Cognito demo

This repo contains an example Python app that uses AWS Cognito for authentication and authorization to access protected AWS resources (an S3 bucket).

The app also showcases how to configure TOTP MFA the first time a user logs in, a step which isn't included in Cognito's hosted UI.

AWS setup

Setup of the necessary AWS resources using the AWS CDK CLI is included in the aws directory. To run it, install the AWS CDK CLI and the Python dependencies, then deploy the CloudFormation stack:

$ cd aws
$ npm install -g aws-cdk
$ pipenv install
$ COGNITO_DEMO_LOGIN_DOMAIN_PREFIX='<login domain prefix>' COGNITO_DEMO_S3_BUCKET_NAME='<bucket name>' COGNITO_DEMO_USERNAME='<username>' cdk deploy

The required environment variables are:

  • COGNITO_DEMO_LOGIN_DOMAIN_PREFIX: the domain prefix for the domain of the Cognito user pool.
  • COGNITO_DEMO_S3_BUCKET_NAME: name of the S3 bucket to be created.
  • COGNITO_DEMO_USERNAME: username to use when logging in via AWS Cognito.

All configuration parameters will be exported as stack outputs, except the client_secret, which is not accessible via CloudFormation. To retrieve it, use the AWS CLI:

$ aws cognito-idp describe-user-pool-client --user-pool-id <value> --client-id <value>

To be able to log in with your chosen username, you must also set a password for the created user:

$ aws cognito-idp admin-set-user-password --no-permanent --user-pool-id <value> --username <username> --password <value>

Running the web app

The web app is a simple Flask app that lists the contents of a preconfigured S3 bucket. The authenticated user gains access to the bucket by obtaining temporary AWS credentials, associated with an IAM role, from a Cognito identity pool.

To run it, install the dependencies and update settings.cfg with your configuration. Then start the server:

$ pipenv install
$ COGNITO_DEMO_SETTINGS=settings.cfg python app.py

After that, visit http://localhost:5000 and log in using the username and password you have configured. It will ask you to configure TOTP MFA during the first login, so make sure you have an authenticator app ready.

Try uploading some content to the S3 bucket and refresh the page to view it! 🎉

Using the CLI app

The CLI is a simple script that accepts a username and password directly and uses them to obtain tokens from Cognito. Run it with:

$ python cli.py <client id> <username>

and enter the password, then configure or confirm the MFA code when prompted.
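The token flow the CLI performs, written out as an added example (this is not the repo's cli.py): USER_PASSWORD_AUTH via the boto3 cognito-idp client, the MFA_SETUP challenge that enrols a TOTP device on first login, and the SOFTWARE_TOKEN_MFA challenge on later logins. It assumes the app client has a client secret (the client_secret retrieved above), which is why every call carries a SECRET_HASH; the `prompt` parameter is an assumed injection point so the flow can be driven without a terminal.

```python
import base64
import hashlib
import hmac


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH that Cognito requires when the app client has a client secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def authenticate(cognito, client_id, client_secret, username, password, prompt=input):
    """Run USER_PASSWORD_AUTH against a cognito-idp client and drive the TOTP
    challenges until Cognito returns tokens. `prompt(msg)` reads a code from the
    user; it is injectable so the flow can be exercised without a terminal."""
    sh = secret_hash(username, client_id, client_secret)
    resp = cognito.initiate_auth(
        AuthFlow="USER_PASSWORD_AUTH", ClientId=client_id,
        AuthParameters={"USERNAME": username, "PASSWORD": password, "SECRET_HASH": sh},
    )
    while "AuthenticationResult" not in resp:
        challenge, session = resp["ChallengeName"], resp["Session"]
        if challenge == "MFA_SETUP":
            # First login: enrol a TOTP secret, prove possession with one code,
            # then complete the challenge with the session returned by verification.
            assoc = cognito.associate_software_token(Session=session)
            print("Add this secret to your authenticator app:", assoc["SecretCode"])
            code = prompt("Enter the code the app shows now: ")
            verified = cognito.verify_software_token(Session=assoc["Session"], UserCode=code)
            if verified.get("Status") != "SUCCESS":
                raise RuntimeError("TOTP enrolment failed: code did not verify")
            resp = cognito.respond_to_auth_challenge(
                ClientId=client_id, ChallengeName="MFA_SETUP", Session=verified["Session"],
                ChallengeResponses={"USERNAME": username, "SECRET_HASH": sh},
            )
        elif challenge == "SOFTWARE_TOKEN_MFA":
            # Subsequent logins: the device is enrolled, only a fresh code is needed.
            code = prompt("Enter your MFA code: ")
            resp = cognito.respond_to_auth_challenge(
                ClientId=client_id, ChallengeName="SOFTWARE_TOKEN_MFA", Session=session,
                ChallengeResponses={"USERNAME": username, "SOFTWARE_TOKEN_MFA_CODE": code,
                                    "SECRET_HASH": sh},
            )
        else:
            # e.g. NEW_PASSWORD_REQUIRED after admin-set-user-password --no-permanent
            raise RuntimeError(f"Unhandled challenge: {challenge}")
    return resp["AuthenticationResult"]  # IdToken, AccessToken, RefreshToken, ...
```

With boto3 installed, call `authenticate(boto3.client("cognito-idp"), client_id, client_secret, username, getpass.getpass())`; the returned IdToken is what the identity pool later exchanges for temporary AWS credentials.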