Integrate Cognito Into Diffgram

Pablo Estrada
Published in Diffgram, Aug 24, 2022

In this article you will learn how easy it is to integrate your OIDC or SAML providers using Cognito and Diffgram. Sometimes you need some form of single sign-on for your business, and to keep the security department happy. Luckily, Diffgram now offers a simple integration with Cognito, plus generic OIDC support, so that you can use your existing user pools with it, or even add capabilities like sign-in with Google, Facebook, etc. without having to implement all of that yourself.

Main benefits of using OAuth 2.0 in your Diffgram installation:

  1. Separation of concerns.
  2. Decoupling authentication from the Diffgram platform, which usually serves business needs.
  3. You can enable your Diffgram installation (the client) to access resources that belong to the user and do not belong to Diffgram natively.
  4. You can implement an alternative to Single Sign-On: if you have multiple applications that trust one STS, one username works for all applications.
  5. You can delegate the authentication process to a third party that you trust, and never worry about validating user authenticity. This is especially important if your company has strict security policies.

Let’s get started!

Pre-Requisites

  1. A working installation of Diffgram (either with Docker or Kubernetes)
  2. An AWS account with access to the Cognito service and an existing user pool to integrate.

1. Configuring Diffgram App in Cognito User Pool

The first step is to go to your Cognito user pool and create a new app client for Diffgram. Go to your Cognito user pool => App integration tab => Create app client:

Configuring the Cognito App Client

Set the following values on the App Client configuration:

  1. Set your client as a public client. Optionally you can set it as a private client and provide the secret key to Diffgram at a later step.
  2. Set your app client name.
  3. Make sure ALLOW_USER_PASSWORD_AUTH is enabled in your Authentication flows. You can add more flows if you desire.

Configuring your Cognito App Client

2. Configuring the Hosted UI Settings

Now go to the Hosted UI Settings Section:

  1. On the Allowed Callback URLs add <YOUR_DIFFGRAM_URL_BASE>user/oauth2-login/
  2. On the Allowed sign-out URLs add <YOUR_DIFFGRAM_URL_BASE>user/login/
  3. Make sure Authorization code grant is selected on the OAuth2.0 grant types selector.
  4. Add any extra custom scopes you desire; the only required scopes are email and openid. The rest are optional.

3. Create the App Client

Hit Create App Client, and take note of your App Client ID.

4. Activate OIDC in Diffgram

OIDC is not enabled out of the box. You will need to configure the provider you will use and activate the functionality in your environment variables.

Make sure you set the following environment variables on your Diffgram installation. This can be in the .env file for docker-compose or in your values.yaml if you are using Diffgram's Helm chart:

USE_OAUTH2 = "True"
OAUTH2_PROVIDER_NAME = "cognito"
OAUTH2_PROVIDER_HOST = "https://YOUR_COGNITO_API_URL"
OAUTH2_PROVIDER_CLIENT_ID = "YOUR APP CLIENT ID"
OAUTH2_PROVIDER_CLIENT_SECRET = "YOUR APP CLIENT SECRET (OPTIONAL)"
COGNITO_LOGIN_URL = "THE HOSTED UI URL FOR YOUR LOGIN"
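As an added example (not Diffgram's or AWS's own code), the following Python function checks an app client description and the Diffgram environment against steps 1 to 4 before you try the login. It assumes the client dict has the shape of the UserPoolClient member returned by boto3's cognito-idp describe_user_pool_client, the sample data is constructed, and the implicit-grant warning goes beyond the guide.

```python
# Added check: does a Cognito app client plus the Diffgram environment match this guide?
# `client` has the shape of the 'UserPoolClient' member that boto3's cognito-idp
# describe_user_pool_client returns; `env` holds the variables set on the Diffgram side.

REQUIRED_SCOPES = {"openid", "email"}
CALLBACK_PATH = "user/oauth2-login/"  # step 2, allowed callback URL
SIGNOUT_PATH = "user/login/"          # step 2, allowed sign-out URL


def check_setup(client: dict, env: dict, diffgram_base: str) -> list:
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    if not diffgram_base.endswith("/"):
        diffgram_base += "/"  # the guide appends the path straight to the base URL
    if "ALLOW_USER_PASSWORD_AUTH" not in client.get("ExplicitAuthFlows", []):  # step 1
        findings.append("ALLOW_USER_PASSWORD_AUTH is not among the authentication flows")
    if diffgram_base + CALLBACK_PATH not in client.get("CallbackURLs", []):  # step 2
        findings.append("callback URL not allowed: " + diffgram_base + CALLBACK_PATH)
    if diffgram_base + SIGNOUT_PATH not in client.get("LogoutURLs", []):
        findings.append("sign-out URL not allowed: " + diffgram_base + SIGNOUT_PATH)
    flows = set(client.get("AllowedOAuthFlows", []))
    if "code" not in flows:
        findings.append("authorization code grant is not enabled")
    if "implicit" in flows:  # beyond the guide: the code grant alone is enough
        findings.append("implicit grant is enabled but not needed")
    missing = REQUIRED_SCOPES - set(client.get("AllowedOAuthScopes", []))
    if missing:
        findings.append("required scopes missing: " + ", ".join(sorted(missing)))
    if env.get("USE_OAUTH2") != "True" or env.get("OAUTH2_PROVIDER_NAME") != "cognito":  # step 4
        findings.append("USE_OAUTH2 / OAUTH2_PROVIDER_NAME are not set for Cognito")
    if env.get("OAUTH2_PROVIDER_CLIENT_ID") != client.get("ClientId"):
        findings.append("OAUTH2_PROVIDER_CLIENT_ID does not match the app client")
    if client.get("ClientSecret") and not env.get("OAUTH2_PROVIDER_CLIENT_SECRET"):
        findings.append("client has a secret but OAUTH2_PROVIDER_CLIENT_SECRET is unset")
    return findings


SAMPLE_CLIENT = {  # constructed sample: a public client set up as in steps 1 to 3
    "ClientId": "EXAMPLECLIENTID",
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "CallbackURLs": ["https://diffgram.example.com/user/oauth2-login/"],
    "LogoutURLs": ["https://diffgram.example.com/user/login/"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email"],
}
SAMPLE_ENV = {  # constructed sample: the step 4 variables for that client
    "USE_OAUTH2": "True",
    "OAUTH2_PROVIDER_NAME": "cognito",
    "OAUTH2_PROVIDER_CLIENT_ID": "EXAMPLECLIENTID",
}
```

Feed it the real describe_user_pool_client output and your .env values to get a list of what still differs from the guide.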

You’re Done!

Now you should be able to log in to Diffgram using Cognito. You will see a new button on the login screen that says "Login with SSO".

Diffgram Login Screen With SSO Activated

After clicking it you will be redirected to your OAuth provider, in this case Cognito:

Cognito’s Default Login Screen
