Node Reference - Cognito Setup – Source Allies Node Reference - Cognito Setup | Source Allies
← Node Reference - HTTPS Node Reference - Authentication →

Node Reference - Cognito Setup

07/16/2018 By Paul Rowe, Matt Vincent

Cognito setup

In order to secure our application we are going to leverage OpenID Connect. Each request to our application from either another service or a logged in human user will contain a JSON Web Token (a.k.a. JWT) as a “Bearer” token in the Authorization header. This token not only proves who the client is, but it also holds information about that client (e.g. its Claims) that include email address and roles.

Great application security is difficult. This is why we believe in following a best practice of offloading as much security related design to industry standards and as much implementation as possible to community reviewed and trusted third party libraries.

In order to support OpenID Connect we need an Identity Provider. This is a server that both the client and our application / service trust. The client sends credentials (i.e. Client ID and Secret pair) in order to obtain a JWT and the application / service uses the public key of the Identity Provider to verify the signature of the JWT. If your organization already has an OpenID Connect compatible identity provider in place, then reach out to the responsible team to inquire about using it as the provider for your application. This will allow single sign-on for users that already have accounts at that Identity Provider. If not, an AWS Cognito User Pool is OpenID compatible. Unfortunately, the Cloudformation support for User Pools is lacking the ability to configure the resources we need so we will have to do this configuration via a combination of CloudFormation and the AWS CLI.

Start by placing the following in a cognito.template.yaml file. This will specify your CloudFormation stack for the following AWS resources:

  • a Cognito UserPool
  • a Cognito UserPoolClient
AWSTemplateFormatVersion: "2010-09-09"
Description: Pipeline for Organization's Cognito UserPool
Parameters:
  AuthName:
    Type: String
    Description: Unique Auth Name for Cognito Resources
Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Sub ${AuthName}-user-pool
      MfaConfiguration: "OFF"
      AutoVerifiedAttributes:
        - email
      Schema:
        - Name: sub
          AttributeDataType: String
          Mutable: true
          Required: true
          StringAttributeConstraints:
            MinLength: "1"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: given_name
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: family_name
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: middle_name
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: nickname
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: preferred_username
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: profile
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: picture
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: website
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: email
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: email_verified
          AttributeDataType: Boolean
          Mutable: true
          Required: false
          DeveloperOnlyAttribute: false
        - Name: gender
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: birthdate
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "10"
            MaxLength: "10"
          DeveloperOnlyAttribute: false
        - Name: zoneinfo
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: locale
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: phone_number
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: address
          AttributeDataType: String
          Mutable: true
          Required: false
          StringAttributeConstraints:
            MinLength: "0"
            MaxLength: "2048"
          DeveloperOnlyAttribute: false
        - Name: updated_at
          AttributeDataType: Number
          Mutable: true
          Required: false
          NumberAttributeConstraints:
            MinValue: "0"
          DeveloperOnlyAttribute: false
      Policies:
        PasswordPolicy:
          RequireLowercase: true
          RequireSymbols: true
          RequireNumbers: true
          MinimumLength: "8"
          RequireUppercase: true
  # All attributes are readable and writable by default because 
  # no "ReadAttributes" or "WriteAttributes" are specified.
Outputs:
  UserPoolId:
    Value: !Ref UserPool
    Export:
      Name: "UserPool::Id"

Then deploy your cognito.template.yaml stack via the AWS CLI:

AUTH_NAME="theproducts"

aws cloudformation deploy \
 --stack-name=Cognito \
 --template-file=cognito.template.yml \
 --parameter-overrides AuthName="$AUTH_NAME" \
 --capabilities CAPABILITY_IAM

Next, you can specify the domain of your User Pool via the AWS CLI, since CloudFormation does not support this property at this time.

