identity/cognito: support revocation / add custom provider

[psychomelet]

configured following the aws cognito doc

[desimone]

Hi @psychomelet ,

AWS cognito uses the default oidc configuration. Unfortunately, the OIDC spec does not provide a standardized method of token revocation. To support revocation, a custom interface would have to be created for AWS cognito (see examples in internal/identity/*) and implements their revocation method. Contributions are very welcome.

See also:

• https://openid.net/specs/openid-connect-core-1_0.html#TokenLifetime
• https://stackoverflow.com/questions/46519391/when-does-api-gateway-validate-revoked-cognito-id-token

\cc @stuh84

[psychomelet]

noticed another problem, I can't get groups from aws cognito, is it expected behavior too?

[desimone]

Oftentimes yes, group membership and revocation fall outside the spec. Group retrieval usually needs an extra api call, but sometimes is included as a claim.

Fortunately, there's usually not too much work to do to support a custom provider.
See okta, for example : https://github.com/pomerium/pomerium/blob/master/internal/identity/okta.go

That said, it looks like AWS supports the groups claim.

See:

• https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
• https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
• https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

[desimone]

I may spoke to soon, per #501 , if cognito implements revocation_url per rfc8414 we could support it.

I don't have an cognito account at hand. Would you be to supply what your .well-known/openid-configuration looks like?

[enniomara]

For anyone looking into doing group based auth in Cognito I found a way. Cognito embeds the group membership into the access token. Pomerium does have an option called allowed_idp_claims which allows for validating fields in the claim.

So validating groups in Cognito can be done using the following, where admins is a group I created in Cognito.

- from: http://from.example.com
  to: http://to.example.com
  allowed_idp_claims:
    cognito:groups:
      - admins

Maybe this should be given as an example in the Cognito example setup at https://www.pomerium.io/docs/identity-providers/cognito.html

[saltbo]

https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_mz1mLazJM/.well-known/openid-configuration

This is my .well-known/openid-configuration of cognito, It seems that there is no revocation_url .

Is there any way to implement logout？ @desimone

[saltbo]

https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

I found this from the official doc

[hrishikeshdkakkad]

For anyone looking into doing group based auth in Cognito I found a way. Cognito embeds the group membership into the access token. Pomerium does have an option called allowed_idp_claims which allows for validating fields in the claim.

So validating groups in Cognito can be done using the following, where admins is a group I created in Cognito.

- from: http://from.example.com
  to: http://to.example.com
  allowed_idp_claims:
    cognito:groups:
      - admins

Maybe this should be given as an example in the Cognito example setup at https://www.pomerium.io/docs/identity-providers/cognito.html

Yes this needs to comprehensively be added into the docs