...
SSO Providers:
Keycloak
Originally the plan was to use Keycloak for A&A (authentication and authorization):
...
[meeting] with OCIO where 4 other projects are also working on Jupyter notebooks front-end to PCMs. The topic was raised for FN and public access to be able to sign into ADE+PCM for on-demand use. As a heads up, OCIO is recommending to not use Keycloak and instead use AWS Cognito with some additional ELB proxies.
AWS Cognito
According to this StackOverflow post:
...
Role-based access control using Amazon Cognito and an external identity provider
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-identity-pools.html
JWT Tokens
Because AWS Cognito supports OpenID Connect, it issues each signed-in user an id_token, a refresh_token and an access_token. The id_token and access_token are JWTs signed by the user pool with RS256; the refresh_token is opaque to the client and should be handled as a credential, not parsed. Example of an access_token payload:
Code Block
{
"sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"device_key": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"cognito:groups": [
"admin"
],
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1562190524,
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_example",
"exp": 1562194124,
"iat": 1562190524,
"jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"client_id": "57cbishk4j24pabc1234567890",
"username": "janedoe@example.com"
}
Subject (sub)
The sub claim is a unique identifier (UUID) for the authenticated user. It is not the same as the user name, which may not be unique. Key any per-user authorization data on sub rather than on username or email.
Amazon Cognito groups (cognito:groups)
The cognito:groups claim is a list of groups the user belongs to (can be treated the same as roles). Only act on it after the token's signature, iss, token_use, client_id and exp have been verified: the payload is base64url-encoded, not encrypted, and an unverified token can claim any group.
Authentication time (auth_time)
The auth_time claim contains the time when the authentication occurred. Its value is a JSON number that represents the number of seconds since 1970-01-01T00:00:00Z, as measured in UTC. On refreshes, it represents the time when the original authentication occurred, not the time when the token was issued.
Issuer (iss)
The iss claim has the following format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
A resource server should compare it against the user pool it trusts and fetch that pool's signing keys from {iss}/.well-known/jwks.json, selecting the key by the kid in the token header.
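Before any of the REST APIs acts on cognito:groups it has to validate the token along the lines described above. The following is an added example written for this page, not code from the page, the project or AWS: a standard-library-only RS256 verifier that checks the signature against a JWKS, then iss, token_use, client_id and exp, and only then returns the claims. It assumes a fixed in-process demo key and a hand-built JWKS in place of the pool's published JWKS so it runs offline; the function names (verify_access_token, make_token, demo) and the kid "demo-kid" are hypothetical. In production, fetch https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json and use a maintained JOSE library rather than hand-rolled RSA.

```python
"""Added example (not from the page or AWS): verify a Cognito-style RS256 access token
with the standard library only. A fixed in-process key and a hand-built JWKS stand in
for the pool's real {iss}/.well-known/jwks.json so the block runs offline."""
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Demo-only signing key from two well-known Mersenne primes: deterministic and
# trivially factorable, it only stands in for the pool's key so the demo is offline.
_P, _Q, _E = 2**521 - 1, 2**607 - 1, 65537
_N, _D = _P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(n: int, d: int, msg: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def jwk_for(n: int, e: int, kid: str) -> dict:
    uint = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": uint(n), "e": uint(e)}

def make_token(claims: dict, kid: str) -> str:
    """Mint a token the way the pool would (demo only; real tokens come from Cognito)."""
    header = b64url_encode(json.dumps({"kid": kid, "alg": "RS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}." + b64url_encode(rsa_sign(_N, _D, f"{header}.{body}".encode()))

class TokenError(ValueError):
    pass

def verify_access_token(token: str, jwks: dict, expected_iss: str,
                        expected_client_id: str, now: int) -> dict:
    """Signature first, then iss / token_use / client_id / exp; returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # never let the token pick 'none' or an HMAC alg
        raise TokenError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rsa_verify(n, e, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != expected_iss:
        raise TokenError("wrong issuer")
    if claims.get("token_use") != "access":  # an id_token must not pass as an access token
        raise TokenError("not an access token")
    if claims.get("client_id") != expected_client_id:
        raise TokenError("issued to another app client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    return claims  # only now is cognito:groups safe to use for authorization

def demo() -> dict:
    """Constructed scenario: the page's example payload, signed by the demo key."""
    iss = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_example"
    client_id, kid, now = "57cbishk4j24pabc1234567890", "demo-kid", 1562190524
    jwks = {"keys": [jwk_for(_N, _E, kid)]}
    claims = {"sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "cognito:groups": ["admin"],
              "token_use": "access", "iss": iss, "exp": now + 3600, "iat": now,
              "client_id": client_id, "username": "janedoe@example.com"}
    token = make_token(claims, kid)
    h64, _, s64 = token.split(".")  # forged: payload edited, original signature kept
    forged_body = b64url_encode(json.dumps({**claims, "cognito:groups": ["admin", "root"]}).encode())
    cases = {"forged": (f"{h64}.{forged_body}.{s64}", now),
             "id_token": (make_token({**claims, "token_use": "id"}, kid), now),
             "expired": (token, now + 7200)}
    out = {"groups": verify_access_token(token, jwks, iss, client_id, now)["cognito:groups"]}
    for name, (tok, at) in cases.items():
        try:
            verify_access_token(tok, jwks, iss, client_id, at)
            out[name] = "accepted"
        except TokenError as exc:
            out[name] = str(exc)
    return out
```

Calling demo() returns the groups from the valid token and the rejection reason for three bad inputs: a payload edited to add a group (signature no longer matches), an id_token presented where an access token is expected, and the same token checked after exp. The order of checks matters: the signature is verified before any claim is read, so a forged payload never reaches the authorization logic.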
In the case (otello, mozart + grq2 REST APIs) where a user needs to obtain a set of tokens directly (with username + password), we can use boto3 to obtain them (as demonstrated in this StackOverflow post):
Code Block
import boto3

def authenticate_and_get_token(username: str, password: str,
                               user_pool_id: str, app_client_id: str) -> dict:
    # ADMIN_NO_SRP_AUTH sends the password to Cognito (over TLS) instead of running SRP.
    # It must be enabled on the app client, and the caller's AWS credentials need the
    # IAM permission cognito-idp:AdminInitiateAuth. If the app client has a client
    # secret, AuthParameters also needs a SECRET_HASH.
    client = boto3.client('cognito-idp')
    resp = client.admin_initiate_auth(
        UserPoolId=user_pool_id,
        ClientId=app_client_id,
        AuthFlow='ADMIN_NO_SRP_AUTH',
        AuthParameters={
            "USERNAME": username,
            "PASSWORD": password
        }
    )
    # Cognito may answer with a challenge (NEW_PASSWORD_REQUIRED, MFA, ...) instead of tokens.
    if 'AuthenticationResult' not in resp:
        raise RuntimeError(f"authentication challenge pending: {resp.get('ChallengeName')}")
    print("Log in success")
    result = resp['AuthenticationResult']
    # Return the tokens to the caller rather than printing them: they are bearer
    # credentials and do not belong in stdout or logs.
    return {"access_token": result['AccessToken'],
            "id_token": result['IdToken'],
            "refresh_token": result.get('RefreshToken')}