You must first create the Google project credentials; follow these steps to do so.
After that, create the infrastructure:
```shell
# Copy the template, then add the Google attributes to infra/.auto.tfvars
cp infra/templates/dev.auto.tfvars infra/.auto.tfvars
terraform -chdir="infra" init
terraform -chdir="infra" apply -auto-approve
# Get the app client credentials
aws cognito-idp describe-user-pool-client --user-pool-id "<region>_xxxxxxxxx" --client-id "00000000000000000000000000"
```
Use the backend to test the authentication.
```shell
cd backend
```
Create the `.env` file:
```shell
touch .env
```
Add the required OIDC variables to the `.env` file (copy them from Cognito):
```
ISSUER_BASE_URL="https://cognito-idp.<region>.amazonaws.com/<user-pool>/"
BASE_URL="http://localhost:8080"
CLIENT_ID="00000000000000000000000000"
CLIENT_SECRET="000000000000000000000000000000000000000000000000000"
SECRET="abcdef0123456789"
```
Start the application server:
```shell
bash mvnw spring-boot:run -Dspring-boot.run.profiles=dev
```
- Access the application login: http://localhost:5000/login
- Create your account on Cognito
- You should be redirected to the application after authentication
- Try accessing restricted data: http://localhost:5000/profile
- Logout should be http://localhost:5000/logout, but Cognito doesn't expose an end-session endpoint in the issuer API, so build the Hosted UI logout URL manually like this:
```
https://<DOMAIN_PREFIX>.auth.<AWS_REGION>.amazoncognito.com/logout?client_id=0000000000000000000&logout_uri=http://localhost:5000/logout
```
Optionally, deploy to an EB environment.
ℹ️ You'll need to activate HTTPS in order for Cognito to accept the callback URLs.
```shell
touch elasticbeanstalk/.auto.tfvars
```
Add the variables according to your requirements:
```hcl
region = "us-east-2"
ec2_instance_types = "t2.micro"
client_id = "00000000000000000000000000"
client_secret = "0000000000000000000000000000000000000000000000000000"
secret = "abcdef0123456789"
issuer_base_url = "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>"
```
Deploy the infrastructure:
```shell
terraform -chdir="elasticbeanstalk" init
terraform -chdir="elasticbeanstalk" apply -auto-approve
```
At this point, configure HTTPS in Elastic Beanstalk.
➡️ Set the Elastic Beanstalk application URL as the `BASE_URL` environment variable in EB; it must use HTTPS.
➡️ Set the Elastic Beanstalk application URL as a callback URL in Cognito; it must use HTTPS.
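The two points that are easiest to get wrong by hand in this setup are the manually built Cognito logout URL (see the login/logout steps above) and the HTTPS requirement on `BASE_URL` and the Cognito callback URL. The following Python helper is an added example, not part of this project: it parses the `.env` format used above, derives the OIDC discovery URL from `ISSUER_BASE_URL`, falls back to the hand-built Hosted UI logout URL when the provider publishes no `end_session_endpoint` (as Cognito does), and flags a non-localhost `BASE_URL` that is not HTTPS. The sample `.env` content, the domain prefix `myprefix`, the region and the client id are constructed placeholders.

```python
"""Build the Cognito Hosted UI logout URL and sanity-check the OIDC settings.

Added example for this README; assumes the .env layout shown above.
"""
import json
from urllib.parse import urlencode, urlparse

# Constructed sample of the .env file (placeholder values, not real credentials).
SAMPLE_ENV = """\
ISSUER_BASE_URL="https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE/"
BASE_URL="http://localhost:8080"
CLIENT_ID="client-id-EXAMPLE"
CLIENT_SECRET="client-secret-EXAMPLE"
SECRET="abcdef0123456789"
"""

# Constructed stand-in for a Cognito discovery document: note that it has no
# end_session_endpoint, which is why the logout URL has to be built by hand.
SAMPLE_COGNITO_DISCOVERY = json.dumps({
    "issuer": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE",
    "authorization_endpoint": "https://myprefix.auth.us-east-2.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://myprefix.auth.us-east-2.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE/.well-known/jwks.json",
})


def parse_env(text):
    """Parse KEY="value" lines into a dict; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def discovery_url(issuer_base_url):
    """Derive the OpenID discovery URL; a trailing slash on the issuer is tolerated."""
    return issuer_base_url.rstrip("/") + "/.well-known/openid-configuration"


def cognito_logout_url(domain_prefix, region, client_id, logout_uri):
    """Build the Hosted UI logout URL; urlencode percent-encodes the logout_uri value."""
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/logout?{query}"


def logout_url_from_discovery(discovery_json, fallback):
    """Prefer a standard end_session_endpoint if the provider publishes one, else the manual URL."""
    doc = json.loads(discovery_json)
    return doc.get("end_session_endpoint") or fallback


def check_base_url(base_url):
    """Return problems found: a non-localhost BASE_URL must be HTTPS for Cognito to accept it as a callback."""
    problems = []
    parsed = urlparse(base_url)
    if parsed.hostname not in ("localhost", "127.0.0.1") and parsed.scheme != "https":
        problems.append(f"BASE_URL {base_url} must use https for Cognito callback URLs")
    return problems


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    manual = cognito_logout_url("myprefix", "us-east-2", env["CLIENT_ID"], "http://localhost:5000/logout")
    print("discovery:", discovery_url(env["ISSUER_BASE_URL"]))
    print("logout:   ", logout_url_from_discovery(SAMPLE_COGNITO_DISCOVERY, manual))
    for problem in check_base_url(env["BASE_URL"]) + check_base_url("http://myapp.example.elasticbeanstalk.com"):
        print("problem:  ", problem)
```

Run it before switching `BASE_URL` to the Elastic Beanstalk URL: the `check_base_url` warning is the same condition Cognito enforces when it rejects a plain-HTTP callback, and the derived discovery URL is the one to fetch if you want to confirm that the pool publishes no `end_session_endpoint`.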
Deploy the code to Elastic Beanstalk.
Once ready, delete the infrastructure:
```shell
terraform -chdir="cognito" destroy -auto-approve
terraform -chdir="elasticbeanstalk" destroy -auto-approve
```
Also delete the Google credentials and authorization.