
OpenID Connect login based group membership with AWS Cognito

09-19-2024 04:41 PM
SiCasley
Occasional Contributor

Does anybody have group membership working with a Cognito login? I have set up the OIDC login and it works fine, but it won't automatically add my user to a group.

I've set up the group whose membership is controlled by being a member of an OpenID Connect group, and the group name is the same as my group in Cognito.

Here's the groups claim value from the Cognito token:

    'cognito:groups': [ 'test_group' ],

My group in AGOL is called test_group

Any help would be much appreciated!
0 Kudos
3 Replies
MaggieWoo
Emerging Contributor

We are also trying to get this working (on Enterprise Portal v11.4). 

In AWS, we followed the general guidance (using a lambda) to modify the access token claims so that it looks like `"groups": ["test_group"]`. See https://aws.amazon.com/blogs/mobile/how-to-use-cognito-pre-token-generators-to-customize-claims-in-i... 

I wonder if there is an ESRI Blog article somewhere that has an example where this works with any OIDC IdP. What does the JWT token look like when it works? Is it using the access_token? or the id_token? What is the attribute name, and is it namespaced?

AWS doesn't allow you to use "groups" as one of its scopes. By any chance, is the portal expecting the scopes attribute in the token to include this?

We also eliminated the possibility that user permissions are an issue by testing this with a user with Administrator role.

In short, I wish this was open source so I could look at the code and answer my own questions. 

Thanks for any attention!

0 Kudos
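An added example, not the poster's Lambda and not code from the linked AWS blog: a Node.js pre-token-generation handler that copies the user's Cognito group membership (the source of the `cognito:groups` claim) into a top-level `groups` claim on both the ID token and the access token, so the portal finds it whichever token it reads. It assumes the version-2 trigger event shape (`event.request.groupConfiguration.groupsToOverride` as input, `event.response.claimsAndScopeOverrideDetails` as output), that the user pool is configured for that trigger version, and that an array is accepted as a claim value; the sample event is constructed.

```javascript
"use strict";

// Pure helper so the claim logic can be checked without deploying to Lambda.
// Assumption: V2 event shape; `groupsToOverride` lists the user's Cognito groups.
function groupsFromEvent(event) {
  const cfg = (event && event.request && event.request.groupConfiguration) || {};
  const raw = Array.isArray(cfg.groupsToOverride) ? cfg.groupsToOverride : [];
  // Keep only non-empty strings and de-duplicate; do not trust the shape blindly.
  return [...new Set(raw.filter((g) => typeof g === "string" && g.length > 0))];
}

// Build the override block that exposes the same list under the plain name
// `groups`, on the ID token and on the access token (the thread is unsure which
// one the portal inspects, so both carry it).
function buildOverrides(groups) {
  const claims = { groups: groups.slice() };
  return {
    idTokenGeneration: { claimsToAddOrOverride: claims },
    accessTokenGeneration: { claimsToAddOrOverride: { groups: groups.slice() } },
  };
}

// Lambda entry point: the trigger contract is to return the (mutated) event.
async function handler(event) {
  const groups = groupsFromEvent(event);
  event.response = event.response || {};
  event.response.claimsAndScopeOverrideDetails = buildOverrides(groups);
  return event;
}

// Constructed sample event for a local run (not a real Cognito payload).
const sampleEvent = {
  version: "2",
  triggerSource: "TokenGeneration_Authentication",
  request: {
    userAttributes: { email: "user@example.com" },
    groupConfiguration: { groupsToOverride: ["test_group", "test_group"] },
  },
  response: {},
};

handler(sampleEvent).then((out) => {
  // Expected: {"claimsAndScopeOverrideDetails":{"idTokenGeneration":{"claimsToAddOrOverride":{"groups":["test_group"]}},...}}
  console.log(JSON.stringify(out.response));
});
```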
SiCasley
Occasional Contributor

I think it's using the id_token (but I can't say for sure!). Working with tech support we've been able to get a bug logged for this: "BUG-000172874 - Enable OpenID Connect login-based group membership does not work when single sign-on is configured with Amazon Cognito as the IdP", so hopefully it'll get fixed in the near future. 

MaggieWoo
Emerging Contributor

Just updating that on our side, we've gotten a bug and an enhancement logged for this:

  • BUG-000174090 - Integrate OpenID groups when using AWS Cognito for Portal for ArcGIS
  • ENH-000169368 - Provide Documentation for Configuring OpenID via API
0 Kudos