How to use AWS Cognito as a provider in Passport?
I have a Javascript backend (NestJS with Express + Passport).
I would like to outsource the complexity of authentication (e.g. social auth) to Cognito but avoid getting locked in. I was wondering if I can use Cognito as a provider in Passport, similar to social providers (Google, Facebook, etc). That way, I could integrate many providers with the effort of integrating just one. I would still manage user data, authorization, etc in my own app, therefore, if I wanted to in the future, I could implement Google, Facebook, etc. social auth in my own app and get rid of Cognito.
If I understand it correctly this is possible with Auth0.
Ideally, I would like to implement an OAuth flow where the user is redirected to a simple "sign up / log in" Cognito app, logs in, gets redirected to a callback URL in my app where I receive user data. If AWS doesn't host a solution for this, I can also use their UI elements to build & host this app.
If implemented as a provider / strategy, this could be as simple as:
passport.use(new CognitoStrategy({
key: KEY,
secret: SECRET,
callbackURL: "http://www.example.com/auth/cognito/callback"
},
function(token, tokenSecret, profile, done) {
User.findOrCreate({ uuid: profile.id }, function (err, user) {
return done(err, user);
});
}
));
app.get('/auth/cognito', passport.authenticate('cognito'));
app.get('/auth/cognito/callback',
passport.authenticate('cognito', { failureRedirect: '/auth/cognito' }),
function(req, res) {
res.redirect('/');
});
Is there a solution for this? Does this make sense in principle? Am I missing any complexity in the many-for-one idea?
Related resources:
It's possible to use both User Pools and Identity Pools via OAuth. Cognito even has a self-hosted UI, with own domain & branding available. Setup steps: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html
I used a generic OAuth2 Passport strategy: https://github.com/jaredhanson/passport-oauth2
Endpoint details: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html
After the setup, Federated Identities can be set up from the AWS console.
In the end an unbranded screen looks like this:
- Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS
- Role-based authentication not working with Keycloak and Java Spring
- What If Session Expires While User Is Still On The Website
- Remix run: Authentication succeeds on validation failures
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Using two or more SecurityFilterChains with Spring Security 6 does not work properly, only one chain is invoked
- What is the purpose of the 'state' parameter in OAuth authorization request
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications
- OAuth 2 access_token vs OpenId Connect id_token
- Spring Security - Multiple OAuth2 Identity providers (github and google) work with only one Bean with @Prirmary?
- Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
- MSAL Node service & The Partner Center API
- How to change the app name for Firebase authentication (what the user sees)
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Is it okay to encrypt a 3rd party access token and refresh token, in an encrypted JWT?
- Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
- What is the purpose of a "Refresh Token"?
- Pagination with oauth azure data factory
- How to use supabase google auth provider in react naive expo app
- How to bypass keycloak login page and provide client suggested idp with spring security
- Issue with Discord OAuth2 redirect_uri component
- npm install error - invalid package.json
- Google Identity Platform: Using OAuth 2.0 in Powershell using Firebase Admin SDK private key
- Can I get the company name/logo with the LinkedIn API?
- PayPal REST API credentials of another business or party
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Problems logging into coinbase api with oauth2
- Azure authentification for multiple audience using WithExtraScopesToConsent and AcquireTokenSilent
- Microsoft OAuth authorization code flow CORS
- How to authorize a request to the FCM v1 API with an access token