Merge branch 'trs/oidc-authn'

nextstrain · Oct 18, 2023 · 9d7667f · 9d7667f
2 parents 2117f6b + e84c672
commit 9d7667f
Show file tree

Hide file tree

Showing 8 changed files with 270 additions and 80 deletions.
diff --git a/aws/cognito/outputs.tf b/aws/cognito/outputs.tf
@@ -2,17 +2,21 @@ output "COGNITO_USER_POOL_ID" {
   value = aws_cognito_user_pool.nextstrain_dot_org.id
 }
 
-output "COGNITO_BASE_URL" {
-  value = format("https://%s", coalesce(
-    one(aws_cognito_user_pool_domain.custom[*].domain),
-    "${aws_cognito_user_pool_domain.cognito.domain}.auth.${split("_", aws_cognito_user_pool.nextstrain_dot_org.id)[0]}.amazoncognito.com",
-  ))
+output "OIDC_IDP_URL" {
+  value = format("https://%s", aws_cognito_user_pool.nextstrain_dot_org.endpoint)
 }
 
-output "COGNITO_CLIENT_ID" {
+output "OAUTH2_CLIENT_ID" {
   value = aws_cognito_user_pool_client.nextstrain_dot_org.id
 }
 
-output "COGNITO_CLI_CLIENT_ID" {
+output "OAUTH2_CLI_CLIENT_ID" {
   value = aws_cognito_user_pool_client.nextstrain-cli.id
 }
+
+output "OAUTH2_LOGOUT_URL" {
+  value = format("https://%s/logout", coalesce(
+    one(aws_cognito_user_pool_domain.custom[*].domain),
+    "${aws_cognito_user_pool_domain.cognito.domain}.auth.${split("_", aws_cognito_user_pool.nextstrain_dot_org.id)[0]}.amazoncognito.com",
+  ))
+}
diff --git a/docs/infrastructure.md b/docs/infrastructure.md
@@ -72,13 +72,23 @@ Several variables are required but obtain defaults from a config file (e.g. `env
 
   - `COGNITO_USER_POOL_ID` must be set to the id of the Cognito user pool to use for authentication.
 
-  - `COGNITO_BASE_URL` must be set to the URL of the Cognito user pool's hosted UI.
-    In production, this is `https://login.nextstrain.org`.
-    In development and testing, this would be something like `https://nextstrain-testing.auth.us-east-1.amazoncognito.com`.
+  - `OIDC_IDP_URL` must be set to the URL of the Cognito user pool's IdP endpoint.
+    This is something like `https://cognito-idp.{REGION}.amazonaws.com/{REGION}_{ID}`.
 
-  - `COGNITO_CLIENT_ID` must be set to the OAuth2 client id for the nextstrain.org client registered with the Cognito user pool.
+  - `OAUTH2_CLIENT_ID` must be set to the OAuth2 client id for the nextstrain.org client registered with the Cognito user pool.
 
-  - `COGNITO_CLI_CLIENT_ID` must be set to the OAuth2 client id for the Nextstrain CLI client registered with the Cognito user pool.
+  - `OAUTH2_CLI_CLIENT_ID` must be set to the OAuth2 client id for the Nextstrain CLI client registered with the Cognito user pool.
+
+  - `OAUTH2_LOGOUT_URL` overrides any value discovered via IdP metadata.
+    For Cognito, which doesn't provide a value via metadata, this must be set to the logout URL of the Cognito user pool's hosted UI.
+    In production, this is `https://login.nextstrain.org/logout`.
+    In development and testing, this would be something like `https://nextstrain-testing.auth.us-east-1.amazoncognito.com/logout`.
+
+  - `OIDC_USERNAME_CLAIM` must be set to the field in the id token claims which contains the username for a user.
+    For Cognito, this is `cognito:username`.
+
+  - `OIDC_GROUPS_CLAIM` must be set to the field in the id token claims which contains the list of group names for a user.
+    For Cognito, this is `cognito:groups`.
 
