From 86c56db28a52441aa86e228ba7cdc889a6d266c9 Mon Sep 17 00:00:00 2001
From: Josh Hart
Date: Wed, 6 Nov 2024 14:31:08 +0000
Subject: [PATCH] Add OIDC support
---
cdk/src/cdk.ts | 26 ++++++++++++++++++++++++++
env.sh.template | 12 ++++++++++++
2 files changed, 38 insertions(+)
diff --git a/cdk/src/cdk.ts b/cdk/src/cdk.ts
index 067f83b..f88ea66 100644
--- a/cdk/src/cdk.ts
+++ b/cdk/src/cdk.ts
@@ -36,11 +36,15 @@ export class BackendStack extends cdk.Stack {
 const domain = Utils.getEnv("COGNITO_DOMAIN_NAME");
 const identityProviderName = Utils.getEnv("IDENTITY_PROVIDER_NAME", "");
+ const OIDCProviderName = Utils.getEnv("OIDC_PROVIDER_NAME", "");
 const identityProviderMetadataURLOrFile = Utils.getEnv(
 "IDENTITY_PROVIDER_METADATA",
 ""
 );
+ const OIDCClientId = Utils.getEnv('OIDC_CLIENT_ID')
+ const OIDCClientSecret = Utils.getEnv('OIDC_CLIENT_SECRET')
+ const OIDCIssuerUrl = Utils.getEnv('OIDC_ISSUER_URL')
 const appFrontendDeployMode = Utils.getEnv("APP_FRONTEND_DEPLOY_MODE", "");
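Review bot: The three new reads `Utils.getEnv('OIDC_CLIENT_ID')`, `Utils.getEnv('OIDC_CLIENT_SECRET')` and `Utils.getEnv('OIDC_ISSUER_URL')` omit the `""` default that `OIDC_PROVIDER_NAME` and `IDENTITY_PROVIDER_NAME` receive; if `Utils.getEnv` with no default treats an unset variable as an error (its use for `COGNITO_DOMAIN_NAME` suggests it does), every deployment that does not configure OIDC will fail at synth, even though the guard added in the next hunk treats OIDC as optional. Give all three the empty default, e.g. `const OIDCClientSecret = Utils.getEnv("OIDC_CLIENT_SECRET", "");`. The three lines also switch to single quotes and drop semicolons, and `OIDCClientId`/`OIDCClientSecret`/`OIDCIssuerUrl` depart from the lower-camel-case used by `identityProviderName`, so `oidcClientId` and friends written in the surrounding style would keep the file consistent. The enclosing method starts and ends outside the hunk.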
@@ -319,6 +323,28 @@ export class BackendStack extends cdk.Stack {
 supportedIdentityProviders.push(identityProviderName);
 }
+ if (OIDCProviderName && OIDCClientId && OIDCClientSecret && OIDCIssuerUrl) {
+ const oidcProvider = new cognito.UserPoolIdentityProviderOidc(this, 'OidcProvider', {
+ userPool,
+ name: OIDCProviderName,
+ clientId: OIDCClientId,
+ clientSecret: OIDCClientSecret,
+ issuerUrl: OIDCIssuerUrl,
+ attributeRequestMethod: cognito.OidcAttributeRequestMethod.GET,
+ scopes: ['openid', 'profile', 'email'],
+ attributeMapping: {
+ email: cognito.ProviderAttribute.other('email'),
+ givenName: cognito.ProviderAttribute.other('given_name'),
+ familyName: cognito.ProviderAttribute.other('family_name'),
+ custom: {
+ [groupsAttributeClaimName]: cognito.ProviderAttribute.other('groups'),
+ }
+ },
+ });
+
+ supportedIdentityProviders.push(OIDCProviderName);
+ }
+
 // ========================================================================
 // Resource: Cognito App Client
 // ========================================================================
diff --git a/env.sh.template b/env.sh.template
index a03b395..be21e97 100644
--- a/env.sh.template
+++ b/env.sh.template
@@ -56,6 +56,7 @@ export APP_URL=http://localhost:3000
 ## 5. optional - for IdP integration
 ## ====================================================================================================================
+### SAML
 ## the name you want for the Identity Provider
 # export IDENTITY_PROVIDER_NAME=IdP
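Review bot: `clientSecret: OIDCClientSecret` passes the IdP client secret as a plain string, so it lands verbatim in the synthesized template under `cdk.out` and in the template CloudFormation stores for the stack, readable by anyone with `cloudformation:GetTemplate` or access to the build artifacts; sourcing it from Secrets Manager, e.g. `cdk.SecretValue.secretsManager(<secret-name>).unsafeUnwrap()`, puts a `{{resolve:secretsmanager:...}}` dynamic reference in the template instead of the value, and a comment on that line should record why. `oidcProvider` is assigned but never used in the hunk, and only the name string is pushed to `supportedIdentityProviders`; unless the app client created below is made to depend on the provider (`addDependency`), CloudFormation may create the client before the provider exists, so this is worth checking against how the SAML provider is wired, which is outside the hunk. The `custom` mapping also assumes the IdP returns a `groups` claim from its userinfo endpoint (`attributeRequestMethod: GET`); a comment such as `// IdP must expose a 'groups' claim, otherwise group-based access receives no groups` would make that prerequisite visible. The enclosing method starts and ends outside the hunk.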
@@ -64,6 +65,17 @@ export APP_URL=http://localhost:3000
 # export IDENTITY_PROVIDER_METADATA=
+### OIDC
+## the name you want for the Identity Provider
+ # export OIDC_PROVIDER_NAME=OIDC
+ ## the IdPs OIDC configuration settings
+ # export OIDC_CLIENT_ID=
+# export OIDC_CLIENT_SECRET=
+# export OIDC_ISSUER_URL=
+
 ## ====================================================================================================================
 ## 6. other optional configuration
 ## ====================================================================================================================