How can I add GitHub as an identity provider for AWS Cognito with Terraform?
I am using AWS Cognito to build out the authentication layer for my React app, and I'm trying to go for the quickest win possible. I'm using Terraform to build my backend, and have successfully got Google working as an identity provider. Now I want to add Github, but I'm unable to find any sample Terraform resources that I can use for this. I am using the hosted UI to test the configuration, but will copy the links directly into my react app once it's all working.
I have created an OAuth application in GitHub and used the credentials from that.
Here is my resource for the GitHub identity provider (which I came up with largely with the help from copilot):
resource "aws_cognito_identity_provider" "github_provider" {
user_pool_id = aws_cognito_user_pool.user_pool.id
provider_name = "GitHub"
provider_type = "OIDC"
provider_details = {
authorize_scopes = "openid"
client_id = "XXXXXXXXXXXXXXXXX"
client_secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
oidc_issuer = "https://token.actions.githubusercontent.com"
attributes_request_method = "GET"
}
attribute_mapping = {
username = "sub"
}
}
In the hosted UI I can then see my GitHub authentication button:
However, if I click the link, it immediately goes to my callback with the error without going to GitHub:
http://localhost:3000/callback?error_description=Unsupported+configuration+for+OIDC+Identity+Provider.+Please+review+the+documentation+for+specification.&error=server_error
"Unsupported configuration for OIDC Identity Provider. Please review the documentation for specification."
I can't find any description of this error message on Google and it doesn't help explain what the problem is. Can anyone help?
I've spent a day of trial and error on this, but mostly thanks to this article I was able to get it working: https://sst.dev/examples/how-to-add-github-login-to-your-cognito-user-pool.html
GitHub doesn't implement OCID the way AWS expects it to, so I had to add two proxies to my API to properly format the request and response between AWS and GitHub.
Here is the final working aws_cognito_identity_provider:
resource "aws_cognito_identity_provider" "github_provider" {
user_pool_id = aws_cognito_user_pool.user_pool.id
provider_name = "GitHub"
provider_type = "OIDC"
provider_details = {
authorize_scopes = "openid user:email"
client_id = "XXXXXXXXXXXXXXXXXX"
client_secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
attributes_request_method = "GET"
oidc_issuer = "https://token.actions.githubusercontent.com"
authorize_url = "https://github.com/login/oauth/authorize"
token_url = "https://${var.api_domain}/auth/github-token-proxy"
attributes_url = "https://${var.api_domain}/auth/github-userinfo-proxy"
jwks_uri = "https://token.actions.githubusercontent.com/.well-known/jwks.json"
}
attribute_mapping = {
email = "email"
username = "sub"
}
}
for the token_url proxy, the main change is attaching the accept: "application/json" which Cognito doesn't seem to do on it's own:
import { corsMiddleware } from "../middleware/corsMiddleware";
import fetch from "node-fetch";
import parser from "lambda-multipart-parser";
import { Logger } from "@aws-lambda-powertools/logger";
export const handler = corsMiddleware(async (event) => {
const result = await parser.parse(event);
const logger = new Logger({ serviceName: "postAuthGithubTokenProxyHandler" });
logger.info(event);
const token = await (
await fetch(
`https://github.com/login/oauth/access_token?client_id=${result.client_id}&client_secret=${result.client_secret}&code=${result.code}`,
{
method: "POST",
headers: {
accept: "application/json",
},
}
)
).json();
logger.info(JSON.stringify(token));
return {
statusCode: 200,
body: JSON.stringify(token),
};
});
For the second proxy, I had to change the authorization header from "Bearer" to "token". I also had to add in a call to /user/emails as the default /user endpoint doesn't return private emails on its own:
import { corsMiddleware } from "../middleware/corsMiddleware";
import fetch from "node-fetch";
import { Logger } from "@aws-lambda-powertools/logger";
export const handler = corsMiddleware(async (event) => {
const logger = new Logger({
serviceName: "getAuthGithubUserInfoProxyHandler",
});
logger.info(event);
const bearerToken = event.headers["Authorization"].split("Bearer ")[1];
if (!bearerToken) {
return {
statusCode: 401,
body: JSON.stringify({
error: "Missing bearer token",
}),
};
}
const token = (await (
await fetch("https://api.github.com/user", {
method: "GET",
headers: {
authorization: `token ${bearerToken}`,
accept: "application/json",
},
})
).json()) as { id: string; email: string };
logger.info(JSON.stringify(token));
let email = token.email;
if (email === null) {
const emails = (await (
await fetch("https://api.github.com/user/emails", {
method: "GET",
headers: {
authorization: `token ${bearerToken}`,
accept: "application/json",
},
})
).json()) as { email: string; primary: boolean; verified: boolean }[];
logger.info(JSON.stringify(emails));
const primaryEmailObj = emails.find((email) => email.primary);
if (primaryEmailObj) {
email = primaryEmailObj.email;
}
}
return {
statusCode: 200,
body: JSON.stringify({
email: email,
sub: token.id,
}),
};
});
- Google Cloud credentials with Terraform
- Terraform unknown provider packages
- How to get IP address from of an RDS host?
- Terraform lambda source_code_hash update with same code
- How to override default chart values in terraform using helm provider?
- Error 400: Request contains an invalid argument while creating google_cloudbuild_trigger resource in Terraform from github source
- terraform destroy needs original terraform code to destroy?
- Create proper resource names using terraform for_each
- Azure ACI cannot pull image from public docker registry (Possible bug)
- What does "~>" mean in terraform required_providers version?
- How to recreate EC2 instances of an autoscaling group with terraform?
- How to enable "Use for Hive table metadata" in "AWS Glue Data Catalog settings" using Terraform?
- How to use array as input in terragrunt which accepts only as string in terraform
- Unexpected JWT alg received, expected RS256, got: HS256
- terraform tags for list variable not working
- Terraform 13, Validate variable base on the value of another
- How do I reference a resource created from different module in my current module?
- Terraform - GCP - Import project IAM member
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Terraform: Merge two tuples/lists to create a map
- Terraform doesn't allow to use variable when creating resource. How to go around?
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Terraform outputs 'Error: Variables not allowed' when doing a plan
- Issue with Azure key vault and Azure storage account deployment
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Why is TF build failing with "Error refreshing state: HTTP remote state endpoint requires auth"?
- With Gitlab, in the CI/CD pipeline, how can I dynamically create and save SSH key pairs as CI/CD project variables?
- Conditionally add element to existing map
- Parse HCL block into Golang map
- Run an AWS ECS task