identity/cognito: support revocation / add custom provider #494
Comments
Hi @psychomelet , AWS cognito uses the default oidc configuration. Unfortunately, the OIDC spec does not provide a standardized method of token revocation. To support revocation, a custom interface would have to be created for AWS cognito (see examples in See also:
\cc @stuh84
I noticed another problem: I can't get groups from AWS Cognito. Is that expected behavior too?
Oftentimes yes, group membership and revocation fall outside the spec. Group retrieval usually needs an extra api call, but sometimes is included as a claim. Fortunately, there's usually not too much work to do to support a custom provider. That said, it looks like AWS supports the See:
For anyone looking into doing group-based auth in Cognito, I found a way. Cognito embeds the group membership into the access token. Pomerium does have an option called So validating groups in Cognito can be done using the following, where

```yaml
- from: http://from.example.com
  to: http://to.example.com
  allowed_idp_claims:
    cognito:groups:
      - admins
```

Maybe this should be given as an example in the Cognito example setup at https://www.pomerium.io/docs/identity-providers/cognito.html
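To make the claim-matching step above concrete, here is an added Python model of how an `allowed_idp_claims` rule is evaluated against the decoded claims of a Cognito access token. It is example code written for this thread, not Pomerium's implementation; the policy, the claim sets and the any-of matching semantics are assumptions made for the illustration.

```python
"""Model of a Pomerium-style ``allowed_idp_claims`` check (constructed example).

The claims handed to these functions are assumed to come from a token whose
signature, issuer, audience and expiry were already verified against the
Cognito JWKS; only the claim-matching step is modelled here.
"""
from typing import Any, Mapping, Optional, Sequence

# Constructed policy: the first route mirrors the YAML in the comment above.
POLICY = [
    {"from": "http://from.example.com", "to": "http://to.example.com",
     "allowed_idp_claims": {"cognito:groups": ["admins"]}},
    {"from": "http://reports.example.com", "to": "http://reports.internal",
     "allowed_idp_claims": {"cognito:groups": ["admins", "analysts"]}},
]

# Constructed claim sets, shaped like the decoded payload of a Cognito access token.
ADMIN_CLAIMS = {"sub": "user-1", "token_use": "access", "cognito:groups": ["admins", "dev"]}
ANALYST_CLAIMS = {"sub": "user-2", "token_use": "access", "cognito:groups": ["analysts"]}
NO_GROUP_CLAIMS = {"sub": "user-3", "token_use": "access"}  # user in no Cognito group


def _as_list(value: Any) -> list:
    """Cognito emits cognito:groups as a JSON array; other IdPs may emit a scalar."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def claims_allow(allowed: Mapping[str, Sequence[Any]], claims: Mapping[str, Any]) -> bool:
    """True when any configured claim's token value shares an entry with the
    allowed list (assumed any-of semantics). A missing claim never matches."""
    for name, wanted in allowed.items():
        present = {str(v) for v in _as_list(claims.get(name))}
        if present & {str(v) for v in wanted}:
            return True
    return False


def authorize(policy: Sequence[Mapping[str, Any]], host: str, claims: Mapping[str, Any]) -> bool:
    """Deny by default: unknown route, or route without a claim rule, is rejected
    here because this model evaluates only the allowed_idp_claims rule."""
    route: Optional[Mapping[str, Any]] = next((r for r in policy if r["from"] == host), None)
    if route is None or not route.get("allowed_idp_claims"):
        return False
    return claims_allow(route["allowed_idp_claims"], claims)
```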
This is my Is there any way to implement logout? @desimone
https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html I found this in the official docs.
Yes, this needs to be comprehensively added to the docs.
configured following the aws cognito doc