feat: add OIDC federation support (Entra ID / external IdP)#302
Open
varadhan06 wants to merge 1 commit intoaws-solutions:mainfrom
Open
feat: add OIDC federation support (Entra ID / external IdP)#302varadhan06 wants to merge 1 commit intoaws-solutions:mainfrom
varadhan06 wants to merge 1 commit intoaws-solutions:mainfrom
Conversation
Add support for external OIDC identity providers (e.g., Microsoft Entra ID) federated through Amazon Cognito. This enables three capabilities: 1. OAuth/OIDC redirect login: When OAuthDomain and OAuthRedirectUrl are present in aws-exports.json, Amplify is configured with loginWith.oauth so users are redirected to the external IdP instead of seeing the default Cognito login form. 2. Display federated user name: The top navigation bar now reads the user's name from the ID token payload (idToken.payload.name), falling back to username. For federated users, Cognito auto-generates a random username, so the ID token claim provides the actual display name. 3. Fix IoT policy attach for federated users: fetchUserAttributes() fails for OIDC-federated users, and the IoT policy attach was in the same try block after it, causing real-time metrics to silently break. Moved IoT policy attach before fetchUserAttributes and wrapped the latter in its own try/catch. All changes are backward-compatible - when OAuthDomain is not configured, behavior is identical to the current implementation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When using an external OIDC identity provider (e.g., Microsoft Entra ID) federated through Amazon Cognito, three issues occur:
No OAuth redirect — The Amplify config doesn't include
loginWith.oauth, so users see the default Cognito username/password form instead of being redirected to the external IdP.Random username displayed — For federated users, Cognito auto-generates a username like
EntraID_SfmQzRfm.... The top navigation bar shows this instead of the user's actual name.Real-time metrics broken —
fetchUserAttributes()fails for OIDC-federated users. Since the IoT policy attach runs after it in the same try block, it gets silently skipped, breaking the MQTT connection for live test metrics.Solution
4 files changed, 43 insertions, 6 deletions. All changes are backward-compatible.
source/infrastructure/lambda/aws-exports-handler/index.tsOAuthDomainandOAuthRedirectUrlinaws-exports.jsonwhen provided by CloudFormationsource/webui/src/main.tsxloginWith.oauthto the Amplify config whenOAuthDomainis presentsource/webui/src/components/navigation/TopNavigationBar.tsxname(oremail) fromidToken.payloadviafetchAuthSession()and display it, falling back touser.usernamesource/webui/src/contexts/UserContext.tsxfetchUserAttributes()fetchUserAttributes()in its own try/catch so its failure doesn't block IoT setupBackward Compatibility
When
OAuthDomainis not configured (no external IdP), all behavior is identical to the current implementation:user.username