I'm trying to implement authN/authZ for my application using Spring Security 5.2.2 and the OAuth2/OpenID Connect protocols. I use AWS Cognito as an identity provider and I'm trying to implement role-based authorization for my application. I've created user groups in the AWS Cognito user pool. In the resource server, when I convert the access token, I use these groups (the "cognito:groups" claim in the access token) to build granted authorities for Spring Security, and I manage access in my application based on these groups.

Is this the correct use of AWS Cognito user groups?

Kirill
  • Hey @Kirill, what was your conclusion on that? I'm facing the same problem. – cristianoms Oct 19 '20 at 21:33
  • I created a custom mapper that converts Cognito user groups to roles. I also made a decorator for the Cognito token. But using Cognito was a mistake in our case because it has a lot of restrictions. These are the problems: 1. Cognito doesn't support CORS (at all) 2. very weak user interface customization 3. it's not possible to customize email templates 4. only a few of the user attributes are searchable – Kirill Oct 24 '20 at 13:48
  • @Kirill so have you abandoned Cognito? If yes, in favor of which vendor? Thanks! – cristianoms Oct 28 '20 at 13:06
  • @cristianoms I had no option to abandon Cognito at the point I met these restrictions. I added a custom filter before OAuth2AuthorizationRequestRedirectWebFilter to fix the problem with CORS and added a Redis cache so as not to load all the users every time. Maybe I would think about Keycloak – Kirill Oct 30 '20 at 05:56
  • Thanks for the heads up about its limitations. The bad thing about Keycloak is you'll have to host the whole thing, meaning database and application server. Have you come across any other SaaS solution? – cristianoms Nov 02 '20 at 13:09
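What the question describes, as an added example that is not code from the original post, from Spring Security or from AWS: a Spring Security 5.2 resource-server configuration that turns the `cognito:groups` claim into `ROLE_<group>` authorities with the built-in `JwtGrantedAuthoritiesConverter`, plus the two checks a practitioner would want next to it. Cognito issues both ID and access tokens signed with the same user-pool keys, and both carry `cognito:groups`, so the decoder below rejects anything whose `token_use` claim is not `access`; and because Cognito access tokens carry no `aud` claim, the app client is pinned via the `client_id` claim instead. The issuer URL, JWKS URL and app client id are assumed placeholders.

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@EnableWebSecurity
public class CognitoResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Assumed values: substitute your region, user pool id and app client id.
    private static final String ISSUER =
            "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE";
    private static final String JWKS_URI = ISSUER + "/.well-known/jwks.json";
    private static final String APP_CLIENT_ID = "example-app-client-id";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // hasRole("admins") matches the authority ROLE_admins, i.e. Cognito group "admins"
                .antMatchers("/admin/**").hasRole("admins")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs
                .jwt(jwt -> jwt
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(cognitoGroupsConverter())));
    }

    /** Maps each entry of the "cognito:groups" claim to a ROLE_<group> authority. */
    static JwtAuthenticationConverter cognitoGroupsConverter() {
        JwtGrantedAuthoritiesConverter groupsToRoles = new JwtGrantedAuthoritiesConverter();
        groupsToRoles.setAuthoritiesClaimName("cognito:groups"); // default would be "scope"/"scp"
        groupsToRoles.setAuthorityPrefix("ROLE_");               // default would be "SCOPE_"
        // A user in no group has no "cognito:groups" claim at all; the converter then
        // yields an empty authority set, so the request is authenticated but has no roles.
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(groupsToRoles);
        return converter;
    }

    /** Signature via the user pool JWKS, exp/nbf, issuer, and the Cognito-specific checks below. */
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                defaults, new CognitoAccessTokenValidator(APP_CLIENT_ID)));
        return decoder;
    }

    /**
     * Rejects Cognito ID tokens (same keys, same groups claim, but token_use = "id") and
     * access tokens minted for a different app client of the same user pool.
     */
    static final class CognitoAccessTokenValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedClientId;

        CognitoAccessTokenValidator(String expectedClientId) {
            this.expectedClientId = expectedClientId;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            if (!"access".equals(jwt.getClaimAsString("token_use"))) {
                return OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "not a Cognito access token", null));
            }
            if (!expectedClientId.equals(jwt.getClaimAsString("client_id"))) {
                return OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "token issued to another app client", null));
            }
            return OAuth2TokenValidatorResult.success();
        }
    }
}
```

Two things to keep in mind when relying on this. The groups claim reflects membership at the time the token was issued, so removing a user from a group takes effect only when their access token expires (or the app revokes it); size access-token lifetimes accordingly. And `hasRole("admins")` is a string match against the Cognito group name, so renaming a group in the user pool silently breaks the rule; keep the group names and the Spring rules under the same change control.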

0 Answers