Using Auth0 as OIDC provider for Cognito Identity Pool

Gunjan Chhetri — Sat, 24 Aug 2024 08:13:11 +0000

In a previous post Authentication and Authorization with AWS Cognito, we explored how to securely grant users access to AWS resources by leveraging AWS Cognito User Pools and Identity Pools. In that scenario, the User Pool handled authentication, and upon successful login, the Identity Pool provided the necessary temporary credentials, allowing access to services like Amazon Kinesis.

In this post, we will take a step further and replace the Cognito User Pool with Auth0 for authentication. This approach is particularly useful if you prefer Auth0’s robust and feature-rich authentication services. We will walk through the steps to integrate Auth0 with an AWS Cognito Identity Pool, enabling authenticated users to access AWS resources securely.

The full code can be found here https://github.com/gunjchhetri/autho_cognito_identity

Create an application in Auth0
The first step is to create an application in Auth0, which serves as the identity provider for the users.

Create a New Application: Go to Auth0 dashboard and click on the "Applications" section and create a new application. You will need to select the type of application (e.g., Single Page Application, Native, etc.) based on your use case. For this demo we will be creating Single Page Application.
Retrieve Application Domain and Client ID: Once the application is created, note down the Domain and Client ID—these will be used in later steps.

For detailed instructions, refer to the https://auth0.com/docs/get-started/auth0-overview/create-applications

Create Custom Identity Provider
Next, we need to set up an OpenID Connect (OIDC) identity provider in AWS IAM, where we provide the details of th Auth0 aplication that we created above

Here’s how you can do this using AWS CDK:

 const auth0Provider = new iam.OpenIdConnectProvider(this, "Auth0Provider", {
      url: "https://YOUR_DOMAIN_NAME", // Replace with your Auth0 domain
      clientIds: [Client_Id],
    });

The url is the Auth0 domain specific to your application.
The clientIds field should include the Client ID you retrieved from the Auth0 application settings. This creates an OIDC identity provider in AWS that trusts your Auth0 application.

Create a Cognito Identity Pool
Now, you need to create a Cognito Identity Pool that uses the Auth0 identity provider that we created above for authentication. This Identity Pool will issue AWS credentials to the users using which they will be able to access AWS Services(Kinesis in our case)

Here’s how to do it using AWS CDK:

 const identityPool = new cognito.CfnIdentityPool(this, "IdentityPool", {
      allowUnauthenticatedIdentities: false,
      identityPoolName: "MyAuth0IdentityPool",
      openIdConnectProviderArns: [auth0Provider.openIdConnectProviderArn],
    });

Grant required role for AWS Service
To allow authenticated users to access AWS resources like Kinesis, you need to define an IAM role with the necessary permissions and attach it to the Identity Pool.

const authenticatedRole = new iam.Role(
      this,
      "CognitoKinesesAuthenticatedRole",
      {
        assumedBy: new iam.FederatedPrincipal(
          "cognito-identity.amazonaws.com",
          {
            StringEquals: {
              "cognito-identity.amazonaws.com:aud": identityPool.ref,
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated",
            },
          },
          "sts:AssumeRoleWithWebIdentity"
        ),
        managedPolicies: [
          iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonKinesisFullAccess"),
        ],
      }
    );

    // Attach the authenticated role to the identity pool
    new cognito.CfnIdentityPoolRoleAttachment(
      this,
      "IdentityPoolRoleAttachment",
      {
        identityPoolId: identityPool.ref,
        roles: {
          authenticated: authenticatedRole.roleArn,
        },
      }
    );

UI Setup for Authentication and AWS Access

In this demo, we'll use a single index.html page to illustrate how to implement user authentication with Auth0 and access AWS resources securely.
To get started, include the necessary AWS and Auth0 SDKs in your index.html:

 <script src="https://sdk.amazonaws.com/js/aws-sdk-2.774.0.min.js"></script>
    <script src="https://cdn.auth0.com/js/auth0-spa-js/2.0/auth0-spa-js.production.js"></script>

Configure Auth0
Create a configuration file named auth0.json with the following content. This file stores your Auth0 domain and client ID:

{
  "domain": "YOUR_DOMAIN",
  "clientId": "Client_Id"
}

and then configure the auth0 client:

const response = await fetch("/auth0.json")
      const config = await response.json();

      auth0Client = await auth0.createAuth0Client({
        domain: config.domain,
        clientId: config.clientId,
        authorizationParams: {
          redirect_uri: window.location.origin,
        },
      });

