Single-Sign-On By Vouch Proxy And AWS Cognito

Abstract

• For Kubernetes cluster, we have many observability and monitoring tools which are built-in with separated dashboard/console UIs with login-authentication. We don't want to create many domains as well as multiple accounts to handle them. This post introduces vouch proxy as a solution to provide single-sign on which supports many OAuth and OIDC login providers and can enforce authentication to AWS Cognito user pool.

Table Of Contents

• Vouch Proxy Overview
• What Exactly Vouch Proxy Does?
• How does vouch-proxy protect the domains?
• Setup AWS Cognito as authorised provider
• Deploy vouch-proxy and nginx
• Troubleshooting
• Conclusion

---

🚀 Vouch Proxy Overview

• Vouch Proxy - An SSO solution for Nginx using the auth_request module. Vouch Proxy can protect all of your websites at once.
• Vouch Proxy supports many OAuth and OIDC login providers and can enforce authentication to... This blog introduces applying vouch-proxy with AWS Cognito userpool
• In this blog post, we apply this solution for Applications such as Solr Cloud, AKHQ, and glowroot in Kubernetes cluster where vouch proxy and nginx are also deployed on.

🚀 What Exactly Vouch Proxy Does

• Diagram

• The flows
  1. User access to one of the subpaths such as /solr for Solr Admin UI through https://sso.simflexcloud.com/solr
  2. The request is go to AWS Application load balancer and then forwarded to NGINX target group
  3. Nginx authorizes the request by calling/validating the request using vouch-proxy through the internal endpoint http://vouch:9090/validate of Kubernetes service
  4. Vouch-proxy validates and returns 200 if the user already has the cache login token or returns 401 if not yet performed login
     • With 200 code, the request is redirected to the target location here is Solr UI admin
     • With 401 code, the request is redirected to https://vouch.simflexcloud.com/login?url=https://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err> to login, if the login is successful, the request is redirected to the target location here is Solr UI admin
  5. Default redirect is the main page or marketing page or anything you would like to show as your SSO

🚀 How does vouch-proxy protect the domains?

• Vouch-proxy (VP) supports many OAuth and OIDC login providers to authentication
• Furthermore, vouch-proxy whitelists the domains, not only the access domain but also the domain of email login. The cookie domain, the domain that VP is served from and the protected app must all be the same domain. For example, if we just whitelist the app domain such as simflexcloud.com but the email is simflex.cloud@gmail.com it will not authorize the user ```

2022-07-07T15:58:12.716Z WARN /auth User is not authorized: verifyUser: Email simflex.cloud@gmail.com is not within a Vouch Proxy managed domain . Please try again or seek support from your administrator

## 🚀 **Setup AWS Cognito as authorised provider** <a name="Setup-AWS-Cognito-as-authorize-provider"></a>
- Pre-requisite: You already create Coginto user for login authentication.

- Cognito userpool application client

  <img src=https://raw.githubusercontent.com/vumdao/sso-vouch-proxy/master/images/cognito-sso.png width=1100>

- Setup vouch-proxy config with AWS Cognito, replace the URLs with one's setup from Cognito

vouch:
logLevel: debug
port: 9090

cookie:
  secure: false

domains: # app domain and mail domain only
- simflexcloud.com
- gmail.com

oauth:
provider: oidc
client_id: AWS_COGNITO_VOUCH_CLIENT_ID
auth_url: https://{yourCognitoDomain}.amazoncognito.com/oauth2/authorize
token_url: https://{yourCognitoDomain}.amazoncognito.com/oauth2/token
user_info_url: https://{yourCognitoDomain}.amazoncognito.com/oauth2/userInfo
scopes:
- openid
- email
- profile
callback_url: https://{callbackURL}/auth

## 🚀 **Deploy vouch-proxy and nginx** <a name="Deploy-vouch-proxy-and-nginx"></a>
- Go to [nginx](https://github.com/vumdao/sso-vouch-proxy/tree/master/nginx) to get Dockerfile, nginx config files to build the `nginx-gw` image
- Use the `quay.io/vouch/vouch-proxy` image to start vouch-proxy by mounting the config file to `/config/config.yml`

## 🚀 **Troubleshooting** <a name="Troubleshooting"></a>
- Getting started to align between Nginx, Vouch Proxy and your identity provider (IdP) can be tricky, vouch-proxy provides a config to enable the testing mode

vouch:
testing: true
logLevel: debug

- With testing enable, the UI will step us to each phase of redirecting

  <img src=https://raw.githubusercontent.com/vumdao/sso-vouch-proxy/master/images/vp-1.png width=1100>

  <img src=https://raw.githubusercontent.com/vumdao/sso-vouch-proxy/master/images/vp-2.png width=1100>

## 🚀 **Conclusion** <a name="Conclusion"></a>
- Now we have SSO domain to access all the services conveniently and it's possible to add any more subpath for other services. The session with Congito userpool token has expired time and we can update this timeout through Cognito attributes.

---


    
      

        
      
    
  

    

🚀 Vu Dao 🚀 Follow

    

      🚀 AWSome Devops | AWS Community Builder | AWS SA || ☁️ CloudOpz ☁️
    
  



  

    

      
      
        vumdao
       / 
        vumdao