Cognito Auth integration

Open MartinTechy opened this issue 2 years ago • 18 comments

Cognito Integration for Redwood

This PR aims to add a new Cognito Auth integration.

I wanted to use AWS Cognito for my project but saw there was no integration yet. After seeing that #3562 was abandoned and that I was not the only one wanting to use Cognito for Authentication I decided to take the matter in my own hands.

This PR takes a lot of @josuablejeru's work and adds the missing pieces. So big thanks for the initial work!

How it will work

  1. Create a user pool on AWS.
  2. Run yarn rw setup auth cognito
  3. Add COGNITO_USERPOOL_ID and COGNITO_CLIENT_ID to your .env file

RBAC is based on the Cognito user groups without IAM Roles

Missing pieces

What's left to do:

  • [x] forgotPassword implementation
  • [x] resetPassword implementation
  • [x] Documentation
  • [ ] Fix the breaking tests

Feel free to comment if I'm missing something

MartinTechy avatar Jun 11 '22 15:06 MartinTechy

Deploy Preview for redwoodjs-docs ready!

Name Link
Latest commit 7ed3bdcd91f56fc5cbac07e9894beaddb0620f9e
Latest deploy log https://app.netlify.com/sites/redwoodjs-docs/deploys/62c028c32402a30008eacb68
Deploy Preview https://deploy-preview-5745--redwoodjs-docs.netlify.app

netlify[bot] avatar Jun 11 '22 15:06 netlify[bot]

A few questions for the maintainers:

  • I don't see any function in AuthClient allowing a manual confirmation of an Account. Is it supposed to be part of the login flow? Where, if you try to log in with an account that is not confirmed yet, you can pass a confirmation code along with your credentials to confirm your account and log in?
  • Is there any plan to type the useAuth hook and the values it returns? I use TypeScript a lot and would love to have some validation and autocompletion there 😄

MartinTechy avatar Jun 11 '22 15:06 MartinTechy

@MartinTechy thanks for your work! 💪 I'm glad to see someone put in the effort to finish this feature. Let me know if you need any support on some of the missing features. 🚀

josuablejeru avatar Jun 11 '22 16:06 josuablejeru

Thank you @MartinTechy for taking this to the finish line! Perfect timing! My project requires AWS Cognito as well, so I'll be helping you finish this. For your earlier question:

I don't see any function in AuthClient allowing a manual confirmation of an Account. Is it supposed to be part of the login flow? Where, if you try to log in with an account that is not confirmed yet, you can pass a confirmation code along with your credentials to confirm your account and log in?

I ran into the same problem when trying to handle the AWS side of the SDK. Docs for the AWS Cognito SDK: view the README for the docs

confirmRegistration(): Called after the user inputs the email/SMS verification token after signup
ResendConfirmationToken(): Resends the post-signup registration token
globalSignout(): Signs out of all devices

There's a handful of additional convenience functions that the AWS SDK exposes, but Redwood doesn't account for them in its AuthClient interface.

So I did some digging on who worked on the resetPassword, forgotPassword, validateResetToken part of the AuthClient interface, since it's right up our alley for the AWS Cognito Auth SDK, and it was our favorite @cannikin while working on dbAuth. I did some more digging and found an insightful thread regarding this. A post by @dthyresson caught my attention:

FYI I read SSO as single sign in not social login, but I assume you are asking to support third party auth over OAuth in dbAuth. Personally, this is a slippery slope towards implementing full-featured authentication service inside Redwood and is something I am not in favor of. If you are not careful you’ll have to build soooo much. Mail. Password strength. Auditing. Admin api. Callback whitelisting. App and user metadata. Multiple identity provider support. Account blocking. Login attempt anomaly detection. IP address spoof detection. Token refreshing. Then you’ll want passwordless and magic link. And then SMS one time password authentication. And then support multiple phone providers. Oh and then 2FA or even MFA. And then you’ll have to do GDPR protection on all your user profile data. And what happens if your password salt is compromised? Or you leak the hashes? Where will it end? I see dbAuth as a light weight and limited alternative to the authentication as a service providers and one that should be used with some understanding of its limitations. It’s nice to get you started. Authentication isn’t just a user record in a database. It’s a product.

TLDR: With this AWS Cognito integration, I think we are at the exact point where it becomes a slippery slope with auth.

