Amazon Cognito Connector

Category: Connectors
Subcategory: AWS

Overview

IMPORTANT - This is a temporary, community-supported connector. We will soon be replacing this with a platform-supported version, which includes the session-based authentication using the AWS Authentication connector.

Leverage AWS Cognito for fully scalable identity and access management through an application landscape. Suited for B2B or B2C scenarios where internal and external users need different SSO-solutions.

Documentation

Description

This module enables delegating identity and access management from single app level to identity store and management on AWS Cognito.

Typical usage scenario

Typical usage is aimed at management for external users in B2B or B2C applications. The module is expressly intended and suited for landscapes where an external user accesses multiple applications. Usage in a stand-alone application is also possible and has the advantage of preparing an application for future integration with other systems.

The main advantage of this module is keeping internal and external user populations separated. It can be used with other SSO-solutions in the same application. For example: keep external users in AWS Cognito and manage your employees application access with Office365 or Okta.

Features and limitations

Current features:

  • User creation
  • User deletion – use this with caution!
  • Group membership add
  • Group membership remove
  • User disable/enable
  • List groups for a user
  • List groups for a userpool

Limitations:

  • Password reset only available through the Cognito management console.
  • Federation with common IdP's not yet available.
  • Only one single set of IAM credentials is supported as of now.
  • Only one single App configuration with one userpool ID and one GroupName is supported.
  • MFA not yet supported.

Further important points:

  • The OIDC Custom microflow assigns the 'User' user role to all users authenticated through Cognito. Change this if necessary to fit your use case.
  • Less crude user role management is part of the roadmap.
  • If a user is a member of multiple groups, the customized OIDC flow will check against the constant CognitoConnector.AllowedCognitoGroups if access is allowed. This will change in a future release.

AWS Cognito configuration points of attention:

  • AWS Cognito is meant for authentication, i.e. it verifies the identity of a user.
  • This means that authorization, i.e. determining a users access rights must be done on application level.
  • There is currently no method of tying Groups to an Application, pay attention to this when configuring Cognito.
  • The recommended way of configuring is to create a separate Group for each Application.

Better support for authorization is part of the roadmap for this module.

Dependencies

  • Studio Pro 9.13.0 or higher.
  • AWSServices
  • Encryption
  • LibraryLogging
  • OIDC
  • CommunityCommons
  • MxModelReflection
  • NativeMobileResources

Installation

Add the modules stated under Dependencies to your app.

  • Set the EncryptionKey constant in the Encryption module.
  • Add AWSServices.AfterStartup to the AfterStartup flow.

Configuration – Mendix app side

Note: it is recommended to prepare AWS Cognito first!

Configuration steps:

  • Add 'Cognito' to OIDC.ENU_UserProvisioningFlows. This results in a breaking change in case of an OIDC update, so consider moving this piece of functionality outside the OIDC.
  • The OIDC dependency is left on purpose to keep everything as default as possible.
  • Add the Administrator role to
    • AWS Services
    • MxModelReflection
    • OIDC
    • CognitoConnector
  • Solve other errors that result from extending the OIDC.ENU_UserProvisioningFlows.
  • Allow Anonymous users.
  • Connect the Anonymous Module role in OIDC to the Anonymous user role.
  • Add CognitoConnector.CognitoConfiguration_Dashboard to the navigation.
    • In AWS management configure:
      • IAM user credentials for a user with access to Cognito and a User Pool.
        • Select the region that corresponds with your User pool
        • Idenfier: Account ID (12 digits) or account alias
        • Provider: Static (access and secret key)
        • Endpoint: leave blank
        • Static credentials:
          • Access key
          • Secret key
      • Cognito settings:
        • App name
        • User pool ID as configured in Cognito
        • Group name as configured in Cognito
    • In OIDC configure everything that is necessary for the app. See screenshots & steps under Configuration – AWS Cognito.
    • For OIDC pay special attention to these attributes after app configuration in Cognito (see below):
      • Add Client ID and secret
      • Client assertion: Client ID and Secret
      • Active: yes
      • Use PKCE: no
      • Automatic Configuration URL: https:// cognito-idp.USERPOOLREGION.amazonaws.com/USERPOOLID/.well-known/openid-configuration (remove spaces)
        • For example: eu-central-1, us-east1
      • The above mentioned URL saves you a lot of copy/paste.
      • Callback response mode: Query
      • User provisioning flow: Cognito
    • Constant 'CognitoConnector.AllowedCognitoGroups'

Actual usage:

  • Add the microflows in _USE_ME/4. User data management - use this folder wherever necessary in your user creation or management logic.
  • Use the microflows in _USE_ME/3. User data EXAMPLES for inspiration.
  • Don't forget to communicate the temporary password to your user, by means of email or whatever else fits your process. There is no way to recover the password otherwise.

Configuration – AWS Cognito

The minimum configuration level to let the connector work is one IAM user with access to a User Pool and with an App integration defined. The process of creating a user pool involves a wizard of 5 steps and not all options can be changed afterwards.

Top-level bullet points correspond with currently known tab-names in the User pool view menu.

  • Users: will show up once you start creating them from your app.
  • Groups: configure the groups necessary for your landscape.
  • Sign-in experience:
    • Cognito user pool sign-in options: Email.
    • Federated IdP sign-in: not yet supported with this module.
    • Password policy
      • Length: 12 characters recommended. The module itself is set to 12 characters.
      • Contains at least 1 number
        Contains at least 1 special character (^ $ * . [ ] { } ( ) ? - " ! @ # % & / \ , > < ' : ; | _ ~ ` + =)
        Contains at least 1 uppercase letter
        Contains at least 1 lowercase letter
    • User account recovery: Enabled, Email
    • Device tracking disabled.
  • Sign-up experience: not supported, done through the initial app in your landscape from which a user is created.
  • Messaging:
    • Not supported and actively surpressed in the Java code.
    • It is possible to enable messaging through Cognito, but this requires code changes and much more additional configuration in Cognito, out of scope.
  • App integration:
    • App client information:
      • App client name
      • Store the Client ID & Secret in a safe place.
      • Authentication flows:
        • ALLOW_REFRESH_TOKEN_AUTH
        • ALLOW_USER_SRP_AUTH
        • other flows not necessary
      • Add a callback URL: ApplicationURL+ /oauth/v2/callback
    • Tweak the Hosted UI if desired.
    • User pool properties: not supported.

 

 

 

Releases

Version: 1.0.0
Framework Version: 9.13.0
Release Notes: Intial release contains: - Basic user management - AWS configuration - OIDC configuration