Retrieve AWS IAM Credentials
Upon successful login to AUth0, user will receive the Id token which can be used to obtain the IAM credentials from the cognito identity pool:

 AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: IDENTITY_POOL_ID,
        Logins: {
          [APP_DOMAIN_NAME]: idToken,
        },
      });

By using this credentials, user would be able to securely call the kinesis stream

const kinesis = new AWS.Kinesis();
        const jsonString = JSON.stringify({ event: "linkClicked" });
        const kinesisParams = {
          Data: jsonString,
          PartitionKey: "key1",
          StreamName: "DemoKinesis",
        };

        kinesis.putRecord(kinesisParams, (err, data) => {
          if (err) console.error(err, err.stack);
          else console.log(data);
        });

By following these steps, we can replace AWS Cognito User Pools with Auth0 for authentication while still leveraging Cognito Identity Pools to grant secure, temporary AWS credentials to theusers. This setup combines the flexibility of Auth0 with the power of AWS, enabling us to build secure, scalable applications with ease.

Authentication and Authorization with AWS Cognito

Gunjan Chhetri — Sat, 24 Aug 2024 04:49:22 +0000

AWS Cognito offers powerful features for user authentication and authorization. The User Pool in Cognito primarily handles authentication, while the Identity Pool manages authorization by granting users access to required AWS services, providing short-lived IAM credentials. In this article, we will use the User Pool for authentication and demonstrate how to grant required permissions to the logged in user.

Create AWS resources

We will be using CDK to create the required resources namely

Cognito User Pool
Cognito Identity Pool
Kinesis Stream

The full code can be found here - https://github.com/gunjchhetri/cognito-kinesis

Once the User Pool and Identity Pool are created, we would need to create a role that would grant the required permission to put data to the kinesis stream

const authenticatedRole = new iam.Role(
      this,
      "CognitoDefaultAuthenticatedRole",
      {
        assumedBy: new iam.FederatedPrincipal(
          "cognito-identity.amazonaws.com",
          {
            StringEquals: {
              "cognito-identity.amazonaws.com:aud": identityPool.ref,
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated",
            },
          },
          "sts:AssumeRoleWithWebIdentity"
        ),
        managedPolicies: [
          iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonKinesisFullAccess"),
        ],
      }
    );

The above role is then attached to the identity pool so that the logged in users from user pool would be able to put message to kinesis stream.

 new cognito.CfnIdentityPoolRoleAttachment(
      this,
      "IdentityPoolRoleAttachment",
      {
        identityPoolId: identityPool.ref,
        roles: {
          authenticated: authenticatedRole.roleArn,
        },
      }
    );

UI Integration

For this demo, we will be using a single index.html file where the user will first log in to the Cognito User Pool. The code below will open the default cognito login page.

 const redirectUri = "http://localhost:8000";
const loginUrl = `https://${cognitoDomain}/login?response_type=code&client_id=${clientId}&redirect_uri=${encodeURIComponent(
        redirectUri
      )}`;
      window.location.href = loginUrl;

Once the user logs in to Cognito, they will be redirected back to the application with the token ID attached in the URL, which we can use to get the access token:

 const tokenUrl = `https://${cognitoDomain}/oauth2/token`;
      const body = `grant_type=authorization_code&client_id=${clientId}&code=${code}&redirect_uri=${encodeURIComponent(
        redirectUri
      )}`;
      //const authHeader = "Basic " + btoa(`${clientId}:${clientSecret}`);

      const response = await fetch(tokenUrl, {
        method: "POST",
        headers: {
          "Content-Type": "application/x-www-form-urlencoded",
        },
        body: body,
      }); 

      token = response.json();
      return token;

The access token can then be used to obtain short-lived IAM credentials, which can be used to call the Kinesis stream using the AWS SDK:

AWS.config.region = "AWS_REGION";  

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: "Idenitity_Pool_ID",
        Logins: {
          [`cognito-idp.${AWS.config.region}.amazonaws.com/User_Pool_Id`]:
            idToken,
        },
      });

      await AWS.config.credentials.getPromise();
      return AWS.config.credentials;

By leveraging AWS Cognito's User Pool and Identity Pool, we've demonstrated how to securely authenticate users and grant them the necessary permissions to interact with AWS services, such as Kinesis, using short-lived IAM credentials.

DEV Community: Gunjan Chhetri

Using Auth0 as OIDC provider for Cognito Identity Pool

Authentication and Authorization with AWS Cognito

Create AWS resources

UI Integration