Skip to main content

AWS Cognito

Find AWS Cognito integration example in the following Caddyfile and associated environment file.

Cognito User Pool

Follow the below screenshots to create new Cognito user pool.

AWS Cognito

AWS Cognito

Here, add custom attribute roles and timezone. It would help with role-based access.

AWS Cognito

AWS Cognito

AWS Cognito

AWS Cognito

AWS Cognito

AWS Cognito

AWS Cognito

AWS Cognito

AWS Cognito

Review your selection.

AWS Cognito

AWS Cognito

Note the User Pool ID and update your environment file with it.

export COGNITO_US_EAST_1_POOL_ID=us-east-1_UFeMzbuJe

AWS Cognito

Next, browse to "App Integration", "App client settings". Enable Cognito User Pool and update relevant URL.

For example:

  • Set "Callback URL(s)" to https://auth.myfiosgateway.com:8443/oauth2/cognito-us-east-1/authorization-code-callback
  • Set "Sign out URL(s)" to https://auth.myfiosgateway.com:8443/logout

AWS Cognito

Next, create a random string for your Cognito domain and save it. This step is mandatory for a working OAuth integration.

AWS Cognito

Cognito Client

During this step, you will extract Client ID and Secret and update environment file with:

export COGNITO_US_EAST_1_CLIENT_ID=2jvuq8gkhfoh7u4fdfihiditj5
export COGNITO_US_EAST_1_CLIENT_SECRET=ldjkr0pn1jmo9lule3ge06ju13rhmsffda1vama1f80frlcvplf

Note the "App client id" and click "Show Details".

AWS Cognito

Not the "App client secret".

AWS Cognito

Cognito User

During this step, you will create a user.

Click "Create user".

AWS Cognito

Follow the selections below.

AWS Cognito

After creating the user, the user will have FORCE_CHANGE_PASSWORD status. We will overwrite it via command-line.

AWS Cognito

Open AWS CloudShell.

AWS Cognito

Run the following commands in the terminal.

export TARGET_POOL="us-east-1_UFeMzbuJe"
export TARGET_USER="jsmith"
export TARGET_USER_NAME="John Smith"
aws cognito-idp admin-set-user-password --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} --password "The@Password" --permanent
aws cognito-idp admin-update-user-attributes --user-pool-id ${TARGET_POOL} --username ${TARGET_USER} \
--user-attributes Name="name",Value="${TARGET_USER_NAME}" \
--user-attributes Name="custom:roles",Value="authp/admin|authp/user" \
--user-attributes Name="custom:timezone",Value="America/New_York"
aws cognito-idp admin-get-user --user-pool-id ${TARGET_POOL} --username ${TARGET_USER}

The roles are being separated by | (pipe).

The above command set permanent user password (i.e. no need to do password change), set custom roles and timezone.

Next, run the following command to review the created user:

aws cognito-idp admin-get-user --user-pool-id ${TARGET_POOL} --username ${TARGET_USER}

The output follows:

{
"Username": "jsmith",
"UserAttributes": [
{
"Name": "sub",
"Value": "55ddc31e-b818-4136-8fb8-84cfb31af537"
},
{
"Name": "custom:roles",
"Value": "authp/admin|authp/user"
},
{
"Name": "custom:timezone",
"Value": "America/New_York"
},
{
"Name": "email_verified",
"Value": "true"
},
{
"Name": "name",
"Value": "John Smith"
},
{
"Name": "email",
"Value": "jsmith@authcrunch.com"
}
],
"UserCreateDate": "2022-04-23T17:12:05.282000+00:00",
"UserLastModifiedDate": "2022-04-23T17:30:43.896000+00:00",
"Enabled": true,
"UserStatus": "CONFIRMED"
}

User Login

Finally, start Caddy and browse to authentication portal. Click "AWS Cognito US" link to initiate authentication.

AWS Cognito

You will be redirected to AWS Cognito for authentication.

AWS Cognito

You will be redirected back to authentication portal after successful authentication. Click "My Identity" to see the contents of your user token.

AWS Cognito

The token will contain your name email. However, the custom roles and timezone will not be there.

AWS Cognito