Comments (4)
Hi @alexantom,
No direct integration at this point in time, BUT, you can federate the Cognito User Pool to those IdPs and thus make the solution work with them using Cognito as "middleware".
Makes sense?
from cloudfront-authorization-at-edge.
Cognito federation is the way to go, @alexantom
from cloudfront-authorization-at-edge.
Has anyone tried this solution after adding a Federated Identity provider to the User Pool?
I've done this and I think the solution needs a new feature to make this functional.
I tested it with Google. I'm able to sign in (and sign up) with Google and gain access to the 'private' demo app. The problem is that any google user can also sign in and access the 'private' demo app. So without changes, this approach essentially makes the demo app public since anyone can get a google account.
The users associated with the IdP are given the status EXTERNAL_PROVIDER. They are also added to an autogenerated user pool group. Cognito issues tokens for them just like a user that is added by an admin so the Lambda functions treat these users as valid.
So what seems to be needed is a way for the lambdas to look for some characteristic of users, so an admin can approve an external provider user before they can access the private site.
I'm planning to try supporting this by adding a new configuration parameter to the solution: "required group". Then the lambda can check the id token provided by cognito to see if this group is present. If the group isn't present, hopefully the lambda can show an error message telling the user they need to contact an admin.
Perhaps there is a better way to do this?
from cloudfront-authorization-at-edge.
Yes, if federating with social IdPs where users can sign up themselves, you need extra controls to manage user access.
Your suggestion to use Cognito groups could work and makes sense; I'd go for that.
hopefully the lambda can show an error message telling the user they need to contact an admin.
You can code that, e.g.:
- Redirect to a static HTML page, that sits behind an unprotected public CloudFront behavior. (e.g. /signupmessage)
- Or, use the createErrorHtml function to directly create a message "contact X to sign up", similar to how messages are shown to users here.
from cloudfront-authorization-at-edge.
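An added example, written for this page and not taken from the solution's code or from any commenter, of the "required group" check and the two error-message options discussed in the comments above, in the shape of a Lambda@Edge viewer-request decision. It assumes the ID token's signature has already been verified by the solution's existing JWT verification step (decoding a JWT proves nothing; only the verified claims may be trusted), that the required group is named approved-users, that the public page sits at /signupmessage, and that createErrorHtml here is a stand-in with a hypothetical signature rather than the solution's own function. The sample tokens are constructed for the demo and carry no real signature.

```javascript
"use strict";

// Hypothetical configuration parameters for the demo.
const REQUIRED_GROUP = "approved-users";
const SIGNUP_MESSAGE_PATH = "/signupmessage"; // public, unprotected CloudFront behavior

function base64UrlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Decode the payload of a JWT. The signature MUST already have been
// verified against the user pool's JWKS before these claims are trusted.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cognito lists user pool groups in the "cognito:groups" claim of the ID
// token. Federated users are auto-added to a provider group (named like
// "<userPoolId>_Google"), so the required group must be one an admin
// assigns deliberately, never the auto-generated one.
function hasRequiredGroup(claims, requiredGroup) {
  const groups = claims["cognito:groups"];
  return Array.isArray(groups) && groups.includes(requiredGroup);
}

// Option 1 from the thread: redirect to a static page behind a public behavior.
function redirectToSignupMessage(path) {
  return {
    status: "302",
    statusDescription: "Found",
    headers: {
      location: [{ key: "Location", value: path }],
      "cache-control": [{ key: "Cache-Control", value: "no-store" }],
    },
  };
}

// Option 2: render the message directly (stand-in for the solution's
// createErrorHtml; hypothetical signature). Escape to avoid reflected HTML.
function createErrorHtml(title, message) {
  const esc = (s) => s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
  return {
    status: "403",
    statusDescription: "Forbidden",
    headers: {
      "content-type": [{ key: "Content-Type", value: "text/html; charset=utf-8" }],
      "cache-control": [{ key: "Cache-Control", value: "no-store" }],
    },
    body: `<!DOCTYPE html><html><head><title>${esc(title)}</title></head>` +
      `<body><h1>${esc(title)}</h1><p>${esc(message)}</p></body></html>`,
  };
}

// Viewer-request decision: return the request (CloudFront forwards it to the
// origin) or a response object (CloudFront serves it instead).
function authorizeRequest(request, verifiedIdToken, opts = {}) {
  const requiredGroup = opts.requiredGroup || REQUIRED_GROUP;
  const claims = decodeClaims(verifiedIdToken);
  if (hasRequiredGroup(claims, requiredGroup)) return request;
  if (opts.redirect) return redirectToSignupMessage(SIGNUP_MESSAGE_PATH);
  return createErrorHtml("Not yet approved",
    `Contact an administrator to be added to the "${requiredGroup}" group.`);
}

// Constructed demo tokens: header and signature are placeholders, the
// payload mimics what Cognito issues for a Google-federated user.
function makeDemoToken(claims) {
  const b64u = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${b64u({ alg: "none" })}.${b64u(claims)}.demo-signature`;
}
const externalUser = makeDemoToken({
  sub: "demo-sub-1", "cognito:groups": ["eu-west-1_abc123_Google"],
  identities: [{ providerName: "Google" }],
});
const approvedUser = makeDemoToken({
  sub: "demo-sub-2", "cognito:groups": ["eu-west-1_abc123_Google", "approved-users"],
});

function demo() {
  const req = { uri: "/private/index.html", method: "GET" };
  return {
    approved: authorizeRequest(req, approvedUser).uri,                 // "/private/index.html"
    blocked: authorizeRequest(req, externalUser).status,               // "403"
    redirected: authorizeRequest(req, externalUser, { redirect: true })
      .headers.location[0].value,                                      // "/signupmessage"
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

The auto-generated provider group is the one Cognito creates for every federated sign-in, so it is present on exactly the users the check is meant to block; membership in the admin-assigned group is the only thing that should open the private behavior.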