Take the following steps to set up NGINX ACM/DevPortal OIDC and test it with Amazon Cognito integration.

- Ensure that you use a different application name and different callback/logout URLs from those already created to test your containerized NGINX Plus, as in the following example:

  | Category | Example |
  |---|---|
  | Application Name | nginx-devportal-app |
  | Allowed Callback URLs | https://nginx.devportal.cognito.test/_codexch |
  | Allowed Logout URLs | https://nginx.devportal.cognito.test/_logout |

- Edit the `hosts` file on your laptop if you want to test your app locally:

  ```
  $ sudo vi /etc/hosts
  127.0.0.1 nginx.devportal.cognito.test
  # Note: the provided IP address should be that of the host where you installed the Dev Portal packages.
  # Also make sure your controller and Dev Portal /etc/hosts files have similar entries.
  ```
Configure a Dev Portal either by referencing the NGINX Management Suite Docs (How To Set Up a NGINX Dev Portal) or by taking the following steps of calling the APIs:

Note: Download the example Postman collection to test the following steps easily.
- Open the Postman collection, and edit the ACM password and variables.

- Create an infra > workspace:

  `POST https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces`

  Body:

  ```json
  { "name": "{{infraworkspacename}}" }
  ```

- Create a proxy > workspace:

  `POST https://{{ctrl_ip}}/api/acm/v1/services/workspaces`

  Body:

  ```json
  { "name": "{{proxyworkspacename}}" }
  ```

- Create an environment for the Dev Portal:

  `POST https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments`

  Option 1. Request body for non-PKCE (authorization code flow):

  ```json
  {
    "name": "{{environmentname}}",
    "functions": ["DEVPORTAL"],
    "proxies": [
      {
        "proxyClusterName": "{{devPinstanceGroupName}}",
        "hostnames": ["{{devPenvironmentHostname}}"],
        "runtime": "PORTAL-PROXY",
        "policies": {
          "oidc-authz": [
            {
              "action": {
                "authFlowType": "AUTHCODE",
                "jwksURI": "https://cognito-idp.{{idpRegion}}.amazonaws.com/{{idpUserPoolId}}/.well-known/jwks.json",
                "tokenEndpoint": "https://{{idpDomain}}/oauth2/token",
                "userInfoEndpoint": "https://{{idpDomain}}/oauth2/userInfo",
                "authorizationEndpoint": "https://{{idpDomain}}/oauth2/authorize",
                "logOffEndpoint": "https://{{idpDomain}}/logout",
                "logOutParams": [
                  { "paramType": "QUERY", "key": "logout_uri", "value": "https://{{devPenvironmentHostname}}/_logout" },
                  { "key": "client_id", "paramType": "QUERY", "value": "{{clientId}}" }
                ],
                "TokenParams": [
                  { "paramType": "HEADER", "key": "Accept-Encoding", "value": "gzip" }
                ],
                "uris": {
                  "loginURI": "/login",
                  "logoutURI": "/logout",
                  "redirectURI": "/_codexch",
                  "userInfoURI": "/userinfo"
                }
              },
              "data": [
                { "clientID": "{{clientId}}", "clientSecret": "{{clientSecret}}", "scopes": "openid+profile+email" }
              ]
            }
          ],
          "tls-inbound": [
            { "data": { "serverCerts": [ { "key": "{{TLSKey}}", "cert": "{{TLSCert}}" } ] } }
          ]
        }
      }
    ]
  }
  ```

  Option 2. Request body for PKCE (same as Option 1 except for the following two changes):

  ```
  {
    ...
    "authFlowType": "PKCE",
    ...
    "clientSecret": "{{clientSecret}}",    <- Remove this line.
    ...
  }
  ```
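The two request-body options above differ only in `authFlowType` and the presence of `clientSecret`, and the policy must also agree with the callback/logout URLs registered in the Cognito app client. The following added example (not part of this page's Postman collection or of NGINX ACM itself) builds the `oidc-authz` policy entry for either option and checks it against constructed Cognito app-client settings; `COGNITO_APP`, `build_oidc_policy` and `check_policy` are assumed names, and the `TokenParams` and `tls-inbound` parts of the body are left out for brevity.

```python
from typing import Any, Dict, List, Optional

# Constructed Cognito app-client settings, mirroring the example table on this page.
COGNITO_APP = {
    "callback_urls": ["https://nginx.devportal.cognito.test/_codexch"],
    "logout_urls": ["https://nginx.devportal.cognito.test/_logout"],
}


def build_oidc_policy(host: str, idp_domain: str, region: str, pool_id: str,
                      client_id: str, client_secret: Optional[str],
                      pkce: bool) -> Dict[str, Any]:
    """Build one oidc-authz policy entry for the Dev Portal environment body.
    pkce=False reproduces Option 1 (AUTHCODE); pkce=True applies Option 2:
    authFlowType becomes PKCE and the clientSecret key is left out."""
    data: Dict[str, str] = {"clientID": client_id, "scopes": "openid+profile+email"}
    if not pkce and client_secret:
        data["clientSecret"] = client_secret
    return {
        "action": {
            "authFlowType": "PKCE" if pkce else "AUTHCODE",
            "jwksURI": f"https://cognito-idp.{region}.amazonaws.com/{pool_id}/.well-known/jwks.json",
            "tokenEndpoint": f"https://{idp_domain}/oauth2/token",
            "userInfoEndpoint": f"https://{idp_domain}/oauth2/userInfo",
            "authorizationEndpoint": f"https://{idp_domain}/oauth2/authorize",
            "logOffEndpoint": f"https://{idp_domain}/logout",
            "logOutParams": [
                {"paramType": "QUERY", "key": "logout_uri", "value": f"https://{host}/_logout"},
                {"paramType": "QUERY", "key": "client_id", "value": client_id},
            ],
            "uris": {"loginURI": "/login", "logoutURI": "/logout",
                     "redirectURI": "/_codexch", "userInfoURI": "/userinfo"},
        },
        "data": [data],
    }


def check_policy(policy: Dict[str, Any], host: str, cognito_app: Dict[str, List[str]]) -> List[str]:
    """Return mismatches between the ACM policy and what the Cognito app client allows."""
    problems: List[str] = []
    action, data = policy["action"], policy["data"][0]
    redirect = f"https://{host}{action['uris']['redirectURI']}"   # where Cognito redirects the code
    if redirect not in cognito_app["callback_urls"]:
        problems.append(f"redirect {redirect} is not an allowed callback URL in Cognito")
    logout = next(p["value"] for p in action["logOutParams"] if p["key"] == "logout_uri")
    if logout not in cognito_app["logout_urls"]:
        problems.append(f"logout_uri {logout} is not an allowed logout URL in Cognito")
    if action["authFlowType"] == "PKCE" and "clientSecret" in data:
        problems.append("PKCE flow must not carry clientSecret (Option 2 says remove it)")
    if action["authFlowType"] == "AUTHCODE" and not data.get("clientSecret"):
        problems.append("AUTHCODE flow requires clientSecret")
    return problems
```

Run `check_policy` on the body you are about to POST; an empty list means the redirect and logout URLs line up with the Cognito app client and the secret handling matches the chosen flow.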
- Get the environment of the Dev Portal:

  `GET https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments`

  Response:

  ```
  {
    ...
    curl -k https://<CTRL-FQDN>/install/nginx-agent > install.sh && sudo sh install.sh -g devp-group && sudo systemctl start nginx-agent
    ...
  }
  ```

- SSH into the Dev Portal instance, and run the following commands:

  ```
  curl -k https://<CTRL-FQDN>/install/nginx-agent > install.sh && sudo sh install.sh -g devp-group && sudo systemctl start nginx-agent
  ```

- Delete the environment of the Dev Portal:

  `DELETE https://{{ctrl_ip}}/api/acm/v1/infrastructure/workspaces/{{infraworkspacename}}/environments/{{environmentname}}`
- Open a web browser and access the Dev Portal's FQDN, such as http://nginx.devportal.cognito.test.

- Click the **Sign in** button to log in: enter your user name and password that are registered in Amazon Cognito.

  When you log in for the first time, you are prompted to update your password; enter the required fields and click the 'Send' button.

- Try **Login** and **Logout**.

- Test the above two steps again after changing the IdP settings (PKCE option) and updating the Dev Portal via the NGINX ACM API.