# This looks up our userpool id. 
# You can also simply copy the output variable from the cognito stack via the AWS Console
USER_POOL_ID=$(aws cloudformation describe-stacks \
    --stack-name Cognito \
    --query 'Stacks[0].Outputs[?OutputKey==`UserPoolId`].OutputValue' \
    --output text)

# Because cloudformation does not yet support domains, we can create it via the CLI
 aws cognito-idp create-user-pool-domain --domain "$AUTH_NAME" --user-pool-id "$USER_POOL_ID"

The Cognito user pool is the shared component (this is why it is deployed as its own template). Each service we build will need its own Resource Server. This is the container for the scopes (or roles) that our service is secured by.

We also need a service account for our service so that the acceptance tests have access to call our APIs. UserPool Client is used for this purpose. Resource servers cannot yet be created via Cloudformation so we will have to use the CLI:

# unique identifier for our resource server. The fully qualified domain name is a good choice
SERVICE_IDENTIFIER="products.example.com"

# Create a resource server
aws cognito-idp create-resource-server \
    --user-pool-id "$USER_POOL_ID" \
    --identifier $SERVICE_IDENTIFIER \
    --name "Product Service" \
    --scopes \
        "ScopeName=products:read,ScopeDescription=Product Read Access" \
        "ScopeName=products:write,ScopeDescription=Product Write Access"

# Create a client for our acceptance tests
USER_POOL_CLIENT_ID=$(aws cognito-idp create-user-pool-client \
    --user-pool-id "$USER_POOL_ID" \
    --client-name "product-acceptance-tests" \
    --generate-secret \
    --allowed-o-auth-flows-user-pool-client \
    --supported-identity-providers "COGNITO" \
    --allowed-o-auth-flows "client_credentials" \
    --allowed-o-auth-scopes \
        "$SERVICE_IDENTIFIER/products:read" \
        "$SERVICE_IDENTIFIER/products:write" \
    --query 'UserPoolClient.ClientId' --output text)
echo "Created User Pool Client: $USER_POOL_CLIENT_ID"

To test your new identity provider, you can use cURL to attempt to obtain a token by executing the following commands:

CLIENT_SECRET=$(aws cognito-idp describe-user-pool-client --user-pool-id "$USER_POOL_ID" --client-id "$USER_POOL_CLIENT_ID" --query 'UserPoolClient.ClientSecret' --output text)

curl -X POST \
  https://${USER_POOL_CLIENT_ID}:${CLIENT_SECRET}@${AUTH_NAME}.auth.us-east-1.amazoncognito.com/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d grant_type=client_credentials

You should receive a JSON response that contains an “access_token” field. This token is the JWT that is sent to the server. It will look something like shown below:

{
    "access_token": "eyJraWQiOiJvO......93t0Ei-hr9Ww",
    "expires_in": 3600,
    "token_type": "Bearer"
}

If you are curious what the token contains, it can be copy/pasted into jwt.io to view its contents. It will look something like this:

{
  "sub": "3op....11f",
  "token_use": "access",
  "scope": "products.example.com/products:read products.example.com/products:write",
  "auth_time": 1528675981,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_LJ****",
  "exp": 1528679581,
  "iat": 1528675981,
  "version": 2,
  "jti": "79b6....15",
  "client_id": "3op....11f"
}

To verify the signature of our token we need to obtain the public key for our identity provider. Most identity providers rotate this key-pair on a frequent (ex. hourly) basis. To always obtain up to date public keys we can leverage the JSON Web Key Set or JWKS standard. This specification provides a standard way to encode a set of public keys in a JSON document and then make it available at a URL. We can fetch the current JWKS document for our identity provider by executing this command with the correct cognito_user_pool_id value (found as Pool Id in the AWS Console in the User Pool’s General Settings):

curl https://cognito-idp.us-east-1.amazonaws.com/${USER_POOL_ID}/.well-known/jwks.json

We now have a fully managed, security standards-compliant identity service available for use. See the changes we made here.

Table of Contents

If you have questions or feedback on this series, contact the authors at nodereference@sourceallies.com.

← Node Reference - HTTPS Node Reference - Authentication →
Source Allies Logo © Source Allies, Inc.