question: Is there a way to match if a value is in an array?

[mattatjff]

I'd like to be able to use cognito with the "cognito:groups" field, to see if a person is in a group and transform their roles accordingly. However, the match statements all seem to assume it's looking at a string. Is there a way to match if an element appears in an array?

[mattatjff]

I should also add, it appears there's some difficulty with the match directive parsing the field with a colon in it.

[greenpau]

@mattatjff , what is your current config the output of /whoami?

[mattatjff]

@mattatjff , what is your current config the output of /whoami?

Not sure what that refers to. I don't have any additional configuration with respect /whoami, other than that I have enable id_token cookie <NAME>. Perhaps I'm misunderstanding something, but my understanding was that the match directive allowed you to match the ID Provider's claims in order to modify/transform the claims in the plugin.

Passing ?format=json&id_token=true to /whoami gets the Cognito token which includes claims like:

"cognito:groups": [
  "groupname1",
  "groupname2",
  "..."
]

What I'm trying to do is basically say something like:

transform user {
        match cognito:groups myapp
        action add role authp/user
        ui link "My Application" / icon "las la-star"
}

Such that if a user is in the group "myapp" in cognito and therefore cognito:groups contains "myapp", they are a user for this application.

[greenpau]

my understanding was that the match directive allowed you to match the ID Provider's claims in order to modify/transform the claims in the plugin.

Yes. However, it might work differently than how you think it work.

Here is the working config:

                oauth identity provider cognito-us-east-1 {
                        driver cognito
                        realm cognito-us-east-1
                        client_id {env.WEB_APP_CLIENT_ID}
                        client_secret {env.WEB_APP_CLIENT_SECRET}
                        user_pool_id {env.USER_POOL_ID}
                        region us-east-1
                        icon "AWS Cognito US" priority 100
                        enable id_token cookie
                }

...

                        transform user {
                                match origin cognito-us-east-1
                                action add role authp/user
                        }

Currently, you need to create "custom:roles" attribute to propagate Cognito roles to be able to match them.

https://github.com/greenpau/go-authcrunch/blob/50f3edc60f01348d580c769761097734f4f0527e/pkg/idp/oauth/validator.go#L124C11-L129

However, I could adjust this by making cognito:groups to work the same way how custom:roles work.

When using custom:roles, the value you specify in Cognito UI would be "role1|role2".

That would require me to make changes.

I need to see the actual token with cognito:groups in it. Please enable debug and capture the token.

[mattatjff]

The cognito token looks like the following (some info redacted / slightly modified with ... for privacy):

{
  "at_hash": "eDCbY4G4YwrONcqzgRqLYA",
  "sub": "...",
  "cognito:groups": [
    "myapp"
  ],
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/...",
  "cognito:username": "...",
  "nonce": "...",
  "origin_jti": "3d168ece-6410-4c11-9fbe-cf7208ec5a9a",
  "cognito:roles": [
    "arn:aws:iam::23094802482:role/example"
  ],
  "aud": "4ggmgn8h7it4l4ro6lcdlf8skc",
  "event_id": "...",
  "token_use": "id",
  "auth_time": 1701466138,
  "exp": 1701469738,
  "iat": 1701466138,
  "jti": "588ff023-2c77-4212-8995-6bd3cabe63ea",
  "email": "..."
}

There are two possible properties which I could see as being useful, the cognito:groups and cognito:roles -- the latter list attached IAM roles, the former is just the group names. In my use case, the group name is ideal, but since a group can include a role, either would work. This would just make it more integrated with with how Cognito works with groups/roles.

[mattatjff]

Looks like the tokenFeilds in the validator already accounts for "groups" and there are others who are looking for similar transformation on other projects:

https://github.com/greenpau/go-authcrunch/blob/50f3edc60f01348d580c769761097734f4f0527e/pkg/idp/oauth/validator.go#L29C1-L29C38

smallrye/smallrye-jwt#105

Perhaps simply transforming cognito:groups to groups and cognito:roles to roles would be sufficient?

[greenpau]

Perhaps simply transforming cognito:groups to groups and cognito:roles to roles would be sufficient?

I don't think you can transform on cognito:groups field, because it is non-standard.
That's why I need to modify the logic.

As a side thing, I will add an option of including the following into roles.

  "cognito:roles": [
    "arn:aws:iam::23094802482:role/example"
  ],

[mattatjff]

That should work, much appreciated.

[mattatjff]

Tried to build this to test, but running into this: caddyserver/caddy#5797

[greenpau]

@mattatjff , I am working on the fix and will be releasing new version soon. Will update this issue once completed.

[greenpau]

@mattatjff , please try this release https://github.com/greenpau/caddy-security/releases

[mattatjff]

I don't know go... but this is including the entire id_token from cognito as the role... I think the error is here:

https://github.com/greenpau/go-authcrunch/blob/8eb4bfba8f4993876bc0fa8c03045835d64222e2/pkg/idp/oauth/validator.go#L126C1-L126C34

I believe this should probably be switch values := val.(type) { ... as v is indeed a string, but that's assigned to the ID token itself earlier.

Sorry for the can of worms :P

[greenpau]

@mattatjff , let me quickly fix it. The issue with that specific function is that it is not being tested properly. So I took a shortcut.
If the next one fails, I would need to write a proper unit test 😭

[mattatjff]

v1.1.22 confirmed good... works with either group or the role attached to it. Thank you very much.

[greenpau]

Enjoy the journey 😄

[mattatjff]

@greenpau you too. Thanks for the great piece of software, this really saved me a ton of time. Any place I can donate?

[greenpau]

You are welcome!

Any place I can donate?

Github Sponsors

[greenpau]

Hi @mattatjff, I am looking to add testimonial sections to https://authcrunch.com. Could you please write one and send it to me at [email protected]?