Setup Cognito #30

Closed
briri opened this issue Dec 20, 2022 · 8 comments
briri commented Dec 20, 2022

Update Cognito to allow users to login with Shibboleth and ORCID

briri commented Feb 24, 2023

Going to close this one since we're going to fold the React pages into the DMPTool Rails codebase. We will continue to use Cognito for the DMPHub API authentication.

briri commented Oct 2, 2023

Reopening this one since we want to investigate the use of Cognito for the new system

@briri briri reopened this Oct 2, 2023
@briri briri removed this from DMPHub 2.0 Oct 2, 2023

marisastrong commented Dec 11, 2023

Pros

  • Removes Apache
  • can control access to AWS resources via user pool/IAM?
  • Cognito identity pool ids could be used to allow users to call openSearch (directly from the React UI instead of transiting through the Rails app). It could, if we structure the indices properly, also facilitate fine grained access to openSearch records (e.g. only allowing the user to search their Org's content)

Cons

  • still need to manage InCommon metadata as we will continue as a federated SP to connect with IdPs
  • may not support non-federated institutions as well (need more research on this)
  • less visibility into backend which may negatively impact troubleshooting

briri commented Dec 11, 2023

Successfully built a Prototype of the initial Cognito functionality. The work can be found in this repo's cognito-auth branch

  • I added a homepage to the dmphub.uc3dev.cdlib.net site (currently only supports DMP ID landing pages and a 404 page)
  • Added a Cognito Identity Pool attached to the existing UserPool (currently used by the DMPTool to connect to the DMPHub API)
  • Added a Lambda to exchange OAuth grant codes for OAuth tokens
  • The homepage has a Login / Sign Up (and Sign Out if user is already logged in)
  • When the user clicks to Login / Sign up they are redirected to a Cognito authentication form. This test just allowed for email+password auth (no Shib, ORCID, Google at this point)
  • After they log in they are redirected to the new Lambda function with an OAuth code. The Lambda calls Cognito to exchange the Code for a Token
  • The Lambda, if successful, redirects the user back to the React page with the token. React stores the token in the user session and then redirects them to a test dashboard page.
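The code-for-token exchange described in the comment above, sketched as an added example (not code from the cognito-auth branch or from the project). The domain, client credentials, URIs, the `state` check, the use of a URL fragment for the redirect, and the injected `post` function are all assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import urlencode

# Placeholder values (assumptions); none of these come from the issue.
COGNITO_DOMAIN = "https://example-domain.auth.us-west-2.amazoncognito.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
CALLBACK_URI = "https://api.example.org/oauth/callback"  # this Lambda
UI_URI = "https://ui.example.org/login/complete"         # React page


def build_token_request(code):
    """Return (url, headers, body) for Cognito's /oauth2/token endpoint."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": CALLBACK_URI,  # must match the value sent to /oauth2/authorize
    })
    return f"{COGNITO_DOMAIN}/oauth2/token", headers, body


def handler(event, expected_state, post):
    """Lambda-style handler; post(url, headers, body) returns (status, json_dict)."""
    params = event.get("queryStringParameters") or {}
    code, state = params.get("code"), params.get("state") or ""
    # Reject callbacks that did not start from our own login redirect.
    if not code or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return {"statusCode": 400, "body": "invalid callback"}
    status, tokens = post(*build_token_request(code))
    if status != 200 or "access_token" not in tokens:
        return {"statusCode": 502, "body": "token exchange failed"}
    # A fragment is not sent to servers, so the token stays out of access logs.
    location = f"{UI_URI}#{urlencode({'access_token': tokens['access_token']})}"
    return {"statusCode": 302, "headers": {"Location": location, "Cache-Control": "no-store"}}


def fake_post(url, headers, body):
    """Constructed stand-in for the HTTPS call so the example runs offline."""
    ok = url.endswith("/oauth2/token") and "code=good-code" in body
    return (200, {"access_token": "constructed.jwt.value"}) if ok else (400, {"error": "invalid_grant"})
```

In a deployed Lambda, `expected_state` would come from a value set when the login redirect was issued (for example a cookie), and `post` would be a real HTTPS client.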

briri commented Dec 15, 2023

We will use Cognito with just username/email and password to start. This will get us up and running and we can then pivot if we decide that we do not want to support Cognito and instead stick with Shib SP.

@briri briri removed their assignment Dec 15, 2023
@briri briri changed the title Hook Cognito up with Shibboleth and ORCID Setup Cognito Dec 18, 2023
briri commented Dec 18, 2023

Breaking this one up into separate tickets.

@briri briri closed this as completed Dec 18, 2023