vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

gather custom claims from IdP's IDToken (was Header X-Vouch-IdP-Claims-Cognito-Groups not set) #377

Open bonnydeal opened 3 years ago

bonnydeal commented 3 years ago

I have set up a claim for "cognito:groups" in the config. The vouch log reports: {"level":"info","ts":1617014646.7303452,"msg":"Vouch.header.claims cognito:groups will be forwarded downstream in the Header X-Vouch-IdP-Claims-Cognito-Groups"} However the header is not being set. The value for "cognito:groups" is present and correct in the JWT. All the other claims are being set correctly.

The comment here indicates that this is not expected to work until #183 and #184 are resolved.

I see #183 and #184 are closed, but not seeing the header. Is there some other problem?

bnfinet commented 3 years ago

I believe it should work, but I am not a cognito user and I have not tested that fix.

@bonnydeal could you please post logs and config in the manner described in the README? Without those it's difficult to advise.

bonnydeal commented 3 years ago

I have put the logs and the nginx conf into the gist here.

https://gist.github.com/bonnydeal/2b9a57f37d930194ea730e94f9752838

bnfinet commented 3 years ago

I think you want to get rid of the add_header directives. https://gist.github.com/bonnydeal/2b9a57f37d930194ea730e94f9752838#file-nginx-conf-L47-L51

Is there something else which needs to be configured on the Cognito end to offer that information?

@bonnydeal can you please show logs that include the full roundtrip including /auth? The Userinfo call back to AWS Cognito is most critical.

bonnydeal commented 3 years ago

Hi, thanks for the response.

I tried to create a new vouch log with testing on (sorry, I forgot that in the earlier gist). However, I get a 400 bad request when I click login on the testing page. With testing turned off, it works again.

If I get rid of the add_header directives, I don't get any of the claims forwarded. With the add_header in place I get them all apart from cognito groups.

I have checked the jwt token, and it does contain the cognito groups. (decoded jwt included in the gist) https://gist.github.com/bonnydeal/7e7b5dce99363ce81bbfe46b1cd01fe2

bnfinet commented 3 years ago

@bonnydeal if testing isn't working that may point at the problem with your setup

Please upload the log and config associated with testing: true. If you're getting an error, let's troubleshoot that first.

Could you please re-read these and follow the instructions. You may need to logout first. https://github.com/vouch/vouch-proxy#okay-i-looked-at-the-issues-and-have-tried-some-things-with-my-configs-but-its-still-not-working

Specifically, I need the roundtrip and the userinfo call.

bonnydeal commented 3 years ago

Hi

I have created a new gist with testing:true and attempted to log in. https://gist.github.com/bonnydeal/091fd87199550a7839ba25147654ad66

I am using the docker method described here: https://github.com/vouch/vouch-proxy#okay-i-looked-at-the-issues-and-have-tried-some-things-with-my-configs-but-its-still-not-working:

docker run --name vouch_proxy -v $PWD/config:/config -v $PWD/certs:/certs -it --rm --entrypoint /do.sh voucher/vouch-proxy:alpine bug_report yourdomain.com anotherdomain.com someothersecret

bnfinet commented 3 years ago

@bonnydeal when you are redirected to the testing mode /login screen after accessing your protected website, do you click on the link to AWS Cognito (the 302 redirect)? What happens then?

bonnydeal commented 3 years ago

OK, my bad, I didn't realise you had to click all the links in the testing page!

Now I have managed to login and get to my protected page and all works properly in testing mode as well. I have created a new gist with the vouch log. https://gist.github.com/bonnydeal/df33895b0ed02bfb49f11be2154b8855

bnfinet commented 3 years ago

It does not appear that Cognito is passing the group array in the Userinfo call

https://gist.github.com/bonnydeal/df33895b0ed02bfb49f11be2154b8855#file-vouch-testing-log-L109-L110

This seems similar to what @rogerscuall was seeing in #221

@bonnydeal where did the JWT you decoded come from? How are you seeing it from Cognito?

bonnydeal commented 3 years ago

I use the jwt token from X-Vouch-IdP-IdToken from the /validate call as described in the scopes and claims section here https://github.com/vouch/vouch-proxy

On Tue, 6 Apr 2021, 21:25 Benjamin Foote, @.***> wrote:


bnfinet commented 3 years ago

Upon further inspection #221 went fallow and was closed without resolution by the OP. So I was mistaken when I said that it should work.

The issue is that the IdToken returned from the IdP is not inspected for claims.

OIDC looks at userinfo https://github.com/vouch/vouch-proxy/blob/09a72cab24380c955179ca46d35392dcb25203d8/pkg/providers/openid/openid.go#L52

It could be improved to do something similar to what ADFS does by grabbing the IdToken out of userinfo call https://github.com/vouch/vouch-proxy/blob/09a72cab24380c955179ca46d35392dcb25203d8/pkg/providers/adfs/adfs.go#L104-L112

It'd be pretty nice to add that logic to pkg/providers/common.go.

@bonnydeal do you have any interest in working on that?
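One way to implement the merge described above, as an added example that is not vouch-proxy's own code: decode the claims carried in the id_token and copy the configured claim names that the userinfo response lacks. The names claimsFromIDToken, mergeIDTokenClaims and constructedIDToken are assumptions, as is the sample token; the block does not verify the JWS signature and assumes the id_token was just received from the IdP's token endpoint over TLS.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// claimsFromIDToken decodes the payload of a compact JWS id_token. Assumption:
// the token was just received from the IdP token endpoint over TLS; it is NOT
// signature-verified here, which a production merge should do against the JWKS.
func claimsFromIDToken(idToken string) (map[string]interface{}, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id_token is not a three-part compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding id_token payload: %w", err)
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parsing id_token claims: %w", err)
	}
	return claims, nil
}

// mergeIDTokenClaims fills in the wanted claims (e.g. cognito:groups) that the
// userinfo response lacks from the id_token; userinfo keeps precedence.
func mergeIDTokenClaims(userinfo map[string]interface{}, idToken string, wanted []string) error {
	idClaims, err := claimsFromIDToken(idToken)
	if err != nil {
		return err
	}
	for _, name := range wanted {
		if v, ok := idClaims[name]; ok && userinfo[name] == nil {
			userinfo[name] = v
		}
	}
	return nil
}

// constructedIDToken builds a constructed, unsigned sample id_token (placeholder
// signature) whose payload carries the cognito:groups array that userinfo omits.
func constructedIDToken() string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"example-user","email":"user@example.com","cognito:groups":["admins","devs"]}`))
	return hdr + "." + body + ".placeholder-signature"
}
```

Calling mergeIDTokenClaims(userinfo, constructedIDToken(), []string{"cognito:groups"}) on a userinfo map that lacks the claim adds the groups array to it, which is what the X-Vouch-IdP-Claims-Cognito-Groups header needs.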

bonnydeal commented 3 years ago

I would be interested in working on that, but I have no experience in "Golang". I will try to have a look tonight.

I have also contacted AWS and they confirm it is not in the userInfo response. I have made a feature request for it to be included, but there is no guarantee that it will be or in what time-frame. Another (AWS specific) idea would be to create a new endpoint for userInfo that calls a lambda which calls the cognito userInfo and decorates the returned data with the required fields.

bonnydeal commented 3 years ago

Hi, I got put on something else. In the meantime I found an AWS specific solution. This is to create a pre token generation trigger in the cognito user pool. This trigger then calls a lambda which adds the group(s) to the userinfo