Anyone have a working AWS Cognito configuration w/ ouath2, openid or sso?

I’m trying to integrate Discourse with our existing Cognito UserPool.

Don’t have any IdP or SAML setup in AWS for sso so haven’t gone there.

Tried w/ openid plugin but it Discourse redirects login to the /AUTHORIZE endpoint in Cognito instead of /LOGIN - I know it gets this from the configuration in .well-known, but not sure how this is suppose to work.

Tried w/ oauth2 plugin - I see Discourse calling the /TOKEN endpoint and receiving the JWT back from Cognito, but the /USERINFO endpoint then returns an error, so it doesn’t get beyond that.

Does anyone have a working config they can share - oauth2 seems like the best route but I’m missing something somewhere apparently.

2 Likes

How did you get on with this?

I have same need

Cheers

Todd

2 Likes

Hi - I have gotten any replies from anyone and I haven’t had a chance to revisit it myself unfortunately.

2 Likes

For AWS Cognito as an identity provider for OpenID Connect plugin

  1. Click on Create a User Pool button within AWS Cognito web console
  2. click on Review Defaults to use mostly the default settings
    2a. before creating the pool make sure to click on “Add an App Client”
    2b. create an App Client; give it a name and uncheck everything except Enable refresh token based authentication (ALLOW_REFRESH_TOKEN_AUTH)


3. Click Create pool
4. Now under General Settings on the left menu you should click on App Client and take note of the values for App client id & App client secret
5. Next under to App integration on the left menu you should click on Domain name. Enter a subdomain here. The name here will be the domain that users get routed here when they login.

6. At the top left of the AWS Cognito Console - click on the Federated Identities, it’s a bit hard to find.
federated-identities
7. Once there click on Create new identity pool
8. Give the identity pool a name
8b. Under the Authentication providers section use the User Pool ID from the previously created User pool & the App client id from the previously created App client.


9. Click Create Pool & Allow the console to create the IAM roles to use with the new identity pool
10. At this point you’ve got pretty much everything you should need to get going with setting up your Discourse instance with the correct site settings. assuming you’ve installed the plugin.

openid connect enabled: enable this
openid connect client id: use the App Client Id we retrieved above in the earlier steps
openid connect client secret: use the App Client Secret we saw above in the earlier steps
openid connect discovery document: the link for the discovery document URL follows the format below… you can see the format for userPoolId above in the screenshot with step 8b…

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration

to check that you have the URL format correct - just try to paste into your browser and you should get a nice json that returns the authorization endpoint, issuer, and other things.

openid connect authorize scope: openid email


Other things that may be useful

6 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.