i am using AWS Cognito as a custom provider, before i integrated aws cognito with spring security, where after successful login i took the id, access token and saved it in session. which worked fine. i did more research and now want to use the jwt token instead of session. i need help here
here is method that logs in a user in cognito
public String login(String username, String password, String userPoolId, String clientId, CognitoIdentityProviderClient client) {
logger.info("Login method called");
if (userPoolId == null || userPoolId.isEmpty()) {
userPoolId = awsCredentials.getCognitoPoolId();
}
if (clientId == null || clientId.isEmpty()) {
clientId = awsCredentials.getCognitoClientId();
}
AdminInitiateAuthRequest authRequest = AdminInitiateAuthRequest.builder()
.clientId(clientId)
.userPoolId(userPoolId)
.authFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
.authParameters(Map.of("USERNAME", username, "PASSWORD", password))
.build();
AdminInitiateAuthResponse response = client.adminInitiateAuth(authRequest);
if (response.authenticationResult() != null) {
String accessToken = response.authenticationResult().accessToken();
String idToken = response.authenticationResult().idToken();
logger.info("Login successful for user: {}", username);
return accessToken+ idToken;
} else {
throw new AuthenticationServiceException("Login failed: " + response.challengeName());
}
}
as you can see it returns tokens, I need a way to inform Spring Security that a user is authenticated using these tokens. how. i dont need to have custom jwt token since cognito provides it already. i just need a steps to fallow, the main goal is to make this server a centralized auth server where multiple client can register and login there account in aws cognito and get jwt tokens from this server to access spicific resources based on the scope they get in there account.
additional info
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.addFilterBefore(tokenValidationFilter, CognitoAuthenticationFilter.class)
.addFilterBefore(cognitoAuthenticationFilter(authenticationManager(http)), UsernamePasswordAuthenticationFilter.class)
.authorizeHttpRequests(auth -> {
auth.requestMatchers("/admin").hasAuthority("SCOPE_aws.cognito.signin.user.admin");
auth.requestMatchers("/emails").hasAuthority("SCOPE_research.admin");
auth.requestMatchers("/register", "/verify").permitAll();
auth.requestMatchers("/images/**").permitAll();
auth.anyRequest().authenticated();
})
.formLogin(form -> form
.loginPage("/login")
.permitAll())
.logout(logout -> logout
.logoutUrl("/logout")
.addLogoutHandler(customLogoutHandler)
.logoutSuccessUrl("/login?logout")
);
return http.build();
}
@Bean
public CognitoAuthenticationFilter cognitoAuthenticationFilter(AuthenticationManager authenticationManager) {
CognitoAuthenticationFilter filter = new CognitoAuthenticationFilter(cognitoAuthenticationProvider, authenticationManager);
filter.setAuthenticationManager(authenticationManager);
return filter;
}
@Bean
public AuthenticationManager authenticationManager(HttpSecurity http) throws Exception {
log.info("calling AuthenticationManager");
AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class);
builder.authenticationProvider(cognitoAuthenticationProvider);
return builder.build();
}
i did try this but after i loged in and AuthenticationManager > CognitoAuthenticationFilter > CognitoAuthenticationProvider was all seccessfull, but somehow even though i can see the seccessful login, spring secirity wont let me be authenticated
Stykle Sty is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1