Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: iauth updates #57

Merged
merged 23 commits into from
Jun 20, 2024
Merged

feat!: iauth updates #57

merged 23 commits into from
Jun 20, 2024

Conversation

suhussai
Copy link
Contributor

@suhussai suhussai commented Jun 13, 2024
edited
Loading

Issue # (if applicable)

Closes #54 , #53

Reason for this change

The objective of this PR is to simplify the IAuth interface.

Description of changes

  • replace REST API GW with HTTP API GW
  • update custom resource in cognito-auth to only create resources that cannot be created in CDK
  • replacing custom authorizer with jwtAuthorizer
  • enabling PUT /tenants to be protected with JWT Auth instead of IAM. This means that it is available via sync for saas Admin and async for eventBridge target
  • added another client for m2m flow. This is used for eventBridge to APIGW authZ
  • removed ControlPlaneIDPDetails -- too cryptic/vague
  • add pagination for GET /tenants and GET /users
  • update sbt-aws cli to allow updating tenants and pagination for GET /tenants and GET /users
  • simplified user-mgmt APIs and standardized responses
  • added tests for /users functionality

Description of how you validated changes

Checklist

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

@suhussai suhussai marked this pull request as ready for review June 13, 2024 20:04
@suhussai suhussai requested a review from tobuck-aws June 14, 2024 02:42
tobuck-aws
tobuck-aws reviewed Jun 14, 2024
View reviewed changes
Copy link
Contributor

@tobuck-aws tobuck-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments. Lmk if you want to chat.

@suhussai suhussai requested a review from tobuck-aws June 19, 2024 18:42
suhussai and others added 20 commits June 19, 2024 18:43
@suhussai
replace REST API GW with HTTP API GW
21929e5 
- replacing custom authorizer with jwtAuthorizer
- update custom resource in cognito-auth to only create resources that cannot be created in CDK
- enabling PUT /tenants to be protected with JWT Auth instead of IAM. This means that it is available via sync for saas Admin and async for eventBridge target
- added another client for m2m flow. This is used for eventBridge to APIGW authZ
- removed ControlPlaneIDPDetails -- too cryptic/vague
@suhussai
chore: self mutation
0746357 
Signed-off-by: github-actions <[email protected]>
@suhussai
remove unnecessary code and rename username to userId for user API
a43195e
@suhussai
update API.md file
19e9183
@suhussai
set flag to indicate whether scopes should be set
044e927
@suhussai
add updated API.md
1e5cd6b
@suhussai
set flag to disable setting scopes for cognitoAuth when testing
9ce0950
@suhussai
update iauth interface to include function for creating admin user
636d1f2
@suhussai
add updated API.md
ab5437f
@suhussai
enable pagination for GET /tenants
98ec3cc
@suhussai
fix tests and use powertools to validate query params for pagination
969834b
@suhussai
add pagination for GET /users, update sbt-aws cli and clean up code
dc914f9
@suhussai
fix hardcoded typo in state name for triggering codebuild project
aaa7e5f
@suhussai
update marketplace constructs to be region-aware and export sample we…
a5f77ba 
…b page construct
@suhussai
standardize user-mgmt api responses, clean up code and add annotations
9622baa
@suhussai
make auth optional for control-plane and add admin name as parameter …
4ac321c 
…for creating new admin users
@suhussai
update scripts to test for user mgmt functionality
982e6cc
@suhussai
remove unnecessary console.log lines
d55007f
@suhussai
add back deleted tests for api logging toggle
38a4217
@suhussai
minor changes and updates to API.md file
7259ddf
@suhussai suhussai changed the title feat: iauth updates feat!: iauth updates Jun 19, 2024
tobuck-aws
tobuck-aws approved these changes Jun 20, 2024
View reviewed changes
github-actions and others added 2 commits June 20, 2024 15:38
@suhussai suhussai merged commit 72ea312 into main Jun 20, 2024
8 checks passed
@suhussai suhussai deleted the iauth-updates branch June 20, 2024 15:57
@suhussai suhussai mentioned this pull request Jun 21, 2024
Closed
2 tasks
@PeterGFernandez
Copy link

Appreciate the addition of support for pagination here; thank you 😎

PeterGFernandez
PeterGFernandez reviewed Jun 28, 2024
View reviewed changes
resources/functions/user-management/index.py
user_details = {}
user_details['idpDetails'] = idp_details
user_details['userName'] = username
user_details['userName'] = userId
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The use of userId provides a more unique way of identifying a user - especially with something like Auth0. So, using userId rather than username is a better approach. However, I don't think that the username claim for a user should be set to a userId value; username and userId are separate entities, and both are valid for a user 😎

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I definitely agree that username and userId are two separate entities.

The thing to consider here is that the Cognito API uses username for API operations. For example, if you look at the enable_user(...) function

sbt-aws/resources/functions/user-management/cognito_user_management_service.py

Lines 133 to 143 in f699f38

def enable_user(self, event):
user_details = event
user_pool_id = user_details['idpDetails']['idp']['userPoolId']
user_name = user_details['userName']
response = client.admin_enable_user(
Username=user_name,
UserPoolId=user_pool_id
)
return response
you can see that the username is used as part of the API call:

sbt-aws/resources/functions/user-management/cognito_user_management_service.py

Line 139 in f699f38

Username=user_name,

Docs for admin_enable_user API: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp/client/admin_enable_user.html

So, in order to conform to the new Users API schema, what I'm doing here is using the userId (which end-users will pass in for lookups and other API calls) and mapping that internally to the userName so it can work with the Cognito API.

As I write this, one improvement that I think we need to make is to clarify to end-users what the value they should use for userId. This might require us to map the userName we get from a call such as admin_get_user(...) that we make as part of this function

sbt-aws/resources/functions/user-management/cognito_user_management_service.py

Line 74 in f699f38

def get_user(self, event):
to userId and pass that back to the user. The result would be that the end-user sees userId wherever they would typically see userName and so we avoid confusion. That's something we can iron out, though. Appreciate the comment!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

created issue: #63

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PeterGFernandez PeterGFernandez PeterGFernandez left review comments

@ujwalbukka ujwalbukka ujwalbukka left review comments

@tobuck-aws tobuck-aws tobuck-aws approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(IAuth): (use userId instead of username)
4 participants
@suhussai @PeterGFernandez @ujwalbukka @tobuck-aws