awslabs / cognito-at-edge

Serverless authentication solution to protect your website or Amplify application
Apache License 2.0
168 stars, 54 forks

Configurable cookie domains #64

Closed vikas-reddy closed 11 months ago

vikas-reddy commented 1 year ago

What would you like to be added:

Add the ability to customize the domain used for token cookies.

// Configuration
const authenticator = new Authenticator({
  region: 'us-east-1', // user pool region
  userPoolId: 'us-east-1_tyo1a1FHH', // user pool ID
  userPoolAppId: '63gcbm2jmskokurt5ku9fhejc6', // user pool app client ID
  userPoolDomain: 'domain.auth.us-east-1.amazoncognito.com', // user pool domain
  // New property
  cookieDomain: 'training.aws.dev',
});

// Place in index.ts where it's going to be used
return this._fetchTokensFromCode(redirectURI, requestParams.code)
  .then(tokens => this._getRedirectResponse(
    tokens,
    // Updated param: configured cookie domain, falling back to the CloudFront host
    this._cookieDomain || cfDomain,
    requestParams.state as string
  ));

Why is this needed:

We are planning to use this library for our new authentication gateway application. As opposed to the intended use case of this library, which is to use the handle method to gate static S3 files behind an authentication gate, we are planning to use the individual handler methods directly in our app. This auth gateway app will be a set of Lambda@Edge handlers that work as an intermediary between React frontend clients and AWS Cognito to do

  1. authentication duties,
  2. exchanging the code for tokens, and
  3. sending tokens as HttpOnly cookies, which clients can use to communicate with some Amazon internal APIs

Handlers

  1. /signIn: Mapped to the existing method _getRedirectToCognitoUserPoolResponse
  2. /parseAuth: Mapped to existing method _fetchTokensFromCode
  3. /refreshToken: Mapped to existing method _fetchTokensFromRefreshToken

In our CloudFront distribution setup, we'd do something like

// signIn Lambda@Edge handler
const authenticator = new Authenticator({...})
// redirectUri: the /parseAuth callback registered on the user pool app client
exports.handler = async (request) => authenticator._getRedirectToCognitoUserPoolResponse(request, redirectUri)

// parseAuth Lambda@Edge handler
const authenticator = new Authenticator({...})
// code: the authorization code Cognito appends to the callback query string (requestParams.code above)
exports.handler = async (request) => authenticator._fetchTokensFromCode(redirectUri, code)

Slack or email me on vikred@amazon.com for additional details
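The cookie-domain fallback proposed above, worked through as an added example (not cognito-at-edge's own code). It resolves the Domain attribute from an optional configured `cookieDomain` with the CloudFront host as fallback, refuses a configured domain that does not cover the request host (a browser would silently drop such a cookie), and emits HttpOnly, Secure cookies for the tokens. The function names and the sample token values are hypothetical.

```javascript
// Added example, not the library's code. Resolve the Domain attribute for the
// token cookies: the configured override wins, otherwise the CloudFront host.
// A configured domain is accepted only when the request host equals it or is a
// subdomain of it; any other Domain value is rejected by browsers, so the
// cookie would never be stored and sign-in would loop.
function cookieDomainFor(configuredDomain, cfDomain) {
  if (!configuredDomain) return cfDomain;
  const d = configuredDomain.toLowerCase();
  const h = cfDomain.toLowerCase();
  if (h === d || h.endsWith('.' + d)) return d;
  throw new Error(`cookieDomain ${d} does not cover request host ${h}`);
}

// One Set-Cookie value per token, scoped to the resolved domain. Path is '/'
// so every edge handler (/signIn, /parseAuth, /refreshToken) receives them;
// HttpOnly keeps the tokens away from page scripts, Secure limits them to TLS.
// Note that a parent Domain (training.aws.dev) is shared with every subdomain
// under it, so it should be no wider than the hosts that must see the tokens.
function buildTokenCookies(tokens, configuredDomain, cfDomain, maxAgeSeconds = 3600) {
  const domain = cookieDomainFor(configuredDomain, cfDomain);
  return Object.entries(tokens).map(([name, value]) =>
    `${name}=${encodeURIComponent(value)}; Domain=${domain}; Path=/; ` +
    `Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`
  );
}

// Constructed sample: tokens as returned by the code exchange (placeholder values).
const sampleTokens = {
  idToken: 'ID.TOKEN.PLACEHOLDER',
  accessToken: 'ACCESS.TOKEN.PLACEHOLDER',
  refreshToken: 'REFRESH.TOKEN.PLACEHOLDER',
};
const cookies = buildTokenCookies(sampleTokens, 'training.aws.dev', 'auth.training.aws.dev');
console.log(cookies.join('\n'));
```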