{"id":22268232,"url":"https://github.com/curityio/aws-authenticator","last_synced_at":"2026-05-01T10:32:06.930Z","repository":{"id":52158184,"uuid":"114043907","full_name":"curityio/aws-authenticator","owner":"curityio","description":"AWS Cognito oauth authenticator that can be used with any Java-based Web API","archived":false,"fork":false,"pushed_at":"2021-05-06T19:38:03.000Z","size":536,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-01-14T05:59:41.629Z","etag":null,"topics":["authenticator","aws","cognito","curity","login","oauth2","plugin"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/curityio.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-12T22:04:52.000Z","updated_at":"2023-04-27T11:06:03.000Z","dependencies_parsed_at":"2022-08-28T15:51:53.275Z","dependency_job_id":null,"html_url":"https://github.com/curityio/aws-authenticator","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/curityio/aws-authenticator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Faws-authenticator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Faws-authenticator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Faws-authenticator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Faws-authenticator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/curityio","download_url":"https://codeload.github.com/curityio/aws-authenticator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/curityio%2Faws-authenticator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32494270,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authenticator","aws","cognito","curity","login","oauth2","plugin"],"created_at":"2024-12-03T11:11:59.797Z","updated_at":"2026-05-01T10:32:06.905Z","avatar_url":"https://github.com/curityio.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"Amazon Cognito Authenticator Plugin\n===================================\n \n.. image:: https://img.shields.io/badge/quality-demo-red\n :target: https://curity.io/resources/code-examples/status/\n \n.. image:: https://img.shields.io/badge/availability-source-blue\n :target: https://curity.io/resources/code-examples/status/\n\nThis project provides an open source Amazon Cognito Authenticator plug-in for the Curity Identity Server. This allows an administrator to add functionality to Curity which will then enable end users to login using their StackOverflow, SuperUser, ServerFault or other Amazon Cognito credentials. The app that integrates with Curity may also be configured to receive the Amazon Cognito access token, allowing it to manage Amazon Cognito resources.\n\nSystem Requirements\n~~~~~~~~~~~~~~~~~~~\n\n* Curity Identity Server 2.4.0 and `its system requirements \u003chttps://developer.curity.io/docs/latest/system-admin-guide/system-requirements.html\u003e`_\n\nRequirements for Building from Source\n\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n\n* Maven 3\n* Java JDK v. 8\n\nCompiling the Plug-in from Source\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nThe source is very easy to compile. To do so from a shell, issue this command: ``mvn package``.\n\nInstallation\n~~~~~~~~~~~~\n\nTo install this plug-in, either download a binary version available from the `releases section of this project's GitHub repository \u003chttps://github.com/curityio/aws-authenticator/releases\u003e`_ or compile it from source (as described above). If you compiled the plug-in from source, the package will be placed in the ``target`` subdirectory. The resulting JAR file or the one downloaded from GitHub needs to placed in the directory ``${IDSVR_HOME}/usr/share/plugins/aws``. (The name of the last directory, ``aws``, which is the plug-in group, is arbitrary and can be anything.) After doing so, the plug-in will become available as soon as the node is restarted.\n\n.. note::\n\n The JAR file needs to be deployed to each run-time node and the admin node. For simple test deployments where the admin node is a run-time node, the JAR file only needs to be copied to one location.\n\nFor a more detailed explanation of installing plug-ins, refer to the `Curity developer guide \u003chttps://developer.curity.io/docs/latest/developer-guide/plugins/index.html#plugin-installation\u003e`_.\n\nCreating an App in Amazon Cognito\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo create a new app in Amazon Cognito, follow `Amazon Docs \u003chttps://docs.aws.amazon.com/cognito/latest/developerguide/getting-started.html\u003e`_.\nAfter you create the App, take note of the ``Client ID``, ``Secret key`` and ``Domain/Url``. These will be needed when configuring Curity.\n\nAmazon Cognito will also display the Authorization callback URL in the new app's configuration. This needs to match the yet-to-be-created Amazon Cognito authenticator instance in Curity. This should be updated to some URL that follows the pattern ``$baseUrl/$authenticationEndpointPath/$awsAuthnticatorId/callback``, where each of these URI components has the following meaning:\n\n============================== =========================================================================================\nURI Component Meaning\n------------------------------ -----------------------------------------------------------------------------------------\n``baseUrl`` The base URL of the server (defined on the ``System --\u003e General`` page of the\n admin GUI). If this value is not set, then the server scheme, name, and port should be\n used (e.g., ``https://localhost:8443``).