Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org
Other
7.44k stars 1.07k forks source link

Support for SSO via AWS Cognito JWT Method #5294

Open ecapuano opened 6 years ago

ecapuano commented 6 years ago

Might be the wrong place to make such a request, but due to lack of SAML/SSO/MFA,etc, would be ideal to be able to leverage existing authentication gateways such as Cognito. The existing SSO plugin only supports simpler HTTP header methods.

Possible Solution

Great articles below https://www.stackery.io/blog/authentication-aws-cognito/ https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

Feel free to discard if out of scope for this repo.

Akrugerus commented 3 years ago

Support for AWS Cognito would be possible by implementing a reverse proxy like nginx to handle authentication, but due to the reaction to 9714, this implementation would be incomplete because of the inability to provision users from the Cognito user pool. Having to manually provision users sort of defeats the purpose of implementing Cognito as you wouldn't be able to trust an audit of your Cognito policies to be accurate in regards to Graylog.