
AWS Cognito JWT attribute-based routing

I'm new to AWS and its services. What I want to achieve is a multi-tenancy SaaS application. What my concept looks like: I use Cognito for user authentication. There all users, no matter what tenant they belong to, should use one frontend to log in. For the tenant recognition I use a custom attribute "custom:tenant" which I get from the JWT when the login is successful. For the application itself I want to use VPCs, and to ensure encapsulation each tenant should have their own VPC.

Example:

  • User A of Tenant 1 logs in and gets back a JWT with claim "custom:tenant":"1"; they should be routed to VPC 1
  • User B of Tenant 2 logs in and gets back a JWT with claim "custom:tenant":"2"; they should be routed to VPC 2

Now my question is: how do I achieve this routing from the successful login to the appropriate VPC? Do I need further services for that, or where do I find these settings?

Soteri asked Dec 01 '21 12:12



1 Answer

There is a standard content-based routing technique for routing based on the contents of JWTs. This type of thing is usually managed by a reverse proxy or API gateway placed in front of APIs, which runs some custom logic to read the JWT and route accordingly. This also keeps the plumbing outside of application components.

EXAMPLE

Here is an NGINX example coded in Lua, a high-level scripting language, to read the JWT and extract a claim. In this example it is a zone, whereas in your case it is a tenant ID:

  • NGINX Configuration
  • NGINX Plugin Code
  • Architecture Article

PREREQUISITES

Not all middleware supports this type of routing though. E.g. you won't be able to do it in a simple load balancer. One option might be to use NGINX as a cloud-managed service, though it will cost money. A good gateway in front of APIs is an important architectural component though, so see if your company feels it is worth investing in.

Gary Archer answered Nov 15 '22 05:11