We should grab the AWS client directly from { client } = useAuth() and directly call the relevant functions in our components. If dbAuth ever updates itself with more auth logic, we can start refactoring.

I vote for bypassing RW's AuthClient interface for using all of the extra little features in AWS Cognito. I'm super curious to hear other people's opinions.

Leon-Sam avatar Jun 15 '22 12:06 Leon-Sam

@Leon-Sam Thanks for your input!

I vote for bypassing RW's AuthClient interface for using all of the extra little features in AWS Cognito.

I was slowly coming to the same conclusion. The basic functionality is there and we give the user a way to implement the more complex cases.

IMO as long as we document it correctly it will be fine.

Do you have an opinion on managing the roles with the Cognito user groups? It felt like the easiest and most straightforward way to add role support

MartinTechy avatar Jun 15 '22 19:06 MartinTechy

I might need some help to fix these tests. I spent some time trying to find where these "Only absolute URLs are supported" errors come from and why they only appear after my changes but couldn't pinpoint the cause 🤔

MartinTechy avatar Jun 15 '22 22:06 MartinTechy

Sounds like a plan. Here's my current to-do list. Work is a little busy right now, but I plan on getting to this over the weekend. If you're waiting on me for this, feel free to get ahead and I'll pull down any updates

  1. Set up logic to verify the JWT on the api side (Mission critical) Docs
  2. Merge the work @MartinTechy and @ManavDia did in #5765 (Where it makes sense)
  3. Make the tests pass in this PR

Edit: For the roles: I haven't got to thinking about that yet. I'll report back once I have a better grasp on the api side

Leon-Sam avatar Jun 16 '22 12:06 Leon-Sam

I just added the JWT verification on the API side so I think I'll open the PR for review as I estimate that it is ready feature wise.

I was also thinking about creating a post on the forum about the tests breaking to reach more people. In the meantime here are my findings:

  1. The tests fail only when the Cognito integration is added in the authClients/index.ts file
  2. The failing tests seem to be using the custom authentication mode
  3. The tests fail because the text "Only absolute URLs are supported" is found instead of "Log Out", due to an error
  4. This line is triggering the error
  5. I checked the result from this.getApiGraphQLUrl() and it is the same both when the tests run with Cognito added to the authClients and without Cognito

That's what I have for now, maybe it'll help someone to find the issue

MartinTechy avatar Jun 16 '22 22:06 MartinTechy

Hey MartinTechy,

Work made a change on our Redwood project, and we switched auth providers (Azure AD B2C). I spent my weekend adding compatibility for that: #5781. I'm going to spend my "open source time" to take that one to the finish line. Once that is done, I'll circle back here and help you close this out. This might take a couple weeks on my end.

Leon-Sam avatar Jun 20 '22 16:06 Leon-Sam

Hi Martin if I can give you a hand please let me know. My branch had most of the functionality except the decoder.

ManavDia avatar Jun 29 '22 00:06 ManavDia

@ManavDia I think the only missing piece is this failing test so if you have an idea why it's failing I would take it 😅

Someone on the Discourse mentioned that @dthyresson should be able to help troubleshoot

MartinTechy avatar Jun 29 '22 08:06 MartinTechy

Hey @MartinTechy. Super stoked by the collaboration happening in this thread! @ManavDia I saw your PR too. There has been and still is some real interest around integrating cognito auth, and we've yet to get back to you, so thanks for your patience and persistence!

We just discussed this PR and a few others that add auth providers today. Redwood already has quite a few auth providers, and as we add more, the cost of maintaining them all is in the back of our minds. A post-v1 goal of ours was to decouple auth. We haven’t made headway on it yet, cause other things (many other things), but given the activity around this PR, we’re going to prioritize figuring out what "decoupling auth" would mean this week. I.e. exactly how much work is it, and once we know that, when could we get it done?

If it turns out that decoupling auth is months of work, we’ll prioritize getting this one in. But if we think we can do it soon, we’re going to ask you to wait till we’ve got that figured out. But we've kept you in suspense long enough so we're timeboxing ourselves a bit: we'll let you know by ~next week. Till then you're welcome to continue working on this one, or you can wait till you hear back from us. Thanks for taking the time to contribute!

jtoar avatar Jul 05 '22 19:07 jtoar

Hi @jtoar, thanks for your message!

