scorpio17 has asked for the wisdom of the Perl Monks concerning the following question:

Hello!
I desperately need help understanding AWS Cognito - specifically using it to login to a 3rd party site. My understanding is that once you login with Cognito, it should give you a JWT (JSON Web Token). And it does. And I know how to decode the token and access the info contained inside.

The problem is that I have a legacy webapp, with which I would like to enable the option of logging in with Cognito. For example, if a user has already logged in to Cognito, then when they visit the legacy webapp, I'd like for it to somehow know that they've already logged in and not display a login page. My plan to implement this was to store the Cognito generated JWT in a cookie. BUT - the cookie is generated in a different domain: one used by AWS Cognito that I have no control over. And so web browsers don't show that cookie to my legacy webapp.

I've been looking online for ways to circumvent the "same origin" policy, and it looks like there might be possible work-arounds using iframes... But I feel like I must be missing something really basic, because the "same origin" policy is intended to prevent cross-site scripting attacks, etc. I feel bad hacking my way around it. And I've seen many websites now using features like "login with google, facebook, amazon, etc." In each of these cases, you get redirected to an id provider, and somehow a token is returned that the original website trusts and uses. So what's the secret? How are they getting the JWT transmitted back to the original website?

The legacy app is written in perl, as is all my JWT decoding logic, etc.

Thanks!

Replies are listed 'Best First'.
Re: Need help with AWS Cognito
by pryrt (Abbot) on Jun 24, 2020 at 18:44 UTC
    caveat: I have never used Cognito, and I have never implemented Login With Google, Login With Amazon, or similar.

    But I have recently been thinking in the background about such things, so just did a quick search. This article does a reasonably good job of explaining how it works for Google. Specifically to your point, the Google form has homepage URLs and authorized JS origins. I am wondering whether your Cognito settings would have similar. The article also specifically shows how it retrieves the JWT from Google.

    What I would love to see, inspired by some of the recent discussions on Mojolicious::Lite login examples, is a similar mockup to those using Mojolicious::Lite, but with specifically using one or more of the public OAuth servers for authentication. (And maybe one page that requires full login, and another page that shows different content depending on whether you are logged in or not.)

    edit: add links to first steps with Mojolicious::Lite and RFC / Audit: Mojo Login Example /edit

[reply]
Re: Need help with AWS Cognito
by perlfan (Parson) on Jun 25, 2020 at 02:01 UTC
    Wow you wrote a lot, but I read it. What it reminds me of is CORS, which means cross origin resource sharing. I don't know if that's your issue, the term origin is pretty overloaded in our lives. I share https://en.wikipedia.org/wiki/Cross-origin_resource_sharing only because there are a lot of useful links in the references section of the article regarding headers and whatnot. Also a DDG search of "AWS Cognito + CORS" shows a bunch of interesting stuff.
[reply]

Back to Seekers of Perl Wisdom