question: Where can we get configuration details for the AWS Cognito IdP?
Some useful links to get started:
Forgive my ignorance, as I'm not an expert with Caddy, Cognito, or OAuth2.0. I have some experience with all three, but I'm not quite comfortable with any yet. My goal is to utilize all three for network-level authentication and authorization. If an unauthorized visitor should visit any resource where authentication is required, Caddy should redirect them to a login portal. If the visitor successfully authenticates, Caddy should automatically redirect them to their original destination.
I'm struggling to understand the full set of configuration options available within the security component of the Caddy file (ref: Github examples). Second, I'm struggling to understand how each configuration option [present in the example] is used by Caddy. Which are optional, required, what acceptable values are, ...
Take the following snippet:
    oauth identity provider cognito-us-east-1 {
      driver cognito
      realm cognito-us-east-1
      client_id {env.COGNITO_US_EAST_1_CLIENT_ID}
      client_secret {env.COGNITO_US_EAST_1_CLIENT_SECRET}
      user_pool_id {env.COGNITO_US_EAST_1_POOL_ID}
      region us-east-1
      icon "AWS Cognito US" "aws"
    }

    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SHARED_KEY}
      enable identity provider cognito-us-east-1
      cookie domain myfiosgateway.com
      ui {
        links {
          "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin keycloak
        action add role authp/user
      }
    }

    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com:8443/
      allow roles authp/admin authp/user
      crypto key verify {env.JWT_SHARED_KEY}
    }
Much of the above is self-explanatory, I'm sure. For example, cookie domain myfiosgateway.com pretty much explains itself. For many other parts, I'm struggling. What are myportal.transform user and cognito-us-east-1.icon doing? What's going on in myportal.ui.links? Am I able to just use the AWS Cognito Hosted UI directly, without any other login portal created by this module (ref: Authcrunch's documentation)?
I feel like I have so many questions that I am probably missing some important documentation. Rather than work through all my questions here, could you kindly advise where I should be looking for more details on the Caddyfile configuration for Cognito? Thanks!
Edit: One other thing. The current AWS Cognito docs (ref: Authcrunch's documentation) highlight many configuration details for Cognito. This is quite confusing for me, as I struggle to understand whether the Caddy-Security module requires such a setup or whether I'm free to make some changes. For example, I want to allow users to sign up themselves and I don't want to allow preferred usernames. As I'm sure this would be fine, I still struggle to find the boundary between what needs to be done for compatibility purposes and what is optional.
Here's a minimal example of the Cognito setup for more context:
    # main.tf
    provider "aws" {
      region = "us-west-1"
    }

    resource "aws_cognito_user_pool" "user_pool" {
      name                = "user-pool"
      username_attributes = ["email"]

      password_policy {
        minimum_length                   = 7
        require_lowercase                = true
        require_numbers                  = true
        require_symbols                  = true
        require_uppercase                = true
        temporary_password_validity_days = 7
      }

      device_configuration {
        challenge_required_on_new_device = true
      }

      verification_message_template {
        default_email_option = "CONFIRM_WITH_CODE"
      }

      email_configuration {
        reply_to_email_address = "[email protected]"
      }

      schema {
        name                = "email"
        attribute_data_type = "String"
        required            = true
        mutable             = false
      }

      #lambda_config {
      #  create_auth_challenge = aws_lambda_function.lambda_email_domain_verifier.arn
      #}
    }

    resource "aws_cognito_user_pool_domain" "domain" {
      domain       = "mycompanybi-auth"
      user_pool_id = aws_cognito_user_pool.user_pool.id
    }

    resource "aws_cognito_user_pool_client" "client" {
      name                                 = "user-pool-client"
      user_pool_id                         = aws_cognito_user_pool.user_pool.id
      generate_secret                      = true
      explicit_auth_flows                  = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
      prevent_user_existence_errors        = "ENABLED"
      callback_urls                        = ["https://mycompanybi.link"]
      allowed_oauth_flows_user_pool_client = true
      allowed_oauth_flows                  = ["code"]
      allowed_oauth_scopes                 = ["email", "openid"]
      supported_identity_providers         = ["COGNITO"]
    }
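The relationship between the portal's `crypto key sign-verify {env.JWT_SHARED_KEY}` / `crypto default token lifetime 3600` lines and the policy's `crypto key verify {env.JWT_SHARED_KEY}` / `allow roles authp/admin authp/user` lines is the part of the snippet above that is easiest to show in code. The following is an added, stand-alone illustration written for this discussion; it is not caddy-security's own code and makes no claim about the exact algorithm, claim names or cookie handling that module uses. It assumes an HMAC-SHA256 JWT, a `roles` claim carrying the `authp/...` role names, and a constructed shared secret in place of `JWT_SHARED_KEY`. The point it demonstrates: the portal mints a token after the IdP (here Cognito) has authenticated the user, the policy accepts it only if the signature checks out under the same shared key, the lifetime has not elapsed, and at least one allowed role is present; a token signed with a different key, an expired token, an `alg: none` token, or a token with the wrong roles is rejected before any route is served.

```python
import base64
import hashlib
import hmac
import json
import time

# Roles the authorization policy accepts (from "allow roles authp/admin authp/user").
ALLOWED_ROLES = {"authp/admin", "authp/user"}
# Default token lifetime in seconds (from "crypto default token lifetime 3600").
TOKEN_LIFETIME = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes, lifetime: int = TOKEN_LIFETIME, now=None) -> str:
    """Portal side: mint an HS256 JWT with iat/exp under the shared key (assumed layout)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime)
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, now=None):
    """Policy side: returns (payload, None) on success or (None, reason) on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        return None, "malformed"
    # Pin the algorithm: never trust the token's own header to pick "none" or another scheme.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return None, "malformed"
    if now >= payload.get("exp", 0):
        return None, "expired"
    return payload, None


def authorize(token: str, key: bytes, now=None):
    """Apply the policy: valid signature, not expired, and at least one allowed role."""
    payload, err = verify_token(token, key, now)
    if err:
        return False, err
    roles = set(payload.get("roles", []))  # "roles" claim name is an assumption
    if not roles & ALLOWED_ROLES:
        return False, "no allowed role"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret-stand-in-for-JWT_SHARED_KEY"
    t0 = 1_700_000_000
    tok = sign_token({"sub": "alice", "roles": ["authp/user"]}, key, now=t0)
    print(authorize(tok, key, now=t0))          # (True, 'ok')
    print(authorize(tok, key, now=t0 + 3600))   # (False, 'expired')
    print(authorize(tok, b"other-key", now=t0)) # (False, 'bad signature')
```

The `transform user` block in the snippet is what adds `authp/user` to the token's roles for users arriving from a matched origin; without such a role the policy above would refuse the request even though the signature is valid, which is the "no allowed role" branch.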