Open MrChadMWood opened 2 months ago
Here's a minimal example of the Cognito setup for more context:
```hcl
# main.tf
provider "aws" {
  region = "us-west-1"
}

resource "aws_cognito_user_pool" "user_pool" {
  name                = "user-pool"
  username_attributes = ["email"] # users sign in with their e-mail address

  password_policy {
    minimum_length                   = 7
    require_lowercase                = true
    require_numbers                  = true
    require_symbols                  = true
    require_uppercase                = true
    temporary_password_validity_days = 7
  }

  device_configuration {
    challenge_required_on_new_device = true
  }

  verification_message_template {
    default_email_option = "CONFIRM_WITH_CODE"
  }

  email_configuration {
    reply_to_email_address = "mycompanybi@mycompanyco.com"
  }

  schema {
    name                = "email"
    attribute_data_type = "String"
    required            = true
    mutable             = false
  }

  # Custom auth challenge hook, currently disabled
  #lambda_config {
  #  create_auth_challenge = aws_lambda_function.lambda_email_domain_verifier.arn
  #}
}

resource "aws_cognito_user_pool_domain" "domain" {
  domain       = "mycompanybi-auth"
  user_pool_id = aws_cognito_user_pool.user_pool.id
}

resource "aws_cognito_user_pool_client" "client" {
  name                                 = "user-pool-client"
  user_pool_id                         = aws_cognito_user_pool.user_pool.id
  generate_secret                      = true
  explicit_auth_flows                  = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
  prevent_user_existence_errors        = "ENABLED"
  callback_urls                        = ["https://mycompanybi.link"]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"] # authorization code grant
  allowed_oauth_scopes                 = ["email", "openid"]
  supported_identity_providers         = ["COGNITO"]
}
```
Some useful links to get started:
Forgive my ignorance, as I'm not an expert with Caddy, Cognito, or OAuth 2.0. I have some experience with all three, but I'm not quite comfortable with any yet. My goal is to utilize all three for network-level authentication and authorization. If an unauthorized visitor should visit any resource where authentication is required, Caddy should redirect them to a login portal. If the visitor successfully authenticates, Caddy should automatically redirect them to their original destination.
I'm struggling to understand the full set of configuration options available within the `security` component of the Caddyfile (ref: Github examples). Second, I'm struggling to understand how each configuration option [present in the example] is used by Caddy. Which are optional, which are required, what the acceptable values are, ... Take the following snippet:
Much of the above is self-explanatory, I'm sure. For example, `cookie domain myfiosgateway.com` pretty much explains itself. For many other parts, I'm struggling. What are `myportal.transform user` and `cognito-us-east-1.icon` doing? What's going on in `myportal.ui.links`? Am I able to just use the AWS Cognito Hosted UI directly, without any other login portal created by this module (ref: Authcrunch's documentation)? I feel like I have so many questions that I am probably missing some important documentation. Rather than work through all my questions here, could you kindly advise where I should be looking for more details on the Caddyfile configuration for Cognito? Thanks!
Edit: One other thing. The current AWS Cognito docs (ref: Authcrunch's documentation) make many highlights on various configuration details for Cognito. This is quite confusing for me, as I struggle to understand if the Caddy-Security module requires such a setup or if I'm free to make some changes. For example, I want to allow users to sign up themselves and I don't want to allow preferred usernames. As I'm sure this would be fine, I still struggle to find the boundary between what needs to be done for compatibility purposes and what is optional.
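The redirect-to-login and return-to-original-destination behaviour asked about in the post is the OAuth 2.0 authorization code flow that the Terraform above enables (`allowed_oauth_flows = ["code"]`, `callback_urls`, `allowed_oauth_scopes`). The following is an added example, not code from the issue and not caddy-security's implementation: it models the two HTTP steps a portal performs against the Cognito hosted UI, building the authorize redirect with an HMAC-signed `state` that carries the original destination, and validating the callback before the code is exchanged. It assumes the hosted UI lives at the standard `https://<domain-prefix>.auth.<region>.amazoncognito.com` host for the pool domain and region in the Terraform; `CLIENT_ID` and the signing key are placeholders, and the callback URL in the test is constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the Terraform in the issue. CLIENT_ID is a placeholder: the real
# value is only known once aws_cognito_user_pool_client.client has been created.
REGION = "us-west-1"                       # provider region
DOMAIN_PREFIX = "mycompanybi-auth"         # aws_cognito_user_pool_domain.domain
CALLBACK_URL = "https://mycompanybi.link"  # callback_urls
SCOPES = ["email", "openid"]               # allowed_oauth_scopes
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"

# Assumption: the pool domain is served at the standard hosted-UI host for the region.
HOSTED_UI = f"https://{DOMAIN_PREFIX}.auth.{REGION}.amazoncognito.com"


def make_state(return_to, key):
    """Pack a fresh nonce and the original destination into an HMAC-signed state value.

    The nonce makes every state unpredictable; the signature lets the portal trust the
    return_to it gets back without storing it server-side. A production portal would
    additionally bind the state to the browser session (e.g. a cookie) for CSRF protection.
    """
    payload = {"n": secrets.token_urlsafe(16), "r": return_to}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).rstrip(b"=")
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"


def verify_state(state, key):
    """Return the original destination if the state signature checks out, else None."""
    try:
        body, sig = state.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    return payload.get("r")


def login_redirect(original_url, key):
    """Build the hosted-UI authorize URL an unauthenticated visitor is sent to."""
    # Only same-site absolute paths are accepted as return targets, so a crafted
    # original_url cannot turn the post-login redirect into an open redirect.
    if not original_url.startswith("/") or original_url.startswith("//"):
        original_url = "/"
    params = {
        "response_type": "code",        # allowed_oauth_flows = ["code"]
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,   # must match callback_urls exactly
        "scope": " ".join(SCOPES),
        "state": make_state(original_url, key),
    }
    return f"{HOSTED_UI}/oauth2/authorize?{urlencode(params)}"


def query_params(url):
    """Return the query string of url as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(callback_url, key):
    """Validate the redirect back from the hosted UI; return (code, return_to) or None."""
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}".rstrip("/")
    if base != CALLBACK_URL.rstrip("/"):
        return None  # only the registered callback URL may receive codes
    qs = query_params(callback_url)
    code, state = qs.get("code"), qs.get("state")
    if not code or not state:
        return None
    return_to = verify_state(state, key)
    if return_to is None:
        return None  # tampered or foreign state: do not exchange the code
    return code, return_to


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; load a real secret from the environment
    redirect = login_redirect("/reports/q3", key)
    print("redirect visitor to:", redirect)
    state = query_params(redirect)["state"]
    print("callback result:", handle_callback(
        f"{CALLBACK_URL}/?code=CODE123&state={state}", key))
```

After `handle_callback` succeeds, the next step (not modelled here) is the back-channel POST to the hosted UI's `/oauth2/token` endpoint with the client secret that `generate_secret = true` produces; only then does the portal set its own session cookie and issue the redirect to `return_to`.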