You can customize the login page as per Spring docs. I have not tried that.

You can checkout some vides on OAuth basics. But, I don't have a detailed video on OAuth, OIDC or SAML basics. I wanted to post a series of videos. I will try to work on that in future. Please like, subscribe & share this video to support this channel !! Thanks in advance.

All these validations are taken care by SpringBoot security classes. You can customize this which is generally not required. Refer this documentation for more details : docs.spring.io/spring-security/reference/servlet/oauth2/login/advanced.html#oauth2login-advanced-idtoken-verify Please like, subscribe & share this video to support this channel !! Thanks in advance.

Welcome! Please like, subscribe & share this video to support this channel !! Thanks in advance.

Thanks for the feedback. I will try my best to keep improving the quality of audio & video. Please like, share & subscribe to support this channel.

You can try changing the token lifetime as mentioned here learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes and that should change the exp claim accordingly. I have not tried that. But, I think it should work. Please like, subscribe & share!! Thanks in advance.

You can pass the identity_provider parameter to /authorize endpoint as mentioned here docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html. If this value is passed, Cognito will not display the hosted UI login page. Instead, it will redirect to that IdP. Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 Thanks it worked

Glad it helped. Sure, I will post a video in future on how to integrate multiple OIDC providers.

Is there any reason for not using spring security? I think some details are available in this documentation docs.spring.io/spring-security/reference/servlet/oauth2/login/advanced.html

It's Authorization for APIs.

@@securityinaction1018 As i have to implement both Authentication and authorization both in my one api what do i follow? shall i implement this for authorization and kzbin.info/www/bejne/pWOsfmylfpt4p80 for authentication?

Yes, that's right. You can integrate your web app using OIDC and secure APIs using access token Please like, subscribe & share!! Thanks in advance.

Sure, will do that in future videos.

I have not tried that. I think if you enable the option to allow other organization users, it might work.

Yes, you can do that. You have to configure a custom lambda authorizer for Auth0. Check out this blog on how to configure a lambda authorizer aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/ Please like, subscribe & share!! Thanks in advance.

Yes, you can use this approach to map the roles.

Refer this learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-implicit-grant-flow Implicit flow allows that, but strictly not recommended. In authorization code grant flow, both ID and Access tokens will be returned. As per this doc learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow, client secret is not mandatory for public apps.

@@securityinaction1018 If I don't need the application to access protected resources in my AAD tenant, do I still need to complete the authorization code flow with access token and client secret? I just need the application to leverage OpenID to authenticate the users. Do you think implicit flow using ID token is enough for my requirement? I want to take a hint in OIDC Playground, they have the OpenID-only mode in their options. Unfortunately, the OpenId-only mode is still not available:( I'm not really good at coding so I don't fully understand how to build an authorization code grant flow. I just need to protect my AAD environment and keep the setup as simple as possible. Not requiring a client secret would help so I don't need to renew these secrets every now and then.

Implicit flow is not recommended since it is not secure. I am not sure which framework you are using for your app. If it is java, you can refer this video kzbin.info/www/bejne/i5_ag2COareepdE on how to integrate a Java spring boot app with AzureAD using OIDC

@@securityinaction1018 Thank you. Your videos are great by the way!

Thank you. Please like, subscribe & share!! Thanks in advance.

Userid or email is available in the ID token. I think you can customize the Auth0 access token to include these claims as well. The other question on "requested user is logged in + matches the one logged in" is not clear. Can you elaborate the scenario? Without authenticating in Auth0, the application cannot get the tokens like ID, Access token

Facebook login won't work without Hosted UI. You can check this blog aws.amazon.com/blogs/security/use-the-hosted-ui-or-create-a-custom-ui-in-amazon-cognito/. Please like, subscribe & share!! Thanks in advance.

Thank you!! Please like, subscribe & share!! Thanks in advance.

Glad it was helpful! Please like, subscribe & share!! Thanks in advance.

I will check and upload the code in Git if it is still available. Meanwhile, if you face any issues in setting up the workspace and code from scratch, please post your questions here. Please like, subscribe & share!! Thanks in advance.

I have a query, In Azure ad we are able to get the access_token from OAouth2AuthorizedClient object in my spring boot application, if the user is using my application continuously in that case we have to increase the access token time limit accordingly right, so how to implement this could you please provide info 🙂

I know we can get new token using refresh_token but I want to get a new token without refresh token

Is there any reason why you don't want to refresh the tokens? The best practice is to refresh the token periodically. I don't know if AzureAd has an option to increase the timeout for Access token. I know Cognito has that option.

Sorry, actually in the msal4j library, the acquire token silently method is there, that's why I asked you , but just now I realised that we can refresh access token using refresh token. Could you please provide reference how to implement this in spring cloud gateway ?

I am not sure if there is an option to do that. You can check this official documentation learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/app-integration/error-code-AADSTS50020-user-account-identity-provider-does-not-exist on what needs to be done based on your use case.

