AWS Notes

AWS - User Pool Authentication from Grails

Plenty of pages out there describing custom login providers via Cognito Identity Pools but seemingly none that use User Pools!? So without further ado, here's how to create a basic grails page that authenticates a user from a Cognito User Pool.

Note: This post assume you have grails, gradle, etc.. installed on your PC, and that you have already created an AWS Account.

1. Create a User Pool

This is the pool of users who have access to your application. Head to Your Cognito Page and perform the following steps:

1. Click the Manage User Pools button.
2. Click Create a User Pool
3. Give your User Pool a name and click Review defaults.
4. Click the Add app client... link in the App clients region
5. Click the Add an app client link
6. Give your application client a name and ensure the Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH) checkbox is ticked.

7. Click the Create app client button.

8. Click the Return to pool details link.

9. Click the Create pool button.

10. Take note of the Pool Id and Pool ARN strings at the top of the page (you will need these later).

11. Click the pen next to the App client you created in 1.7 then click the Show Details button.

12. Take note of the App client id and App client secret (you will need these later).

2. Create an Application User to test with.

1. Click the Users and Groups link in the menu to the left of screen.
2. Click the Create user button.
3. Fill in the Create user dialog.
   1. Uncheck the Send an invitation to this new user? checkbox.
   2. By default the User Pool makes the Email field mandatory (and API calls will verify the field is populated). Unfortunately, this dialog does not verify the User Pool configuration and so does not make the Email field mandatory. Please ensure you enter a value in the Email field.
   3. Take note of the username and temporary password (you will need these later).

3. Create a Policy to allow your IAM User to interact with the User Pool

This user is internal and used to call the various authentication API's. This is known to you only (ie it's not the end user's login) and we'll attach policies to it to allow it to interact with Cognito. Head to Your IAM Policies Page and perform the following steps:

1. Click the Create policy action.
2. Click the Choose a service link and select the Cognito User Pools service.
3. Expand the Write access level and select AdminInitiateAuth, AdminRespondToAuthChallenge and ChangePassword access levels.
4. Expand the Resources link.
5. Click the Add ARN link.
6. Enter the ARN you took note of in Step 1.10 and click Add.
7. Click the Review policy button.
8. Enter a name for the policy and click Create policy.

4. Create an IAM User to Connect to AWS.

This user is internal and used to call the various authentication API's. This is known to you only (ie it's not the end user's login) and we'll attach policies to it to allow it to interact with Cognito. Head to Your IAM Users Page and perform the following steps:

1. Click the Add user button.
2. Enter a username and tick the Programmatic access checkbox.

3. Click the Next: Permissions button.

4. Click the Create group button.

5. Provide a Group Name.

6. Use the search field to find the policy created in step 3 and tick the checkbox next to it.

7. Click the Create group button.

8. Ensure the checkbox next to the new Group is selected and click Next: Tags.

9. Click the Next: Review button.

10. Review the user information entered and click Create user button.

11. IMPORTANT On the following screen, click the Show link and make note of the Access key ID and Secret access key strings (you will need these later).

12. Click close

5. Create a grails app to test with

$ grails create-app authTest

| Application created at /tmp/authTest

6. Add the security information to application.yml

Use your favourite text editor to add the following to grails-app/conf/application.yml.

aws:

  userPool:

    poolId: <poolId from 1.10>

    authTest:

      clientId: <App client id from 1.7>

      clientSecret: <App client secret from 1.7>

7. Modify build.gradle

Add the following dependencies to the dependencies{} section:

    compile "com.amazonaws:aws-java-sdk-cognitoidp:1.11.490"

    compile "software.amazon.awssdk:cognitoidentity:2.3.9"

In the bootRun{} section, replace the default jvmArgs:

    jvmArgs('-Dspring.output.ansi.enabled=always')

with the following

    jvmArgs = ["-Dspring.output.ansi.enabled=always","-Daws.accessKeyId=<access key id from 4.11>","-Daws.secretKey=<secret access key from 4.11> "]

8. Modify UrlMappings.groovy

Modify grails-app/controllers/authtest/UrlMappings.groovy, replacing:

         "/"(view:"/index")

with

        "/"(controller:"aws")

9. Create AwsController.groovy

Download and install the following controller grails-app/controllers/authtest/AwsController.groovy

Change the following lines:

1. Line 47: Replace with the user name you assigned to your user pool user in 2.3
2. Line 48: Replace with the temporary password you assigned to the user in 2.3
3. Line 49: Replace with the password the user wishes to use moving forward (In a real scenario you would need to obtain this from them)
4. Line 52: Replace with the region your user pool is in.

Download and install the following view grails-app/views/aws/finish.gsp

Download and install the following view grails-app/views/aws/welcome.gsp

10. Startup the Demo

Execute gradle bootRun to startup the server. Navigate to http://localhost:8080/ and click the Login Test button.