Cognito authentication
What is it
Cognito is a single sign-on system from AWS. It allows multiple apps to accept authentication from the same set of user accounts. It separates the management of users and permissions from the applications that use them.
Why we use Cognito
We're invested in AWS, so we might as well use this too.
How we implement it
We're following the implementation from the djangostar tutorial.
These are the steps involved:
- Backend downloads JWKS from Cognito User Pool on launch
- User submits credentials and gets id_token and access_token
- User sends request with token
- Backend verifies token and processes request
- User gets response from authenticated API
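The verification step in the list above is where the security lives: the backend has to find the right public key in the JWKS by the token's `kid`, check the signature, and only then validate the claims. The following is an added example, not code from the VRMS project or the tutorial. To run offline with no third-party packages it generates its own toy RSA key and mints tokens in place of Cognito; a real backend would fetch `/.well-known/jwks.json` on launch and use a JWT library. The pool id, app client id and `kid` values are constructed placeholders.

```python
"""Cognito-style JWT check: kid lookup in the JWKS, RS256 signature, then claims."""
import base64, hashlib, hmac, json, random, time

# ---- Toy RSA stand-in (constructed; never use for real key generation) ----
# Cognito publishes 2048-bit RSA public keys at
#   https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits=1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes (RFC 8017)."""
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _int_bytes(i):
    return i.to_bytes((i.bit_length() + 7) // 8, "big")

def jwks_for(key, kid):
    """One entry in the shape of Cognito's jwks.json (public parts only)."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _b64url(_int_bytes(key["n"])), "e": _b64url(_int_bytes(key["e"]))}]}

def issue_token(claims, key, kid):
    """Mint a token the way the user pool would (stands in for Cognito)."""
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "kid": kid}) + "." + compact(claims)
    k = len(_int_bytes(key["n"]))
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + _b64url(pow(em, key["d"], key["n"]).to_bytes(k, "big"))

# ---- Backend side: what "Backend verifies token" has to do --------------------
class TokenError(Exception):
    pass

def bearer_token(authorization_header):
    """Pull the token out of 'Authorization: Bearer <token>'."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing Bearer token")
    return token.strip()

def verify_access_token(token, jwks, issuer, client_id, now=None):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_unb64url(h_b64))
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise TokenError("kid not in JWKS")  # after key rotation: refetch JWKS, retry once
    # Pin the algorithm to the JWKS entry; never let header["alg"] alone decide.
    if jwk.get("alg") != "RS256" or header.get("alg") != "RS256":
        raise TokenError("unexpected alg")
    n = int.from_bytes(_unb64url(jwk["n"]), "big")
    e = int.from_bytes(_unb64url(jwk["e"]), "big")
    k, sig = len(_int_bytes(n)), _unb64url(s_b64)
    if len(sig) != k:
        raise TokenError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(p_b64))  # trusted only now that the signature holds
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("token_use") != "access":  # an id_token also verifies; reject it here
        raise TokenError("id_token presented where an access_token is required")
    if claims.get("client_id") != client_id:
        raise TokenError("token issued to a different app client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    return claims

# Constructed placeholders for the vrms-dev pool and the "backend" app client.
ISSUER = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLEPOOL"
CLIENT_ID, KID = "constructed-app-client-id", "constructed-kid-1"

def demo(now=1_700_000_000):
    key = generate_rsa_key()
    jwks = jwks_for(key, KID)  # in the real backend: downloaded on launch
    good = issue_token({"sub": "user-123", "iss": ISSUER, "client_id": CLIENT_ID,
                        "token_use": "access", "exp": now + 3600}, key, KID)
    claims = verify_access_token(bearer_token("Bearer " + good), jwks, ISSUER, CLIENT_ID, now)
    id_tok = issue_token({"sub": "user-123", "iss": ISSUER, "aud": CLIENT_ID,
                          "token_use": "id", "exp": now + 3600}, key, KID)
    rejected = {}
    for name, tok in [("tampered", good[:-6] + "AAAAAA"), ("id_token", id_tok),
                      ("expired", issue_token({**claims, "exp": now - 1}, key, KID))]:
        try:
            verify_access_token(tok, jwks, ISSUER, CLIENT_ID, now)
        except TokenError as err:
            rejected[name] = str(err)
    return claims["sub"], rejected

if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before any claim is read, `token_use` is checked so an `id_token` cannot be swapped in for an `access_token`, and the algorithm is taken from the JWKS entry rather than from the token header.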
Current Dev Setup
- Created an app client called "backend" within the vrms-dev user pool, with ALLOW_ADMIN_USER_PASSWORD_AUTH enabled
- "Domain Name" is already created at https://hackforla-vrms-dev.auth.us-west-2.amazoncognito.com
- In "App client settings", enabled the Implicit grant flow and the openid scope, with Callback URL http://localhost:8000/admin
How it works now with the dev user pool and local development backend
- Create a cognito user and login from the Hosted UI (from App client settings). Successful login will redirect to localhost:8000/admin with the necessary tokens
- Take the access_token from the URL and make a GET request to http://localhost:8000/api/v1/me (Headers: key=Authorization, value=Bearer followed by a space and the access_token)
- Backend should return the user's profile data
Notes
The tutorial is 2 years old now (from 2020) and some changes have been made since then.
- We created an app client in Cognito for the backend to interface with. ALLOW_ADMIN_USER_PASSWORD_AUTH is the new name for the old ADMIN_NO_SRP_AUTH setting. Reference
- In the custom User model step, the `ugettext_lazy` import is `gettext_lazy` in Django 4.0 Reference
- The tutorial steps don't include instructions to test each step, so it is largely a matter of following along blindly, with the help of linters, until the last step.