I have no problem waiting a few days for the decision about decoupling. I personally think it would totally make sense to do it but I have no idea of the workload it would represent 😅

I think that except for this failing test, all the work needed is done on this PR. But let me know if I missed something!

MartinTechy avatar Jul 08 '22 20:07 MartinTechy

Hey @MartinTechy, thanks for your patience! We’ve done the preliminary work around decoupling auth. The team feels good about it, so we’re going to move ahead with that. But instead of asking you to just wait for us to finish, we’d like to invite you to collaborate with us on this. No pressure—totally optional! And while we’re still working out all the details, we think that this would mean the following:

  • You’ll be given access to a new redwoodjs GitHub repo to develop against (in this case, something like redwoodjs/cognito). This would eventually be a package published to npm
  • You’ll basically do what you did in this PR, but in that repo against a new auth API. You’ll collaborate with us by using and giving us feedback about the new auth API because we want to make sure it’s easy to use

I'm sure you still have questions, but are you open to trying something like that out? Let us know and we'll circle back when we have it all ironed out.

jtoar avatar Jul 16 '22 11:07 jtoar

Hey @jtoar, I would love to be part of that project and the discussions around it!

Just let me know what I can do

MartinTechy avatar Jul 16 '22 22:07 MartinTechy

Hi @jtoar,

Is there any update on this?

MartinTechy avatar Sep 01 '22 19:09 MartinTechy

Hi @MartinTechy We're currently working on restructuring our entire auth sub-system over here https://github.com/redwoodjs/redwood/pull/5985

The web/front-end part of it is in pretty good shape. I'm currently working on the setup scripts. After that I (or someone else) has to take on the api/back-end side of things. We've done some experimentation, but haven't started working on it yet.

I don't like doing estimates, because it always just leaves people feeling disappointed. But do check back in about a week or so and see how far along we are on #5985. As soon as it's merged into main it would be great if we could get some help validating our new implementation by having someone like you try to implement a new auth provider as an external package 🙏

Tobbe avatar Sep 02 '22 07:09 Tobbe

@Tobbe Thank you for your quick answer!

I didn't see this PR so I'll keep an eye on it. I'll definitely be in to try to implement the Cognito auth with this new system. Let me know if you need some help in the meantime

MartinTechy avatar Sep 02 '22 14:09 MartinTechy

@MartinTechy just a notice that #5985 has been merged, should you be ready to move this forward, there is interest 👍🏻

noire-munich avatar Oct 24 '22 17:10 noire-munich

@noire-munich Yes just saw that the other day. I was thinking that it would be better to wait for the official release before working on it but maybe that's not the right approach.

@Tobbe what do you think about this? Is everything ready to start on new implementations? You mentioned every provider would be implemented in its own separate package; is there any example I could follow? I see that the current providers still live in the main Redwood repo

MartinTechy avatar Nov 02 '22 21:11 MartinTechy

I feel like the api is pretty stable. So you could totally get started if you wanted. BUT we do plan to move things to their own separate packages, and we're not there yet. We might even end up making a release with the auth providers where we have them now, and then move them later. It's a tradeoff between getting things out faster vs forcing our users to deal with two major releases with auth changes in both of them. I think we're leaning towards moving them before releasing, if not to their final place, then at least to somewhere where the next upgrade would be easier. As far as examples go, I hope all of them could serve as an example the way they are right now. But we don't have any docs yet. We'll add docs before we release this.

Tobbe avatar Nov 02 '22 21:11 Tobbe

What @Tobbe says 👍🏻

noire-munich avatar Nov 03 '22 14:11 noire-munich

In that case I will wait for the official release and use the same implementation as the other packages (and do the migration later if needed).

MartinTechy avatar Nov 09 '22 21:11 MartinTechy

I'm cleaning up our PRs in preparation for the next major version of RW. This one seems to have gone stale, so I'm going to close it. I really appreciate the work that's gone into this PR 🌟

If anyone is still interested in working on this feature or if there are any unresolved issues, please feel free to:

  1. Reopen this PR: If there are specific changes or updates needed.
  2. Create a new PR: In case you'd like to start fresh or make significant modifications.

Let's keep the collaboration going 🚂 If you have any questions or need assistance, don't hesitate to reach out. Thanks again for the contributions 🙏

Tobbe avatar Dec 17 '23 10:12 Tobbe