How to Integrate AWS Cognito with OpenShift 4

In this post, we are going to integrate the Cognito authentication service from AWS with Red Hat OpenShift 4.

OpenShift 4 comes with a wide range of authentication providers to authenticate users, they can be very basic (HTPasswd), traditional (LDAP), integrated (GitHub) or based on OpenID Connect. We're going to focus on the OpenID Connect identity provider.

Configure AWS Cognito

Creating of the service

1. Open your AWS Console and go to the Cognito service
2. Create a user pool and choose the Step trough settings option
3. In the Attributes section, ensure you configure the following:
   1. How do you want your end users to sign in? Username (you can also allow users to use their e-mail address)
   2. Which standard attributes do you want to require?: email, profile, preferred username
4. In the App client section, click on Add an app client, enter an app name (e.g.: OCP) and ensure you select Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH), keep the rest as it is and click on Create app client
5. Once the pool is created, go to App integration > App client settings and configure the following:
   1. Enabled Identity Providers: Select all
   2. Cognito User Pool: Checked
   3. Callback URL(s): https://oauth-openshift.apps.demo.example.com/oauth2callback/Cognito (Match to your domain)
   4. Allowed OAuth Flows: Authorization code grant
   5. Allowed OAuth Scopes: email,openid,aws.cognito.signin.user.admin,profile
6. Confirm configuration by clicking on Create pool in the Review section

Configuration of the service

Now that the user pool has been created and configured to accept authentication requests from OpenShift, we'll have to gather some information:

1. Go to freshly created pool and go to the General settings section and copy the value from Pool Id
2. On the App clients section, you should find the the app client created previously, click on Show Details to expend and gather the App client id and the App client secret
3. Create some users in your pool

Configure OpenShift 4

Now that Cognito is ready, let's configure OpenShift to use the values gathered previously.

1. Go to Administration > Cluster Settings
2. Go to Global Configuration and search for OAuth
3. In the dropdown located in the Identity providers part at the bottom, choose OpenID Connect and enter the following information
   • Name: Cognito
   • Client ID: {Gathered client ID from previous step}
   • Client Secret: {Gathered client secret}
   • Issuer URL: https://cognito-idp.{aws_region}.amazonaws.com/{ pool ID eg: eu-west-1_sLzMKS}

1. Leave the other parameters and click Add

2. Leave a few minutes to the Authentication Operator to reload and try to logout
   

   oc get clusteroperator authentication
   

Once the authentication operator has restarted, logout from OpenShift. On the login page, you should now see a button named Cognito.

When clicking on the Cognito button, you'll be redirected to the Cognito login page.

Use the account you previously created in Cognito and voilà!

Conclusion

This gives you an overview on how to get Cognito working with your OpenShift. It still requires to manage the RBAC and the groups for the users so they have correct permissions on the cluster. Also note that all theses steps can be automated.