Auth using AWS Cognito

chrisj · October 12, 2022, 9:07am

Has anyone implemented auth with AWS Cognito??

Regards
Chris

justinwiley · May 29, 2024, 9:49pm

This is an old question, but wanted to mention this is possible. At a high level this involves:

creating a Cognito user pool
create an app client
set email and profile as read/write (profile is probably optional)
add sign in and logout urls:

http://localhost:/login
https:///login
http://localhost:/logout
https:///logout

OAuth grant types: Authorization code grant
OpenID Connect scopes: email, openid
ALLOW_REFRESH_TOKEN_AUTH and ALLOW_USER_SRP_AUTH flows

For panel you’ll need to configure it to use the ‘auth_code’ oauth_provider, and supply the following values as either env variables or in pn.serve():

OAUTH_KEY=<the cognito client id (not the user pool id)>
OAUTH_AUTHORIZE_URL=<one of the login callback urls you specified, localhost for local>
OAUTH_TOKEN_URL=

Note: there are plenty of additional steps and sharp edges depending on how your Panel app and Cognito can be configured, this will hopefully get you started.

justinwiley · May 29, 2024, 10:11pm

The default env variables I mentioned are actually slightly different (we read them in manually), they are prefaced with PANEL_, see Configuring OAuth — Panel v1.4.3

edu · June 6, 2024, 4:18am

I don’t recommend using AWS Cognito (inaccurate documentation, lots of hard-to-debug edge cases). I’ve had a much better experience with Auth0.

However, if you must use AWS Cognito, I recommend separating the authentication logic from your Panel app. I’ve done this by writing a reverse proxy that handles authentication on behalf of my Panel app, which allows for the easy re-use of the authentication logic for other apps. I’ve done it with Node.js, but there are other alternatives.

Essentially, you put a container in front of your app and add the authentication layer there; if a user provides the correct set of credentials, you let them pass (and pass any authentication data via HTTP headers).

My team develops an Auth0 plugin for Panel, so if that’s an option, check us out!

chrisj · July 25, 2024, 11:39am

Update… i was able to setup an Application Load Balancer which would take care of Cognito auth before the request is sent to the Holoviz Panel web app behind the load balancer. Now I require to provide a log-out button.

I’m able to configure the logout based on this documentation Logout endpoint - Amazon Cognito

but the session does not expire…

Regards
Chris

chrisj · July 25, 2024, 11:40am

Auth0 is not a option right now