Reputation: 25132
I have a Javascript backend (NestJS with Express + Passport).
I would like to outsource the complexity of authentication (e.g. social auth) to Cognito but avoid getting locked in. I was wondering if I can use Cognito as a provider in Passport, similar to social providers (Google, Facebook, etc.). That way, I could integrate many providers with the effort of integrating just one. I would still manage user data, authorization, etc. in my own app; therefore, if I wanted to in the future, I could implement Google, Facebook, etc. social auth in my own app and get rid of Cognito.
If I understand it correctly this is possible with Auth0.
Ideally, I would like to implement an OAuth flow where the user is redirected to a simple "sign up / log in" Cognito app, logs in, gets redirected to a callback URL in my app where I receive user data. If AWS doesn't host a solution for this, I can also use their UI elements to build & host this app.
If implemented as a provider / strategy, this could be as simple as:
    // Illustrative only: "CognitoStrategy" is a hypothetical strategy, modelled on
    // the existing social strategies, showing the shape such an integration would take.
    passport.use(new CognitoStrategy({
        key: KEY,
        secret: SECRET,
        callbackURL: "http://www.example.com/auth/cognito/callback"
      },
      // Verify callback: runs after Cognito redirects back with the user's profile.
      // (OAuth 2.0 strategies pass accessToken and refreshToken in the first two slots.)
      function(token, tokenSecret, profile, done) {
        // Key the local user on the provider's stable id, creating it on first login.
        User.findOrCreate({ uuid: profile.id }, function (err, user) {
          return done(err, user);
        });
      }
    ));

    // Start the flow: redirect the user to Cognito's hosted login page.
    app.get('/auth/cognito', passport.authenticate('cognito'));

    // Cognito redirects here; on failure, send the user back to start again.
    app.get('/auth/cognito/callback',
      passport.authenticate('cognito', { failureRedirect: '/auth/cognito' }),
      function(req, res) {
        res.redirect('/');
      });
Is there a solution for this? Does this make sense in principle? Am I missing any complexity in the many-for-one idea?
Upvotes: 2
Views: 5684
Reputation: 25132
It's possible to use both User Pools and Identity Pools via OAuth. Cognito even has a self-hosted UI, with its own domain and branding available. Setup steps: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html
I used a generic OAuth2 Passport strategy: https://github.com/jaredhanson/passport-oauth2
Endpoint details: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
After the setup, Federated Identities can be set up from the AWS console.
In the end an unbranded screen looks like this:
Upvotes: 3
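The approach in the answer above (Cognito's hosted UI behind the generic passport-oauth2 strategy), as an added example that is not code from the answer, from AWS or from the Passport project: it builds the strategy options from the hosted-UI endpoints, maps the userInfo response to a Passport-style profile keyed on `sub`, and keeps the local user record provider-neutral so the provider can be swapped later. The hosted-UI domain, client id/secret and the Map-backed store are assumptions standing in for the real pool and the app's database.

```javascript
// Assumed values: the pool's hosted-UI domain and an app-client id/secret; the
// endpoints are the hosted-UI paths from the Cognito server contract reference.
const CALLBACK_URL = 'https://www.example.com/auth/cognito/callback';
function cognitoOAuthOptions(domain, clientID, clientSecret) {
  const base = domain.replace(/\/+$/, '');
  return {
    authorizationURL: `${base}/oauth2/authorize`,
    tokenURL: `${base}/oauth2/token`,
    userInfoURL: `${base}/oauth2/userInfo`, // read by the userProfile override below
    clientID,
    clientSecret,
    callbackURL: CALLBACK_URL,
    scope: ['openid', 'email', 'profile'],
    state: true, // passport-oauth2 stores a random state in the session and checks it on callback
  };
}
// Map the /oauth2/userInfo body to a Passport-style profile. Cognito returns attribute
// values as strings, so email_verified arrives as "true"/"false"; booleans are accepted too.
function profileFromUserInfo(info) {
  if (!info || typeof info.sub !== 'string' || info.sub === '') {
    throw new Error('userInfo response has no sub claim');
  }
  const verified = info.email_verified === true || info.email_verified === 'true';
  return {
    provider: 'cognito',
    id: info.sub,
    username: info.username || null,
    emails: info.email ? [{ value: info.email, verified }] : [],
  };
}
// Verify callback: key the local record on (provider, sub), not on email, which can be
// unverified or change. `store` is a Map standing in for the app's User.findOrCreate.
function makeVerify(store) {
  return function verify(accessToken, refreshToken, profile, done) {
    const key = `${profile.provider}:${profile.id}`;
    let user = store.get(key);
    if (!user) {
      user = { id: store.size + 1, externalId: key, email: profile.emails[0]?.value ?? null };
      store.set(key, user);
    }
    return done(null, user);
  };
}
// Wiring, once passport and passport-oauth2 are installed (this._oauth2 is the client
// the library exposes for a userProfile override):
//   const opts = cognitoOAuthOptions(domain, clientID, clientSecret);
//   const strategy = new OAuth2Strategy(opts, makeVerify(new Map()));
//   strategy.userProfile = function (accessToken, done) { this._oauth2.get(opts.userInfoURL,
//     accessToken, (err, body) => (err ? done(err) : done(null, profileFromUserInfo(JSON.parse(body))))); };
//   passport.use('cognito', strategy);
```

Because the local record is keyed on the provider-qualified `sub`, adding a second provider later only means another `provider:` prefix in the same store.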
Reputation: 3885
If you are already getting your hands dirty managing your user data, I would integrate directly with the social providers. Cognito is most useful as a cheap and dirty place to store user data and to host managed authentication and authorization services. You are already storing your own user data, and it sounds like you are only supporting social login; Cognito might be more of a hindrance in this situation.
Additionally, there isn't some magic that powers Cognito social logins; you have to go through the same configuration steps as if you were integrating directly. The only difference is that Cognito will act as the callback endpoint.
But if you want to forge ahead while avoiding vendor lock-in, use it strictly as an OIDC service provider and use a generic OIDC strategy with Passport, or just remove Passport altogether, as you don't really need it in this situation. Then, as Auth0 recommends, use the OIDC Express middleware to protect your endpoints and use something like AppAuth to get the access token in your frontend.
Upvotes: 0