Laravel authorization guard for JSON Web Tokens issued by Amazon AWS Cognito
This package provides a Laravel authentication guard to validate JSON Web Tokens (JWT) issued by the configured AWS Cognitio User Pool. The guard accepts tokens passed through the Authorization header or set as a CognitoIdentityServiceProvider cookie.
Once the token has been validated against the pool’s public key the guard will look for a Laravel user with a cognito_uuid value equal to the username property contained in the token.
If a local Laravel user is found the guard will authenticate them for the duration of the request. If one is not found and Single Sign-On is enabled this package will create a new Laravel user.
Note that this package does not provide methods for exchanging a username and password for a token. As such it is intended to be used with Laravel API-driven applications where the client would either obtain the token directly from Cognito or through a dedicated application responsible for authentication.
You can install the package using composer
composer require benbjurstrom/cognito-jwt-guardNext publish the migration and the config/cognito.php config file with:
php artisan vendor:publish --provider="BenBjurstrom\CognitoGuard\CognitoServiceProvider"Next go ahead and run your migrations. This will add the required cognito_uuid property to your users table
php artisan migrateAdd your AWS Cognito user pool's identifier and region to the .env file
AWS_COGNITO_REGION=
AWS_COGNITO_USER_POOL_ID=You will also need to change the auth driver in your config/auth.php file
// config/auth.php
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'api' => [
'driver' => 'cognito', // This line is important
'provider' => 'users',
],
],Finally, depending on how you configured your Cognito User Pool's required attributes you may also want to make adjustments to your Single Sign-On settings in the published config/cognito.php file
// config/cognito.php
/*
|--------------------------------------------------------------------------
| Single Sign-On Settings
|--------------------------------------------------------------------------
| If sso is true the cognito guard will automatically create a new user
| record anytime the username attribute contained in a validated JWT
| does not already exist in the users table.
|
| The new user will be created with the user attributes listed here
| using the values stored in the given cognito user pool. Each attribute
| listed here must be set as a required attribute in your cognito user
| pool.
|
| When sso_repository_class is set this package will pass a new instance
| of the the auth provider's user model to the given class's
| createCognitoUser method. The users model will be hydrated with the given
| sso_user_attributes before it is passed.
*/
'sso' => env('SSO', false),
'sso_repository_class' => null,
'sso_user_attributes' => [
'name',
'email',
]Configuring an sso_repository_class is optional but doing so allows you to modify the new user record before it is saved or to dispatch events. An example sso_repository_class might look like this:
<?php
namespace App\Repositories;
use App\Models\User;
use App\Events\UserWasRegistered;
class UserRepository
{
public function createCognitoUser(User $user): User
{
$user->save();
event(new UserWasRegistered($user));
return $user;
}
}If you discover any security-related issues, please email [email protected] instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.