AWS Cognito Support

[swiffer]

Hey there,

we're looking for Authentication of Users via AWS Cognito and JWT.

The current implemenation of the JWT Authenticator supports passing algorithm and secretKey arguments.

However AWS Cognito is making use of multiple secret keys and therefore resolution needs some additional steps upfront:

https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt#resolution

There is a sample implementation for laravel described on Medium

https://medium.com/@tsubasakondo_36683/verifying-cognito-jwt-with-laravel-d600096a2394

Would this be in the plugins scope to have a cognito authenticator implemented or does anyone know of a plugin that is doing this or should we implement a custom authenticator class for this use case?

This is an outdated plugin I found

https://github.com/awallef/cakephp-cognito-auth

Thanks a lot!

[markstory]

Would this be in the plugins scope to have a cognito authenticator implemented

I am reluctant to provide adapters for proprietary vendor integrations. We are not well equipped to support them as we don't have subscriptions to cloud services. I am guessing that the AWS flavour of JWT is not supported by the libraries we already use for JWT?

[dereuromark]

I would recommend making a custom plugin as an extension to this one
SImilar like I did as https://github.com/dereuromark/cakephp-ide-helper-extra for https://github.com/dereuromark/cakephp-ide-helper
This way this plugin stays independent from those.

[swiffer]

Ok - after doing a little more research this does not seem to be vendor specific. It's part of JWK which also is supported by firebase/php-jwt

• https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2
• https://github.com/firebase/php-jwt#using-jwks

It looks like the only real thing that needs to be changed is instead of passing a secretKey here is passing the result of JWK::parseKeySet() instead.

authentication/src/Authenticator/JwtAuthenticator.php

Line 164 in faf550e

$this->getConfig('secretKey'),

Additionally up for consideration: Should the JSON response of the public JSON Web Key (JWK) be stored in the config directly (changes are rarely) or should a url be stored and the authenticator is handling, download, cache and json parsing of the public keys.

From the AWS Docs:

Note
Downloading and storing the JWK for your user pool is a one-time step before your web API operations can process tokens. After doing so, you can perform the following steps each time the ID token or the access token is used with your web API operations.

[swiffer]

Maybe nothing needs to be changed at all - fetching the keys and parsing them via JWK::parseKeySet can be part of Application.php and the result can be passed as secretKey option to JwtAuthenticator.

[swiffer]

Had to make some minor changes - let me know what you think