OpenID Connect with Amazon Cognito
Amazon Cognito Configuration
Amazon Cognito has two significant components: Identity Pools and User Pools. Identity Pools are the original functionality deployed in 2014; they mainly use proprietary AWS interfaces and libraries to accomplish the task of authenticating users. Furthermore, Identity Pools have no concept of claims (standard or custom) stored in the system; it is entirely a federated identity construct. User Pools are the more recent addition to the Cognito feature set; User Pools are a multi-tenant LDAP-like user repository combined with an OAuth2 and an OpenID Connect interface.
In this configuration, we use User Pools.
- Log in to AWS Console.
Navigate to the Amazon Cognito Service.
Click on Manage User Pools.
Click the Create a user pool button on the right-hand side.
Enter a pool name; we use “test-pool” for this example.
Click Step Through Settings.
Select Email address or phone number, and under that, select Allow email addresses. Select the following standard attributes as required: email, family name, given name.
- Click Next step.
- Accept the defaults for Password settings, then click Next step.
- Accept the defaults for MFA and verifications, then click Next step.
- Accept the defaults for Message customizations, click Next step.
- On the next screen, we are not going to create any tags. Click Next step.
- Select No for Do you want to remember your user’s devices, then click Next step.
- We can create an application definition later. Keep things simple for now and click Next step.
We don’t have any need for Triggers or customized Sign Up/Sign In behavior for this example. Scroll down and click Save Changes.
- Click Create pool. Wait a moment for the success message.
- Make a note of the Pool ID. You will need this when configuring the application later.
You need to add an OAuth2 application definition to the User Pool we just created.
Go to the App clients screen in the AWS Cognito management screen for the User Pool we just created.
Click “Add an app client”.
Enter an App client name. This demo is using “kong-api”
- Enter a Refresh token expiration (in days). We will use the default of 30 days.
Do not select “Generate client secret”. This example will use a public client.
Do not select any other checkboxes.
Click the “Set attribute read and write permissions” button.
Let’s make this simple and only give the user read and write access to the required attributes. So, uncheck everything except the email, given name, and family name fields.
Click “Create app client”
Click “Show Details”.
- Take note of the App client ID. We will need that later.
- Go to the App integration -> App client settings screen.
- Click the “Cognito User Pool” checkbox under Enabled Identity Providers.
Add the following to the Callback URLs field:
“https://kong-ee:8446/default, https://kong-ee:8447/default/, https://kong-ee:8447/default/auth, https://kong-ee:8443/cognito”
Note that AWS Cognito doesn’t support HTTP callback URLs. This field should
include the API and Dev Portal URLs that you want to secure using AWS Cognito.
Click the “Authorization code grant” checkbox under Allowed OAuth Flows.
- Click the checkboxes next to email, OpenID, aws.cognito.signin.user.admin, and profile.
- Click the “Save changes” button.
- Click on the domain name tab.
- Add a sub-domain name.
- Click the Check Availability button.
As long as it reports “This domain is available”, the name you have chosen will work.
- Click the “Save changes” button.
Now that you have created an Amazon Cognito User Pool and Application Definition, we can configure the OpenID Connect plugin in Kong. We can then test integration between Dev Portal and Amazon Cognito.
Amazon’s OIDC discovery endpoint is available from:
For example, in this demo, the OIDC discovery endpoint is:
The OAuth + OIDC debugger is a handy utility that you may use to test the authorization flow before configurations in Kong.
OIDC Plugin Configuration
Identify the Route or Service to be secured. In our example, we created a new route called /cognito to which we added the OpenID Connect plug-in.
The number of options in the plug-in can seem overwhelming but the configuration is rather simple. All you need to do is configure:
issuer - You can use the OIDC discovery endpoint here, e.g.
config.client_id - This is the client ID noted when the application was created
config.client_secret - This is the client secret noted when the application was created. In this demo we are leaving this blank as we didn’t create a client secret.
config.auth_methods - If this is left blank, all flows will be enabled. If only specific flows are in scope, configure the appropriate flows accordingly.
Validating the Flows
You can test the route by accessing URL “https://kong-ee:8443/cognito/anything”, and you should redirect to the Amazon Cognito login page. You need to click “Sign up” link to create a user first using your email address. The application sends a verification code to your email. Once you enter the verification code, Amazon Cognito acknowledges the account.
You can verify the confirmed user from the Cognito page under “General settings” -> “Users and groups”.
Dev Portal Integration
Important: The settings below are intended for non-production use only, as they override the default
admin_listen setting to listen for requests from any source. Do not use these settings in environments directly exposed to the internet.
If you need to expose the
admin_listen port to the internet in a production environment,
secure it with authentication.
Since AWS Cognito only supports the HTTPS protocol, when you start Kong Gateway, ensure that HTTPS protocol for Dev Portal is enabled. For example:
docker run -d --name kong-ee --link kong-ee-database:kong-ee-database \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-ee-database" \
-e "KONG_CASSANDRA_CONTACT_POINTS=kong-ee-database" \
-e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
-e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
-e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001 , 0.0.0.0:8444 ssl" \
-e "KONG_PORTAL=on" \
-e "KONG_ENFORCE_RBAC=off" \
-e "KONG_ADMIN_GUI_URL=http://kong-ee:8002" \
-e "KONG_AUDIT_LOG=on" \
-e "KONG_PORTAL_GUI_PROTOCOL=https" \
-e "KONG_PORTAL_GUI_HOST=kong-ee:8446" \
-e "KONG_LICENSE_DATA=$KONG_LICENSE_DATA" \
-p 8000-8004:8000-8004 \
-p 8443-8447:8443-8447 \
Under Dev Portal settings, select “Open ID Connect” as the authentication plugin.
Copy and paste the following Auth Config JSON object:
To log out the user completely, we need to use the logout endpoint provided by Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html). Therefore, in the above configuration, we have passed in Cognito logout endpoint of logout redirect URL.
Please also note that the developer signed up from Dev Portal doesn’t get created in Cognito automatically. Therefore, developer sign-up is a two-step process:
- The developer signs up from Dev Portal itself, so a Kong Admin needs to approve the developer access.
- The developer signs up from Amazon Cognito. Please make sure that you use the same email address for both sign-ups.
Now you should be able to login to Dev Portal using the Amazon Cognito user and credential.