This article focuses on how to setup an ODIC in Cognito and leverage Amplify Client to handle Authenticate and Authorization. The Amplify Client can handle flows needed to access a protected API Gateway using IAM Authorization. The Amplify CLI is used to create the following resources but is not required to use Amplify Client.
- API Gateway - Authorization via IAM
- Cognito UserPools & IdentityPools
- Lambda
- IAM Roles
- React App
- Cloudfront
- S3 Bucket
-
Client Authenticates w/ Identity Provider via Cognito OpenID Connect
- Upon successful authentication, Cognito will receive a code grant
- The code grant is negotiated for a JWT token with Okta
- A Cognito JWT token is returned to the application
- An STS token is also returned that is tied to a role that allows access to invoke ApiGateway
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
-
User makes a call to the backend resource (API Gateway)
- STS token is passed in Header
- Amplify Client handles API call
-
STS token is verified via IAM
- STS token is tied to IAM Role for permissions
-
API Gateway invokes Lambda and passes event
- Configure Amplify CLI https://docs.amplify.aws/cli/start/install/
- Install React Dependencies
npm install
- Init Amplify inside App root
amplify init
- Amplify add auth
amplify add auth
- Follow directions to add Okta OIDC https://aws.amazon.com/premiumsupport/knowledge-center/cognito-okta-oidc-identity-provider/
- Configure
/src/oidc-env.jsto hold Okta OIDC params - Amplify add api (API Gateway) with authenticated users only
amplify add api
- Start React App
npm start
- When testing is complete host app via Amplify
amplify add hosting
- Amplify Client Auth Library https://docs.amplify.aws/lib/auth/getting-started/
- Amplify Client Config Categories https://docs.amplify.aws/lib/client-configuration/configuring-amplify-categories/q/platform/js/#top-level-configuration-5
- Setup Okta OIDC with Cognito https://aws.amazon.com/premiumsupport/knowledge-center/cognito-okta-oidc-identity-provider/
- IAM for API Gateway https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
- AWS Amplify, Amazon Cognito, and an OpenID Connect Identity Provider https://aws.amazon.com/blogs/mobile/building-an-application-with-aws-amplify-amazon-cognito-and-an-openid-connect-identity-provider/