Thanks for sharing this info!!

What happens if you directly hit that URL in browser? What is the domain that you have configured?

Welcome!! 1. In a real time application, you can enable self-registration as mentioned here help.okta.com/en-us/content/topics/users-groups-profiles/usgp-self-service.htm and users can register themselves. If you don't want random users to register, then you can build an Admin UI where someone can login and create users. This Admin UI app can use Okta APIs to create users. 2. Client ID / secret is not per user. It is configured in the Spring Boot application. Please like, subscribe & share!! Thanks in advance.

As per this doc learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol, AzureAD SAML logout supports only redirect binding (HTTP GET), and not HTTP POST binding. Cognito uses POST binding for SAML logout and that is the reason why IdP session is not logged out. I have not tested Okta. If Okta supports HTTP POST binding for SAML logout, it should work. Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 I have tested with BOTH, indeed, cognito does not work with GET, Okta sends POST, but then okta session is still persisted, whereas AzureAD session is terminated, even though cognito returns with an error after the GET request, what a pitty

That's not good. Is Okta sending a successful response for SAML logout request from Cognito?

Glad it was helpful! Do you want to replace Java SpringBoot app with a React app? If so, I am sure React has some libraries for OIDC authentication similar to Java SpringBoot security libraries. I remember seeing something called NextAuth.js which supports OIDC for React apps. Please like, subscribe & share!! Thanks in advance.

This error means family_name and email is not set for this user profile. This can be due to AzureAD not properly configured to send these claims back to Cognito. You need to verify the AzureAD settings. Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 indeed, the account I was trying to login, did not had email addreess, neither first and last name, but how come? when I create a new user in AzureAD, I would expect to automatically generate these for me, but it doesn't. I need to manually fill in those fields, as you did What if the admin does not want to add those fields? maybe AD provides some custom attribute mapping wich evaluates to those fields?

It is entirely up to the Admin to decide whether to collect those details from the user. I don't know how AzureAD handles required fields. I guess there should be some way to make these fields mandatory or optional. In Cognito, you can set these fields as mandatory or optional

Glad it was helpful! Please like, subscribe & share!! Thanks in advance.

You can configure multiple OIDC identity providers in one cognito user pool pointing to different user pools and different clients. I am not sure if this is the scenario you are referring to. Please like, subscribe & share!! Thanks in advance.

Thank you!! I need to check that. As long as desktop app can open some inline browser, I think same flow should work. Please like, subscribe & share!! Thanks in advance.

When you say duplicate accounts, I assume you are referring to two accounts with same email address but different user names. Am I correct? In this case, you need to write a custom lambda function to link the federated user from AzureAD or Facebook with the local user profile which has the same email address. You can check this documentation docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 I got this error "InvalidParameterException: Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser, only as a DestinationUser" Here is my sample code: const AWS = require("aws-sdk"); const cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider(); exports.handler = async (event, context, callback) => { console.log("Events: ", event); console.log("Context: ", context); try { const user = event.request.userAttributes; const email = user.email; // using the user email as the identifier // filter for query user pool const params = { UserPoolId: process.env.USER_POOL_ID, Filter: `email = "${email}"`, }; // fetch the user list by email // get list of users const cognitoUserListByEmail = await new AWS.CognitoIdentityServiceProvider() .listUsers(params) .promise(); console.log("Cognito user list by email: ", cognitoUserListByEmail); const userStatus = event.request.userAttributes["cognito:user_status"]; if ( cognitoUserListByEmail.Users.length === 1 && userStatus === "EXTERNAL_PROVIDER" ) { const sourceProviderDetails = event.request.userAttributes.identities[0]; const linkParams = { DestinationUser: { ProviderName: "Cognito", ProviderAttributeValue: cognitoUserListByEmail.Users[0].Username, // The Cognito username of the existing user }, SourceUser: { ProviderName: sourceProviderDetails.providerName, ProviderAttributeName: "Cognito_Subject", ProviderAttributeValue: user.sub, // The user ID from the social identity provider }, UserPoolId: process.env.USER_POOL_ID, }; await cognitoIdentityServiceProvider.adminLinkProviderForUser( linkParams, function (err, data) { if (err) console.log(err, err.stack); // an error occurred else console.log(data); } ); // .promise(); // console.log(result.$response); console.log("Params: ", params); } callback(null, event); } catch (error) { console.log(error); } }; I can't seem to figure out the parameter for AdminLinkProviderForUser API

Thank You!! Please like, subscribe & share!! Thanks in advance.

Thank you!! Please like, subscribe & share!! Thanks in advance.

I think it is still required assuming react frontend will call SpringBoot REST APIs in the backend

I am not sure. I still see in my azure developer account. If you are not seeing the option to add app roles, try manually modifying the manifest file to add app roles.

