AWS Cognito Guide

In this guide, you'll learn how to integrate AWS Cognito authentication with a Cube.js deployment. If you already have a pre-existing Cognito User Pool in AWS that you'd like to re-use, please skip ahead to Configure Cube.js.

If you haven't already created a User Pool, please follow the instructions in the AWS Cognito documentation to create one, along with enabling the Hosted UI.

To add custom claims to the JWT, you will need to associate a Lambda function to the Pre Token Generation event trigger available on your User Pool.

First, go to the AWS Lambda Console and create new a Lambda function:

Add the following code to the Lambda function:

exports.handler = (event, context, callback) => {
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        'http://localhost:4000/': JSON.stringify({
          company_id: 'company1',
          user_id: event.request.userAttributes.sub,
          roles: ['user'],
        }),
      },
    },
  };
  callback(null, event);
};

Then navigate to the Amazon Cognito User Pools Console, select Triggers from the left sidebar and associate the Lambda function you created previously:

You can find more examples of modifying claims in JWTs here.

Now we're ready to configure Cube.js to use AWS Cognito. Go to your Cube.js project and open the .env file and add the following, replacing the values wrapped in <>.

CUBEJS_JWK_URL=https://cognito-idp.<AWS_REGION>.amazonaws.com/<USER_POOL_ID>/.well-known/jwks.json
CUBEJS_JWT_AUDIENCE=<APPLICATION_URL>
CUBEJS_JWT_ISSUER=https://cognito-idp.<AWS_REGION>.amazonaws.com/<USER_POOL_ID>
CUBEJS_JWT_ALGS=RS256
CUBEJS_JWT_CLAIMS_NAMESPACE=<CLAIMS_NAMESPACE>

Go to the OpenID Playground from Auth0 to and click Configuration.

Change the Server Template to Custom, and enter the following values:

  • Discovery Document URL: https://cognito-idp.<AWS_REGION>.amazonaws.com/<USER_POOL_ID>/.well-known/openid-configuration
  • OIDC Client ID: Retrieve from App Client settings page in AWS Cognito User Pool Console
  • OIDC Client Secret: Retrieve from App Client settings page in AWS Cognito User Pool Console

Click 'Use Discovery Document' to auto-fill the remaining values, then click Save.

If you haven't already, go back to the AWS Cognito App Client's settings and add https://openidconnect.net/callback to the list of allowed callback URLs.

Now click Start; and in a separate tab, go to the App Client's settings page and click the Launch Hosted UI button.

If the login is successful, you should be redirected to the OpenID Connect Playground. Click on the Exchange button to exchange the code for your tokens:

Click Next, and continue on to the next section and click the Verify button to verify the JWT signature as well as decode the identity token:

Now open the Developer Playground (at http://localhost:4000) and on the Build page, click Add Security Context.

Click the Token tab, paste the id_token from OpenID Playground and click the Save button.

Close the popup and use the Developer Playground to make a request. Any schemas using the Security Context should now work as expected.