OIDC Configuration
Configure OpenID Connect (OIDC) authentication through AWS Cognito for enterprise single sign-on.
Overview
ASCEND supports OIDC authentication via AWS Cognito, which can federate with external OIDC providers.
```text
┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│  Your OIDC  │───▶│ AWS Cognito │───▶│   ASCEND    │
│  Provider   │    │  User Pool  │    │  Platform   │
└─────────────┘    └─────────────┘    └─────────────┘
```
Supported OIDC Providers
| Provider | Status |
|---|---|
| Auth0 | Supported |
| Okta | Supported |
| Azure AD | Supported |
| OneLogin | Supported |
| PingIdentity | Supported |
| Custom OIDC | Supported |
Configuration Steps
1. Configure OIDC in AWS Cognito
In your Cognito User Pool:
- Navigate to Federation → Identity providers → Add provider
- Select OpenID Connect
- Configure:
| Setting | Value |
|---|---|
| Provider name | YourProvider |
| Client ID | Your OIDC client ID |
| Client secret | Your OIDC client secret |
| Authorize scope | openid email profile |
| Issuer URL | https://your-provider.com |
2. Attribute Mapping
Map OIDC claims to Cognito attributes:
| OIDC Claim | Cognito Attribute |
|---|---|
| sub | username |
| email | email |
| given_name | given_name |
| family_name | family_name |
| groups | custom:groups |
3. Configure App Client
Enable the OIDC provider in your Cognito app client:
- Navigate to App integration → App client settings
- Enable your OIDC identity provider
- Configure callback URLs:
```text
https://pilot.owkai.app/auth/callback
https://pilot.owkai.app/api/api/auth/callback
```
OIDC Flow
Authorization Code Flow
1. User clicks "Login with [Provider]"
2. Redirect to Cognito Hosted UI
3. Cognito redirects to OIDC provider
4. User authenticates with provider
5. Provider redirects back to Cognito
6. Cognito issues tokens
7. ASCEND validates tokens and creates session
Token Exchange
```bash
# Exchange the authorization code for tokens at the Cognito Hosted UI token endpoint.
# If the app client was created with a client secret, Cognito expects it as HTTP Basic
# auth (-u "your-client-id:your-client-secret") rather than as a form field.
# If the login used PKCE, add -d "code_verifier=..." with the verifier from that login.
curl -X POST https://acme-corp.auth.us-east-2.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=your-client-id" \
  -d "code=authorization-code" \
  -d "redirect_uri=https://pilot.owkai.app/auth/callback"
```
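The client side of the flow above, as an added Python example (not ASCEND's or AWS's own code): it generates the PKCE verifier/challenge pair, the `state` and `nonce` values, the Cognito Hosted UI authorize URL, and the token-exchange body that goes with the curl call. It assumes the Cognito domain, client id and callback URL shown on this page (placeholders), and the standard Hosted UI `/oauth2/authorize` parameters (`code_challenge`, `code_challenge_method`, `identity_provider`).

```python
# Added example (not ASCEND's own code): PKCE material, state/nonce generation and the
# Cognito Hosted UI requests for the authorization code flow. Values below are the
# placeholders from the page, not a real deployment.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

COGNITO_DOMAIN = "https://acme-corp.auth.us-east-2.amazoncognito.com"
CLIENT_ID = "your-client-id"                       # placeholder from the page
REDIRECT_URI = "https://pilot.owkai.app/auth/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh verifier (43 chars, 256 bits of entropy) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, make_code_challenge(verifier)


def new_login_values():
    """state binds the callback to this browser session; nonce binds the ID token to it."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(code_challenge, state, nonce, identity_provider=None,
                        scope="openid email profile"):
    """Authorize request to the Hosted UI; the challenge is sent, the verifier kept."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if identity_provider:
        # Skips the Hosted UI chooser and sends the user straight to the named provider.
        params["identity_provider"] = identity_provider
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if state round-tripped intact."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: stale login attempt or forged callback")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(code: str, code_verifier: str):
    """Endpoint and form body for the token exchange; the verifier proves the challenge."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    return f"{COGNITO_DOMAIN}/oauth2/token", body


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = new_login_values()
    print(build_authorize_url(challenge, state, nonce, identity_provider="YourProvider"))
    # after the browser returns to REDIRECT_URI?code=...&state=...:
    code = parse_callback(f"{REDIRECT_URI}?code=authorization-code&state={state}", state)
    print(build_token_request(code, verifier))
```

The verifier, `state` and `nonce` live only in the server-side session for that login attempt; the callback handler rejects any response whose `state` does not match, and the `nonce` is later checked against the ID token.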
Create ASCEND Session
```bash
curl -X POST https://pilot.owkai.app/api/api/auth/cognito-session \
  -H "Content-Type: application/json" \
  -d '{
    "id_token": "eyJhbGciOiJSUzI1NiIs...",
    "access_token": "eyJhbGciOiJSUzI1NiIs..."
  }' \
  -c cookies.txt
```
Provider-Specific Configuration
Auth0
- Create Auth0 Application (Regular Web Application)
- Configure:
- Allowed Callback URLs: Cognito callback URL
- Allowed Logout URLs: Cognito logout URL
- Note: Client ID, Client Secret, Domain
Cognito OIDC Settings:
Issuer URL: https://your-tenant.auth0.com/
Authorize scope: openid email profile
Okta
- Create Okta Application (Web Application)
- Configure Sign-in redirect URI: Cognito callback URL
- Note: Client ID, Client Secret, Okta Domain
Cognito OIDC Settings:
Issuer URL: https://your-org.okta.com
Authorize scope: openid email profile groups
Azure AD
- Register Application in Azure AD
- Add redirect URI: Cognito callback URL
- Create client secret
- Configure API permissions:
openid,email,profile
Cognito OIDC Settings:
Issuer URL: https://login.microsoftonline.com/{tenant-id}/v2.0
Authorize scope: openid email profile
Token Claims
Required Claims
| Claim | Description |
|---|---|
| sub | Subject identifier (user ID) |
| email | User email address |
| email_verified | Email verification status |
Optional Claims
| Claim | Description |
|---|---|
| given_name | First name |
| family_name | Last name |
| groups | Group memberships |
| roles | User roles |
Role Mapping
Map OIDC groups/roles to ASCEND roles:
```json
{
  "role_mapping": {
    "oidc_admins": "admin",
    "oidc_security": "security_admin",
    "oidc_developers": "developer",
    "oidc_viewers": "viewer"
  },
  "default_role": "viewer",
  "groups_claim": "groups"
}
```
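How a mapping like the one above resolves to a single role, as an added Python example (not ASCEND's own code). Two things the page does not state are assumed and marked in the code: a precedence order for users who belong to several mapped groups (the most privileged mapped role wins), and the shape of the groups value after Cognito has copied it into a custom attribute (a single string such as `[oidc_admins, oidc_viewers]`), which is handled alongside the plain JSON array.

```python
# Added example (not ASCEND's own code): resolve a platform role from the groups claim
# using the role_mapping document from the page. Assumptions are marked inline.
import json

ROLE_CONFIG = {  # the mapping shown on the page
    "role_mapping": {
        "oidc_admins": "admin",
        "oidc_security": "security_admin",
        "oidc_developers": "developer",
        "oidc_viewers": "viewer",
    },
    "default_role": "viewer",
    "groups_claim": "groups",
}

# Assumed precedence (not stated on the page): a user in several mapped groups gets
# the most privileged of the mapped roles. Roles missing from this table rank lowest.
ROLE_RANK = {"viewer": 0, "developer": 1, "security_admin": 2, "admin": 3}


def parse_groups(value):
    """Normalise the groups claim to a list of group names.

    The provider emits a JSON array. When Cognito copies an array claim into a custom
    attribute it arrives as one string, assumed here to look like "[a, b]" (not valid
    JSON). Both shapes are accepted; anything else yields no groups, never an error.
    """
    if value is None:
        return []
    if isinstance(value, list):
        return [str(g).strip() for g in value if str(g).strip()]
    if isinstance(value, str):
        text = value.strip()
        if text.startswith("[") and text.endswith("]"):
            try:
                parsed = json.loads(text)
                if isinstance(parsed, list):
                    return [str(g).strip() for g in parsed if str(g).strip()]
            except json.JSONDecodeError:
                pass  # Cognito-style "[a, b]" is not JSON; treat as comma-separated
            text = text[1:-1]
        return [g.strip() for g in text.split(",") if g.strip()]
    return []


def resolve_role(claims, config=ROLE_CONFIG):
    """Pick the ASCEND role for the claims of one validated ID token."""
    mapping = config["role_mapping"]
    groups = parse_groups(claims.get(config["groups_claim"]))
    # Unmapped groups are ignored rather than granting anything.
    candidates = [mapping[g] for g in groups if g in mapping]
    if not candidates:
        return config["default_role"]  # no mapped group: the least-privileged default
    return max(candidates, key=lambda r: ROLE_RANK.get(r, -1))


if __name__ == "__main__":
    sample_claims = {"sub": "u1", "email": "u1@example.com",
                     "groups": "[oidc_viewers, oidc_security]"}  # constructed sample
    print(resolve_role(sample_claims))  # security_admin
```

Because the default applies both when the claim is absent and when no group is mapped, a provider misconfiguration (wrong scope, attribute mapping missing) degrades to the viewer role rather than failing open; the "Claims Missing" troubleshooting entries below are where to look when that happens unexpectedly.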
Security Considerations
Token Validation
ASCEND validates OIDC tokens via Cognito:
- Signature - RS256 signature against JWKS
- Issuer - Must match Cognito pool URL
- Audience - Must match client ID
- Expiration - Token must not be expired
- Nonce - Must match the value sent in the authorize request for this login; prevents replay attacks
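The five checks above in order, as an added Python example (not ASCEND's own code). It pins the header `alg` to RS256 and selects the verification key by `kid` from the pool's JWKS before delegating the RSA check to an `rsa_verify` callable (a JOSE library in a real deployment); the stub verifier and the sample JWKS used to run it offline are assumptions, as is the issuer value, which follows the Cognito pool URL form. It also checks Cognito's `token_use` claim so that an access token cannot be presented where an ID token is expected.

```python
# Added example (not ASCEND's own code): validate a Cognito ID token's header and claims.
# RSA signature verification is delegated to `rsa_verify`; the stub below is an assumed
# stand-in so the example runs offline and is NOT a real signature check.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_id_token(token, jwks, rsa_verify, issuer, client_id, nonce, now=None):
    """Return the claims of an ID token that passes every check, else raise TokenError.

    issuer    the pool URL, e.g. https://cognito-idp.<region>.amazonaws.com/<pool id>
    client_id the app client the token was issued to (its `aud`)
    nonce     the value sent in the authorize request for this login attempt
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")

    # 1. Signature: pin the algorithm, select the key by kid from the pool's JWKS.
    if header.get("alg") != "RS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise TokenError("no matching RSA key in JWKS")
    if not rsa_verify(key, f"{h}.{p}".encode("ascii"), signature):
        raise TokenError("bad signature")
    # 2. Issuer
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    # 3. Audience (aud may be a string or a list)
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    # 4. Expiration, with 60 s of clock skew allowed
    if now > claims.get("exp", 0) + 60:
        raise TokenError("token expired")
    # 5. Nonce binds this token to this login attempt (constant-time compare)
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise TokenError("nonce mismatch")
    # Cognito-specific: only ID tokens carry token_use=id
    if claims.get("token_use") != "id":
        raise TokenError("not an ID token")
    return claims


# --- constructed sample material, assumed for offline use only ---------------------
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "alg": "RS256", "use": "sig",
                         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"}]}


def stub_rsa_verify(key, signing_input, signature):
    """Stand-in: treats the signature as a SHA-256 tag over kid||signing_input.
    A real verifier checks RSASSA-PKCS1-v1_5 over signing_input with the JWK's n/e."""
    return signature == hashlib.sha256(key["kid"].encode() + signing_input).digest()


def make_sample_token(claims, kid="key-1", alg="RS256"):
    """Mint a token the stub accepts, so tampering and alg changes can be exercised."""
    h = _b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hashlib.sha256(kid.encode() + f"{h}.{p}".encode()).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    iss = "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE"  # placeholder
    tok = make_sample_token({"iss": iss, "aud": "your-client-id", "exp": 2_000_000_000,
                             "nonce": "n1", "token_use": "id", "sub": "u1"})
    print(validate_id_token(tok, SAMPLE_JWKS, stub_rsa_verify, iss, "your-client-id", "n1")["sub"])
```

The order matters: the algorithm and key checks run before anything in the payload is trusted, so a token that names `alg: none` or an unknown `kid` is rejected without its claims ever being used.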
Best Practices
- Use PKCE - Enable Proof Key for Code Exchange
- Secure secrets - Store client secrets securely
- Rotate secrets - Rotate client secrets regularly
- Audit logs - Monitor authentication events
- MFA - Enable MFA in your OIDC provider
Troubleshooting
Invalid Token
- Verify issuer URL is correct
- Check client ID matches
- Ensure token is not expired
Claims Missing
- Verify attribute mapping in Cognito
- Check OIDC scopes include required claims
- Review provider's claim configuration
Redirect Errors
- Verify callback URLs are correct
- Check for URL encoding issues
- Ensure HTTPS is used
Next Steps
- SSO Configuration - Complete SSO setup
- Authentication - API authentication
- Security - Security overview