search

awslabs / cognito-at-edge

Serverless authentication solution to protect your website or Amplify application
Apache License 2.0
168 stars 54 forks source link

Add support for custom cognito redirect path #87

Closed fknittel closed 4 months ago

fknittel commented 5 months ago

Description of changes: We are using cognito-at-edge in an environment where not all paths are handled by our edge lambda. Specifically, the website root / is not handled by us.

Example:

An access attempt to https://example.com/foo/ results in a redirect to https://domain.auth.us-east-1.amazoncognito.com/authorize?redirect_uri=https://example.com&response_type=code&client_id=63gcbm2jmskokurt5ku9fhejc6&state=/foo/

Notice that the redirect_uri points to a path that is not handled by us.

This PR adds an option redirectPath to allow specifying a different value for redirect_uri. Example:

const authenticator = new Authenticator({
  region: 'us-east-1',
  userPoolId: 'us-east-1_tyo1a1FHH',
  userPoolAppId: '63gcbm2jmskokurt5ku9fhejc6',
  userPoolDomain: 'domain.auth.us-east-1.amazoncognito.com',
  redirectPath: '/foo/oauth2/idresponse',
});

An access attempt to https://example.com/foo/ now results in a redirect to https://domain.auth.us-east-1.amazoncognito.com/authorize?redirect_uri=https://example.com/foo/oauth2/idresponse&response_type=code&client_id=63gcbm2jmskokurt5ku9fhejc6&state=/foo/

I hope the use-case makes sense to you and isn't too much of an edge case. (Otherwise I'd love to learn of a way to get the same result without modifying or effectively forking cognito-at-edge.) I'd be more than happy to tweak the naming, add more automated tests, etc.

The modified code appears to work well and is already used in production.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

gabrielcho commented 5 months ago

It would be great to have this implemented. Answering your request of finding a way to get the same result without forking: I was experimenting with the parseAuthPath field used in the Authenticator constructor object parameter and I managed to get a redirect_uri that includes it on the first unauthenticated call cognito-at-edge does to the cognito api /login. The problem comes when you are calling cognito-at-edge again, (after successful login) with the generated code you got from the previous call, the redirect_uri doesn't have the parseAuthPath parameter on the request made by lambda@edge to the cognito endpoint /oauth2/token to actually validate that code.

jeandek commented 4 months ago

@fknittel Hi Fabian, sorry for the lack of response from the team on this PR. Unfortunately, we have a lot of conflicting priorities which take precedence over maintaining and extending this package.

It turns out that we have a very similar need to yours, though, so I will be happy to review your CR and merge it ASAP.

jeandek commented 4 months ago

I needed to maintain compatibility with the parseAuthPath parameter which already existed, so I made a few changes. Thanks for your contribution! Expect a new release early next week.