Spring

Integrate Spring Boot Application with Amazon Cognito

In this article, we will show how to use Amazon Cognito service for authentication users in a Spring Boot application using the OAuth 2.0 client library introduced in Spring Security 5.0.

What is AWS Cognito?

Amazon Cognito is service offered by AWS which provides user management services like sign up and sign in, in addition to providing support for granting credentials for accessing AWS services. It has its own identity provider in addition to integrating with identity providers like Facebook, Google, SAML, OpenId

What’s in It for Web Application Developers?

Web application developers (server side / single page applications) and even mobile application developers can off load user signup and authentication to Amazon Cognito and focus on implementing business requirements.

Cognito supports features like multi factor authentication (MFA), email and phone number verification, password strength management. It also supports authentication with other identity providers like Facebook, Google and custom SAML integration where cognito acts as an adapter to integrate with them.

So in short developers get to focus on business features and let AWS handle the user signup and authentication.

Setting up Amazon Cognito

Cognito contains two main components:

  • User pools – which is used for user and identity management, managing application client details (i.e the clients which would use cognito for authentication)
  • Identity pools – which is used for granting AWS credentials for accessing AWS services

Let us configure user pool and also create an application client which we can use to connect with cognito.

Creating user pool

Enter the pool name and click on review defaults, to accept the default settings for user pool

Creating app client

Click on App Clients (on the left) and then Add an app client to get the above screen
The app client will have client id and client secret. Client secret is visible on clicking “Show Details”

Setting up app client


In setting up the app client we define the identity providers (authentication method), OAuth flows supported, OAuth scopes allowed, callback URL (URL to which cognito will send after user authentication)

Setting up domain name for user pool

Domain name is used to configure the end point to which OAuth client application send the user for authentication

Creating test users

“Users and groups” tab shows list of users and new users can be created by clicking on “Create User”

These were the few steps to follow to setup your Cognito user pool and application client.

Configuring Spring Boot Application

We will make use of the OAuth client library included as part of Spring Security 5 and its integration with Spring Boot.

Update the pom.xml to Add OAuth Client Dependency

Add the following dependency to your pom.xml to be able to get grab the OAuth client library

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

Add the properties related to OAuth client

We need to define some properties related to registering the OAuth provider and setting up the OAuth provider. The following properties need to be added:

app.url=http://localhost:9999
cognito.rooturl=https://test-userpool.auth.eu-west-1.amazoncognito.com
spring.security.oauth2.client.registration.cognito.provider=cognito
spring.security.oauth2.client.registration.cognito.client-id=<client-id>
spring.security.oauth2.client.registration.cognito.client-secret=<client-secret>
spring.security.oauth2.client.registration.cognito.client-name=test-client
spring.security.oauth2.client.registration.cognito.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.cognito.scope=email,openid
spring.security.oauth2.client.registration.cognito.redirect-uri-template=${app.url}/login/oauth2/code/cognito

spring.security.oauth2.client.provider.cognito.authorizationUri=${cognito.rooturl}/oauth2/authorize
spring.security.oauth2.client.provider.cognito.tokenUri=${cognito.rooturl}/oauth2/token
spring.security.oauth2.client.provider.cognito.jwkSetUri=https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_Mi1q5QPXa/.well-known/jwks.json
spring.security.oauth2.client.provider.cognito.user-info-uri=${cognito.rooturl}/oauth2/userInfo
spring.security.oauth2.client.provider.cognito.userNameAttribute=username

The JWK URI is built based on the guidelines given here.

Creating an HTML Page to Show Authenticated User Detail

We have added an index.html to show the logged in user detail using Thymeleaf-Spring security dialects as shown below:

<div class="container">
	<div class="row">
		<div class="col">
			Authenticated successfully as [[${#authentication.name}]]<br/>
			Principal: [[${#authentication.principal}]]
			<div>
				<a th:href="@{/logout}" class="btn btn-primary">Logout</a>
			</div>
		</div>
	</div>
</div>

Testing the Integration

Just run the main class and the application will start running on http://localhost:9999/. On navigating to this URL you will redirected to Cognito for authentication and once successfully authenticated you will be taken to the application page which looks something like:

Authenticated user information showing username and Principal object

The complete code for the app can be found here. In the subsequent posts we will look at customizing the Principal object, making use of the user info end point, roles management via Spring security and also look at how single page applications can leverage Cognito.

Advertisements

Categories: Spring, Spring Boot

Tagged as: ,

5 replies »

  1. Logout is automatically redirecting to a success login.. so user isn’t actually logged out (just for few moments), how are you managing this?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.