|
| 1 | +# Authentication |
| 2 | + |
| 3 | +This document describes how to configure authentication providers to work with **Feldera**. |
| 4 | + |
| 5 | +## AWS Cognito |
| 6 | + |
| 7 | +To configure AWS Cognito as an authentication provider, follow these steps: |
| 8 | + |
| 9 | + |
| 10 | +### Create a Cognito User Pool |
| 11 | + |
| 12 | +In the AWS Console: |
| 13 | + |
| 14 | +- Navigate to **Amazon Cognito** and create a new **User Pool**. |
| 15 | +- Choose any settings appropriate to your organization (e.g., required user attributes, password policies). |
| 16 | + |
| 17 | + |
| 18 | +### Create an App Client |
| 19 | + |
| 20 | +Once the User Pool is created: |
| 21 | + |
| 22 | +- Go to the **App clients** section and create a new app client. |
| 23 | +- **Select "Single-page application (SPA)"** as the app client type. |
| 24 | +- In the **Return URL** field, add: `https://<your-domain>/auth/callback/` |
| 25 | + |
| 26 | +:::note |
| 27 | + |
| 28 | +**Important:** The trailing slash (`/`) at the end of the URL **must be included**. AWS Cognito requires exact URL matching, and omitting the slash may result in redirect errors. |
| 29 | + |
| 30 | +::: |
| 31 | + |
| 32 | +### Configure OAuth 2.0 Settings |
| 33 | + |
| 34 | +In the App Client's **Login Settings**: |
| 35 | + |
| 36 | +- Add `https://<your-domain>/auth/callback/` to the **Callback URLs**. |
| 37 | +- Enable the following **OAuth 2.0 grant types**: |
| 38 | + - `Authorization code grant` |
| 39 | + - `Implicit grant` |
| 40 | +- Select the following **OpenID Connect scopes**: |
| 41 | + - `email` |
| 42 | + - `profile` |
| 43 | + - `openid` |
| 44 | + |
| 45 | +### Set Up Domain and Branding |
| 46 | + |
| 47 | +Go to the **App integration → Domain name** section and set up a custom domain or use the AWS-hosted one (e.g., `your-app.auth.us-west-1.amazoncognito.com`). |
| 48 | + |
| 49 | +This domain will be used in your login and logout URLs. |
| 50 | + |
| 51 | +### Configure Helm Chart (`values.yaml`) |
| 52 | + |
| 53 | +In your Feldera Helm chart configuration (`values.yaml`), fill out the `auth` section with the information from the Cognito console: |
| 54 | + |
| 55 | +```yaml |
| 56 | +auth: |
| 57 | + enabled: true |
| 58 | + provider: "aws-cognito" |
| 59 | + clientId: "<your-client-id>" |
| 60 | + issuer: "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>" |
| 61 | + cognitoLoginUrl: "https://<your-domain>.auth.<region>.amazoncognito.com/login?client_id=<your-client-id>&response_type=code&scope=email+openid" |
| 62 | + cognitoLogoutUrl: "https://<your-domain>.auth.<region>.amazoncognito.com/logout?client_id=<your-client-id>" |
| 63 | +``` |
| 64 | +
|
| 65 | +Replace all placeholders (`<your-client-id>`, `<region>`, `<user-pool-id>`, `<your-domain>`) with values from the AWS Cognito console. |
| 66 | + |
| 67 | +| Placeholder | Description | |
| 68 | +| ------------------ | ---------------------------------------------------------------------------------- | |
| 69 | +| `<your-client-id>` | Found under **App client information** in your Cognito User Pool. | |
| 70 | +| `<user-pool-id>` | Found in the User Pool's main page. | |
| 71 | +| `<region>` | The AWS region of your User Pool (e.g., `us-west-1`). | |
| 72 | +| `<your-domain>` | Your Cognito domain, under **Branding → Domain name**. | |
| 73 | +| `issuer` | Has the form of `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>`. | |
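Review bot: the grant-type list in "Configure OAuth 2.0 Settings" enables `Implicit grant` even though the `cognitoLoginUrl` in the Helm example already uses `response_type=code`, so the implicit flow is never exercised by this configuration and only widens what the app client will accept; the OAuth 2.0 Security Best Current Practice (RFC 9700) tells clients not to use the implicit grant because it returns tokens in the URL fragment. Suggest keeping only `Authorization code grant` (Cognito's SPA app client type pairs this with PKCE, since it has no client secret) and deleting the `- \`Implicit grant\`` bullet. Two smaller consistency points in the same region: the scope list asks the reader to enable `email`, `profile` and `openid`, but the login URL requests `scope=email+openid`, so either add `profile` to the URL or drop it from the list; and the `issuer` row of the placeholder table is not a placeholder, so it would read better as a sentence under the YAML block than as a table row.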