Merge pull request #13 from avantifellows/feature/cognito-support

Support for AWS Cognito

.env.example

@@ -25,7 +25,7 @@ CUBEJS_SCHEDULED_REFRESH_TIMER=false
 
 # authentication in production mode
 CUBEJS_JWK_URL=
-CUBEJS_JWT_AUDIENCE=
 CUBEJS_JWT_ISSUER=
 CUBEJS_JWT_ALGS=
 CUBEJS_JWT_CLAIMS_NAMESPACE=
+CUBEJS_JWT_AUDIENCE=

docs/AUTHENTICATION.md

@@ -1,11 +1,14 @@
 ## Authentication
-Plio Analytics uses Auth0 authentication to manage access tokens and valid API requests from a client app.
+Plio Analytics is based on Cube.js for analytical data storage and querying. As Cube.js relies on external Identity Providers (IdP) for authentication, so does Plio Analytics.
 
-Plio Analytics relies on client credentials API which is suitable for machine-to-machine data exchange without any user consent. This generates access token for the client app instead of per-user access token.
+The following IdP supports are available:
+- [Auth0](#auth0)
+- [AWS Cognito](#aws-cognito)
 
-For more details on Auth0 configuration, check out the [official documentation from Cube.js](https://cube.dev/docs/security/jwt/auth0).
+Plio Analytics relies on client credentials API which is suitable for machine-to-machine data exchange without any user consent. This generates access token for the client app instead of per-user access token.
 
-### Configurating Auth0
+### Auth0
+Use the steps below to configure Auth0:
 1. Sign up or log into your [Auth0 account](https://auth0.com/).
 2. Create a new tenant with the name `plio-analytics-staging` (or `plio-analytics-production` for production).
 3. From the left navigation, go to APIs and create a new API.
@@ -16,10 +19,11 @@ For more details on Auth0 configuration, check out the [official documentation f
    1. You will see an application was created automatically with your api name and `(Test application)`.
    2. Select this app and go to settings tab. Rename by removing the (Test Application) part and save.
 5. To test your set up, go to Quick Start tab and copy the example code for "Getting an access token for your API". Run the command in your shell. It should return a valid response with access token, expiry time and token type.
-6. Make sure you have updated the Plio backend repository [environment variables](https://github.com/avantifellows/plio-backend/blob/master/docs/ENV.md#auth0-for-plio-analytics) with the Auth0 app settings.
+6. Make sure you have updated the Plio backend repository [environment variables](https://github.com/avantifellows/plio-backend/blob/master/docs/ENV.md#identity-provider-for-plio-analytics) with the Auth0 app settings.
 
+For more details on Auth0 configuration, check out the [official documentation from Cube.js](https://cube.dev/docs/security/jwt/auth0).
 
-### Configuring CUBE_JS environment variables
+#### Configuring CUBE_JS environment variables for Auth0
 Add the following environment variables for this CubeJS project after replacing the `<>` parts with your configs.
 ```sh
 CUBEJS_JWK_URL=https://<AUTH0-SUBDOMAIN>.auth0.com/.well-known/jwks.json
@@ -29,17 +33,86 @@ CUBEJS_JWT_ALGS=RS256
 CUBEJS_JWT_CLAIMS_NAMESPACE=<CLAIMS_NAMESPACE>
 ```
 
-#### `CUBEJS_JWK_URL`
+##### `CUBEJS_JWK_URL`
 This is the url to fetch the JSON web keys details. Replace the `<AUTH0-SUBDOMAIN>` by the domain name for your account. The domain can be determined from `Your app > Settings > Domain`.
 
-#### `CUBEJS_JWT_AUDIENCE`
+##### `CUBEJS_JWT_AUDIENCE`
 This is the unique identifier that was set when configuring the API in Auth0. Should be the url for your app.
 
-#### `CUBEJS_JWT_ISSUER`
+##### `CUBEJS_JWT_ISSUER`
 JWT issuer should be the domain for your Auth0 app. Replace the `<AUTH0-SUBDOMAIN>` by the domain name for your account. The domain can be determined from `Your app > Settings > Domain`.
 
-#### `CUBEJS_JWT_ALGS`
+##### `CUBEJS_JWT_ALGS`
 This should be set to RS256 to decode the access token generated by same algorithm.
 
