authenticate: add aws cognito

authenticate/handlers.go

@@ -273,20 +273,23 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
 	}
 
 	endSessionURL, err := authenticator.LogOut()
-	if err == nil && redirectString != "" {
+	if err != nil {
+		if !errors.Is(err, oidc.ErrSignoutNotImplemented) {
+			log.Warn(r.Context()).Err(err).Msg("authenticator.LogOut")
+		}
+		return httputil.NewError(http.StatusOK, errors.New("user logged out"))
+	}
+
+	if redirectString != "" {
 		params := url.Values{}
 		params.Add("id_token_hint", rawIDToken)
 		params.Add("post_logout_redirect_uri", redirectString)
 		endSessionURL.RawQuery = params.Encode()
-		redirectString = endSessionURL.String()
-	} else if err != nil && !errors.Is(err, oidc.ErrSignoutNotImplemented) {
-		log.Warn(r.Context()).Err(err).Msg("authenticate.SignOut: failed getting session")
 	}
-	if redirectString != "" {
+	redirectString = endSessionURL.String()
+
 	httputil.Redirect(w, r, redirectString, http.StatusFound)
 	return nil
-	}
-	return httputil.NewError(http.StatusOK, errors.New("user logged out"))
 }
 
 // reauthenticateOrFail starts the authenticate process by redirecting the

internal/identity/oidc/cognito/cognito.go

@@ -0,0 +1,63 @@
+// Package cognito provides support for AWS Cognito
+package cognito
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/pomerium/pomerium/internal/identity/oauth"
+	pom_oidc "github.com/pomerium/pomerium/internal/identity/oidc"
+	"github.com/pomerium/pomerium/internal/urlutil"
+)
+
+var defaultScopes = []string{"openid", "email", "profile"}
+
+const (
+	// Name identifies the Auth0 identity provider
+	Name = "cognito"
+)
+
+// Provider is an Cognito implementation of the Authenticator interface.
+type Provider struct {
+	*pom_oidc.Provider
+}
+
+// New instantiates an OpenID Connect (OIDC) provider for Auth0.
+func New(ctx context.Context, opts *oauth.Options) (*Provider, error) {
+	var p Provider
+
+	if opts.Scopes == nil {
+		opts.Scopes = defaultScopes
+	}
+
+	genericOIDC, err := pom_oidc.New(ctx, opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed creating oidc provider: %w", err)
+	}
+	p.Provider = genericOIDC
+
+	cognitoProvider, err := genericOIDC.GetProvider()
+	if err != nil {
+		return nil, fmt.Errorf("failed getting cognito provider: %w", err)
+	}
+
+	cognitoURL, err := urlutil.ParseAndValidateURL(cognitoProvider.Endpoint().AuthURL)
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse cognito auth url: %w", err)
+	}
+
+	// https://docs.aws.amazon.com/cognito/latest/developerguide/revocation-endpoint.html
+	p.RevocationURL = cognitoURL.ResolveReference(&url.URL{Path: "/oauth2/revoke"}).String()
+
+	// https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
+	p.EndSessionURL = cognitoURL.ResolveReference(&url.URL{
+		Path: "/logout",
+		RawQuery: url.Values{
+			"client_id":  []string{opts.ClientID},
+			"logout_uri": []string{opts.RedirectURL.ResolveReference(&url.URL{Path: "/"}).String()},
+		}.Encode(),
+	}).String()
+
+	return &p, nil
+}

internal/identity/providers.go

@@ -16,6 +16,7 @@ import (
 	"github.com/pomerium/pomerium/internal/identity/oidc"
 	"github.com/pomerium/pomerium/internal/identity/oidc/auth0"
 	"github.com/pomerium/pomerium/internal/identity/oidc/azure"
+	"github.com/pomerium/pomerium/internal/identity/oidc/cognito"
 	"github.com/pomerium/pomerium/internal/identity/oidc/gitlab"
 	"github.com/pomerium/pomerium/internal/identity/oidc/google"
 	"github.com/pomerium/pomerium/internal/identity/oidc/okta"
@@ -58,6 +59,8 @@ func NewAuthenticator(o oauth.Options) (a Authenticator, err error) {
 		a, err = onelogin.New(ctx, &o)
 	case ping.Name:
 		a, err = ping.New(ctx, &o)
+	case cognito.Name:
+		a, err = cognito.New(ctx, &o)
 	case "":
 		return nil, fmt.Errorf("identity: provider is not defined")
 	default: