Cognito :: Angkor DevDocs

AWS Cognito Setup

Cognito → User Pool xxx → General Settings → App Clients

Attribute	Purpose
Name,	spring.security.oauth2.client.registration.cognito.client-name
App client id	spring.security.oauth2.client.registration.cognito.client-id
App client secret	spring.security.oauth2.client.registration.cognito.client-secret

Attribute

Purpose

Name,

spring.security.oauth2.client.registration.cognito.client-name

App client id

spring.security.oauth2.client.registration.cognito.client-id

App client secret

spring.security.oauth2.client.registration.cognito.client-secret

Enable "refresh token based authentication (ALLOW_REFRESH_TOKEN_AUTH)"

Cognito → User Pools xxx → App Integration

App Client Settings

Enabled Identity Providers Facebook + Cognito User Pool
Allowed OAuth Flows: At least Authorization code grant Comma separated List of Callback URL(s), e.g. `http://localhost:8080/login/oauth2/code/cognito,http://localhost:4200/login/oauth2/code/cognito …

Domain Name:

Use Prefix <myapp> .auth.eu-central-1.amazoncognito.com

Cognito → User Pools xxx → Federation → Identity Providers → Facebook

Facebook app ID and App secret: Taken From Facebook for Dev App Setup
Authorize Scope: public_profile,email

Facebook Developers → App <myapp> → Products → Facebook Login → Settings

Goto / signup Facebook for Developers.
You Can change the language at the bottom of the landing page, then navigate to /apps
Enable Client Auth Login, Web Oauth login, Https
Add App Domains: <mydomain>.auth.eu-central-1.amazoncognito.com (from Amazon Cognito userpool setup)
Add Platform → Webpage → https://<mydomain>.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse
Also add above URI in Products | Facebook Login | Settings | Client-OAuth-Settings | Valid OAuth Redirect URLs !!!
Enable Client Oauth Login, probably also web auth (?)
For more details refer to Setup Facebook Login

Selected OAuth2 Tutorials

build.gradle.kts dependency

    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")

OAuth Issues

http header redirect issues for issuer url

Explanation

Even if spring.security.oauth2.client.provider.cognito.issuer-uri is an https url, it will resolve to http if spring boot is running behind an ssl terminating proxy. To avoid redirect issues, as of spring boot 2.2. you should set server.forward-headers-strategy=NATIVE (in previous versions: server.use-forward-headers:) and make sure your nginx config sets the headers accordingly

nginx.conf

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Oauth Token Details

if AbstractAuthenticationToken is an instance of OAuth2AuthenticationToken, this is what principal.attributes would returns for a fictitious guy named Gin Tonic authenticated through Facebook

{
  "at_hash" : "Uv****2YAmqztSp******",
  "sub" : "3913****-****-****-****-****bacc8b9c",
  "cognito:groups" : [ "eu-central-1_ILJadY8m3_Facebook", "angkor-admins" ],
  "cognito:preferred_role" : "arn:aws:iam::06********:role/angkor-cognito-role-admin",
  "cognito:roles" : [ "arn:aws:iam::06********:role/angkor-cognito-role-admin" ],
  "cognito:username" : "Facebook_16************65",
  "given_name" : "Gin",
  "name" : "Gin Tonic",
  "family_name" : "Tonic",
  "email" : "gin.tonic@gmail.com"
  "nonce" : "HIaFHPVbRPM1l3Nleyi-****-****",
  "iss" : "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_ILJ******",
  "aud" : [ "20rdpl*********" ],
  "identities" : [ {
    "dateCreated" : "159853418****",
    "userId" : "169229217092****",
    "providerName" : "Facebook",
    "providerType" : "Facebook",
    "issuer" : null,
    "primary" : "true"
  } ],
  "token_use" : "id",
  "auth_time" : "2020-08-28T22:06:48Z",
  "exp" : "2020-08-28T23:06:48Z",
  "iat" : "2020-08-28T22:06:48Z",
  "email_verified" : false
}

"Light version" for cognito user Ingo Nito. Note that as long as the user is not yet assigned to at least one greap, cognito:groups and cognito:preferred_role wuill be empty

 {
  "at_hash" : "GI-20TEl4RJ_NBSNwE****",
  "sub" : "4799588a-bfe5-449c-a754-3ac6700a****",
  "cognito:groups" : [ "angkor-guests" ],
  "cognito:preferred_role" : "arn:aws:iam::06*******:role/angkor-cognito-role-guest",
  "email_verified" : true,
  "iss" : "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_I********",
  "cognito:username" : "ingonito",
  "nonce" : "PheemceLARYn1617O18Mu7n-****-****",
  "aud" : [ "20rdplaf8e*******" ],
  "event_id" : "ac06007a-bc17-4688-a4c1-b92a911b1492",
  "token_use" : "id",
  "auth_time" : "2020-08-28T22:22:20Z",
  "exp" : "2020-08-28T23:22:20Z",
  "iat" : "2020-08-28T22:22:20Z",
  "email" : "ingo.nito@secret.com"
}

Table 1. Cognito Faceboot Mapping
Cognito Attr	FB Att	Example
sub		39134950-97ef-4961-a4b1-9c
identities		[{"userId":"169225" "providerName":"Facebook" "providerType":"Facebook" "issuer":null "primary":true "dateCreated":159853XXXXXX3}]
email_verified		false
name	name	Gin Tonic
given_name	first_name	Gin
family_name	last_name	Tonic
email	email	ginto@mail.com
Username	<Provider>_id	Facebook_169225

RFC 7519 defines some standard claim names in “4.1. Registered Claim Names”. source

iss - Issuer The “iss” (issuer) claim identifies the principal that issued the JWT.
sub - Subject The “sub” (subject) claim identifies the principal that is the subject of the JWT
aud - Audience The “aud” (audience) claim identifies the recipients that the JWT is intended for.
exp - Expiration
nbf - Not Before
iat - Issued At
jti - JWT ID

Cognito

Enable OAuth2