Use Spring Resource Server with AWS Cognito



What is the resource server?

The resource server is the OAuth 2.0 term for your API server. For example, your company might run servers such as a user details server, an invoices server, and an order server. These servers implement the use cases of your business.

These resource servers can be secured using AWS Cognito:
  • First, the application obtains an access token from Cognito.
  • Then, the token is included in the request header.
  • Finally, the application calls the resource server with that header.
Figure: Access server-side resources

How to implement it?

You can use Spring Boot to develop resource servers.

Dependencies

  • Spring Boot: 2.4.0-M1
  • OpenJDK 11

Step 1

Add spring-security-oauth2-resource-server as a dependency and set jwk-set-uri and issuer-uri in your properties file.


Get the jwk-set-uri and issuer-uri values from the AWS Cognito console: take the user pool id from the user pool and construct the URLs from that id and the region.
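An example application.properties for Step 1, added here and not the post's own file. The two keys are Spring Boot's standard resource-server property names; ${ISSURI} and ${JWKSETURI} are resolved from the -D VM arguments listed at the end of the post, and the region and user pool id placeholders are assumptions you replace with your own values. server.port=89 matches the curl example further down. With Maven, the spring-boot-starter-oauth2-resource-server starter pulls in spring-security-oauth2-resource-server together with the JOSE support needed to decode the JWT.

```properties
# Added example (not the post's file). Resource-server settings for Spring Boot 2.4.
# ISSURI / JWKSETURI come from the -D VM arguments; the fallback values after the
# colon are placeholders, <region> and <user-pool-id> must be replaced.
spring.security.oauth2.resourceserver.jwt.issuer-uri=${ISSURI:https://cognito-idp.<region>.amazonaws.com/<user-pool-id>}
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${JWKSETURI:https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json}

# Port used by the curl test at the end of the post.
server.port=89
```

Keeping both keys is deliberate: jwk-set-uri tells the decoder where to fetch the signing keys, and issuer-uri is what the issuer check in the JwtDecoder compares the token's iss claim against, so a token signed by a different user pool is rejected even if its signature verifies against some other key set.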

Figure: User pool


Step 2

Configure Spring security.

The "/status" route has no security restrictions, but all other routes are secured.

Step 3

Enable Cognito groups in Spring so you can add restrictions based on the user's role/group. To do this, we need to add a JwtDecoder and a Converter.

The JwtDecoder is used to configure the validations (for example, the token validity window).
The Converter adds the cognito:groups claim as authorities on the authenticated principal.

Now you can restrict access to your routes with the @PreAuthorize annotation. I have ROLE_USER, ROLE_ROASTER, and ROLE_ADMIN groups in my AWS Cognito user pool.
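Steps 2 and 3 together, as an added example that is not code from the original post or its GitHub repository. It assumes Spring Boot 2.4 / Spring Security 5.4 (the WebSecurityConfigurerAdapter style of that version), reads the two properties from Step 1, and adds one check the post does not mention: tokens whose token_use claim is not "access" are rejected, so a Cognito ID token cannot be presented in place of an access token. The package name, the /admin/report route, the JSON bodies and the 30-second clock skew are assumptions.

```java
package com.example.resourceserver; // hypothetical package name

import java.time.Duration;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    // Step 2: "/status" is open; every other route needs a valid Cognito access token.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(authz -> authz
                .antMatchers("/status").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(jwtAuthenticationConverter())));
    }

    // Step 3a: JwtDecoder. The signature is verified against the user pool's JWK set;
    // the validators check the validity window (30 s clock skew, an assumption),
    // the issuer, and that this is an access token rather than an ID token.
    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> accessOnly = this::requireAccessToken;
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(Duration.ofSeconds(30)),
                new JwtIssuerValidator(issuerUri),
                accessOnly));
        return decoder;
    }

    // Cognito sets token_use=access on access tokens and token_use=id on ID tokens.
    private OAuth2TokenValidatorResult requireAccessToken(Jwt jwt) {
        if ("access".equals(jwt.getClaimAsString("token_use"))) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "token_use must be 'access'", null));
    }

    // Step 3b: Converter. The Cognito groups (ROLE_USER, ROLE_ROASTER, ROLE_ADMIN)
    // already carry the ROLE_ prefix, so the prefix is left empty and hasRole('ADMIN')
    // matches the ROLE_ADMIN group.
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter groups = new JwtGrantedAuthoritiesConverter();
        groups.setAuthoritiesClaimName("cognito:groups");
        groups.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(groups);
        return converter;
    }
}

// Hypothetical controller: the open route from the post plus one group-restricted route.
@RestController
class StatusController {

    @GetMapping("/status")
    public String status() {
        return "{\"status\":\"UP\"}";
    }

    @GetMapping("/admin/report")
    @PreAuthorize("hasRole('ADMIN')") // members of the ROLE_ADMIN group only
    public String adminReport() {
        return "{\"report\":\"visible to ROLE_ADMIN\"}";
    }
}
```

A request to /status succeeds without a token, a request to /admin/report with no token or an expired token gets 401 from the resource server filter, and a valid access token for a user outside ROLE_ADMIN gets 403 from @PreAuthorize; the token_use check means an ID token, which also validates against the same JWK set and issuer, is refused as well.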


Final Step

The final step is to add resource servers to Cognito. In this step, you add the URL of your API to Cognito.

Figure: Define resource servers

Update 1: 2020/02/01 bug fixes. Check GitHub.

How to test: send the token in the Authorization header as a Bearer token. See the example below.

curl -X GET "http://localhost:89/status" -H "accept: application/json" -H "Authorization: Bearer <access_token>"

The token is included in the header. Notice the "Bearer" followed by a whitespace before the token.


When testing the application, use these VM arguments:
-DISSURI=https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxxxxxxxxxx
-DJWKSETURI=https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxxxxxxx/.well-known/jwks.json
