Amazon Cognito Connector

Content Type: Module
Categories: AWS

Overview

Leverage AWS Cognito for fully scalable identity and access management through an application landscape. Suited for B2B or B2C scenarios where internal and external users need different SSO-solutions. Now with Session based credentials authentication.

In this module we have documented the process for leveraging platform supported OIDC, under the tab Documentation.

Documentation

Description

This module enables delegating identity and access management from single app level to identity store and management on AWS Cognito.

Typical usage scenario

Typical usage is aimed at management for external users in B2B or B2C applications. The module is expressly intended and suited for landscapes where an external user accesses multiple applications. Usage in a stand-alone application is also possible and has the advantage of preparing an application for future integration with other systems.

The main advantage of this module is keeping internal and external user populations separated. It can be used with other SSO-solutions in the same application. For example: keep external users in AWS Cognito and manage your employees application access with Office365 or Okta.

Features and limitations

Current features:

  • User creation
  • User deletion – use this with caution!
  • Group membership add
  • Group membership remove
  • User disable/enable
  • List groups for a user
  • List groups for a userpool

Limitations:

  • Password reset only available through the Cognito management console.
  • Only one single set of IAM credentials is supported as of now. Either Static or Session IAM settings.
  • Only one single App configuration with one userpool ID and one GroupName is supported.

Further important points:

  • The OIDC Custom microflow assigns the 'User' user role to all users authenticated through Cognito. Change this if necessary to fit your use case.
  • Less crude user role management is part of the roadmap.
  • If a user is a member of multiple groups, the customized OIDC flow will check against the constant CognitoConnector.AllowedCognitoGroups if access is allowed. This will change in a future release.
  • Currently we have two places to maintain group names:
    • The CognitoConnector.AllowedCognitoGroups constant.
    • The group name in the AWS Configuration/app integration object.
  • This also applies to managing AWS regions:
    • The CognitoConnector.AwsRegion constant
    • If Session credentials are used: the region field on the IAM-settings must match the region for which these settings are created. This may differ from the value of the AwsRegion constant (this is tested).

A solution for this inconvenience is in development.

AWS Cognito configuration points of attention:

  • AWS Cognito is meant for authentication, i.e. it verifies the identity of a user.
  • This means that authorization, i.e. determining a users access rights must be done on application level.
  • There is currently no method of tying Groups to an Application, pay attention to this when configuring Cognito.
  • The recommended way of configuring is to create a separate Group for each Application.

Better support for authorization is part of the roadmap for this module.

Dependencies

  • Studio Pro 9.14.0 or higher.
  • AWSAuthentication
  • Encryption
  • LibraryLogging
  • OIDC
  • CommunityCommons
  • MxModelReflection
  • NativeMobileResources

Note: most of these modules are dependencies for OIDC.

Installation

Add the modules stated under Dependencies to your app.

  • Set the EncryptionKey constant in the Encryption module.
  • Set the AwsRegion constant to the correct value in the CognitoConnector module.
  • Add CognitoConfiguration_Dashboard to the navigation.

Configuration – Mendix app side

Note: it is recommended to prepare AWS Cognito first!

Configuration steps:

  • Add 'Cognito' to OIDC.ENU_UserProvisioningFlows. This results in a breaking change in case of an OIDC update, so consider moving this piece of functionality outside the OIDC.
  • The OIDC dependency is left on purpose to keep everything as default as possible.
  • Add the Administrator role to
    • MxModelReflection
    • OIDC
    • CognitoConnector
  • Solve other errors that result from extending the OIDC.ENU_UserProvisioningFlows.
  • Allow Anonymous users.
  • Connect the Anonymous Module role in OIDC to the Anonymous user role.
  • Add CognitoConnector.CognitoConfiguration_Dashboard to the navigation.
    • In AWS management configure:
      • General Cognito setup:
        • App name
        • User pool ID as configured in Cognito
        • Group name as configured in Cognito
        • Credentials provider: Static or Session.
      • Credentials Configuration
        • Static: IAM user credentials for a user with access to Cognito and a User Pool.
          • Static credentials:
            • Access key
            • Secret key
        • Session: all parameters as shown in the screenshot.
        • For specific information on how to configure AWS Authentication, see the general Mx docs.
      • Please note: credentials configuration is provided to ease onboarding of this module.
    • In OIDC configure everything that is necessary for the app. See screenshots & steps under Configuration – AWS Cognito.
    • For OIDC pay special attention to these attributes after app configuration in Cognito (see below):
      • Add Client ID and secret
      • Client assertion: Client ID and Secret
      • Active: yes
      • Use PKCE: no
      • Automatic Configuration URL: https:// cognito-idp.USERPOOLREGION.amazonaws.com/USERPOOLID/.well-known/openid-configuration (remove spaces)
        • For example: eu-central-1, us-east1
      • The above mentioned URL saves you a lot of copy/paste.
      • Callback response mode: Query
      • User provisioning flow: Cognito
    • Constant 'CognitoConnector.AllowedCognitoGroups'

Actual usage:

  • Add the microflows in _USE_ME/4. User data management - use this folder wherever necessary in your user creation or management logic.
  • Use the microflows in _USE_ME/3. User data EXAMPLES for inspiration.
  • Don't forget to communicate the temporary password to your user, by means of email or whatever else fits your process. There is no way to recover the password otherwise.

Configuration – AWS Cognito

The minimum configuration level to let the connector work is one IAM user with access to a User Pool and with an App integration defined. The process of creating a user pool involves a wizard of 5 steps and not all options can be changed afterwards.

Top-level bullet points correspond with currently known tab-names in the User pool view menu.

  • Users: will show up once you start creating them from your app.
  • Groups: configure the groups necessary for your landscape.
  • Sign-in experience:
    • Cognito user pool sign-in options: Email.
    • Federated IdP sign-in: not yet supported with this module.
    • Password policy
      • Length: 12 characters recommended. The module itself is set to 12 characters.
      • Contains at least 1 number
        Contains at least 1 special character (^ $ * . [ ] { } ( ) ? - " ! @ # % & / \ , > < ' : ; | _ ~ ` + =)
        Contains at least 1 uppercase letter
        Contains at least 1 lowercase letter
    • User account recovery: Enabled, Email
    • Device tracking disabled.
  • Sign-up experience: not supported, done through the initial app in your landscape from which a user is created.
  • Messaging:
    • Not supported and actively surpressed in the Java code.
    • It is possible to enable messaging through Cognito, but this requires code changes and much more additional configuration in Cognito, out of scope.
  • App integration:
    • App client information:
      • App client name
      • Store the Client ID & Secret in a safe place.
      • Authentication flows:
        • ALLOW_REFRESH_TOKEN_AUTH
        • ALLOW_USER_SRP_AUTH
        • other flows not necessary
      • Add a callback URL: ApplicationURL+ /oauth/v2/callback
    • Tweak the Hosted UI if desired.
    • User pool properties: not supported.

IMPORTANT: Configuring AWS for usage with Session credentials/IAM Anywhere is not covered by this documentation. More information here.

 

 

 

Releases

Version: 2.0.0
Framework Version: 9.14.0
Release Notes: Removed dependencies: - AWS Services module - Related .Jar files. Added dependencies: - AWSAuthentication module. - Cognito related .Jar files included with the module. Removed: - Storage of Static credentials in the AWS services module and corresponding pages. Added: - App configuration extended with credential choice (Static/Session) and possibility to store this data. Important: this update breaks the existing AWS credentials configuration. The documentation provides guidance to mitigate this.
Version: 1.0.2
Framework Version: 9.13.0
Release Notes: - Small improvements in the Java code. - Repeatedly running the Create User action resulted in an error, this is fixed.
Version: 1.0.0
Framework Version: 9.13.0
Release Notes: Intial release contains: - Basic user management - AWS configuration - OIDC configuration