SSO Integration between 2 webapps using Cognito
We have a requirement where we need an external partner's users to be able to access our web application.
External Partner set up : Web app with Cognito User pool on their own AWS account
Our set up : React App with Cognito user pool (username/password authentication) on our AWS account.
The requirement is : Our partner's users will login into the partner's website. Once authenticated, they will land on the home page and see a link to our website. Upon clicking the link, our webapp must be launched in a new tab, users must be verified(probably provisioned in our Cognito prior to that) and allowed access to our applications home page without the need to sign in again.
Our app is a React SPA hosted using S3/Cloudfront. We have a app client for the UI set up in Cognito. When a user attempts to access the app, they are presented with a custom login screen. Once credentials are verified(done using Amplify Auth in the React App) tokens are created in local storage and used thereon to invoke REST APIs etc.
Therefore we need to replicate similar behavior for users accessing our site from the partners website.
Have been reading articles related to SSO / OAuth 2.0 / OIDC looking for information on:
Does the partner need to make any config changes to their user pool to achieve this ?
What changes do we need to make to our user pool ?
How should our webapp be accessed from the Partners website(GET on
our homepage or POST some info like a token etc..) ?What changes do we need to make in our UI App code to accommodate
this ?
Found a article that talks about federating 2 Cognito's :
But this set up means our partners users will have to sign in(using iDP federation) to access our app which is not the intended behavior(using SSO to be able to access both sites seamlessly).
If anyone has any solutions / pointers, kindly share, it will be much appreciated.
The link you posted shows the correct OIDC solution. What that link calls the "customer user pool" is really what you are calling your partner app. It is the OIDC identity provider. The login will not use your app, but will use the login page of the partner's website. The fact that the partner's website is implemented using Cognito is immaterial. The partner could be Facebook, Google, or some other OIDC provider. In any of these cases, your app initiates the login with the partner using OIDC, and once logged in the OIDC provider (partner) will send info back to you that you can use to establish the user, which is what is shown in step 12 of the diagram on the page you referenced--image copied here:
If the users have already logged in on the partner's website, then when your app initiates the step #2 request in that diagram (that is, you redirect their browser to the "authorize" endpoint to kick off the authentication process with the OIDC provider), the partner website will recognize them and won't force them to type their credentials in again. It will use the credentials they already established and will issue tokens back to your Cognito which your Cognito can and will use to identify and establish the users. They will show up in your Cognito with a Confirmation Status of "External provider."
The key point is that Cognito is an OIDC provider. So you can integrate it just like you can with any OIDC provider.
- The partner will need to give you a client ID/secret to use when you set up your federated identity provider in Cognito. So yes, they will need to set up a client for your app.
- You will need to set up a federated identity provider in your pool. You will use the info provided above along with other details like the issuer URL and potentially other endpoints to do this.
- You can give the partner website a URL to your web app that will initiate the "authorize" flow (i.e. will redirect the browser to the authorize endpoint).
- Your app code may need to be updated with a page that the partner web app can target which will initiate the login process (i.e. redirect to the "authorize" endpoint).
- How to access parent ref from child
- How do i define the fib() function, which returns the next Fibonacci number after each call?
- A returned Promise with Fetch doesn't respond to .then()
- How to trigger inline script onload?
- How to get index of an array element in click event with JavaScript
- Line 6 of this Javascript program is confusing me
- How to use Lightbox on AJAX loaded content
- How to increase quality on a PixiJS canvas?
- is it possible to install canvas with M1 chip
- Executing Javascript from Python
- regex to match HTML <p ...> tag
- How to swap two variables in JavaScript
- Primitive value vs Reference value
- Why would one use a logical AND expression (using the `&&` operator, double ampersand) as a stand-alone statement?
- Error copying 2d array contents to Google Sheets column
- how to pass values to :nth-child() css selector in cypress
- How to validate email by whitelist domain regex
- Passing checkbox value to show / hide Password via react native
- MUI with Preact & HTM No Build Setup
- Drag and drop items from different groups
- In React, what's the difference between onChange and onInput?
- Accessing http status code constants
- Next.js middleware Module not found: Can't resolve 'fs'
- How to parse JSON response in Google App Script?
- Chaining on an Array.find() in JavaScript
- NextJS - Update data object being passed into Child Component based on Button Click
- Close Modal when clicked on other div
- Convert relative path to absolute using JavaScript
- React Hook Warnings for async function in useEffect: useEffect function must return a cleanup function or nothing
- Add A Year To Today's Date