Merge pull request #182 from aws-samples/oidc

Add OIDC support

Author: jhart0

cdk/src/cdk.ts

@@ -36,11 +36,15 @@ export class BackendStack extends cdk.Stack {
 
     const domain = Utils.getEnv("COGNITO_DOMAIN_NAME");
     const identityProviderName = Utils.getEnv("IDENTITY_PROVIDER_NAME", "");
+    const OIDCProviderName = Utils.getEnv("OIDC_PROVIDER_NAME", "");
 
     const identityProviderMetadataURLOrFile = Utils.getEnv(
       "IDENTITY_PROVIDER_METADATA",
       ""
     );
+    const OIDCClientId = Utils.getEnv('OIDC_CLIENT_ID')
+    const OIDCClientSecret = Utils.getEnv('OIDC_CLIENT_SECRET')
+    const OIDCIssuerUrl = Utils.getEnv('OIDC_ISSUER_URL')
 
     const appFrontendDeployMode = Utils.getEnv("APP_FRONTEND_DEPLOY_MODE", "");
 
@@ -319,6 +323,28 @@ export class BackendStack extends cdk.Stack {
       supportedIdentityProviders.push(identityProviderName);
     }
 
+    if (OIDCProviderName && OIDCClientId && OIDCClientSecret && OIDCIssuerUrl) {
+      const oidcProvider = new cognito.UserPoolIdentityProviderOidc(this, 'OidcProvider', {
+        userPool,
+        name: OIDCProviderName,
+        clientId: OIDCClientId,
+        clientSecret: OIDCClientSecret,
+        issuerUrl: OIDCIssuerUrl,
+        attributeRequestMethod: cognito.OidcAttributeRequestMethod.GET,
+        scopes: ['openid', 'profile', 'email'],
+        attributeMapping: {
+          email: cognito.ProviderAttribute.other('email'),
+          givenName: cognito.ProviderAttribute.other('given_name'),
+          familyName: cognito.ProviderAttribute.other('family_name'),
+          custom: {
+            [groupsAttributeClaimName]: cognito.ProviderAttribute.other('groups'),
+          }
+        },
+      });
+  
+      supportedIdentityProviders.push(OIDCProviderName);
+    }
+
     // ========================================================================
     // Resource: Cognito App Client
     // ========================================================================

env.sh.template

@@ -56,6 +56,7 @@ export APP_URL=http://localhost:3000
 ## 5. optional - for IdP integration
 ## ====================================================================================================================
 
+### SAML
 ## the name you want for the Identity Provider
 
 # export IDENTITY_PROVIDER_NAME=IdP
@@ -64,6 +65,17 @@ export APP_URL=http://localhost:3000
 
 # export IDENTITY_PROVIDER_METADATA=<https://example.com/metadata.xml or $(cat path/to/metadata.xml)>
 
+### OIDC
+## the name you want for the Identity Provider
+
+# export OIDC_PROVIDER_NAME=OIDC
+
+## the IdPs OIDC configuration settings
+
+# export OIDC_CLIENT_ID=<client id>
+# export OIDC_CLIENT_SECRET=<client secret>
+# export OIDC_ISSUER_URL=<issuer url>
+
 ## ====================================================================================================================
 ## 6. other optional configuration
 ## ====================================================================================================================