Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

question: Where can we get configuration details for the AWS Cognito IdP? #336

Open
MrChadMWood opened this issue Apr 25, 2024 · 1 comment
Assignees
Labels
need triage question Further information is requested

Comments

@MrChadMWood
Copy link

MrChadMWood commented Apr 25, 2024

Some useful links to get started:

Forgive my ignorance, as I'm not an expert with Caddy, Cognito, or OAuth2.0. I have some experience with all three, but I'm not quite comfortable with any yet. My goal is to utilize all three for network-level authentication and authorization. If an unauthorized visitor should visit any resource where authentication is required, Caddy should redirect them to a login portal. If the visitor successfully authenticates, Caddy should automatically redirect them to their original destination.

I'm struggling to understand the full set of configuration options available within the security component of the Caddy file (ref: Github examples). Second, I'm struggling to understand how each configuration option [present in the example] is used by Caddy. Which are optional, required, what acceptable values are, ...

Take the following snippet:

		oauth identity provider cognito-us-east-1 {
			driver cognito
			realm cognito-us-east-1
			client_id {env.COGNITO_US_EAST_1_CLIENT_ID}
			client_secret {env.COGNITO_US_EAST_1_CLIENT_SECRET}
			user_pool_id {env.COGNITO_US_EAST_1_POOL_ID}
			region us-east-1
			icon "AWS Cognito US" "aws"
		}

		authentication portal myportal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider cognito-us-east-1
			cookie domain myfiosgateway.com
			ui {
				links {
					"My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin keycloak
				action add role authp/user
			}
		}

		authorization policy mypolicy {
			set auth url https://auth.myfiosgateway.com:8443/
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
		}

Much of the above is self-explanatory, I'm sure. For example, cookie domain myfiosgateway.com pretty much explains itself. For many other parts, I'm struggling. What is myportal.transform user, cognito-us-east-1.icon, doing. Whats going on in myportal.ui.links? Am I able to just use the AWS Cognito Hosted UI directly, without any other login portal created by this module (ref: Authcrunch's documentation)?

I feel like I have so many questions that I am probably missing some important documentation. Rather than work through all my questions here, could you kindly advise where I should be looking for more details on the Caddyfile configuration for Cognito? Thanks!

Edit: One other thing. The current AWS Cognito docs (ref: Authcrunch's documentation) make many highlights on various configuration details for Cognito. This is quite confusing for me, as I struggle to understand if the Caddy-Securty module requires such a setup or if I'm free to make some changes. For example, I want to allow users to signup themselves and I don't want to allow preferred usernames. As I'm sure this would be fine, I still struggle finding the boundary between what needs to be done for compatibility purposes and what is optional.

@MrChadMWood MrChadMWood added need triage question Further information is requested labels Apr 25, 2024
@MrChadMWood
Copy link
Author

Here's a minimal example of the Cognito for more context:

# main.tf

provider "aws" {
  region = "us-west-1"
}

resource "aws_cognito_user_pool" "user_pool" {
  name = "user-pool"
  username_attributes = ["email"]
  
  password_policy {
    minimum_length    = 7
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
    temporary_password_validity_days = 7
  }

  device_configuration {
    challenge_required_on_new_device = true
  }
  
  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }

  email_configuration {
    reply_to_email_address = "[email protected]"
  }

  schema {
    name     = "email"
    attribute_data_type = "String"
    required = true
    mutable  = false
  }

  #lambda_config {
  #  create_auth_challenge = aws_lambda_function.lambda_email_domain_verifier.arn
  #}
}

resource "aws_cognito_user_pool_domain" "domain" {
  domain       = "mycompanybi-auth"
  user_pool_id = aws_cognito_user_pool.user_pool.id
}

resource "aws_cognito_user_pool_client" "client" {
  name = "user-pool-client"

  user_pool_id = aws_cognito_user_pool.user_pool.id
  generate_secret = true
  explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
  prevent_user_existence_errors = "ENABLED"

  callback_urls                        = ["https://mycompanybi.link"]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["email", "openid"]
  supported_identity_providers         = ["COGNITO"]
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
need triage question Further information is requested
Projects
None yet
Development

No branches or pull requests

2 participants