-#### `CUBEJS_JWT_CLAIMS_NAMESPACE`
+##### `CUBEJS_JWT_CLAIMS_NAMESPACE`
 The claim namespace should be your app url. In this case, it would be same as the `CUBEJS_JWT_AUDIENCE` variable.
+
+
+### AWS Cognito
+Use the steps below to configure Auth0:
+1. Log in to your [AWS console](https://aws.amazon.com/console/).
+2. Navigate to AWS Cognito console.
+3. Choose `Manage User Pools` and then create a new user pool.
+4. Enter the pool name and then click on `Review defaults`.
+5. Click on `Create pool`.
+6. On the navigation bar on the left-side of the page, choose `App clients` under General settings.
+7. Click on `Add an app client`.
+   1. Enter your app name. You can use `plio-analytics-staging` or `plio-analytics-production` based on the environment you are setting up.
+   2. (Optional) update settings for token expiration.
+   3. Make sure to keep the `Generate client secret` option checked.
+   4. Keep the default `Auth Flows Configuration` values selected.
+   5. Security configuration option should be `Enabled`.
+   6. Click on Create app client.
+   7. Note the `App client id` and `App client secret`. These will be used in later steps.
+8.  Choose `Resource servers` from the navigation bar on the left-side of the console page.
+   1.  Select `Add a resource server`.
+   2.  Set the name of your resource server. For example: `Plio Staging Analytics Resource server`
+   3.  Set the identifier to the `App client id` you had noted in previous step.
+   4.  Create the following scopes:
+       1.  Name: `post`, Description: `post requests`
+       2.  Name: `get`, Description: `get requests`
+   5.  Create the resource server by clicking on save changes.
+9.  Choose `App client settings` from the navigation bar on the left-side of the console page.
+    1.  Select Cognito User Pool as one of the Enabled Identity Providers.
+    2.  You can skip the `callback urls` and `signout urls` as they are not needed for client credentials type.
+    3.  Check the `client credentials` option under Allowed Oauth Flows.
+    4.  Select the custom scopes for `<client-id>/get` and `<client-id>/post` that you created in previous step.
+    5.  Click on save changes.
+10. Choose `Domain name` from the navigation bar on the left-side of the console page.
+    1.  Enter the domain prefix and click on save. For example: `plio-analytics`.
+    2.  The complete url will be used to generate access tokens.
+    3.  Note the url.
+11. To test your set up, run the following command in your shell. Make sure to update the values within `<>` as per your settings. It should return a valid response with access token, expiry time and token type.
+```sh
+curl --location --request POST \
+'https://<DOMAIN-URL>/oauth2/token?grant_type=client_credentials&client_id=<APP-CLIENT-ID>&client_secret=<APP-CLIENT-SECRET>' \
+--header 'Content-Type: application/x-www-form-urlencoded'
+```
+12. Make sure you have updated the Plio backend repository [environment variables](https://github.com/avantifellows/plio-backend/blob/master/docs/ENV.md#identity-provider-for-plio-analytics) with the Cognito app settings.
+
+For more details on Cognito configuration, check out the [official documentation from Cube.js](https://cube.dev/docs/security/jwt/aws-cognito).
+
+#### Configuring CUBE_JS environment variables for AWS Cognito
+Add the following environment variables for this CubeJS project after replacing the `<>` parts with your configs.
+```sh
+CUBEJS_JWK_URL=https://cognito-idp.ap-south-1.amazonaws.com/<USER-POOL-ID>/.well-known/jwks.json
+CUBEJS_JWT_ISSUER=https://cognito-idp.ap-south-1.amazonaws.com/<USER-POOL-ID>
+CUBEJS_JWT_ALGS=RS256
+CUBEJS_JWT_CLAIMS_NAMESPACE=<CLAIMS_NAMESPACE>
+```
+
+##### `CUBEJS_JWK_URL`
+This is the url to fetch the JSON Web Token details. Replace the `<USER-POOL-ID>` by the pool id of your user pool. This can be determined from `Your User Pool > General Settings > Pool Id`.
+
+##### `CUBEJS_JWT_ISSUER`
+JWT issuer should be the domain for your Auth0 app. Replace the `<USER-POOL-ID>` by the pool id of your user pool. This can be determined from `Your User Pool > General Settings > Pool Id`.
+
+##### `CUBEJS_JWT_ALGS`
+This should be set to `RS256` to decode the access token generated by same algorithm.
+
+##### `CUBEJS_JWT_CLAIMS_NAMESPACE`
+The claim namespace should be your app url. For example, if your Plio analytics app runs at `http://localhost:4000`, use this in the variable.
+
+##### `CUBEJS_JWT_AUDIENCE`
+This value is not needed for AWS Cognito setup. You can simply remove this from your `.env`.