Processing JWT generated by AWS Cognito


Dhavan V

Jun 26, 2018, 2:55:16 AM
to rabbitmq-users
Hello everyone,

I am using AWS Cognito to authenticate the users. Cognito generates OAuth2.0 JWT (follows OpenID standards).

Both of them are experimental, not sure if I should use them (maybe not compatible either?)

If these are not good options, what should I use instead?

Thanks.

Michael Klishin

Jun 26, 2018, 1:28:01 PM
to rabbitm...@googlegroups.com
They are about to undergo a lot of changes. What are you trying to achieve? Surely "parsing a JWT token" is not the end goal?

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Dhavan V

Jun 27, 2018, 12:41:33 AM
to rabbitm...@googlegroups.com
Michael Klishin writes:

> They are about to undergo a lot of changes. What are you trying to achieve?
> Surely "parsing a JWT token" is not the end goal?
>
I am trying to authenticate and authorize users over Cognito's user
pools. And as I said, they use OAuth2.0 standard to generate their
tokens.

Here is the flow I am thinking of in brief:
Clients will authenticate themselves with AWS Cognito and receive OAuth
tokens.
When the clients want to interact with RabbitMQ, they'll use this token
to authenticate and authorize the requests.

It is worth noting that Cognito allows us to add custom
scopes. Therefore, I can add custom scopes as specified in UAA's docs.

--
Dhavan

Michael Klishin

Jun 27, 2018, 6:38:53 AM
to rabbitm...@googlegroups.com
OAuth 2 tokens will be supported by RabbitMQ 3.8.0. We don't have anything but an experimental
plugin (that was never tested with/against Cognito) at the moment.

One alternative is to use [1] and make your external HTTP service request and authenticate/authorize
based on the access token issued by Cognito.

1. https://github.com/rabbitmq/rabbitmq-auth-backend-http



Dhavan V

Jun 27, 2018, 6:45:48 AM
to rabbitm...@googlegroups.com
Thanks!

Do we have a roadmap kind of thing? My friends and I can help with the
plugin because why not! And we can test it against Cognito, so that's
added.

I have thought of using the HTTP plugin to authenticate/authorize against
after getting the OAuth token, but this is what it will look like:

Client gets a token from Cognito using AWS SDK.
Client requests RabbitMQ.
RabbitMQ contacts API Gateway.
API Gateway executes a lambda function (AWS Lambda, bleh).
Lambda function contacts Cognito.

You see, the trip is so long now! And ugly, I would say.

Michael Klishin writes:

> OAuth 2 tokens will be supported by RabbitMQ 3.8.0. We don't have anything
> but an experimental
> plugin (that was never tested with/against Cognito) at the moment.
>
> One alternative is to use [1] and make your external HTTP service request
> and authenticate/authorize
> based on the access token issued by Cognito.
>
> 1. https://github.com/rabbitmq/rabbitmq-auth-backend-http
>

--
Dhavan

Michael Klishin

Jun 27, 2018, 6:50:25 AM
to rabbitm...@googlegroups.com
OAuth 2 support has to be coordinated with a number of other teams at Pivotal so while we appreciate
the interest in helping, we believe only our team at Pivotal can do some initial design (nearly done) and implementation.

We don't plan on supporting Cognito at least initially but anything that uses JWT and can follow a certain convention
in how token scopes are named should work. So you can definitely help with testing that in a few months.


Dhavan V

Jun 27, 2018, 6:58:13 AM
to rabbitm...@googlegroups.com
Michael Klishin writes:

> OAuth 2 support has to be coordinated with a number of other teams at
> Pivotal so while we appreciate
> the interest in helping, we believe only our team at Pivotal can do some
> initial design (nearly done) and implementation.
>
Fair enough!


> We don't plan on supporting Cognito at least initially but anything that
> uses JWT and can follow a certain convention
> in how token scopes are named should work. So you can definitely help with
> testing that in a few months.
>
Nice to hear! I will wait till the OAuth plugin is released and, till then,
go on some other route.

Thanks a lot.

--
Dhavan