I modified the manifest and it worked like a charm

@@securityinaction1018 just a heads-up Microsoft's doc was updated to use the manifest vs app roles, so that has definitely changed but the rest of the steps are the same

Thanks for sharing this detail. When I recorded this video, I remember Microsoft docs talking about modifying manifest instead of adding through the admin console. Since the console option was available, I used it at that point of time. But, looks like modifying manifest file is the right option.

You are welcome. Here is the code : exports.handler = async (event, context) => { let response = { "isBase64Encoded": false, "statusCode": 200, "statusDescription": "200 OK", "headers": { "Set-cookie": "cookies", "Content-Type": "application/json" }, "body": JSON.stringify(event, null, 2) }; return response; }; Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 Thanks. I am currently working on in conjunction with oauth2-proxy on alb controller in EKS. I am trying to pass headers to an application "rundeck" that runs in EKS from oauth2-proxy which also runs in EKS but app won`t accept it. In rundeck application the settings I had to turn on from their documentation was: rundeck.security.authorization.preauthenticated.enabled=true rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS rundeck.security.authorization.preauthenticated.delimiter=, rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-Uuid rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles #sync user info headers rundeck.security.authorization.preauthenticated.userSyncEnabled=true #these are the default headers for passing user details rundeck.security.authorization.preauthenticated.userFirstNameHeader=X-Forwarded-User-FirstName rundeck.security.authorization.preauthenticated.userLastNameHeader=X-Forwarded-User-LastName rundeck.security.authorization.preauthenticated.userEmailHeader=X-Forwarded-User-Email any idea how can I pass oauth2-proxy headers from okta to upstream in oauth2-proxy? my setup: provider = "oidc" oidc_issuer_url = "mydev.okta.com" email_domains = [ "*" ] upstreams = [ "rundeck-backend.rundeck:4440" ] cookie_secure = true redirect_url = "mytestrundeck.com/oauth2/callback" skip_auth_regex= "^/api/\\d+/webhook/" pass_authorization_header = true pass_user_headers = true set_xauthrequest = true oidc_groups_claim = "groups" Thanks!

Unfortunately, I don't have knowledge on EKS and rundeck

You are welcome!! I will surely look into this custom UI sign flow and try to post a video. Are you referring to Cogntio custom login page UI? Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 yes, and not. I'm referring to integrate a OAuth federated sign in experience using Google, or any other OIDC provider, and a custom UI (e.g. a React or Vue.js custom login page) using Cognito. In your example you used the hosted UI from Cognito.

You need to make some configuration changes in Okta and pass groups scope from Cognito to Okta. Please refer this document developer.okta.com/docs/guides/customize-tokens-groups-claim/main/ Please like, subscribe & share!! Thanks in advance.

You're welcome! Please like, subscribe & share!! Thanks in advance.

Thank you!! I was planning to post a video on that and it is still pending from my side. I will post and let you know. Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 thank you for your quick reply, when we can expect the video, I need to implement it in my spring boot 3 app. Thanks in advance.

I will try my best to post it in near future.

Glad it was helpful! Are you trying to get the AzureAD groups claim in ID token? Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 I managed to get it done with Azure AD groups. There I used claims. groups: roles in Elastic user settings and sAMAccountName Emit groups as role claims options in Azure App registration token configuration.

Are you trying the same scenario with Active Directory groups?

@@securityinaction1018 I wanted to authenticate the Azure AD group users to Elastic cloud. I managed to figure out the issues and my config is working now.

Glad you liked it!! Please like, subscribe & share!! Thanks in advance.

Glad you liked it! Please like, subscribe & share!! Thanks in advance.

Thank you for subscribing. I will surely consider this and post a step by step video on how to use IAM Auth for APIGW.

Are you referring to the length of the authorization code?

@securityinaction1018 Hi, could you please look on this? I do not want create user name with google _random number . I want to create my users and the do auth

Yes, you can link the federated user i.e. google user with the local user which was created before the user logged in for the first time. This can be done when the user logs in for the first time through Google. Take a look at the this documentation docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html Please like, subscribe & share!! Thanks in advance.

@@securityinaction1018 thank you. Do you have any video tutorials regarding this to understand in easy way?

I don't have it at this point of time. But, I will try to post it in future.

Thanks for the feedback. I am constantly trying to improve the quality of the videos and will try my best.

Make sure you add the annotation @EnableMethodSecurity for @PreAuthorize to work. Refer this doc docs.spring.io/spring-security/reference/servlet/authorization/method-security.html

Can you elaborate? How is the authentication happening in your app?

@@securityinaction1018 I have created my own open id provided application using open id dict (it is new separate application for sso ). I want to configure this in cognito as identity provider. is this possible? we have tried but getting some errors like state: eb3625f9691a434b9534830ae4f623cd error: invalid_request

So, are you trying to configure the custom OIDC provider as a external OIDC identity provider in Cognito user pool?

@@securityinaction1018 yes correct.

That should work. Make sure the custom OIDC provider follows the OIDC RFC spec. Please make sure the token endpoint, userinfo endpoint works as expected.