Unlocking Seamless Authentication with Liferay OIDC Connector and AWS Cognito

In today’s digital ecosystem, secure and seamless user authentication is a cornerstone of any robust enterprise application. OpenID Connect (OIDC) simplifies this by providing a secure and standardised way to authenticate users across applications. Liferay Digital Experience Platform (DXP) can be deployed into various infrastructures and cloud environments, including Amazon Web Services. Many customers deploying Liferay on AWS would like to use AWS Cognito as their IAM solution.

One powerful combination is using the Liferay OIDC connector with AWS Cognito. This blog will walk you through the process of integrating these technologies to enhance your authentication setup.

What is OpenID Connect (OIDC)?

OIDC is an identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on the authentication performed by an Authorization Server. It also obtains basic profile information about the user in an interoperable and REST-like manner.

Why AWS Cognito?

AWS Cognito is a robust user management and authentication service that scales to millions of users. It supports OIDC, making it an excellent choice for integrating with various applications, including Liferay, to manage user authentication and authorization.

Why Liferay?

Liferay is a leading open-source digital experience platform that enables the creation of sophisticated low-code solutions such as partner portals, customer portals, intranets, digital commerce, and enterprise websites with connected experiences. It supports various authentication mechanisms, including OIDC, making it a flexible and powerful choice for enterprises.

Setting Up the Integration

Here’s a step-by-step guide to integrating AWS Cognito with Liferay using the OIDC connector:

Step 1: Set Up AWS Cognito

  1. Create a Cognito User Pool:

    • Sign in to the AWS Management Console.
    • Navigate to Amazon Cognito.
    • Choose "Create a User Pool."
    • Configure the pool name and settings as per your requirements.
    • Under "App clients," create a new app client. Make sure to note down the app client ID and secret.

  2. Configure App Client Settings:

    • Enable the "Cognito User Pool" as a provider.
    • Add the callback URL that will handle the response from Cognito. This should be your Liferay URL followed by /c/portal/login/openidconnect.
    • Select the necessary OAuth 2.0 flows, such as Authorization code grant.
    • Specify the scopes, such as openid, profile, and email. You can request additional scopes depending on the attributes you have configured and mapped.
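The two steps above produce three values that have to agree with each other and with the Liferay side: the user pool's well-known URI (entered in Step 2), the callback URL registered on the app client, and the grant/scope settings. The following added example (not code from this post, from Liferay or from AWS) checks a Cognito discovery document and an app client definition against what the connector needs. The Cognito URL shapes are AWS's documented ones; SAMPLE_DISCOVERY and SAMPLE_APP_CLIENT are constructed data (a real run would fetch the first over HTTPS and take the second from `aws cognito-idp describe-user-pool-client`, whose UserPoolClient key names are used), and the pool id, client id and Liferay host are placeholders.

```python
"""Pre-flight checks for the AWS Cognito side of a Liferay OIDC login.

Added example; not code from the post, from Liferay or from AWS.
SAMPLE_DISCOVERY and SAMPLE_APP_CLIENT are CONSTRUCTED; pool id,
client id and Liferay host are placeholders.
"""
from urllib.parse import urlparse

# Callback path the post gives for Liferay's OIDC connector.
LIFERAY_CALLBACK_PATH = "/c/portal/login/openidconnect"
REQUIRED_SCOPES = {"openid", "profile", "email"}


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """Issuer (iss) of tokens from a user pool; also the base of its metadata."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def cognito_well_known_uri(region: str, user_pool_id: str) -> str:
    """Value for Liferay's 'Authorization server well known URI' field."""
    return cognito_issuer(region, user_pool_id) + "/.well-known/openid-configuration"


def liferay_callback_url(liferay_base_url: str) -> str:
    """Redirect URI that must be registered on the Cognito app client."""
    return liferay_base_url.rstrip("/") + LIFERAY_CALLBACK_PATH


def check_discovery_document(doc: dict, expected_issuer: str) -> list[str]:
    """Return a list of problems (empty when the metadata is usable)."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not offered: " + ", ".join(sorted(missing)))
    return problems


def check_app_client(client: dict, liferay_base_url: str) -> list[str]:
    """Check an app client definition against what the Liferay connector needs."""
    problems = []
    callback = liferay_callback_url(liferay_base_url)
    if callback not in client.get("CallbackURLs", []):
        problems.append(f"callback URL not registered: {callback}")
    if urlparse(liferay_base_url).scheme != "https":
        problems.append("Liferay callback should be served over https")
    flows = client.get("AllowedOAuthFlows", [])
    if "code" not in flows:
        problems.append("authorization code grant not enabled on app client")
    if "implicit" in flows:
        problems.append("implicit grant enabled; only the authorization code grant is needed here")
    missing = REQUIRED_SCOPES - set(client.get("AllowedOAuthScopes", []))
    if missing:
        problems.append("scopes not allowed on app client: " + ", ".join(sorted(missing)))
    if "COGNITO" not in client.get("SupportedIdentityProviders", []):
        problems.append("Cognito User Pool not enabled as identity provider")
    if not client.get("ClientSecret"):
        problems.append("app client has no secret; Liferay is a confidential client")
    return problems


REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "1example23456789abcdef"
LIFERAY_URL = "https://portal.example.com"

SAMPLE_DISCOVERY = {  # constructed, in the shape Cognito publishes
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "authorization_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token",
    "userinfo_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/userInfo",
    "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
}

SAMPLE_APP_CLIENT = {  # constructed; keys as in describe-user-pool-client output
    "ClientId": CLIENT_ID,
    "ClientSecret": "<placeholder-secret>",
    "CallbackURLs": ["https://portal.example.com/c/portal/login/openidconnect"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email", "profile"],
    "SupportedIdentityProviders": ["COGNITO"],
}

if __name__ == "__main__":
    print(cognito_well_known_uri(REGION, POOL_ID))
    print(check_discovery_document(SAMPLE_DISCOVERY, cognito_issuer(REGION, POOL_ID)) or "discovery OK")
    print(check_app_client(SAMPLE_APP_CLIENT, LIFERAY_URL) or "app client OK")
```

The issuer check matters most: Liferay will only accept ID tokens whose iss equals the issuer in the discovery document, so the well-known URI you enter must belong to the same pool the app client lives in.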

Step 2: Configure Liferay

There are two ways to create the connection: the standard way and the new way.

The new interface is for those who want granular control over their client connection. All configuration is taken from the provider’s well-known configuration endpoint, as defined in the OpenID Connect Discovery specification. You can access this interface at Global Menu → Control Panel → Security → OAuth Client Administration.

For the standard way, go to Control Panel → Instance Settings → Security → SSO and add your OIDC provider configuration manually. This also works for providers that do not expose a discovery endpoint, where you may need to enter the individual URLs manually.

I am using the new interface to configure OIDC with AWS Cognito.

  • Provide the well-known endpoint in the "Authorization server well known URI" field. You can refer to this article for AWS Cognito well-known endpoints and other URLs.
  • Add the required client name in the "OAuth client information" field; this name will appear on your login screen.
  • Provide the client ID and client secret as received from the AWS Cognito app client registration.
  • Specify the scopes as per your requirement. I will use openid, email and profile as configured.
  • Make sure to map the user attributes correctly in the "OpenID Connect user information mapper JSON" field. The mapping must match the response from the user info endpoint; it is what Liferay uses to import users with the required attributes.

After saving the OAuth client configuration, you will need to enable OpenID Connect to activate the login flow. You can do this under Instance Settings > SSO > OpenID Connect.

Step 3: Testing the Integration

  1. Initiate Login:

    • Navigate to your Liferay login page.
    • You should see an option to log in via your configured OIDC provider (named as per the client name you provided, e.g. AWS Cognito).

  2. Authenticate via Cognito:

    • Clicking the OIDC login option should redirect you to the AWS Cognito UI.
    • Enter your credentials and authenticate.

  3. Redirection and Access:

    • Upon successful authentication, you should be redirected back to Liferay as an authenticated user. The user is imported into Liferay with the defined attribute mapping.

Note: As of now, user attributes, including groups, are synced only at first login; changes to attributes in Cognito will not flow to Liferay on subsequent logins. You can build post-login action logic to achieve this.
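To make the "first login only" behaviour concrete, and to show what the user information mapper JSON from Step 2 actually does with the user info response, here is an added example in Python (not Liferay's code and not from this post). It models the checks a relying party performs on the ID token's claims before trusting them, applies a mapper to a userinfo response, and computes which fields a post-login sync would have to update. SAMPLE_MAPPER follows the shape of the "user" and "address" sections of Liferay's mapper JSON as I understand it (Liferay field → claim name, empty string for unmapped, dotted path for nested claims); the token claims, the userinfo response and the stored user record are constructed data, and the token signature is assumed to have been verified against the pool's jwks_uri already.

```python
"""Claim handling on the Liferay side of a Cognito OIDC login.

Added example; not Liferay's code and not from the post.  All sample
data is CONSTRUCTED; the mapper shape is assumed from Liferay's default.
Signature verification of the ID token is assumed to have happened already.
"""

SAMPLE_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_CLIENT_ID = "1example23456789abcdef"

# Constructed ID-token payload using the claim names Cognito issues.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "sub": "11111111-2222-3333-4444-555555555555",
    "token_use": "id",
    "exp": 1_700_003_600,
    "nonce": "n-0S6_WzA2Mj",
    "cognito:username": "jdoe",
    "email": "jdoe@example.com",
    "email_verified": True,
}


def validate_id_token_claims(claims, expected_issuer, client_id, expected_nonce, now):
    """Return a list of problems; an empty list means the claims may be trusted."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the user pool issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client id")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (an access token is not an identity assertion)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the one sent in the authorization request")
    if claims.get("email") and claims.get("email_verified") is not True:
        problems.append("email claim present but not verified")
    return problems


# Constructed userinfo response (what the user info endpoint would return
# for the openid, email and profile scopes).
SAMPLE_USERINFO = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "username": "jdoe",
    "email": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "address": {"locality": "Springfield"},
}

SAMPLE_MAPPER = {  # assumed shape: Liferay field -> claim name
    "user": {
        "emailAddress": "email",
        "firstName": "given_name",
        "lastName": "family_name",
        "screenName": "username",
        "jobTitle": "",  # empty string: not mapped
    },
    "address": {"city": "address.locality", "street1": "address.street_address"},
}

# Constructed record as Liferay stored it at first login (surname has since changed).
EXISTING_USER = {
    "user": {"emailAddress": "jdoe@example.com", "firstName": "Jane", "lastName": "Do", "screenName": "jdoe"},
    "address": {"city": "Springfield"},
}


def lookup_claim(claims, path):
    """Resolve a dotted claim path such as 'address.locality'; None if absent."""
    value = claims
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def apply_mapper(mapper, userinfo):
    """Turn the userinfo response into {section: {liferay_field: value}}."""
    mapped = {}
    for section, fields in mapper.items():
        for field, claim in fields.items():
            if not claim:
                continue
            value = lookup_claim(userinfo, claim)
            if value is not None:
                mapped.setdefault(section, {})[field] = value
    return mapped


def changed_fields(existing, mapped):
    """Fields whose value in Cognito differs from the stored Liferay record."""
    changes = {}
    for section, fields in mapped.items():
        stored = existing.get(section, {})
        diff = {f: v for f, v in fields.items() if stored.get(f) != v}
        if diff:
            changes[section] = diff
    return changes


if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, "n-0S6_WzA2Mj", now=1_700_000_100) or "ID token OK")
    print(changed_fields(EXISTING_USER, apply_mapper(SAMPLE_MAPPER, SAMPLE_USERINFO)))
```

changed_fields is the piece a post-login action would act on: on every login, re-map the fresh userinfo response and update only the fields that differ, rather than relying on the import that happens at first login.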

Conclusion

Integrating Liferay with AWS Cognito using the OIDC connector not only simplifies user management but also enhances security by leveraging AWS’s robust authentication capabilities. This seamless integration ensures a secure and user-friendly authentication process, empowering your enterprise with reliable access control mechanisms.