LD4P / sinopia_acl

node.js based code to interact with WebACL data on sinopia server
Apache License 2.0

given user email, be able to get current webid from cognito #29

Closed ndushay closed 5 years ago

ndushay commented 5 years ago

See LD4P/sinopia_server#79; this code repo is where we are going to get from user emails to the current cognito webids.

The current webids for admins are needed for webACL work.

Examples of user lookup (by email) w/ AWS CLI, see our terraform repo for AWS CLI setup: https://github.com/LD4P/sinopia_server/issues/79#issuecomment-475142864. This gets you a sub field for the user, which you can concat w/ known iss URL to get the webID trellis derives, see trellis auth wiki page.

jmartin-sul commented 5 years ago

possibly useful info:

from trellis wiki page on authentication https://github.com/trellis-ldp/trellis/wiki/Authentication

In order for Trellis to authenticate users with JWT, it needs to be able to derive a WebID for a user... a client can provide a standard sub claim with a URL identifying a user or a combination of iss (issuer) and sub (subject) to form a WebID. For example, the simplest token could consist of:

{ "webid": "http://example.com/username" }

Or, this would produce the same WebID:

{ "sub": "username", "iss": "http://example.com/" }

Other claims may be present, but they will be ignored by Trellis.

example payload section of a Cognito JWT (which is what we'll be getting)

{
  "sub": "123aa456-0987-41d2-4321-a177cd72a654",
  "event_id": "1ab2c3de-3456-12a3-b456-4321321cb227",
  "token_use": "access",
  "scope": "openid email",
  "auth_time": 1552374716,
  "iss": "https:\/\/cognito-idp.us-west-2.amazonaws.com\/us-west-2_HUmNIdmhy",
  "exp": 1552378316,
  "version": 2,
  "client_id": "543cav95u0q1rqcags1nedc68a",
  "username": "meatdata.admin"
}

The above example omits some of the fields we'd get back, but most relevant are iss and sub, which give us a WebID of https://cognito-idp.us-west-2.amazonaws.com/us-west-2_HUmNIdmhy/123aa456-0987-41d2-4321-a177cd72a654 for the user meatdata.admin. Also, the email address does not come in the JWT payload (it was not omitted as an edit here), but it is possible to use the CLI invocation described by https://github.com/LD4P/sinopia_server/issues/79#issuecomment-475142864 to look up a user's info (incl. sub) either by username or by email address.
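Added example (not code from sinopia_acl or Trellis): the iss/sub-to-WebID derivation described in the two comments above, in Node.js, plus a helper that reads the claims out of a compact JWT. The function names `webIdFromClaims` and `decodeJwtPayload` are my own; the token is constructed inline from the Cognito payload shown above with a dummy signature, and no signature verification happens here, since that is Trellis's job when it authenticates the request.

```javascript
'use strict';

// Derive the WebID Trellis would compute from a decoded JWT payload.
// Rule (from the Trellis authentication wiki quoted above): an explicit
// "webid" claim wins; otherwise the WebID is iss joined to sub with exactly
// one "/". Cognito's iss has no trailing slash and the wiki example's iss
// does, so the join normalises both. Returns null when neither form is usable.
function webIdFromClaims(claims) {
  if (typeof claims.webid === 'string' && claims.webid.length > 0) {
    return claims.webid;
  }
  const { iss, sub } = claims;
  if (typeof iss !== 'string' || typeof sub !== 'string' || !iss || !sub) {
    return null;
  }
  return `${iss.replace(/\/+$/, '')}/${sub.replace(/^\/+/, '')}`;
}

// Pull the payload (middle segment) out of a compact JWT and parse it.
// This only reads claims; it does NOT verify the signature, so the result
// is untrusted input until the token has been verified against the issuer.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected header.payload.signature)');
  }
  // Node's base64 decoder also accepts the URL-safe alphabet JWTs use.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Constructed sample: the relevant claims from the Cognito payload above,
// wrapped in an unsigned token (dummy signature) so this runs offline.
const samplePayload = {
  sub: '123aa456-0987-41d2-4321-a177cd72a654',
  iss: 'https://cognito-idp.us-west-2.amazonaws.com/us-west-2_HUmNIdmhy',
  username: 'meatdata.admin',
  token_use: 'access',
};
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const sampleToken =
  `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(samplePayload)}.dummysig`;

// Prints the WebID for meatdata.admin when run directly.
console.log(webIdFromClaims(decodeJwtPayload(sampleToken)));
```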