byo-software / steam-openid-connect-provider

Steam OpenID Connect Identity Provider (IdP)
MIT License

Integration with AWS Cognito failed #2

Closed secretshardul closed 4 years ago

secretshardul commented 4 years ago

I'm trying to integrate AWS cognito with Steam login. As cognito supports OpenID Connect and not OpenID 2.0, I tried using your library. But this is leading to some issues.

Issues with cognito

  1. Cognito cannot discover the issuer.

This gives the following error:

Discovery returned no results. Check the issuer and run discovery again or manually add the required fields below.

  2. If discovery fails, Cognito provides a choice to use Authorization endpoint, Token endpoint, Userinfo endpoint and Jwks uri instead. I can't find such endpoints in your code.

In short, can you provide some documentation on issuer, Authorization endpoint, Token endpoint, Userinfo endpoint and Jwks uri?

Environment

  1. steam-openid-connect-provider docker image running on AWS elastic beanstalk. Environment variables have been set as given in instructions. Here I passed redirect URL given in AWS documentation.
    https://<cognito_pool_url>.com/oauth2/idpresponse
  2. Created a Cognito user pool and went to the OpenID Connect integration option. Here I assigned a unique name to the server and added the client name and client secret which were added to the docker image. For the issuer URL I tried different combinations of endpoints of your auth server like /ExternalLogin and /ExternalLoginCallback, but this failed. Also tried various combinations for Authorization endpoint, Token endpoint, Userinfo endpoint and Jwks uri, but this too doesn't work.
Trojaner commented 4 years ago

There should be a discovery document at /.well-known/openid-configuration with all the endpoints

secretshardul commented 4 years ago

Thank you very much, found the discovery document. But it turns out that Cognito accepts only https and not http.

We were unable to create identity provider: Oidc issuer must start with https:// (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: f0d9d82c-813c-46af-baa8-37ae9c0b71fa)

I'll try adding HTTPS to your code and let you know. But I've never used .net or C# before. Can you briefly explain how this can be done?
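Before pointing Cognito at the provider, it is worth checking the discovery document the way Cognito will read it: the issuer must be https, the four endpoints Cognito asks for must be present and https, and they must sit under the same host as the issuer. The script below is an added example and is not code from steam-openid-connect-provider; the host idp.example.com, the endpoint paths and the three sample documents are constructed. It also covers the case this thread runs into later, where TLS is terminated by a proxy or load balancer in front of the container but the app still advertises http:// endpoints.

```python
"""Pre-flight check of an OpenID Connect discovery document against the
requirements AWS Cognito enforces on an external OIDC identity provider.

Added example; not code from steam-openid-connect-provider. The host
idp.example.com, the endpoint paths and the sample documents are constructed.
"""
import json
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# The four endpoints the Cognito console asks for when discovery fails.
REQUIRED_ENDPOINTS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)


def discovery_url(issuer: str) -> str:
    """URL Cognito fetches for a given issuer (issuer + well-known path)."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the problems Cognito would reject; an empty list means OK.

    expected_issuer is the value typed into the Cognito console; the
    document's own issuer must match it and every URL must be https.
    """
    problems = []

    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        # Same condition as the console error quoted in this thread.
        problems.append(f"issuer must start with https://, got {issuer!r}")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(
            f"issuer {issuer!r} does not match configured {expected_issuer!r}"
        )

    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            # Typical symptom of TLS terminated at a proxy/ELB while the app
            # still thinks it serves plain http: the document loads over
            # https but advertises http:// endpoints.
            problems.append(f"{key} is not https: {value}")
        elif parsed.netloc != urlparse(issuer).netloc:
            problems.append(f"{key} host differs from issuer host: {value}")

    # Cognito federates using the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")

    return problems


def check_discovery_json(raw: str, expected_issuer: str) -> list:
    """Same check applied to the raw body returned by the discovery endpoint."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"discovery body is not JSON: {exc}"]
    return check_discovery(doc, expected_issuer)


def _downgrade(doc: dict, keys) -> dict:
    """Copy doc with the given URL fields rewritten to plain http."""
    out = dict(doc)
    for k in keys:
        out[k] = out[k].replace("https://", "http://", 1)
    return out


# Constructed sample: what a correctly exposed IdP should publish.
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/connect/authorize",
    "token_endpoint": "https://idp.example.com/connect/token",
    "userinfo_endpoint": "https://idp.example.com/connect/userinfo",
    "jwks_uri": "https://idp.example.com/.well-known/openid-configuration/jwks",
    "response_types_supported": ["code", "id_token"],
}

# Constructed sample: container reachable only on plain http (port 80).
HTTP_DOC = _downgrade(GOOD_DOC, ("issuer",) + REQUIRED_ENDPOINTS)

# Constructed sample: TLS terminated by a proxy, app ignoring X-Forwarded-Proto,
# so the issuer you typed is https but the advertised endpoints are http.
PROXY_DOC = _downgrade(GOOD_DOC, REQUIRED_ENDPOINTS)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("http", HTTP_DOC), ("proxy", PROXY_DOC)):
        problems = check_discovery(doc, "https://idp.example.com")
        print(name, "OK" if not problems else problems)
```

To use it against a live provider, fetch `discovery_url(issuer)` with curl and pass the body to `check_discovery_json`. If only the endpoints come back as http:// while the page itself was served over https, TLS is being terminated in front of the app and the app is not honouring the `X-Forwarded-Proto` header; in ASP.NET Core that is fixed with the ForwardedHeaders middleware (`app.UseForwardedHeaders(...)`) rather than with a certificate in Kestrel.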

Trojaner commented 4 years ago

You can add something like this:

```csharp
using System.Net; // for IPAddress

// Add to the host builder in Program.cs
.UseKestrel(options =>
{
    options.Listen(IPAddress.Any, 80);          // http://*:80
    options.Listen(IPAddress.Any, 443, listenOptions =>
    {
        // Bind to all interfaces: Cognito has to reach this listener from
        // outside the host, so IPAddress.Loopback (localhost only) would not do.
        // Keep the PFX password in configuration/secrets, not in source.
        listenOptions.UseHttps("certificate.pfx", "password");
    });
})
```

to https://github.com/ImperialPlugins/steam-openid-connect-provider/blob/master/src/Program.cs#L26

Trojaner commented 4 years ago

Alternatively you can use a reverse proxy (e.g. with nginx)

secretshardul commented 4 years ago

Thank you very much. Keep going with your excellent project 👍

joshli commented 4 years ago

Sorry to bother you. This is new to me and I'm having a hard time figuring out how to set up the reverse proxy with nginx. I currently have this Docker image on Elastic Beanstalk. Would you happen to know how I might set it up?

Thank you!

Trojaner commented 4 years ago

You can check out this: https://hub.docker.com/r/jwilder/nginx-proxy/ It seems to be an easy way of setting up an nginx reverse proxy using docker. It supports this image since it exposes the related port 80.

secretshardul commented 4 years ago

@joshli try installing an SSL certificate on the Elastic Load Balancer. Tell me if you succeed.

https://medium.com/@jameshamann/configuring-your-elastic-beanstalk-app-for-ssl-9065ca091f49
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html

Trojaner commented 4 years ago

Closing issue, feel free to open a new one if you have issues with setting this up.