awallef/cakephp-cognito-auth

CakePHP AWS cognito auth

cakephp-cognito-auth plugin for CakePHP

This plugin allows you auth cognito users, _(*1)

Installation

You can install this plugin into your CakePHP application using composer., _(*2)

The recommended way to install composer packages is:, _(*3)

composer require awallef/cakephp-cognito-auth

Configure

From

Configure your auth component with your aws credentials & info, _(*4)

'loginAction' => false, // as u want
'unauthorizedRedirect' => false, // as u want
'checkAuthIn' => 'Controller.initialize', // depends where u want it
'storage' => 'Session', // as u want

// Authenticate
'authenticate' => [
    'Awallef/CognitoAuth.Form' => [

        // AWS - REQUIRED
        'region'  => 'eu-central-1',
        'credentials' => [
            'key' => 'XX',
            'secret'  => 'XX',
        ],
        'userPoolId' => 'eu-central-1_XX',
        'clientId' => 'XX',
        'clientSecret' => 'XX',

        // traditional stuff - OPTIONAL ( here default values )
        'fields' => [
            'username' => 'username',
            'password' => 'password'
        ],
        'userModel' => 'Users',
        'scope' => [],
        'finder' => 'all',
        'contain' => null,
        'passwordHasher' => 'Default',

        // create users - OPTIONAL ( here default values ) see User model below
        'create' => false,

        // Groups management - OPTIONAL ( here default values ) whether you want to keep an array or not
        'groupImplode' => true,
        'groupImplodeGlue' => ',',

        // renaming - OPTIONAL ( here default values + sepcial is_superuser )
        'fieldsMapping' => [
          'Username' => 'username',
          'Enabled' => 'is_active',
          'UserStatus' => 'status',
          'sub' => 'id',
          'Groups' => 'role',
          'new key' => 'is_superuser', // in order to use cakeDC/Auth
        ]

        // values functions - OPTIONAL ( default value is [] ) triggered after fieldsMapping (renaming)
        'valuesPostOperations' => [
            'role' => function($user, $value){
                return empty($user['role'])? 'no role': $user['role'];
            },
            'is_superuser' => function($user, $value){
                return (is_string($user['role']) && $user['role'] == 'superuser');
            },
        ],
    ],
]

Basic

Configure your auth component with your aws credentials & info, _(*5)

'loginAction' => false,
'unauthorizedRedirect' => false,
'checkAuthIn' => 'Controller.initialize',
'storage' => 'Memory', // means you ask aws for each query... so I suggest you to use my plugin cakephp-redis

/* so once Basic grant access, you'll find X-Token header with your token
* then add this X-Token hader with value Bearer XXX ( the previous token )
* so storage keep you session in redis instead of asking for new grant access
'storage' => [
    'className' => 'Awallef/Redis.Redis',
    'redis' => [
        'prefix' => 'your_app_id:token:',
    ]
],
*/

// Authenticate
'authenticate' => [
    'Awallef/CognitoAuth.Basic' => [

        // AWS - REQUIRED
        'region'  => 'eu-central-1',
        'credentials' => [
            'key' => 'XX',
            'secret'  => 'XX',
        ],
        'userPoolId' => 'eu-central-1_XX',
        'clientId' => 'XX',
        'clientSecret' => 'XX',

        // traditional stuff - OPTIONAL ( here default values )
        'fields' => [
            'username' => 'username',
            'password' => 'password'
        ],
        'userModel' => 'Users',
        'scope' => [],
        'finder' => 'all',
        'contain' => null,
        'passwordHasher' => 'Default',

        // create users - OPTIONAL ( here default values ) see User model below
        'create' => false,

        // Groups management - OPTIONAL ( here default values ) whether you want to keep an array or not
        'groupImplode' => true,
        'groupImplodeGlue' => ',',

        // renaming - OPTIONAL ( here default values + sepcial is_superuser )
        'fieldsMapping' => [
          'Username' => 'username',
          'Enabled' => 'is_active',
          'UserStatus' => 'status',
          'sub' => 'id',
          'Groups' => 'role',
          'new key' => 'is_superuser', // in order to use cakeDC/Auth
        ]

        // values functions - OPTIONAL ( default value is [] ) triggered after fieldsMapping (renaming)
        'valuesPostOperations' => [
            'role' => function($user, $value){
                return empty($user['role'])? 'no role': $user['role'];
            },
            'is_superuser' => function($user, $value){
                return (is_string($user['role']) && $user['role'] == 'superuser');
            },
        ],
    ],
]

User Model

you can create a copy of the user in your system by setting create config argument to true, _(*6)

// auth settings
...
// create users - OPTIONAL
'create' => true,
...

So you will need a User Model that matches aws fields or by using fieldsMapping argument congito-auth needs to have write permission on id if you rename AWS 'sub' filed into id, _(*7)

// auth settings
...
'fieldsMapping' => [
    'Username' => 'username',
    'Enabled' => 'is_active',
    'UserStatus' => 'status',
    'sub' => 'id',
    'Groups' => 'role'
],
...

Model Entity:, _(*8)

protected $_accessible = [
    '*' => true,
    'id' => true
];

Challenge

if you recieve a challenge error such as:, _(*9)

SMS_MFA
PASSWORD_VERIFIER
ADMIN_NO_SRP_AUTH
NEW_PASSWORD_REQUIRED

redirect, or ask user to provide responses in request data object:, _(*10)

// + username + password => required 
// 'USERNAME' and 'SECRET_HASH' => will be filled for you
$request->data['Challenge']['responses'] // must be filled

please refer to : aws php SDK #adminrespondtoauthchallenge, _(*11)