How to integrate Java Spring Boot application with AWS Cognito using OIDC?
In this blog, I will explain how to integrate a Spring Boot web app with AWS Cognito. Spring Boot is one of the most widely used frameworks in the Java world, and AWS Cognito is one of the most widely used identity providers.
Use Case
Many organizations around the world build web applications using the Spring framework. All of these applications require some kind of authentication. AWS Cognito is an IDaaS service that supports the OpenID Connect (OIDC) protocol. Spring Boot applications can be integrated with AWS Cognito for user authentication.
Architecture
- The user enters the Spring Boot web app URL in the browser.
- If the user has not already logged in, i.e. there is no active session, the web app redirects the user to the Cognito /oauth2/authorize endpoint.
- Cognito displays the hosted UI login page.
- The user enters the credentials (username / password).
- Cognito validates the credentials after the user clicks the login button.
- If the credentials are valid, Cognito redirects to the Spring Boot web app's redirect_uri with an authorization code as a URL query parameter.
- The Spring Boot web app calls the /oauth2/token API to get the ID, access and refresh tokens.
- Cognito returns the tokens if the authorization code and the other parameters are valid.
- Spring Boot validates the tokens and creates a session for the user.
- The app displays the home page. The app can have business logic based on the ID or access tokens to show or hide features for the user.
How to configure a Spring Boot app to use Cognito as the Identity provider
Key points to note
- I followed the instructions in this Spring blog to set up the Spring Boot app. Please note that some of the steps are outdated.
- Please refer to this official Spring documentation to configure an OIDC provider.
- Spring Boot provides out-of-the-box support for OIDC integration. It takes care of URL redirection, token validation, session creation, etc.
- There are multiple ways to configure the IdP URLs in the application.yml file. The easiest way is to configure just “spring.security.oauth2.client.provider.[providerId].issuer-uri”; Spring Boot then fetches the remaining endpoints from the provider's discovery document. Refer to this documentation for the Cognito issuer-uri. You can check the iss attribute in https://cognito-idp.<Region>.amazonaws.com/<your user pool ID>/.well-known/openid-configuration
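An application.yml for the issuer-uri approach just described, added here as an example and not taken from the original post or from the Spring or AWS documentation. The region, user pool ID, environment variable names and the cognito:username claim used as the principal name are assumptions to adapt to your own setup.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          cognito:                         # registrationId, used in the callback path below
            client-id: ${COGNITO_CLIENT_ID}          # assumed env var; app client ID from the user pool
            client-secret: ${COGNITO_CLIENT_SECRET}  # assumed env var; keep the secret out of the repo
            client-name: Cognito
            provider: cognito                        # must match the provider key below
            authorization-grant-type: authorization_code
            # Spring Security's default callback; register exactly this URL
            # (with your real host) as an allowed callback URL in the app client.
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope:
              - openid
              - email
              - profile
        provider:
          cognito:
            # Placeholders <REGION> and <USER_POOL_ID> are assumptions; the value must
            # equal the "iss" claim in the user pool's openid-configuration document.
            # Spring Boot downloads <issuer-uri>/.well-known/openid-configuration at
            # startup to obtain the authorize, token and JWKS endpoints, so the app
            # fails fast if the issuer is wrong instead of trusting tokens blindly.
            issuer-uri: https://cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>
            # Claim to expose as the principal name; Cognito ID tokens carry the
            # user's name in "cognito:username" (assumed; "sub" is the default).
            user-name-attribute: "cognito:username"
```

With these properties and the spring-boot-starter-oauth2-client dependency on the classpath, Spring Boot's auto-configuration performs the redirect, code exchange, ID token signature and issuer checks, and session creation described in the Architecture section without additional Java code.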
If you want to integrate a Java Spring Boot application with Azure AD using OIDC, please follow the blog below.
If you want to integrate a Java Spring Boot application with Okta using OIDC, please follow the blog below.
Thanks for reading this article. Please subscribe to the YouTube channel below and follow me on Medium to learn about security and IAM.