#pedestal
2021-08-18
Ben Hammond 16:08:48

Hi. I am trying to hook into AWS Cognito to exchange an authorization code for an id_token. I have found that I can cobble something together using the raw org.eclipse.jetty.client.HttpClient like this:

;; Jetty 9.x client classes; the surrounding ns is assumed
(import '[org.eclipse.jetty.client HttpClient]
        '[org.eclipse.jetty.client.api ContentResponse]
        '[org.eclipse.jetty.client.util FormContentProvider]
        '[org.eclipse.jetty.util Fields]
        '[org.eclipse.jetty.util.ssl SslContextFactory$Client])
(require '[clojure.pprint :refer [pprint]])

(defn logged-in [request]
  (println "logged-in")
  (prn request)
  ;; NB: (SslContextFactory$Client. true) sets trustAll, i.e. the client skips
  ;; TLS certificate validation; use false (the default) outside local testing.
  (let [cli (doto (HttpClient. (SslContextFactory$Client. true)) (.start))]
    (try
      ;; the empty strings are the Cognito token endpoint and redirect_uri,
      ;; elided in the original
      (let [req (doto (.POST cli "")
                  (.content (FormContentProvider.
                             (doto (Fields.)
                               (.add "grant_type" "authorization_code")
                               (.add "client_id" "*****")
                               (.add "code" (get-in request [:params :code]))
                               (.add "redirect_uri" "")))))
            ^ContentResponse cr (.send req)]
        (pprint cr)
        (println (.getContentAsString cr)))
      (finally
        ;; stop the client so its threads do not leak per request
        (.stop cli)))))

but this seems a bit ugly, and I don't want to introduce a new clj-http library just to extract an id_token; mostly I am using the com.cognitect.aws/api libraries. Is there a cognitect api library function that will exchange authorization codes for id_tokens (that I've not found)? Is there some more elegant way to run this code? I imagine it must be a fairly common thing to do...

Joe Lane 16:08:14

Hi @U793EL04V, you should also ask this question over in #aws

👍 3
Joe Lane 16:08:32

I'm a bit confused, where are you getting the request from in the above function? Are you going through APIGW?

Ben Hammond 16:08:52

I am running a pedestal instance on localhost:8080

Ben Hammond 16:08:21

eventually it will be running on a datomic ion direct-http thingamy

Ben Hammond 16:08:45

or maybe a plain old ion lambda if that turns out more satisfactory

Joe Lane 16:08:31

I don't think ion lambda http-proxy will be more satisfactory for you 🙂

Ben Hammond 16:08:48

i do try to stay open-minded

Joe Lane 16:08:55

Good idea 🙂

Joe Lane 16:08:15

Have you considered using a cognito authorizer for your APIGW route?

Ben Hammond 16:08:50

what is that?

Ben Hammond 16:08:24

ultimately, once api calls are getting made, i plan to use the built in cognito checking

Ben Hammond 16:08:44

but I've only just got logging in working

Ben Hammond 16:08:38

yes, that is my intention

Ben Hammond 16:08:41

it's all done using HTTP headers rather than cookies

Joe Lane 16:08:42

Not with the REST API though; with the latest release we use the HTTP API, not the REST API. I'm thinking something like https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html

👀 3
Ben Hammond 16:08:25

why does it use Headers rather than cookies? are cookies found to be insecure?

Joe Lane 16:08:40

Which has an example of using cognito for the JWT authorizer. If you need more flexibility you can also use the previous access control mechanism which calls lambdas, AKA an ion.

Joe Lane 16:08:35

Cookies are browser focused, headers are inclusive of mobile apps as well.

👍 3
emccue 17:08:50

If you are going to cobble something together without a library, I would personally recommend the new JDK http client

👀 3
👍 3
emccue 17:08:24

Not that jetty's is broken or bad in any particular way