 Variables in the environment override defaults from the config file.
 

diff --git a/docs/terraform.rst b/docs/terraform.rst
@@ -262,10 +262,13 @@ Each configuration provides outputs of key-value pairs corresponding to
 environment (or config) variables required by the nextstrain.org server::
 
     $ terraform output
-    COGNITO_BASE_URL=https://login.nextstrain.org
-    COGNITO_CLIENT_ID=rki99ml8g2jb9sm1qcq9oi5n
-    COGNITO_CLI_CLIENT_ID=2vmc93kj4fiul8uv40uqge93m5
     COGNITO_USER_POOL_ID=us-east-1_Cg5rcTged
+    OIDC_IDP_URL=https://cognito-idp.us-east-1.amazonaws.com/us-east-1_Cg5rcTged
+    OAUTH2_CLIENT_ID=rki99ml8g2jb9sm1qcq9oi5n
+    OAUTH2_CLI_CLIENT_ID=2vmc93kj4fiul8uv40uqge93m5
+    OAUTH2_LOGOUT_URL=https://login.nextstrain.org/logout
+    OIDC_USERNAME_CLAIM=cognito:username
+    OIDC_GROUPS_CLAIM=cognito:groups
 
 Outputs are stored and tracked in the remote state and may be updated when
 applying configuration changes.  We cache non-sensitive outputs in JSON config

diff --git a/env/outputs.tf b/env/outputs.tf
@@ -6,14 +6,26 @@ output "COGNITO_USER_POOL_ID" {
   value = module.cognito.COGNITO_USER_POOL_ID
 }
 
-output "COGNITO_BASE_URL" {
-  value = module.cognito.COGNITO_BASE_URL
+output "OIDC_IDP_URL" {
+  value = module.cognito.OIDC_IDP_URL
 }
 
-output "COGNITO_CLIENT_ID" {
-  value = module.cognito.COGNITO_CLIENT_ID
+output "OAUTH2_CLIENT_ID" {
+  value = module.cognito.OAUTH2_CLIENT_ID
 }
 
-output "COGNITO_CLI_CLIENT_ID" {
-  value = module.cognito.COGNITO_CLI_CLIENT_ID
+output "OAUTH2_CLI_CLIENT_ID" {
+  value = module.cognito.OAUTH2_CLI_CLIENT_ID
+}
+
+output "OAUTH2_LOGOUT_URL" {
+  value = module.cognito.OAUTH2_LOGOUT_URL
+}
+
+output "OIDC_USERNAME_CLAIM" {
+  value = "cognito:username"
+}
+
+output "OIDC_GROUPS_CLAIM" {
+  value = "cognito:groups"
 }
diff --git a/env/production/config.json b/env/production/config.json
@@ -1,6 +1,9 @@
 {
-  "COGNITO_BASE_URL": "https://login.nextstrain.org",
-  "COGNITO_CLIENT_ID": "rki99ml8g2jb9sm1qcq9oi5n",
-  "COGNITO_CLI_CLIENT_ID": "2vmc93kj4fiul8uv40uqge93m5",
-  "COGNITO_USER_POOL_ID": "us-east-1_Cg5rcTged"
+  "OIDC_IDP_URL": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_Cg5rcTged",
+  "OAUTH2_CLIENT_ID": "rki99ml8g2jb9sm1qcq9oi5n",
+  "OAUTH2_CLI_CLIENT_ID": "2vmc93kj4fiul8uv40uqge93m5",
+  "OAUTH2_LOGOUT_URL": "https://login.nextstrain.org/logout",
+  "COGNITO_USER_POOL_ID": "us-east-1_Cg5rcTged",
+  "OIDC_USERNAME_CLAIM": "cognito:username",
+  "OIDC_GROUPS_CLAIM": "cognito:groups"
 }
diff --git a/env/testing/config.json b/env/testing/config.json
@@ -1,6 +1,9 @@
 {
-  "COGNITO_BASE_URL": "https://nextstrain-testing.auth.us-east-1.amazoncognito.com",
-  "COGNITO_CLIENT_ID": "6qiojrhr8tibt0f6hphnm1osp1",
-  "COGNITO_CLI_CLIENT_ID": "9opa27o74f4jsq8g4a34e1mqr",
-  "COGNITO_USER_POOL_ID": "us-east-1_zqpCrjM7I"
+  "OIDC_IDP_URL": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_zqpCrjM7I",
+  "OAUTH2_CLIENT_ID": "6qiojrhr8tibt0f6hphnm1osp1",
+  "OAUTH2_CLI_CLIENT_ID": "9opa27o74f4jsq8g4a34e1mqr",
+  "OAUTH2_LOGOUT_URL": "https://nextstrain-testing.auth.us-east-1.amazoncognito.com/logout",
+  "COGNITO_USER_POOL_ID": "us-east-1_zqpCrjM7I",
+  "OIDC_USERNAME_CLAIM": "cognito:username",
+  "OIDC_GROUPS_CLAIM": "cognito:groups"
 }