Comments (6)
Hi @wakie, thanks for the suggestion.
Do you have an idea/opinion on how that should work? Will it be an externally hosted login page or within the same CloudFront distribution?
And did you consider federating Cognito to e.g. your AD or another IDP solution? Is that applicable to you? If you federate Cognito to exactly 1 IDP, then the Cognito Hosted UI won't even be shown; the user would be forwarded to the IDP's login page immediately (can also make it work with multiple IDPs, by the way).
Hi @ottokruse, appreciate the response.
My intention is to use my own page hosted within the same CloudFront distro. My script plugs directly into the Cognito APIs so it can handle all of the authentication. This is for the purpose of maintaining a consistent UX without redirecting to a different domain with a different experience.
I don't intend on using AD or third-party IDPs at this stage, but may do in the future. I specifically want to use the Cognito user pool right now.
I'm happy to add any requirements (OAuth, etc.) into my app in order to implement the support, just so long as I maintain full control of the login flow's UX.
I just had a thought, @ottokruse.
If we allowed "CognitoAuthDomain" to be set via an input parameter, it may just do what I want!
Would that be tricky to implement, at least to try it out as a proof of concept?
There is a PR for that actually: #44
But... I'm inclined to not pursue that, and instead make the User Pool itself a param, not just the auth domain (read the PR comments if you wanna know why).
You could check out that PR though and see if it does what you want.
Nice, I didn't know that existed.
I've been thinking about the custom User Pool param feature. I could potentially use that to fit my needs on the assumption that I could use Cognito's custom domain but have the DNS records for that domain to be pointed elsewhere to serve a different page with the domain.
Essentially have the edge Lambdas redirect to the custom domain set in the User Pool which is hosted elsewhere.
Does that sound like it could work?
While that could work, I think for what you are looking for it will not be the simplest solution. The Lambdas are currently coded to cooperate in the OAuth2 dance of the Cognito Hosted UI. You would need to build that OAuth2 dance then also in your custom sign-in page.
Other approach might be:
- create custom sign-in page yourself. It can interact with Cognito APIs directly, not through OAuth2
- change the checkauth Lambda to redirect to your own page, instead of the Cognito hosted domain
- do everything you need to do for sign-in in your own page, including acquiring JWTs and setting them in cookies. (That would replace the parseauth function.)
But of course that deviates from the solution in this repo - it is similar but different.