Example of accessing Amazon API Gateway with Amazon Cognito User Pools and Okta OpenID Connect Federation

The purpose of this codebase is to illustrate a possible implementation of the Authorization Code grant type with Amazon Cognito federating to an OpenID Connect provider. The access token, retrieved as the final outcome of the flow, is then used by the client to access an endpoint exposed by Amazon API Gateway and implemented by an AWS Lambda function.

The client is made of two software components: some basic HTML and JavaScript code running in the user agent (browser) and an Express application running on Node.js.

On the server side, Amazon Cognito includes a dedicated user pool, federated with Okta, which is the selected OpenID Connect identity provider.

Architecture Diagram

The sequence of calls to complete authorisation and resource retrieval is as follows:

Sequence Diagram

Upon successful authentication with Okta, Amazon Cognito creates a user in the configured user pool, which you can see in the AWS Management Console.

Prerequisites

  1. CDK setup
  2. Node.js installed

Setup steps

  1. Set up a free trial account at Okta

  2. Copy your account domain from the top right of the screen; it looks like dev-{NUMBER}.okta.com

  3. Create a new OpenID Connect (OIDC) app integration:

    1. On the left sidebar navigation menu, select Applications => Applications
    2. Select Create App Integration

    Okta create app

    3. Select OIDC - OpenID Connect

    Okta create app

    4. On the same screen, select Web Application

    Okta create app

    5. Assign a name of your choice to App integration name (note: Grant type = Authorization Code will be auto-selected)

    Okta create app

    6. Assign the following value to Sign-in redirect URIs: https://{COGNITO DOMAIN}.auth.{REGION}.amazoncognito.com/oauth2/idpresponse, where {COGNITO DOMAIN} is a unique value of your choice and {REGION} is the Region you selected in your AWS account

    Okta create app

    7. For the purpose of this exercise, under Controlled access, select Allow everyone in your organization to access and click Save
    8. After saving, copy the Client ID and the Client secret under CLIENT SECRETS

    Okta assignments

  4. Fill in cdk/config.json according to the comments in the file

  5. cd to the cdk directory and run npm install && cdk deploy in a terminal window

  6. Note the Outputs section of the log:

CDK Outputs

  7. Fill in src/config.js according to the outputs above and the comments in the file

Run steps

  1. cd to the src directory and run npm install && npm start
  2. On a browser, navigate to http://localhost:3000/
  3. Tap Login

Login

  4. Select Okta authentication from the next screen (Sign in with your corporate ID)

Authentication selection

  5. Authenticate with your Okta user

Call API Gateway

  6. After redirection, tap Call API Gateway
  7. If everything works, you will see the message Hello! You've successfully hit /hello

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.