I want to integrate an external authorization server as an OIDC IdP with Amazon Cognito. The authorization server application is being developed by another party, so we cannot make any changes or modifications to that service. On this URL, https://docs.aws.amazon.com/de_de/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html, some requirements have been specified for an OIDC IdP. I have also highlighted the points in the image below:
The problem is that the auth service which I want to integrate as an OIDC IdP does not support HTTPS. Also, it supports only client_secret_basic client authentication, which is not supported by AWS Cognito. When I hit the auth service's discovery document URL http://auth-server:9000/.well-known/openid-configuration, I get the response:
{
"issuer":"http://auth-server:9000",
"authorization_endpoint":"http://auth-server:9000/oauth2/authorize",
"token_endpoint":"http://auth-server:9000/oauth2/token",
"jwks_uri":"http://auth-server:9000/oauth2/jwks",
"userinfo_endpoint":"http://auth-server:9000/userinfo",
"token_endpoint_auth_methods_supported":[
"client_secret_basic"
],
"response_types_supported":[
"code"
],
"grant_types_supported":[
"authorization_code"
],
"subject_types_supported":[
"public"
],
"id_token_signing_alg_values_supported":[
"RS256"
],
"scopes_supported":[
"openid",
"profile",
"email"
],
"userinfo_signing_alg_values_supported":[
"RS256"
],
"display_values_supported":[
"page"
],
"claims_supported":[
"auth_time",
"birthdate",
"email",
"email_verified",
"family_name",
"gender",
"given_name",
"iss",
"middle_name",
"name",
"preferred_username",
"sub",
"updated_at"
],
"claims_locales_supported":[
"en"
],
"ui_locales_supported":[
"en",
"de",
"fr",
"ru",
"sk"
],
"end_session_endpoint":"http://auth-server:9000/logout"
}
Can anyone guide me on how I can solve this problem? As I mentioned, we cannot change anything in the auth server because it has been developed by another company.
Related
I have set up AWS Cognito with an OIDC federated identity provider. When logging in through the federated identity provider, two tokens are generated: an ID token and an access token. The ID token contains the user-specific claims, whereas the access token contains the group-specific claim.
Access Token
{
"iss": "identity provider URL",
"nbf": 1669183553,
"iat": 1669183553,
"exp": 1669187153,
"aud": [
"group",
"identity provider URL/resources"
],
"scope": [
"openid",
"email",
"profile",
"group"
],
"amr": [
"external"
],
"client_id": "...............",
"sub": "..........",
"auth_time": 1669183545,
"idp": "..............",
"username": "John Doe",
"group": [
"admin"
],
"tenant": "Tenant",
"sid": "xxxxxxxxxxxxxxxx"
}
ID Token
{
"iss": "identity provider URL",
"nbf": 1669183553,
"iat": 1669183553,
"exp": 1669183853,
"aud": "..............",
"amr": [
"external"
],
"at_hash": "PlXvXPmIGRyX6e8V0U67BQ",
"sid": "xxxxxxxxxxxxxxxx",
"sub": "...............",
"auth_time": 1669183545,
"idp": "..................",
"username": "johndoe",
"name": "John Doe",
"email": "johndoe@gmail.com"
}
The nameinfo endpoint of the OIDC identity provider contains some user specific information, but not the group information.
I have tried using the Pre Token Generation Lambda trigger, but the event parameter also does not contain access token-specific information.
Is there any other way by which I can get the access token claims and add them to the token generated by AWS Cognito?
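As an added example (not the asker's Lambda), a Pre Token Generation handler in the version 1 event shape, showing what the trigger receives (the mapped user attributes) and how it adds or suppresses claims; it cannot reach the IdP's access token, which is the gap the question reports. The custom attribute name custom:tenant and the emitted claim names are assumptions.

```python
# Mapped user attribute -> claim name to emit in the Cognito tokens.
# "custom:tenant" is a hypothetical custom attribute that an IdP attribute mapping
# would fill; the question's "group" claim lives only in the IdP access token, which
# is not part of this event, so nothing here can source it.
ATTRIBUTE_TO_CLAIM = {"custom:tenant": "tenant", "name": "display_name"}


def pre_token_generation(event: dict) -> dict:
    """Cognito Pre Token Generation trigger (version 1 event); returns the event with overrides."""
    request = event["request"]
    attrs = request.get("userAttributes", {})   # the only IdP-derived data in the event
    # Claim values must be strings in the v1 response; user attributes already are.
    claims = {claim: attrs[attr] for attr, claim in ATTRIBUTE_TO_CLAIM.items() if attr in attrs}
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        # Drop the raw custom attribute when it has been re-emitted under a cleaner name.
        "claimsToSuppress": ["custom:tenant"] if "custom:tenant" in attrs else [],
    }
    return event


if __name__ == "__main__":
    # Constructed event with the attributes the question's ID token carries.
    sample = {"version": "1", "triggerSource": "TokenGeneration_HostedAuth",
              "request": {"userAttributes": {"sub": "abc", "name": "John Doe",
                                             "custom:tenant": "Tenant"}},
              "response": {}}
    print(pre_token_generation(sample)["response"])
```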
I have deployed WSO2 API Manager 4.1.0 on a Debian 10 machine using the ZIP archive.
I have configured my Keyrock instance as an external identity provider in the Management Console.
When I log in with the Keyrock admin account, I can access the Publisher of the API Manager.
However, with any other account, I get the following error:
Error 403 : Forbidden - The server could not verify that you are authorized to access the requested resource.
After many verifications, I think I have configured WSO2 correctly:
WSO2 API Manager configuration:
Basic Claim Configuration
Role Configuration (I also tried to give all roles to the user)
Federated Authenticators / OAuth2/OpenID Connect Configuration
Just-in-Time Provisioning
Keyrock configuration:
Application configuration
Users authorization
I have no log from WSO2 when the error is displayed.
Here is the content of the JWT token that Keyrock sends back to WSo2:
{
"organizations": [],
"displayName": "",
"roles": [
{
"id": "1a209432-7bfe-4055-9028-a42524fc5418",
"name": "publisher"
},
{
"id": "8192fef7-d77d-4389-a618-082ccddd33ad",
"name": "apim_publisher"
}
],
"app_id": "babab169-10ea-4283-a64a-7fba4aca6ce9",
"trusted_apps": [],
"isGravatarEnabled": false,
"id": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
"authorization_decision": "",
"app_azf_domain": "",
"eidas_profile": {},
"attributes": {},
"shared_attributes": "",
"username": "pierre.josselin",
"email": "email@example.com",
"image": "",
"gravatar": "",
"extra": "",
"iss": "http://localhost:3000",
"sub": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
"aud": "babab169-10ea-4283-a64a-7fba4aca6ce9",
"exp": 1657904225,
"iat": 1657900625,
"at_hash": "9zTg2zPtFlbJpLmKE8Izsg=="
}
Thank you very much
I'm trying to integrate Google as an IdP in our existing Cognito UserPool. Everything is set up so far, and I can sign up/sign in using Google, which creates the new user. I'm using the PreSignUp Lambda trigger to link an existing user or create a new native one if there is no existing one. Now I was expecting that event.Request.UserAttributes['name'] would contain the user's name as provided by Google, or at least to see the attribute in the id_token. But I see no possibility to get those values at the moment. We started using Cognito just as the store for username/password, and none of the user attributes are filled in or marked as required.
I have set up the Google integration with the following scopes:
.../auth/userinfo.email
.../auth/userinfo.profile
openid
In the UserPoolClient I:
marked name as a readable and writeable attribute (along with others)
checked the following allowed OAuth scopes: email, openid, and profile. Those are also defined in the web client in charge of the OAuth flow.
In the Federation section, I configured the attribute mapping:
As a test, I mapped the name attribute to a custom attribute I use for testing. But neither this nor mapping name to name worked.
Payload I get in the event:
{{PreSignUp_ExternalProvider .... Google_11...} {map[cognito:email_alias: cognito:phone_number_alias: email:m...@...m email_verified:true] map[] map[]} {false false false}}
id_token content:
{
"at_hash": "..",
"sub": "52...",
"email_verified": true,
"iss": "https://cognito-idp.us-west-2.amazonaws.com/...",
"cognito:username": "52..",
"origin_jti": "..",
"aud": "...",
"identities": [
{
"userId": "11...",
"providerName": "Google",
"providerType": "Google",
"issuer": null,
"primary": "false",
"dateCreated": "1648828708886"
}
],
"token_use": "id",
"auth_time": 1648828717,
"exp": 1648830828,
"iat": 1648830228,
"jti": "...",
"email": "m...@...m"
}
access_token content:
{
"origin_jti": "02...",
"sub": "52...",
"token_use": "access",
"scope": "openid profile",
"auth_time": 1648828717,
"iss": "https://cognito-idp.us-west-2.amazonaws.com/....",
"exp": 1648829317,
"iat": 1648828717,
"version": 2,
"jti": "..",
"client_id": "...",
"username": "52..."
}
Now it's working, even though I cannot state the error. I recreated the whole test set again and ensured the correct values of the following:
attribute mappings
authorized scopes
Allowed OAuth scopes
Scopes selected by the frontend
I added the scopes email, profile, and openid to be sure, and now I get the name attribute within the PreSignUp trigger Lambda and in the ID token.
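The PreSignUp_ExternalProvider trigger the question mentions, as an added example that is not the asker's code: it links the incoming Google identity to an existing native user with the same e-mail, and only when the IdP marks that e-mail as verified, so an unverified address cannot be attached to someone else's account. The pool id, the e-mail filter and the idp_client parameter (injected so the handler can be exercised without AWS) are assumptions; the userName format 'Google_<id>' is the one shown in the question's event dump.

```python
TRIGGER = "PreSignUp_ExternalProvider"  # triggerSource seen in the question's event dump


def split_external_username(username: str) -> tuple:
    """Federated users are named '<ProviderName>_<provider user id>', e.g. 'Google_11...'."""
    provider, sep, provider_user_id = username.partition("_")
    if not sep or not provider or not provider_user_id:
        raise ValueError(f"not an external-provider username: {username!r}")
    return provider, provider_user_id


def find_native_user(idp_client, user_pool_id: str, email: str):
    """Username of an existing native (non-federated) user with this e-mail, or None."""
    if '"' in email or "\\" in email:                 # would break the ListUsers filter syntax
        return None
    resp = idp_client.list_users(UserPoolId=user_pool_id,
                                 Filter=f'email = "{email}"', Limit=2)
    native = [u for u in resp.get("Users", [])
              if u.get("UserStatus") != "EXTERNAL_PROVIDER"]
    return native[0]["Username"] if native else None


def handler(event: dict, context=None, idp_client=None) -> dict:
    """Cognito PreSignUp handler; returns the event unchanged so sign-up proceeds."""
    if event.get("triggerSource") != TRIGGER:
        return event
    attrs = event["request"]["userAttributes"]       # attribute values arrive as strings
    # Link on e-mail only when the IdP asserts it is verified; otherwise let Cognito
    # create a separate federated user rather than attach it to an existing account.
    if not attrs.get("email") or attrs.get("email_verified") != "true":
        return event
    if idp_client is None:
        import boto3                                  # only needed when running in Lambda
        idp_client = boto3.client("cognito-idp")
    pool_id = event["userPoolId"]
    provider, provider_user_id = split_external_username(event["userName"])
    native_username = find_native_user(idp_client, pool_id, attrs["email"])
    if native_username is None:
        return event                                  # nothing to link to
    idp_client.admin_link_provider_for_user(
        UserPoolId=pool_id,
        DestinationUser={"ProviderName": "Cognito",
                         "ProviderAttributeValue": native_username},
        SourceUser={"ProviderName": provider,
                    "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": provider_user_id},
    )
    return event
```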
On the AWS Cognito OIDC IdP page it is possible to Run Discovery before creating the provider:
Is there a way to do this via the command line?
No, you can't do it with the AWS CLI, but you can just call the provider directly with, for example, curl. I just created a test OIDC application on Auth0:
curl https://example.auth0.com/.well-known/openid-configuration
{
"issuer":"https://example.auth0.com/",
"authorization_endpoint":"https://example.auth0.com/authorize",
"token_endpoint":"https://example.auth0.com/oauth/token",
"device_authorization_endpoint":"https://example.auth0.com/oauth/device/code",
"userinfo_endpoint":"https://example.auth0.com/userinfo",
"mfa_challenge_endpoint":"https://example.auth0.com/mfa/challenge",
"jwks_uri":"https://example.auth0.com/.well-known/jwks.json",
"registration_endpoint":"https://example.auth0.com/oidc/register",
"revocation_endpoint":"https://example.auth0.com/oauth/revoke",
"scopes_supported":[
"openid",
"profile",
"offline_access",
"name",
"given_name",
"family_name",
"nickname",
"email",
"email_verified",
"picture",
"created_at",
"identities",
"phone",
"address"
],
"response_types_supported":[
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token"
],
"code_challenge_methods_supported":[
"S256",
"plain"
],
"response_modes_supported":[
"query",
"fragment",
"form_post"
],
"subject_types_supported":[
"public"
],
"id_token_signing_alg_values_supported":[
"HS256",
"RS256"
],
"token_endpoint_auth_methods_supported":[
"client_secret_basic",
"client_secret_post"
],
"claims_supported":[
"aud",
"auth_time",
"created_at",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"identities",
"iss",
"name",
"nickname",
"phone_number",
"picture",
"sub"
],
"request_uri_parameter_supported":false
}
The .well-known/openid-configuration path is part of the OIDC protocol and must be defined and return a correct JSON document.
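As an added example (not from the question or the answer above), a Python check that fetches the document the way the curl call does and then tests it against the requirements the first question on this page lists for Cognito: HTTPS endpoints and a token endpoint authentication method Cognito accepts. The accepted-method default of client_secret_post is an assumption taken from the Cognito docs the first question links; fetch_discovery is only used when you pass a live issuer, and the embedded document is a constructed copy of the one in the first question.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Fields Cognito reads from the discovery document (issuer plus the four endpoints).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "jwks_uri", "userinfo_endpoint")
URL_KEYS = REQUIRED_KEYS + ("end_session_endpoint",)


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch <issuer>/.well-known/openid-configuration, as the curl call above does."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:   # network call; not used by the sample below
        return json.load(resp)


def check_discovery(doc: dict, accepted_auth_methods=frozenset({"client_secret_post"})) -> list:
    """Return human-readable findings; an empty list means the document passes the checks."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            findings.append(f"missing required field: {key}")
    for key in URL_KEYS:
        value = doc.get(key)
        if value and urlparse(value).scheme != "https":
            findings.append(f"{key} is not HTTPS: {value}")
    # Per OIDC Discovery, an absent list means the token endpoint takes client_secret_basic only.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & accepted_auth_methods:
        findings.append("token endpoint only offers " + ", ".join(sorted(methods))
                        + "; Cognito needs one of " + ", ".join(sorted(accepted_auth_methods)))
    if "code" not in doc.get("response_types_supported", []):
        findings.append("response_types_supported lacks 'code' (authorization code flow)")
    return findings


# Constructed sample: the document pasted in the first question, reduced to the checked fields.
SAMPLE_DOC = {
    "issuer": "http://auth-server:9000",
    "authorization_endpoint": "http://auth-server:9000/oauth2/authorize",
    "token_endpoint": "http://auth-server:9000/oauth2/token",
    "jwks_uri": "http://auth-server:9000/oauth2/jwks",
    "userinfo_endpoint": "http://auth-server:9000/userinfo",
    "end_session_endpoint": "http://auth-server:9000/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "response_types_supported": ["code"],
}

if __name__ == "__main__":
    for line in check_discovery(SAMPLE_DOC):
        print(line)
```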
I can get id_token from WSO2 5.2 by hitting
https://localhost:9443/oauth2/token
The id_token can be customized by mapping a local claim to an OIDC claim in OpenID.
For instance, I can add a role to the JWT token from WSO2. However, I can't get the WSO2 user to show up in the token.
{
"at_hash": "VFjcb6kEgMrXIemmg7AAMQ",
"sub": "kramercecret",
"iss": "https://a2d92f278368:9443/oauth2/token",
"preferred_username": "Pikachu Jigglpuff",
"given_name": "Pikachu Jigglpuff",
"aud": [
"3j8Bf3bx_mdLagZgTjaZUeDHjAoa"
],
"azp": "3j8Bf3bx_mdLagZgTjaZUeDHjAoa",
"auth_time": 1467078553,
"scope": [
"Internal/everyone",
"Approver"
],
"name": "Pikachu Jigglpuff",
"exp": 1467082172,
"iat": 1467078572,
"email": "pikachu.jigglypuff@yahoo.com"
}
Has anyone done this before?
The purpose of this is to access the username in the ID token and let Spring Security decode the JWT token, then store the username in the database.
Thank you very much.