Skip to content

Authentication Services with Cognito

 

The Cognito Service includes:

  • User Pool: Offering Identity Provider services with a user directory.
  • Resource Server to declare and manage custom scopes.
  • M2M Client to provide API Token Authentication.
  • Web Client to provide OpenID connect authentication.
  • OAuth2 endpoints for authentication and token verification for each client.

In the future, these services will be extended to include integration with other OpenID Connect providers such as Google, LinkedIn, and others

Custom Scopes

  • public: identifies resources that are publicly accessible without authentication.
  • lite: identifies resources matching the Lite or Freemium products.
  • subscription: identifies resources that require a subscription.
  • arda: identifies resources that are accessible only to users acting on behalf of Arda.
  • system: identifies resources that are accessible only to internal system processes.

Each Scope implicitly includes access to the previous scopes.

Custom Attributes

  • tenant: A String that identifies the tenant the user is associated with.
  • role: A String that identifies the role of the user within the tenant. Initially this role matches the defined scopes.

uml diagram

Integration

The authentication service is designed to be used by other services and applications within the Arda ecosystem. It provides two types of OAuth2 clients and exports all necessary configuration details via CloudFormation Export Values.

OAuth2 Flows and Clients

The service supports two primary OAuth2 flows through two distinct Cognito User Pool Clients:

  1. Machine-to-Machine (M2M) Client:

    • Flow: client_credentials
    • Purpose: For backend services that need to authenticate and authorize themselves to access other APIs.
    • Authentication: Uses a Client ID and Client Secret.

  2. Web Client:

    • Flow: authorization_code
    • Purpose: For user-facing web applications that need to authenticate users and obtain tokens on their behalf.
    • Authentication: Standard OpenID Connect / OAuth2 flow involving user redirection to a login page.

CloudFormation Exports

To integrate with the authentication service, you need to use the values exported by the PartitionAuthn CDK stack. These outputs provide the identifiers and secrets for the created Cognito resources.

The following values are exported with a prefix based on the partition locator (e.g., alpha002-dev):

Export Name Suffix Description Example Export Name (alpha002-dev)
-API-UserPoolId The ID of the Cognito User Pool. alpha002-dev-API-UserPoolId
-API-UserPoolDomain The domain for the Cognito-hosted UI. alpha002-dev-API-UserPoolDomain
-API-WebClientId The Client ID for the Web Client application. alpha002-dev-API-WebClientId
-API-WebSecretName The name of the Secrets Manager secret for the Web Client. alpha002-dev-API-WebSecretName
-API-M2MClientId The Client ID for the M2M Client application. alpha002-dev-API-M2MClientId
-API-M2MSecretName The name of the Secrets Manager secret for the M2M Client. alpha002-dev-API-M2MSecretName
-ResourceServerId The ID of the User Pool Resource Server. alpha002-dev-ResourceServerId

To use these values in another CDK stack, you can import them using cdk.Fn.importValue() or use the PartitionAuthn.importValues() static method. The client secrets can be retrieved from AWS Secrets Manager using the provided secret names.

Published Secrets

Authentication Services also publish two AWS Secrets Manager secrets for the Web and M2M clients:

Secret Name Description
<infrastructure>-<partition>-API-WebSecretName The secret for the Web Client application.
<infrastructure>-<partition>-API-M2MSecretName The secret for the M2M Client application.

Comments