\n``authenticationEndpointPath`` The path of the authentication endpoint. In the admin GUI, this is located in the\n authentication profile's ``Endpoints`` tab for the endpoint that has the type\n ``auth-authentication``.\n``awsAuthenticatorId`` This is the name given to the Amazon Cognito authenticator when defining it\n (e.g., ``cognito1``).\n============================== =========================================================================================\n\nOnce the redirect URI is updated, the only thing left is to configure scopes. You need to configure at least one scope `openid`.\n\n.. figure:: docs/images/aws-scope-manage-user.png\n :align: center\n :width: 500px\n\n\n It could be helpful to also enable additional scopes. Scopes are the AWS-related rights or permissions that the app is requesting. If the final application (not Curity, but the downstream app) is going to perform actions using the Amazon Cognito API, additional scopes probably should be enabled. Refer to the `Amazon Cognito documentation on scopes \u003chttps://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html\u003e`_ for an explanation of those that can be enabled and what they allow.\n\n.. warning::\n\n If the app configuration in Amazon Cognito does not allow a certain scope (e.g., the ``Profile`` scope) but that scope is enabled in the authenticator in Curity, a server error will result. For this reason, it is important to align these two configurations or not to define any when configuring the plug-in in Curity.\n\n\nCreating an Amazon Cognito Authenticator in Curity\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nThe easiest way to configure a new Amazon Cognito authenticator is using the Curity admin UI. The configuration for this can be downloaded as XML or CLI commands later, so only the steps to do this in the GUI will be described.\n\n1. Go to the ``Authenticators`` page of the authentication profile wherein the authenticator instance should be created.\n2. Click the ``New Authenticator`` button.\n3. Enter a name (e.g., ``cognito1``).\n4. For the type, pick the ``Aws`` option:\n\n .. figure:: docs/images/authenticator-type-in-curity.png\n :align: center\n :width: 600px\n\n5. On the next page, you can define all of the standard authenticator configuration options like any previous authenticator that should run, the resulting ACR, transformers that should executed, etc. At the bottom of the configuration page, the Amazon Cognito-specific options can be found.\n\n .. note::\n\n The Amazon Cognito-specific configuration is generated dynamically based on the `configuration model defined in the Java interface \u003chttps://github.com/curityio/aws-authenticator/blob/master/src/main/java/io/curity/identityserver/plugin/aws/config/AWSAuthenticatorPluginConfig.java\u003e`_.\n\n6. Certain required and optional configuration settings may be provided. One of these is the ``HTTP Client`` setting. This is the HTTP client that will be used to communicate with the Amazon Cognito OAuth server's token and user info endpoints. This will only be required if the calls to Amazon Cognito are made through a forwarding proxy or there is an benign SSL Man-in-the-Middle that uses some untrusted SSL certificate. To define this, do the following:\n\n A. click the ``Facilities`` button at the top-right of the screen.\n B. Next to ``HTTP``, click ``New``.\n C. Enter some name (e.g., ``awsClient``).\n D. Toggle on the ``Use Truststore`` or ``Proxy`` options as needed. When finished, click ``Apply``.\n\n .. figure:: docs/images/create-http-client.png\n :align: center\n :width: 600px\n\n\n7. Back in the Amazon Cognito authenticator instance that you started to define, select the new HTTP client from the dropdown if you created one; otherwise, leave this setting blank.\n\n .. figure:: docs/images/select-http-client.png\n :align: center\n :width: 400px\n\n8. In the ``Client ID`` textfield, enter the client ID from the Amazon Cognito app configuration. This is the auto-generated ID that was shown after you register it. Also enter the matching ``Client Secret`` and ``Domain`` (Domain is the URL to your Cognito App).\n9. If you have enabled any scopes or wish to limit the scopes that Curity will request of Amazon Cognito, toggle on the desired scopes (e.g., ``Profile`` or ``Email``).\n\nOnce all of these changes are made, they will be staged, but not committed (i.e., not running). To make them active, click the ``Commit`` menu option in the ``Changes`` menu. Optionally enter a comment in the ``Deploy Changes`` dialogue and click ``OK``.\n\nOnce the configuration is committed and running, the authenticator can be used like any other.\n\nLicense\n~~~~~~~\n\nThis plugin and its associated documentation is listed under the `Apache 2 license \u003cLICENSE\u003e`_.\n\nMore Information\n~~~~~~~~~~~~~~~~\n\nPlease visit `curity.io \u003chttps://curity.io/\u003e`_ for more information about the Curity Identity Server.\n\nCopyright (C) 2017 Curity AB.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Faws-authenticator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcurityio%2Faws-authenticator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcurityio%2Faws-authenticator/lists"}