2
votes

I want to implement the AWS Cognito server-side flow with Spring Boot. I don't quite understand what the flow should be. Should I use Spring OAuth along with it?

The requirement is something like this: as an admin, create users and give these created users access to my API from API Gateway (let's ignore the API Gateway part and say we just need an access token from Cognito for now).

Here is what I think should happen if I use AWS Cognito with Spring OAuth2:

The user hits localhost:8000/oauth/token with basic authentication (username and password), which does an API call with the user's credentials. The user receives the token and uses it however he/she needs it.

  1. Is this flow secure? Should I use Spring OAuth along with it?
  2. How do I handle "respond to auth challenge"? Should the user pass a new password the first time they call my application API?

import java.util.HashMap;
import java.util.Map;

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AuthFlowType;

@RestController
public class Oauth {

    // Returns the ID token as a String (getIdToken() returns a String, not an AdminInitiateAuthResult)
    @PostMapping(path = "/oauth/token")
    public String token(@RequestHeader("username") String username, @RequestHeader("password") String password) {

        // AWSStaticCredentialsProvider has no no-arg constructor; the default chain picks up
        // the server's own AWS credentials (environment, profile, instance role, ...)
        AWSCognitoIdentityProvider provider = AWSCognitoIdentityProviderClientBuilder
                .standard()
                .withRegion(Regions.US_WEST_2)
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();

        Map<String, String> authParams = new HashMap<>();
        authParams.put("USERNAME", username);
        authParams.put("PASSWORD", password);

        AdminInitiateAuthRequest adminInitiateAuthRequest = new AdminInitiateAuthRequest()
                .withClientId("{client-id}")
                .withUserPoolId("{user-pool-id}")
                .withAuthFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                .withAuthParameters(authParams);

        AdminInitiateAuthResult authResult = provider.adminInitiateAuth(adminInitiateAuthRequest);

        // When Cognito answers with a challenge (e.g. NEW_PASSWORD_REQUIRED for a freshly
        // admin-created user), getAuthenticationResult() is null and only a challenge is returned
        if (authResult.getAuthenticationResult() == null) {
            throw new IllegalStateException("Auth challenge pending: " + authResult.getChallengeName());
        }
        return authResult.getAuthenticationResult().getIdToken();
    }

}
How well do you understand the OAuth2 authorization code flow? This is what it seems you are essentially attempting to implement - Cameron Downer
@CameronDowner I have implemented this with a user base in a database and pretty much understand the concept. The requirement now is different: to use a user pool in Cognito and restrict access to specific APIs to only these users. I'm quite confused about how to manage it using Spring Boot, but I definitely don't want the hosted UI method. - devfreak
To use your database as an external auth provider you would have to set up your Spring application as an ID provider. This would be essentially creating what you are trying to get Cognito to provide. If you want to hand off the work to Cognito you would need the user details to be stored in Cognito. You would then send the users to Cognito to authenticate and only get a token back, avoiding storing the password yourself. - Cameron Downer
Yes, I understand that right: I need to configure Spring as an ID provider. User details are stored in the Cognito user pool and we authenticate against Cognito through Spring to get a token. I have edited the question to provide sample code of how the above implementation would look. Will there be any security issue in this? What would the best practice be? - devfreak
You have a mixture of tools and no clear idea of what you want to achieve. Instead, start from the business requirement: what do you want to achieve? Then let's think about a solution for how to achieve it. For example, Cognito has nothing in common with basic authentication, and there is no need to use Spring as an Identity Provider along with Cognito at the same time. If you start from numerous solutions, then you forgot to add Kubernetes, Agile and FaaS to the list of things you need to use :-D - nickolay.laptev

1 Answer

0
votes

The business requirement is quite simple: there needs to be a pool of users (Cognito in this case) who can get some kind of token to access a few APIs. I want to achieve this using Spring Boot, since the API is written using Spring Boot and I also use AWS API Gateway.

Should I use Spring OAuth along with it?

No. Authorization is done by API Gateway.
API clients need to obtain a token from Cognito (i.e. authenticate themselves there) before using the API. There is no need to do anything on the application (Spring) side.
Details are here.

If you want to implement authentication for API clients using Cognito, then see the Cognito docs for examples and manuals.
FYI, an Application Load Balancer can also be used to handle the whole authentication flow for the API.
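The client-side flow the answer describes (the API client obtains its tokens from Cognito directly, with no Spring-side code), including the NEW_PASSWORD_REQUIRED challenge the question asks about, as an added Python example that is not part of the question or the answer. It assumes a boto3 `cognito-idp` client whose app client has the USER_PASSWORD_AUTH flow enabled; `{client-id}` and the sample user are placeholders.

```python
import base64
import hashlib
import hmac


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH, needed when the app client has a client secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def get_tokens(client, client_id, username, password,
               client_secret=None, new_password=None):
    """USER_PASSWORD_AUTH against the user pool, answering the
    NEW_PASSWORD_REQUIRED challenge an admin-created user gets on first sign-in.
    Returns Cognito's AuthenticationResult dict (IdToken, AccessToken, ...)."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    resp = client.initiate_auth(ClientId=client_id,
                                AuthFlow="USER_PASSWORD_AUTH",
                                AuthParameters=params)

    # A challenge response carries no AuthenticationResult yet, only a Session.
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        if not new_password:
            raise RuntimeError("first sign-in: Cognito requires a new password")
        answers = {"USERNAME": username, "NEW_PASSWORD": new_password}
        if client_secret:
            answers["SECRET_HASH"] = params["SECRET_HASH"]
        resp = client.respond_to_auth_challenge(
            ClientId=client_id,
            ChallengeName="NEW_PASSWORD_REQUIRED",
            Session=resp["Session"],
            ChallengeResponses=answers)
    if "AuthenticationResult" not in resp:
        raise RuntimeError("unhandled challenge: %s" % resp.get("ChallengeName"))
    return resp["AuthenticationResult"]


if __name__ == "__main__":
    import boto3  # only needed for a live call; "{client-id}" is a placeholder
    cognito = boto3.client("cognito-idp", region_name="us-west-2")
    tokens = get_tokens(cognito, "{client-id}", "alice", "TempPass1!",
                        new_password="NewPass1!")
    print(tokens["IdToken"][:20] + "...")
```

The returned IdToken or AccessToken is what the client then sends to API Gateway, which validates it against the Cognito authorizer; the Spring application never sees the password.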