Setup AWS Cognito as OIDC for adding access control for Application

asraful_haque

Md Asraful Haque (Sohel)

Posted on August 28, 2024


Goal

We will set up AWS Cognito by creating a user pool and an identity pool. This setup can then be used to authenticate any application that supports an OIDC endpoint.

Setup AWS Cognito

Create User Pool

Go to the AWS Cognito console and click on Create user pool.

Configure sign-in experience

Select the user name and email sign-in options.


Configure security requirements

Keep everything at the defaults except MFA: select No MFA to keep things simple.


Configure sign-up experience

For this section, keep the default options.

Configure message delivery

For message delivery, select Send email with Cognito.


Integrate your app

Give the user pool a name, e.g. myapp-users, and name the app client myapp. Make sure the app client is public and check the option Generate a client secret. Keep everything else at the default options.


Create Identity Pool

Create an identity pool by going to AWS Cognito and then the Identity pools console.

Configure identity pool trust

Check Authenticated Access and Amazon Cognito User Pool.


Configure permissions

Create a new IAM role, e.g. named myapp-identity-role:


Connect identity providers

Select the user pool (e.g. myapp-users) and the app client (e.g. myapp) you created in the earlier steps. Leave everything else at the defaults.

Configure properties

Give it a name, e.g. myapp-idp, and keep everything else at the default values.

Review and create

Review and create your identity pool.

Create user at your user pools

Go to your user pool (e.g. myapp-users), click on Users, then Create user.
Enter the user name and email and set a password:


Get Values for using AWS Cognito as OIDC

CLIENT_ID and CLIENT_SECRET

You will find the client ID and client secret in your AWS user pool, i.e.:

  • Go to Cognito User Pools and select your user pool (e.g. tekton-user)
  • Click on the App integration tab
  • Go to the App client list section
  • Click on your client
  • On the App client information page you will find the Client ID and Client secret.

OIDC Issuer URL

The OIDC issuer URL for your AWS Cognito user pool has the form: https://cognito-idp.AWS_REGION.amazonaws.com/USER_POOL_ID.

For example, if your region is eu-west-1 and your user-pool ID is eu-west-1-1234, the issuer URL is: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1-1234. You will find the user-pool ID on the overview page of your user pool in the AWS Cognito console.
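As an added example (not code from the original post), the Python below derives the issuer URL and its OIDC discovery endpoints from the region and user-pool ID used above, then runs the issuer, audience, token_use and expiry checks a relying party must perform on a Cognito ID token before trusting it. The client ID, kid and token are constructed placeholders; RS256 signature verification against the pool's JWKS is still required and is not shown here.

```python
import base64
import json
import time


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """Issuer URL of a Cognito user pool (format described in the post)."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def discovery_urls(issuer: str) -> dict:
    """Standard OIDC metadata and signing-key endpoints under the issuer."""
    return {
        "openid_configuration": f"{issuer}/.well-known/openid-configuration",
        "jwks": f"{issuer}/.well-known/jwks.json",
    }


def _b64url_json(segment: str) -> dict:
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_id_token_claims(token: str, issuer: str, client_id: str, now=None) -> list:
    """Return the list of problems found in the token header and claims.

    Does NOT verify the signature; that must be done against the JWKS.
    """
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, _signature = token.split(".")
    header, claims = _b64url_json(header_b64), _b64url_json(payload_b64)
    problems = []
    if header.get("alg") != "RS256" or "kid" not in header:
        problems.append("unexpected alg or missing kid")
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    if claims.get("aud") != client_id:       # ID tokens carry aud = app client ID
        problems.append("audience is not our app client")
    if claims.get("token_use") != "id":      # access tokens say "access" instead
        problems.append("not an ID token")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def _unsigned_token(header: dict, claims: dict) -> str:
    """Constructed sample token with a dummy signature, for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.sig"


ISSUER = cognito_issuer("eu-west-1", "eu-west-1-1234")   # values from the post
SAMPLE_TOKEN = _unsigned_token(                          # constructed placeholder
    {"alg": "RS256", "kid": "constructed-kid"},
    {"iss": ISSUER, "aud": "myapp-client-id", "token_use": "id", "exp": 2_000_000_000},
)
```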

Next Read

See my next blog post on authenticating tekton-dashboard as an example of how to use AWS Cognito as an OIDC provider.

Reference:
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html
