awslabs / cognito-at-edge

Serverless authentication solution to protect your website or Amplify application
Apache License 2.0
168 stars, 54 forks

Federated cognito-at-edge #55

Closed nagendrakumar02 closed 1 year ago

nagendrakumar02 commented 1 year ago

I have a Lambda@Edge function that is configured to call the Cognito user pool with relevant parameters. Cognito is using a SAML provider. When CloudFront is configured to use the Lambda@Edge (viewer request), the application is giving a CORS error. Any help is appreciated!

Is there a way to set identity_provider and scope within the code?

jeandek commented 1 year ago

Hi @nagendrakumar02 ,

There is currently no way to configure a specific value for identity_provider and scope when using cognito-at-edge. However, as detailed in the docs, these parameters are optional and Cognito uses sensible default values. My knowledge of SAML is limited (I've only used OIDC providers with Cognito), but unless I am mistaken it does not have auth scopes anyway.

Are you sure that the issue occurs when the /authorize endpoint is called? You should be able to view the Lambda@Edge logs if you find the region the function executions happened.

nagendrakumar02 commented 1 year ago

Hi @jeandek,

I was able to get it working by forking the code and adding 2 optional parameters (idprovider and scope). If the 2 parameters are set, they are appended to the redirect URL. This has fixed my issue.

jeandek commented 1 year ago

Hum, that's probably something we should make configurable then, if it's required for SAML providers.

Can you share any more specific details about the SAML providers you've been using? Are they Microsoft AD or something else? I'll try to add a SAML provider to my test setup.

nagendrakumar02 commented 1 year ago

Sure, I can submit a PR for the change. SAML IdP is from a 3rd party, I don’t know what they are using. The good thing is as long as the IdP supports SAML, we can just set these parameters and cognito will work seamlessly.

So, I can do this in my @.*** and it works very well:

```js
const { Authenticator } = require('cognito-at-edge');

const authenticator = new Authenticator({
  // Replace these parameter values with those of your own environment
  region: 'us-west-2', // user pool region
  userPoolId: 'us-west-2_dddF', // user pool ID
  userPoolAppId: '444feerr7', // user pool app client ID
  userPoolDomain: 'cognito.amazon.com', // user pool domain
  idpIdentifier: 'hgebf', // idprovider name
  scope: 'openid', // scope, openid for saml
});

exports.handler = async (request) => authenticator.handle(request);
```

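As an added example (not cognito-at-edge's own code), this is how the redirect described in the fork above can be built from a Lambda@Edge viewer-request record: identity_provider and scope are appended to the Hosted UI /oauth2/authorize URL only when they are configured, and the originally requested path travels in state. The config keys identityProvider and redirectUri, the sample config and the sample request are assumptions constructed for this example.

```javascript
// Added example, not cognito-at-edge's own code. Config keys identityProvider
// and redirectUri are assumed names; the sample values below are constructed.

function buildAuthorizeUrl(config, state) {
  const { userPoolDomain, userPoolAppId, redirectUri, identityProvider, scope } = config;
  // Accept only a bare hostname so the scheme stays https and no path or query
  // can be smuggled into the authorize URL through the configured domain.
  if (!/^[a-z0-9.-]+$/i.test(userPoolDomain)) {
    throw new Error('userPoolDomain must be a bare hostname such as auth.example.com');
  }
  const url = new URL(`https://${userPoolDomain}/oauth2/authorize`);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', userPoolAppId);
  url.searchParams.set('redirect_uri', redirectUri);
  // URLSearchParams percent-encodes state, so a requested path containing
  // '?' or '&' cannot inject extra authorize parameters.
  url.searchParams.set('state', state);
  // Only set when configured, matching the optional parameters the fork added.
  if (identityProvider) url.searchParams.set('identity_provider', identityProvider);
  if (scope) url.searchParams.set('scope', scope);
  return url.toString();
}

// Builds the CloudFront 302 response that sends the browser to the Hosted UI,
// remembering the requested path (and query string) in state.
function redirectToHostedUi(config, request) {
  const requested = request.uri + (request.querystring ? `?${request.querystring}` : '');
  return {
    status: '302',
    statusDescription: 'Found',
    headers: {
      location: [{ key: 'Location', value: buildAuthorizeUrl(config, requested) }],
      'cache-control': [{ key: 'Cache-Control', value: 'no-store' }],
    },
  };
}

// Constructed sample configuration and viewer-request record (placeholder values).
const sampleConfig = {
  userPoolDomain: 'auth.example.com',
  userPoolAppId: 'exampleclientid',
  redirectUri: 'https://app.example.com/parseauth',
  identityProvider: 'CorpSAML',
  scope: 'openid',
};
const sampleRequest = { uri: '/reports', querystring: 'q=a&b=c' };

console.log(redirectToHostedUi(sampleConfig, sampleRequest).headers.location[0].value);
```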