Comments (8)
So, it depends where you do the restriction.
If you control the server(s) where you want to use your user pool tokens, then extending the userinfo to include custom claims (such as organisation) is fairly straightforward - you would do so by adding another call to the promise array here. Then, you could map the custom claim to an attribute in your user pool, and read that claim on your target server to determine whether or not to allow access. With this pattern, GitHub users outside the organisation(s) can successfully use GitHub to authenticate, but are unable to use their tokens to do anything. This is what I did when I implemented this feature, but because most of the code is on the server side (and out of the scope of this repository), it doesn't make sense to include it here.
If you want to prevent users outside the organisation from authenticating to the user pool at all, then you would need to add a callback URL to intercept the callback from GitHub (the wrapper currently doesn't have a callback URL, it passes the callback straight to Cognito). This callback URL would need to exchange tokens with GitHub, call the organisations endpoint in GitHub's API, and then determine whether to redirect back to Cognito's callback, or to a page that communicates the failure. If you go this route, I think you would also have to implement your own tokens, since Cognito will want to complete the code flow. You'd also need to do something like store the GitHub token on the token you generate, so that you can unpack it and use it when Cognito calls the userinfo endpoint.
The second option is considerably more fiddly, which is why I went with the first option when I was faced with this problem.
And of course, if you (or anyone else) sees an easier way of implementing this within this wrapper, I'd welcome suggestions and/or pull requests.
from github-cognito-openid-wrapper.
Yes, this is possible with some extra development effort. It depends a bit on your use case.
In another project, I added the GitHub organisation / team metadata to the userinfo response, which the app then read to determine whether access was appropriate.
Another approach could be to add a callback to the wrapper, which would be called before the Cognito callback. This callback would check the teams, and either redirect to a "login failed" page on failure, or redirect to the Cognito callback on success. If you go this route, a PR would be welcome (the functionality could be generally useful).
No problem. I'll leave the ticket open, because adding a way to easily add this functionality would be useful.
Just for info, Timothy, could you possibly merge that functionality with team/organization into this project? I have been looking into this for some time, and since you already did it, I would like not to reinvent the wheel. Or just point me to some code where this is already done (if it is public). Thank you so much.
Sorry for bumping this up, but can someone help me / guide me on the request above?
Thanks for the explanation and this super useful project. I am facing the same problem and was going to implement the first option above. Your comment gives me confidence that this approach can work.
You're very welcome, I'm glad it helps!
If there's anything I can do in the main repo to make your life easier, do let me know (and of course PRs are welcome if you end up making improvements that might be generally useful).