store this key. For this, you can use AWS Secrets Manager, which lets you protect the key from unauthorized use. With the required flow and the additional services in mind, you can create the following architecture.
Let's take a closer look at the individual components and the request flow shown in Figure 2.
When you add an OIDC IdP to a Cognito user pool, you configure endpoints for Authorization, UserInfo, Jwks_uri, and Token. Because the private key is required only for the token request flow, you can configure resources to redirect and process requests as follows (the step numbers correspond to the step numbering in Figure 2):
1. Configure the endpoints for Authorization, UserInfo, and Jwks_uri with those from the IdP.
2. Create an API Gateway with a dedicated route for token requests (for example, /token) and add it as the Token endpoint in the IdP configuration in Cognito.
3. Integrate this route with a Lambda function: when Cognito calls the API endpoint, it automatically invokes the function.
4. Using the original request parameters, which include the authorization code, this function does the following:
  - Retrieves the private key from Secrets Manager.
  - Creates and signs the client assertion.
  - Makes the token request to the IdP token endpoint.
  - Receives the response from the IdP.
  - Returns that response to Cognito as the response to its token request.
The details of the function logic can be broken down into the following:
1. Decode the body of the original request. Cognito sends it as an application/x-www-form-urlencoded token request, and it includes the authorization code received during the authorize flow.
2. Retrieve the private key from Secrets Manager by using the GetSecretValue API or its SDK equivalent, or by using the AWS Parameters and Secrets Lambda Extension.
3. Create and sign the JWT. Per RFC 7523, the iss and sub claims carry the client_id, aud is the IdP's token endpoint, jti is a unique identifier, and exp is a short expiry.
4. Modify the original body and make the token request, keeping the original parameters for grant_type, code, and client_id and adding client_assertion_type and client_assertion. (The following example HTTP request has line breaks and placeholders in angle brackets for better readability.)
5. Return the IdP's response.
Note that no client secret is needed in this request. Instead, you add the client assertion type urn:ietf:params:oauth:client-assertion-type:jwt-bearer and the client assertion containing the signed JWT.
If the request is successful, the IdP's response includes the access token and ID token. On receiving the response via the Lambda function, Cognito ingests the tokens and creates or updates the user in the user pool. It then responds to the original authorize request of the user's client by sending its own authorization code, which your application can exchange for a Cognito-issued JWT.
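As an added example (not code from the post or its GitHub repository), the following Python models the two sides of the token request described above: the body rewrite the Lambda function performs (including the early client_secret sanity check suggested under Additional considerations), and the validation the IdP runs on the assertion with the pre-shared public key. Everything specific is assumed: the token endpoint URL, client ID, authorization code, kid and form body are constructed sample values, the function names are mine, RS256 over RSA is chosen because the post doesn't say which algorithm the demo uses, and RSA key generation and PKCS#1 v1.5 signing are hand-rolled only so the example runs offline on the standard library. A real function would load the key from Secrets Manager and sign with a vetted JWT library or the KMS Sign API.

```python
import base64, hashlib, json, secrets, time, uuid
from urllib.parse import parse_qs, urlencode

# Assumed sample values (not from the post); the IdP's real token endpoint goes here.
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Minimal RSA / RS256, hand-rolled only so this runs offline; use a vetted library or KMS Sign in a real function.
def _is_probable_prime(n, rounds=24):  # Miller-Rabin; callers pass large odd n
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p): return p

def generate_rsa_keypair(bits=1024):  # returns ((n, e), (n, d)); 1024 bits keeps the demo fast, real keys need >= 2048
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa_pkcs1_v15(msg, k):  # RSASSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo || SHA-256(msg)
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

_b64url = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
_b64url_decode = lambda text: base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_assertion(priv, client_id, kid, now=None, ttl=60):
    """RFC 7523 claims: iss/sub = client_id, aud = IdP token endpoint, unique jti, short exp."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    return signing_input + "." + _b64url(rs256_sign(priv, signing_input.encode()))

def verify_client_assertion(assertion, public_keys, client_id, now=None, seen_jti=None):
    """IdP-side check with the pre-shared public key (by kid): alg, signature, iss/sub, aud, exp, jti replay."""
    now = time.time() if now is None else now
    try:
        h, c, s = assertion.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s)
        alg, kid = header["alg"], header["kid"]
        iss, sub, aud, exp, jti = (claims[k] for k in ("iss", "sub", "aud", "exp", "jti"))
    except (ValueError, TypeError, KeyError):
        return False
    pub = public_keys.get(kid) if alg == "RS256" and isinstance(kid, str) else None  # alg is pinned, never trusted
    ok = (pub is not None and rs256_verify(pub, f"{h}.{c}".encode(), sig)
          and iss == client_id and sub == client_id and aud == TOKEN_ENDPOINT
          and isinstance(exp, int) and exp > now and isinstance(jti, str)
          and (seen_jti is None or jti not in seen_jti))
    if ok and seen_jti is not None:  # remember jti so a replay inside the exp window fails
        seen_jti.add(jti)
    return ok

def parse_form(body):
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def rewrite_token_request(body, priv, kid, expected_secret, now=None):
    """Rewrites the form body Cognito sent to the /token route as a private_key_jwt request: the client_secret
    Cognito adds is compared in constant time as an early sanity check and dropped, then client_assertion_type
    and client_assertion are added. Returns None to reject the request before any signing happens."""
    params = parse_form(body)
    if not secrets.compare_digest(params.pop("client_secret", "").encode(), expected_secret.encode()):
        return None
    if params.get("grant_type") != "authorization_code" or not all(params.get(k) for k in ("code", "client_id")):
        return None
    params["client_assertion_type"] = CLIENT_ASSERTION_TYPE
    params["client_assertion"] = build_client_assertion(priv, params["client_id"], kid, now)
    return urlencode(params)
```

In the Lambda handler, the form body arrives in event["body"] (base64-encoded when isBase64Encoded is set), the rewritten body is POSTed to the IdP's token endpoint with Content-Type application/x-www-form-urlencoded, and the IdP's status code and JSON body are passed back to Cognito unchanged. Keep the assertion lifetime short (60 seconds here) and mint a fresh jti per request, because an IdP that tracks jti values, as verify_client_assertion does, will reject a resent assertion even inside the exp window.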
Deploy a demo
To deploy an example of this solution, see our GitHub repository. You will find the prerequisites and deployment steps there, as well as additional in-depth information.
Additional considerations
To further optimize this solution, consider checking the event details in the Lambda function before fully processing a request. This way, you can, for example, check that all required parameters are present and valid. One option is to define a client secret when you create the IdP integration for the user pool. When Cognito sends the token request, it adds the client secret to the encoded body, so you can retrieve it and validate its value (use a constant-time comparison, and never forward it to the IdP). If the validation fails, requests can be dropped early to improve exception handling and to keep invalid requests from incurring unnecessary function charges. Treat this as a sanity check on the request's origin rather than a substitute for restricting who can reach the API Gateway route.
In this example, we used Secrets Manager to store the private key. You can explore other options, like AWS Systems Manager Parameter Store or AWS Key Management Service (AWS KMS). To retrieve the key from Parameter Store, you can use the SDK or the AWS Parameters and Secrets Lambda Extension. With AWS KMS, you can create and store the private key, retrieve the corresponding public key through the GetPublicKey API, and use the Sign API to sign the JWT in the Lambda function, so the private key never leaves KMS.
Conclusion
By redirecting the IdP token endpoint in the Cognito user pool's external OIDC IdP configuration to a route in an API Gateway, you can use Lambda functions to customize the request flow between Cognito and the IdP. In the example in this post, we showed how to change the client authentication mechanism during the token request from a client secret to a client assertion with a signed JWT (private key JWT). You can apply the same proxy-like approach to customize the request flow even further, for example by adding Proof Key for Code Exchange (PKCE), for which you can find an example in the aws-samples GitHub repository.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on AWS re:Post for Amazon Cognito User Pools or contact AWS Support.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.