Setup AWS Cognito as OIDC for adding access control for Application
Md Asraful Haque (Sohel)
Posted on August 28, 2024
Goal
We will set up AWS Cognito by creating a user pool and an identity pool. This setup can then be used to authenticate any other app that supports an OIDC endpoint.
Setup AWS Cognito
Create User Pool
Go to the AWS Cognito Console and click on Create user pool.
Configure sign-in experience
Select the User name and Email sign-in options.
Configure security requirements
Keep everything as default except set the No MFA option, to keep things simple.
Configure sign-up experience
For this section keep the default options.
Configure message delivery
For message delivery select Send email with Cognito.
Integrate your app
Give the user pool a name, e.g. myapp-users, and the app client a name, e.g. myapp. Make sure that the app client is public and check the option Generate a client secret. Keep everything else at the default options.
Create User Pool
Create Identity Pool
Create an identity pool by going to AWS Cognito and then the Identity pools console.
Configure identity pool trust
Check Authenticated access and Amazon Cognito user pool.
Configure permissions
Create a new role, e.g. named myapp-identity-role:
Connect identity providers
Select your user pool (e.g. myapp-users) and the client (e.g. myapp) you created in the earlier steps. Leave everything else at the defaults.
Configure properties
Give it a name, e.g. myapp-idp, and keep everything else at the default values.
Review and create
Review and create your identity pool.
Create user in your user pool
Go to your user pool (e.g. myapp-users), then click on Users, then Create user.
Enter your user name and email and set a password:
Get Values for using AWS Cognito as OIDC
CLIENT_ID and CLIENT_SECRET
You will get the client ID and secret from your AWS user pool, i.e.:
- Go to Cognito User Pools and select your user pool (e.g. tekton-user)
- Click on the App Integration tab
- Go to the App client list section
- Click on your client
- On the App client information page you will find the Client ID and Client Secret.
OIDC Issuer URL
The OIDC issuer URL for your AWS Cognito user pool has the form: https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID.
For example, if your region is eu-west-1 and your user pool ID is eu-west-1-1234, then it will be: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user pool ID on your AWS Cognito user pools overview page.
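As an added example (not code from the original post), here is how the values above fit together on the application side, in Python: it derives the issuer and the standard OIDC discovery and JWKS URLs that Cognito serves under it, and checks the claims of an ID token (issuer, audience equal to the app client ID, token_use and expiry). The token, client ID and key id are constructed for offline use; verifying the RS256 signature against the JWKS is left to your OIDC library.

```python
import base64
import json
import time

# Constructed example values: region and pool id follow the post, the client id is made up.
# Real user pool ids look like <region>_<id>; take yours from the user pool overview page.
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1-1234"
CLIENT_ID = "example-client-id"

def cognito_issuer(region, user_pool_id):
    """Issuer URL: what Cognito puts in the `iss` claim and what the OIDC client is configured with."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def cognito_endpoints(region, user_pool_id):
    """Standard OIDC discovery paths under the issuer (discovery document and signing keys)."""
    issuer = cognito_issuer(region, user_pool_id)
    return {
        "issuer": issuer,
        "discovery": f"{issuer}/.well-known/openid-configuration",
        "jwks": f"{issuer}/.well-known/jwks.json",
    }

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed ID token for offline testing; the signature part is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def id_token_claims(token):
    """Decode the payload only; signature verification against the JWKS is the OIDC library's job."""
    _header, payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token_claims(claims, issuer, client_id, now=None):
    """Return the list of problems found; an empty list means the claims are acceptable for this app."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured Cognito issuer")
    if claims.get("aud") != client_id:
        problems.append("aud is not this app client's id")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (a Cognito access token is not an identity token)")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems
```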
Next Read
See my next blog post on authenticating tekton-dashboard as an example of how we can use AWS Cognito as an OIDC provider.
Reference:
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html