Skip to content

Instantly share code, notes, and snippets.

@padajo
Created October 21, 2022 17:41
Show Gist options
  • Save padajo/42f709be820fb4c3e991473e5bdf08af to your computer and use it in GitHub Desktop.
Save padajo/42f709be820fb4c3e991473e5bdf08af to your computer and use it in GitHub Desktop.
A starter template for creating an OpenID Connect (OIDC) identity provider on Amazon Cognito using SAM/CloudFormation. This creates an identity provider and outputs the /.well-known/openid-configuration and /.well-known/jwks.json URLs for you in the Outputs.
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
openid-connect-app
Testing creating an OpenID Identity Provider with Cognito
Transform:
- AWS::Serverless-2016-10-31
Resources:
IdentityUserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: TestUserPool
UsernameConfiguration:
CaseSensitive: True
UsernameAttributes:
- email
####### Change the Domain name here or this is likely to fail #######
IdentityUserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
Domain: MAKE-THIS-UNIQUE-BECAUSE-IT-IS-GLOBAL # this is global so make sure it is unique even if only testing (e.g. use https://randomwordgenerator.com/)
UserPoolId: !Ref IdentityUserPool
# creating a user pool client - not OIDC but just a client
IdentityUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
UserPoolId: !Ref IdentityUserPool
ClientName: TestUserPoolClient
GenerateSecret: False
ReadAttributes:
- email
WriteAttributes:
- email
# these four next attributes go together.
# The default redirect URI is required before the URI of the app will be live
AllowedOAuthFlowsUserPoolClient: True
AllowedOAuthFlows:
- code
AllowedOAuthScopes:
- email
- aws.cognito.signin.user.admin
- openid
- profile
# - custom/read
# - custom/write
CallbackURLs:
- http://localhost:8000/callback # purely a testing callback
DefaultRedirectURI: http://localhost:8000/callback # purely a testing callback
IdentityUserPoolClientCustomScopeResource:
Type: AWS::Cognito::UserPoolResourceServer
Properties:
Identifier: custom
Name: custom
Scopes:
- ScopeDescription: Read
ScopeName: read
- ScopeDescription: Write
ScopeName: Write
UserPoolId: !Ref IdentityUserPool
Outputs:
IdentityUserPoolId:
Description: "The Identity User Pool ID"
Value: !Ref IdentityUserPool
IdentityUserPoolProviderName:
Description: "The Identity User Pool Provider Name"
Value: !GetAtt IdentityUserPool.ProviderName
IdentityUserPoolProviderUrl:
Description: "The Identity User Pool Provider Url"
Value: !GetAtt IdentityUserPool.ProviderURL
IdentityDomain:
Description: "The Identity User Pool Domain"
Value: !Sub "${IdentityUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com"
OIDCWellKnownCOnfigurationUrl:
Description: "The OpenID Connect /.well-known/openid-configuration Url"
Value: !Sub "https://cognito-idp.${AWS::Region}.amazonaws.com/${IdentityUserPool}/.well-known/openid-configuration"
OIDCJWKSJSONUrl:
Description: "The OpenID Connect /.well-known/jwks.json Url"
Value: !Sub "https://cognito-idp.${AWS::Region}.amazonaws.com/${IdentityUserPool}/.well-known/jwks.json"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment