You are browsing documentation for an outdated plugin version.
Amazon Cognito configuration
Amazon Cognito has two significant components: Identity Pools and User Pools. Identity Pools are the original functionality deployed in 2014; they mainly use proprietary AWS interfaces and libraries to accomplish the task of authenticating users. Furthermore, Identity Pools have no concept of claims (standard or custom) stored in the system; it is entirely a federated identity construct. User Pools are the more recent addition to the Cognito feature set; User Pools are a multi-tenant LDAP-like user repository combined with an OAuth2 and an OpenID Connect interface.
In this configuration, we use User Pools.
- Log in to AWS Console.
- Navigate to the Amazon Cognito Service.
- Click on Manage User Pools.
- Click the Create a user pool button on the right-hand side.
- Enter a pool name; we use “test-pool” for this example.
- Click Step Through Settings.
- Select Email address or phone number, and under that, select Allow email addresses. Select the following standard attributes as required: email, family name, given name.
- Click Next step.
- Accept the defaults for Password settings, then click Next step.
- Accept the defaults for MFA and verifications, then click Next step.
- Accept the defaults for Message customizations, click Next step.
- On the next screen, we are not going to create any tags. Click Next step.
- Select No for Do you want to remember your user’s devices, then click Next step.
- We can create an application definition later. Keep things simple for now and click Next step.
- We don’t have any need for Triggers or customized Sign Up/Sign In behavior for this example. Scroll down and click Save Changes.
- Click Create pool. Wait a moment for the success message.
- Make a note of the Pool ID. You will need this when configuring the application later.
Application definition
You need to add an OAuth2 application definition to the User Pool we just created.
- Go to the App clients screen in the AWS Cognito management screen for the User Pool we just created.
- Click Add an app client.
- Enter an App client name. This demo uses
kong-api
. - Enter a Refresh token expiration (in days). We will use the default of 30 days.
- Do not select Generate client secret. This example will use a public client.
- Do not select any other checkboxes.
- Click the Set attribute read and write permissions button.
- Let’s make this simple and only give the user read and write access to the required attributes. So, uncheck everything except the email, given name, and family name fields.
- Click Create app client.
- Click Show Details.
- Take note of the App client ID. We will need that later.
- Go to the App integration -> App client settings screen.
- Click the Cognito User Pool checkbox under Enabled Identity Providers.
-
Add the following to the Callback URLs field:
“https://kong-ee:8446/default, https://kong-ee:8447/default/, https://kong-ee:8447/default/auth, https://kong-ee:8443/cognito”
Note that AWS Cognito doesn’t support HTTP callback URLs. This field should include the API URL that you want to secure using AWS Cognito.
- Click the Authorization code grant checkbox under Allowed OAuth Flows.
- Click the checkboxes next to
email
,OpenID
,aws.cognito.signin.user.admin
, andprofile
. - Click the Save changes button.
- Click on the domain name tab and add a subdomain name.
- Click the Check Availability button.
If it reports
This domain is available
, the name you have chosen will work. - Click the Save changes button.
Now that you have created an Amazon Cognito User Pool and Application Definition, you can configure the OpenID Connect plugin in Kong.
Amazon’s OIDC discovery endpoint is available from:
https://cognito-idp.<REGION>.amazonaws.com/<USER-POOL-ID>
For example, in this demo, the OIDC discovery endpoint is:
https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_ie577myCv/.well-known/openid-configuration
The OAuth + OIDC debugger is a handy utility that you may use to test the authorization flow before configurations in Kong.
OIDC plugin configuration
Identify the route or service to be secured. In our example, we created a new route called /cognito to which we added the OpenID Connect plug-in.
The number of options in the plug-in can seem overwhelming but the configuration is rather simple. All you need to do is configure:
-
issuer
- You can use the OIDC discovery endpoint here, e.g.https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_ie577myCv/.well-known/openid-configuration
-
config.client_id
- This is the client ID noted when the application was created -
config.client_secret
- This is the client secret noted when the application was created. In this demo we are leaving this blank as we didn’t create a client secret. -
config.auth_methods
- If this is left blank, all flows will be enabled. If only specific flows are in scope, configure the appropriate flows accordingly.
Validating the flows
You can test the route by accessing URL “https://kong-ee:8443/cognito/anything”, and you should redirect to the Amazon Cognito login page. You need to click “Sign up” link to create a user first using your email address. The application sends a verification code to your email. Once you enter the verification code, Amazon Cognito acknowledges the account.
You can verify the confirmed user from the Cognito page under “General settings” -> “Users and groups”.