I have integrated oauth2-proxy with AWS Cognito leveraging Istio as described in jetstack's article, all is running in K8S.
Now I am looking for an approach to get users' data and other attributes like gender
, phone_number
, or even get cognito:groups
value in my frontend app. All this info is present in a JWT payload but not on the frontend side.
Ideas:
- An API call to oauth2-proxy's
/auth2/userinfo
endpoint that returns users' email. Not much, right? - I found that Cognito's oauth2/userInfo should return much more but I don't like the idea to lock my frontend with the
aws-sdk
or have any deals with JWT on FE side. - Build a backend service that returns a JWT's payload output in custom header leveraging outputPayloadToHeader Istio's RequestAuthentication feature, like whoami does. But wait, one more microservice?
None of these seems right to me.
Is there a better approach that I should take? For example, to extend the oauth2-proxy's /auth2/userinfo
endpoint to return more than just an email
I would appreciate any help
Thanks!
Looks like you are using a
Backend for Frontend
approach, with OAuth Proxy performing the BFF role. A frontend should be able to ask for userinfo or information from the ID token, as in this Curity example.However, there seems to be a long outstanding issue with this implementation that you'll need to work around.
Feels like the cleanest workaround should be done in an existing API, in an endpoint such as
GET /userclaims
. The API receives access tokens so can send them to the Cognito userinfo endpoint, then return results to the client. This avoids the need to use JWTs in the client, or AWS libraries.Here is some API code of mine that calls Cognito's userinfo endpoint. This can also be a mechanism for including domain specific claims in the userinfo returned to the UI.