
Comments (4)

ottokruse commented on July 17, 2024

Hi @alexantom,

No direct integration at this point in time, BUT, you can federate the Cognito User Pool to those IdPs and thus make the solution work with them using Cognito as "middleware".

Makes sense?

from cloudfront-authorization-at-edge.

str3tch commented on July 17, 2024

Cognito federation is the way to go, @alexantom

from cloudfront-authorization-at-edge.

scytacki commented on July 17, 2024

Has anyone tried this solution after adding a Federated Identity provider to the User Pool?
I've done this and I think the solution needs a new feature to make this functional.

I tested it with Google. I'm able to sign in (and sign up) with Google and gain access to the 'private' demo app. The problem is that any Google user can also sign in and access the 'private' demo app. So without changes, this approach essentially makes the demo app public since anyone can get a Google account.

The users associated with the IdP are given the status EXTERNAL_PROVIDER. They are also added to an autogenerated user pool group. Cognito issues tokens for them just like a user that is added by an admin so the Lambda functions treat these users as valid.

So what seems to be needed is a way for the lambdas to look for some characteristic of users, so an admin can approve an external provider user before they can access the private site.

I'm planning to try supporting this by adding a new configuration parameter to the solution: "required group". Then the lambda can check the ID token provided by Cognito to see if this group is present. If the group isn't present, hopefully the lambda can show an error message telling the user they need to contact an admin.

Perhaps there is a better way to do this?

from cloudfront-authorization-at-edge.

ottokruse commented on July 17, 2024

Yes, if federating with social IdPs where users can sign up themselves, you need extra controls to manage user access.

Your suggestion to use Cognito groups could work and makes sense; I'd go for that.

hopefully the lambda can show an error message telling the user they need to contact an admin.

You can code that, e.g.:

  • Redirect to a static HTML page that sits behind an unprotected public CloudFront behavior (e.g. /signupmessage).
  • Or, use the createErrorHtml function to directly create a message "contact X to sign up", similar to how messages are shown to users here.

from cloudfront-authorization-at-edge.
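The "required group" gate scytacki proposes, together with the two denial options ottokruse lists, as an added example that is not code from cloudfront-authorization-at-edge. It assumes the ID token's signature and expiry have already been verified by the solution's existing JWT check (only the verified payload is inspected here), and the `REQUIRED_GROUP` value, the `deniedResponse` helper standing in for createErrorHtml, and the sample tokens are all constructed for illustration.

```javascript
// Added example, not code from cloudfront-authorization-at-edge: the "required
// group" gate proposed above, written as it could sit in a Lambda@Edge handler.
// Assumption: the ID token's signature and expiry have ALREADY been verified by
// the solution's existing JWT check; this only inspects the verified payload.
const REQUIRED_GROUP = "approved-users"; // hypothetical configuration value

// Decode one base64url JWT segment to an object (no signature check here).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Groups from the "cognito:groups" claim. A federated user normally only has the
// auto-generated "<userPoolId>_<Provider>" group until an admin adds another.
function groupsFromIdToken(idToken) {
  try {
    const parts = idToken.split(".");
    if (parts.length !== 3) return [];
    const groups = decodeSegment(parts[1])["cognito:groups"];
    return Array.isArray(groups) ? groups : [];
  } catch (_) {
    return []; // malformed payload: treat as having no groups
  }
}

// Allow only callers whose ID token carries the required group.
function checkRequiredGroup(idToken, requiredGroup = REQUIRED_GROUP) {
  if (groupsFromIdToken(idToken).includes(requiredGroup)) return { allowed: true };
  return { allowed: false, message: `Contact an administrator to be added to the "${requiredGroup}" group.` };
}

// CloudFront response for a denied user: either redirect to a public static page
// (the /signupmessage option) or return the message directly as a 403 page
// (hypothetical stand-in for the solution's createErrorHtml).
function deniedResponse(decision, useRedirect) {
  if (useRedirect) {
    return { status: "302", headers: { location: [{ key: "Location", value: "/signupmessage" }] } };
  }
  return { status: "403", headers: { "content-type": [{ key: "Content-Type", value: "text/html" }] },
           body: `<html><body><p>${decision.message}</p></body></html>` };
}

// Constructed, unsigned sample tokens (header.payload.signature) for illustration.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.signature`;
}
const GOOGLE_ONLY = sampleToken({ sub: "u1", "cognito:groups": ["us-east-1_abc_Google"] });
const APPROVED = sampleToken({ sub: "u2", "cognito:groups": ["us-east-1_abc_Google", REQUIRED_GROUP] });
```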
