Demonstrates how to use a JWK Set (JWKS) to validate OAuth2 Bearer Tokens
- Go to your AWS Console
- Find Cognito and create a user pool. Once created, make sure to note the Pool Id.
- Create an 'App client'; this is under the 'General Settings' selection list
- Make sure 'Enable sign-in API for server-based authentication' is selected
- Save Changes
- Update the 'App client settings'; this is under the 'App Integration' selection list
- Navigate to the client you created in Step 3.
- Select the 'Cognito User Pool' in the 'Enable Identity Providers' section
- Select the 'Authorization code grant' option in the 'Authorization OAuth Flows' section
- Select the 'openid' option in the 'Allowed OAuth Scopes' section
- Save changes
- Clone this repository
- Open the 'application.yml' file
- Add the following two lines:
- 'user-info-uri' | You will need the name of your user pool and the AWS region the Cognito service is in
- 'key-set-uri' | You will need the Pool Id and the AWS region the Cognito service is in
```yaml
security:
  oauth2:
    resource:
      prefer-token-info: ${OAUTH2_RESOURCE_PREFER_TOKEN_INFO:false}
      user-info-uri: https://[Cognito-Pool-Name].[region].amazoncognito.com/oauth2/userInfo
      jwk:
        key-set-uri: https://cognito-idp.[region].amazonaws.com/[Pool-Id]/.well-known/jwks.json
```
Once both setup steps are complete, run the project. It should default to http://localhost:8080.
Use a tool such as Postman to hit the http://localhost:8080/ endpoint. Make sure to use the following URIs for the OAuth Authorization flow:
- Grant Type: Authorization Code
- Callback Url: http://localhost:8080
- Auth Url: https://[Cognito-Pool-Name].auth.us-east-1.amazoncognito.com/oauth2/authorize
- Access Token Url: https://[Cognito-Pool-Name].auth.us-east-1.amazoncognito.com/oauth2/token
- Client Id: NOTE: Get this from inside your User Pool at 'General Settings' --> 'App Clients'
- Client Secret: NOTE: Get this from inside your User Pool at 'General Settings' --> 'App Clients'
- Scope: openid
- Client Authentication: NOTE: Make sure to send as Basic Auth Header