Integrate Cognito Into Diffgram
In this article you will learn how easy it is to integrate your OIDC or SAML providers with Diffgram through Cognito. Sometimes you need some form of single sign-on for your business, and to keep the security department happy. Luckily, Diffgram now offers a simple integration with Cognito, plus generic OIDC support, so that you can use your existing user pools with it, or even add capabilities like sign-in with Google, Facebook, etc. without having to implement all of that yourself.
Main Benefits of Using OAuth2.0 in your Diffgram installation:
- Separation of concerns.
- Decoupling authentication from the Diffgram platform, which normally focuses on serving the business.
- You can enable your Diffgram installation (the client) to access resources that belong to the user and do not natively belong to Diffgram.
- You can implement an alternative to Single Sign-On: if you have multiple applications that trust one STS, one username works for all of them.
- You can direct the authentication process to a third party that you trust, and never worry about validating user authenticity yourself. This is especially important if your company has strict security policies.
Let’s get started!
- A working installation of Diffgram (either with Docker or Kubernetes)
- An AWS account with access to the Cognito service and an existing user pool to integrate.
1. Configuring Diffgram App in Cognito User Pool
The first step is to go to your Cognito user pool and create a new app client for Diffgram. Go to your Cognito user pool => App integration tab => Create app client:
Set the following values on the App Client configuration:
- Set your client as a public client. Optionally you can set it as a private client and provide the client secret to Diffgram in a later step.
- Set your app client name.
- Make sure ALLOW_USER_PASSWORD_AUTH is enabled under your Authentication flows. You can add more flows if you desire.
2. Configuring the Hosted UI Settings
Now go to the Hosted UI Settings Section:
- On the Allowed Callback URLs add
- On the Allowed sign-out URLs add
- Make sure Authorization code grant is selected in the OAuth 2.0 grant types selector.
- Add any extra custom scopes you desire; the only required scope is the OpenID scope. The rest are optional.
3. Create the App Client
Hit Create App Client, and take note of your App
4. Activate OIDC in Diffgram
OIDC is not enabled out of the box. You will need to configure the provider you will use and activate the functionality through your environment variables.
Make sure you set the following environment variables on your Diffgram installation. This can be in the .env file for docker-compose or in values.yaml if you are using Diffgram's Helm chart:
USE_OAUTH2="True"
OAUTH2_PROVIDER_NAME="cognito"
OAUTH2_PROVIDER_HOST="https://YOUR_COGNITO_API_URL"
OAUTH2_PROVIDER_CLIENT_ID="YOUR APP CLIENT ID"
OAUTH2_PROVIDER_CLIENT_SECRET="YOUR APP CLIENT SECRET (OPTIONAL)"
COGNITO_LOGIN_URL="THE HOSTED UI URL FOR YOUR LOGIN"
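The following is an added example (not Diffgram's own code) that sanity-checks these settings and walks through the authorization code grant configured in steps 2 and 4: it builds the hosted UI request with the openid scope, a state value and PKCE, then accepts the callback only if the state matches. It assumes COGNITO_LOGIN_URL points at the hosted UI's authorize endpoint; all values are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

SETTINGS = {  # constructed placeholders for section 4's variables, not a real pool
    "USE_OAUTH2": "True",
    "OAUTH2_PROVIDER_NAME": "cognito",
    "OAUTH2_PROVIDER_HOST": "https://cognito-idp.example.amazonaws.com",
    "OAUTH2_PROVIDER_CLIENT_ID": "example-app-client-id",
    "OAUTH2_PROVIDER_CLIENT_SECRET": "",  # empty: public client, as in step 1
    "COGNITO_LOGIN_URL": "https://example.auth.example.amazoncognito.com/oauth2/authorize",
}

def validate_settings(s):
    """Return a list of misconfigurations; an empty list means the settings look sane."""
    problems = []
    if s.get("USE_OAUTH2") != "True":
        problems.append('USE_OAUTH2 must be the string "True"')
    for key in ("OAUTH2_PROVIDER_HOST", "COGNITO_LOGIN_URL"):
        if urlparse(s.get(key, "")).scheme != "https":
            problems.append(f"{key} must use https")
    if not s.get("OAUTH2_PROVIDER_CLIENT_ID"):
        problems.append("OAUTH2_PROVIDER_CLIENT_ID is missing")
    return problems

def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_login_url(s, redirect_uri, state, verifier):
    """Authorization code request with the openid scope, an anti-CSRF state and PKCE."""
    params = {  # state and verifier should come from secrets.token_urlsafe() per login
        "response_type": "code",
        "client_id": s["OAUTH2_PROVIDER_CLIENT_ID"],
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{s['COGNITO_LOGIN_URL']}?{urlencode(params)}"

def extract_code(callback_url, expected_state):
    """Accept the code only if Cognito echoed our state and reported no error."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting callback")
    return qs["code"][0]
```

The redirect_uri passed to build_login_url must be one of the Allowed Callback URLs from step 2, or Cognito rejects the request.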
Now you should be able to log in to Diffgram using Cognito. You will see a new button on the login screen that says "Login with SSO".
After clicking it you will be redirected to your OAuth provider, in this case Cognito.