OpenId and AWS Cognito Federation Identity

brocktubre · September 5, 2018, 5:11pm

I have setup my Okta application to use OpenId to communicate with AWS Cognito Federation Identities. I am able to authenticate with Okta and get an idToken and accessToken.

Where my problem lies is AWS needs a login URL for mapping when assigning credentials to a user. Here are other OpenId providers and their Login URLs.

// optional tokens, used for authenticated login
// See the Logins param for AWS.CognitoIdentity.getID (linked below)
Logins: {
    'graph.facebook.com': 'FBTOKEN',
    'www.amazon.com': 'AMAZONTOKEN',
    'accounts.google.com': 'GOOGLETOKEN',
    'api.twitter.com': 'TWITTERTOKEN',
    'www.digits.com': 'DIGITSTOKEN'
}

Is it possible to configure trusts between OIDC Identity Providers (IdP). So, say you have an OIDC token from an external IdP X. With Cognito Federated Identities, one can add IdP X as a trusted IdP, and thus trust tokens that have been issued by IdP X?

Will I be forced to use SAML?

vapi · January 19, 2021, 1:39pm

Hi,
I have a similar situation. The company I’m working on uses Okta as a IDP and everybody uses Okta to login into company its account.

I’m working on a aws serverless application that has to use Okta for log in. Basically, the user is logging in with Okta and as response we get an id token that the app should exchange it with some temporarty credentials at Cognito Identity Pool feature.

An AWS Cognito Identity Pool can be configured to use Authentication Providers as Facebook, Google etc out of the box. In order to use Okta I have configured OpenId connect option.

Now, as above message states once we have the id token we have to exchange it for temporary credentials and the involved code requires to send the Logins information with a specific attribute and the right token.

Example, if I use Facebook instead of Okta I have to write:

Logins: {
‘graph.facebook.com’: ‘FBTOKEN’
}

What should be the Logins attribute for Okta? I need to use something like:

Logins: {
‘okta loggin name’: ‘OKTA-TOKEN’,
}

Regards.

vapi · January 20, 2021, 3:40pm

Meanwhile I found myself the solution.
Since I’m using a developer okta account I use the default auth server with audience api://default.

When configure IAM Identity Provider in AWS for OKTA I have used my auth server as provider url: dev-xxxxxxx.okta.com/oauth2/default.
Still here, I have used ‘api://default’ as audience but not client ID as AWS suggests. This audience is part of the token payload when you send the okta token to Cognito. Token audience should match IAM IDP Audience. The same, token ISSuer should match the provider url.
Configure AWS Cognito Identity Pool to use OpenID and select the IAM IDP configured above.
Configure Cognito auth role as per your need. This auth role will be assumed by okta logged in user.
Finally, after getting the okta auth token (after login) send it to aws cognito in order to obtain temp aws credentials and assume the auth role. Use them to make aws api requests.

// Initialize the Amazon Cognito credentials provider
AWS.config.region = your_region;
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: yourIdentityPoolId,
Logins: {
‘dev-xxxxxxx.okta.com/oauth2/default’: oktaAccessToken
}
});

//logs to check
AWS.config.credentials.get(function (err) {
if (err) {
console.log(err, err.stack);
} else {
// temporary aws credentials
console.log(‘AccessKeyId:’, AWS.config.credentials.accessKeyId);
console.log(‘SecretAccessKey:’, AWS.config.credentials.secretAccessKey);
console.log(‘SessionToken:’, AWS.config.credentials.sessionToken);
}
});

vapi · January 20, 2021, 8:43pm

I have to add some extra details.

If you decide to send an oktaIdToken to Cognito instead of oktaAccessToken then at point 2 you have to use the okta client id as audience instead of api://default.
That’s because the payload of an id token contains the client_id as audience and it should match the audience configured in IAM IDP.