Implement login, logout and related authentication elements.

[v79]

Use the AWS Cognito API to authenticate and log in with the username and password provided.

[v79]

I've been trying to set up authentication to AWS Cognito using the Java v2 SDK. My two options seem to be USER_SRP_AUTH (no password is sent, but a complex hash is generated and sent, challenged and authenticated), or USER_PASSWORD_AUTH (a simpler user/password setup).

Unfortunately AWS are not providing samples or an API in Java for USER_SRP_AUTH (see aws/aws-sdk-java-v2#2851 ).

And AWS CDK does not allow me to create a USER_PASSWORD_AUTH flow for an app client, presumably because it's insecure.

I thought auth was going to be easier than UI...

(The web front end uses ALLOW_REFRESH_TOKEN_AUTH I think). Can I use that on the desktop? How would it redirect to cognito to get the token?

[v79]

Possible partial implementation here: https://github.com/secure-remote-password/stanford-srp/blob/master/java/1.1.x/security/srp/SRPClient.java

And in here: https://github.com/aws-samples/aws-cognito-java-desktop-app/blob/master/src/main/java/com/amazonaws/sample/cognitoui/AuthenticationHelper.java

But both are predicated on me having registered using SRP - and I don't think I have.

There is the insecure ADMIN_USER_PASSWORD_AUTH route but that's only supposed to be used on secured servers, not clients.

[v79]

Replicating the web experience in the desktop:

• app opens browser link to cognito hosted URL. Sets the callback URL to be https://127.0.0.1:/
• App runs a web server at that URL
• So when cognito calls the callback URL, my app's server will respond to the request and capture the code/token

https://www.oauth.com/oauth2-servers/oauth-native-apps/redirect-urls-for-native-apps/

[v79]

Though I had some of this behaviour happening - the app would launch a web browser at the Cognito auth URL, and the app ran a web server which would respond to the callback URL - I can't see how I'd make this sequential, how to make the app wait for the auth code from the callback URL.
It has been suggested that a custom uri schema (myapp://callback) might work better, but to do that I'd need to make registry edits as part of the app building process. Even running the task to build and MSI package fails.

My only remaining thought is to return to the AWS SDK and use the ADMIN_USER_PASSWORD_AUTH mechanism. I would need to give the Corbel app access to my AWS secret key - which is stored in an environment variable, so is do-able.

[v79]

This is now working, without needing to fall back to the ADMIN route. The user clicks Login, and is directed to the Cognito hosted UI. This returns an auth code, which Corbel captures through an embedded ktor server listening on localhost.
Then the app requests a token, supplying the code. Finally, it makes a request to the cantilever API, using the token. I have also implemented token refreshing.