Sercan Ozdemir

Reputation: 4692

Using cognito as IDP for Spring authorization server

I know normally Cognito itself is an authorization server actor in the OAuth2 flow. But as per my custom requirements I want to use Spring Authorization Server with Cognito, basically:

I saw the JDBC example but can't really get it to work with Cognito, any help would be appreciated.

Upvotes: 2

Views: 1744

Answers (1)

Gary Archer

Reputation: 29273

Thought I'd add some notes here on the OAuth architecture to aim for, and how I think of it, since your question had a couple of points that don't quite seem right. I can't help you on Spring AS specifics though.

ROLES

  • Client: triggers user login via Spring AS
  • Authorization Server: issues tokens to the client
  • Identity Provider: one of many potential login methods

The client implements a code flow at the AS. The AS runs another code flow to the IDP. Chaining these systems together is very standard and should require only configuration, with zero code changes in the client.

REGISTRATION

  • The client is registered only in Spring AS
  • Spring AS is registered as a client in AWS Cognito
  • AWS Cognito is registered as an authentication method (IDP) in Spring AS

TOKENS ISSUED

The client always receives tokens from the AS and not the IDP. The AS issues tokens that protect your business data. It enables you to issue whatever scopes and claims you need to lock down tokens.

UPSTREAM TOKENS

Clients and APIs should not usually need to deal with tokens from the IDP. There is sometimes an exception, e.g. also using AWS tokens to access the user's AWS resources.

If that is your requirement, aim to use embedded tokens. This means Spring AS issues IDP tokens as custom claims to AS tokens. This enables your APIs to continue to authorize correctly, while also being able to access AWS resources when needed.
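The embedded-token pattern, as an added example that is not code from the answer or from the Spring project. It assumes Spring Authorization Server 1.x on Java 17 and a registration id of `cognito` configured via `oauth2Login`; the claim names `idp_access_token` and `idp_id_token` are constructed:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class EmbeddedIdpTokenConfig {

    // Runs every time the AS encodes a JWT. The AS token keeps its own scopes and claims, so
    // APIs authorize exactly as before; the IDP tokens ride along as extra claims.
    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> embedIdpTokens(OAuth2AuthorizedClientService authorizedClients) {
        return context -> {
            // Only the AS access token carries the upstream tokens; ID tokens are left alone.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            // The principal stored with the authorization is the oauth2Login result. Grants with
            // no user login (e.g. client_credentials) have nothing to embed.
            Authentication principal = context.getPrincipal();
            if (!(principal instanceof OAuth2AuthenticationToken idpLogin)) {
                return;
            }
            String registrationId = idpLogin.getAuthorizedClientRegistrationId(); // "cognito"
            OAuth2AuthorizedClient authorized =
                authorizedClients.loadAuthorizedClient(registrationId, idpLogin.getName());
            if (authorized != null) {
                context.getClaims().claim("idp_access_token", authorized.getAccessToken().getTokenValue());
            }
            if (idpLogin.getPrincipal() instanceof OidcUser oidcUser) {
                context.getClaims().claim("idp_id_token", oidcUser.getIdToken().getTokenValue());
            }
        };
    }
}
```

`OAuth2AuthorizedClientService` is the in-memory store Spring Boot auto-configures alongside `oauth2Login`; swap in a JDBC-backed one when the AS runs more than one instance. Two practical cautions: an embedded Cognito token is readable by any party that can read the AS token, so only add these claims when an API genuinely needs the user's AWS resources, and the embedded token expires on Cognito's schedule, not the AS's, so APIs must still check its `exp` before using it.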

Upvotes: 0
