
Add AWS Cognito as IdP with Multiple Organization Support

Open gsollazzo opened this issue 6 years ago • 5 comments

This adds one more authentication method via AWS Cognito, based on the JWT integration (see merged pull request #2768).

Example config:

REDASH_JWT_LOGIN_ENABLED: "true"
REDASH_JWT_AUTH_ALGORITHMS: "RS256"
REDASH_JWT_AUTH_PUBLIC_CERTS_URL: "https://cognito-idp.[region].amazonaws.com/[User Pool ID]/.well-known/jwks.json"
REDASH_JWT_AUTH_AUDIENCE: "[APP ID]"
REDASH_JWT_AUTH_ISSUER: "https://cognito-idp.[region].amazonaws.com/[User Pool ID]"
REDASH_AWS_COGNITO_ENABLED: "true"
REDASH_AWS_COGNITO_REGION: "eu-central-1"
REDASH_AWS_COGNITO_BASE_URL: "https://[custom-url].auth.[region].amazoncognito.com/"
REDASH_AWS_COGNITO_ORG_ATTRIBUTE: "custom:organization_name"
REDASH_HOST: "http://localhost:5000"
REDASH_PASSWORD_LOGIN_ENABLED: "false"
REDASH_MULTI_ORG: "true"

When we get a user from AWS Cognito as a JWT, it matches the user by email+organization in the database and logs in. If we don't have a user with this email in the database, and the organization exists, then it will be created.

gsollazzo, Dec 26 '18 18:12

Hello guys,

Do you know when Cognito support will be pushed to the master branch and AWS AMI images?

ivanpetrushev, Mar 25 '19 12:03

bump

cjangrist, Jul 11 '19 00:07

Great feature, we need it merged!

christophlingg, Nov 03 '19 06:11

Will this get merged in 9.0? And this is not supported if we try to use the UI separately, as mentioned in this link: https://redash.io/help/open-source/dev-guide/remote-server

techwavein, Nov 21 '19 06:11

We want to use this feature! Please merge it.

seiyeah78, Jul 07 '22 06:07

@gsollazzo, thanks for the PR! We've updated a lot of things now that we're Community-driven so - if you're still interested in getting this merged - would you mind rebasing off master to re-run the CI, as well as updating merge conflicts?

We're trying to clean up our PR todo list, so if you're not interested, that's fine - we'll close the PR in about a week if we don't hear back. If you're interested in reopening the PR afterwards, we would also very much welcome that.

guidopetri, Jul 15 '23 19:07

In the initial PR submission it has this:

If we don't have a user with this email in the database, and the organization exists, then it will be created.

That sounds like a potential security problem to me. Hopefully I'm misunderstanding something? :smile:

justinclift, Jul 17 '23 07:07
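
The match-or-create flow described in the PR, sketched with checks that bound when an account may be auto-created; this is an added example, not the PR's or Redash's code. It assumes the token's signature was already verified against the JWKS URL, and `resolve_user`, `Org.auto_create_domains`, the in-memory stores and all sample values are hypothetical.

```python
from dataclasses import dataclass, field

ORG_ATTRIBUTE = "custom:organization_name"  # REDASH_AWS_COGNITO_ORG_ATTRIBUTE in the example config


@dataclass
class Org:
    slug: str
    # Hypothetical per-organization setting: email domains allowed to auto-provision.
    auto_create_domains: set = field(default_factory=set)


class LoginRejected(Exception):
    """Raised when the claims must not result in a login or a new account."""


def resolve_user(claims, orgs, users, issuer, audience):
    """Map signature-verified Cognito ID token claims to (org_slug, email, created).

    orgs is a dict slug -> Org and users a set of (org_slug, email) pairs;
    both are in-memory stand-ins for the database.
    """
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise LoginRejected("issuer/audience mismatch")
    if claims.get("token_use") != "id":
        raise LoginRejected("not an ID token")
    email = (claims.get("email") or "").strip().lower()
    if not email or claims.get("email_verified") is not True:
        raise LoginRejected("email missing or unverified")
    org = orgs.get(claims.get(ORG_ATTRIBUTE))
    if org is None:
        raise LoginRejected("unknown organization")
    key = (org.slug, email)
    if key in users:
        return org.slug, email, False  # existing user: plain login
    # New user: the organization existing is not enough, it must opt in per domain.
    if email.rpartition("@")[2] not in org.auto_create_domains:
        raise LoginRejected("auto-provisioning not allowed for this domain")
    users.add(key)
    return org.slug, email, True


# Constructed sample data (not from the page).
ISSUER = "https://cognito-idp.eu-central-1.amazonaws.com/EXAMPLE_POOL"
AUDIENCE = "example-app-id"
ORGS = {"acme": Org("acme", {"acme.example"}), "beta": Org("beta")}
USERS = {("acme", "alice@acme.example")}
BASE = {"iss": ISSUER, "aud": AUDIENCE, "token_use": "id", "email_verified": True}
```

Whether a user can set `custom:organization_name` on their own profile depends on the app client's attribute write permissions in the user pool, so that setting matters as much as the check above.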