#Encoded Identity Token


left birch
#

We have a self-hosted Business Edition instance running, in which we want to create an app that requests data from our API. Our API uses AWS IAM authentication, thus needing AWS V4 signatures to authenticate requests. While there is an issue open to add the AWS V4 Signature Auth Type, there has been no solution just yet (https://github.com/appsmithorg/appsmith/issues/16424).

This is not a problem, more a minor inconvenience, because using the AWS SDK the signature can be generated manually. To authenticate, we have to retrieve the identity id for the authenticated user (https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html). For this call, we need the Identity Token of the authenticated user. Our environment has been configured with OIDC to authenticate using AWS Cognito. The appsmith.user.idToken can be used to retrieve the contents of the identity token, but for our use case we need the 'encoded' identity token. Is there a way for us to retrieve the 'encoded' JWT identity token instead of the 'decoded' appsmith.user.idToken object?


dark fjordBOT
#

Hey There,

We've registered your query, and our team will get back to you soon.

Regards,
Pranav

dark fjordBOT
#

Hello Peter! I am checking with the team on this.

dark fjordBOT
#

Our team confirmed that it is not possible to get the encoded JWT identity token
at this juncture. Could you please help us file a feature request using the
following link? https://github.com/appsmithorg/appsmith/issues/new/choose
Please include your use case and how it will be useful for you. Once created,
please send us the link to the GitHub issue so our development team can take it
up.


left birch
dark fjordBOT
#

Thank you. I have forwarded it to our development team to evaluate it and take
it up.

Thank you for your continuous support and patience. You can track the GitHub
issue that addresses the matter further. Our development team will be taking
over from here.

We value your feedback and would appreciate hearing about your experience with
our support team.
https://survey.frontapp.com/v2/09a400bf433bc9676d67/622669662da733ebffd22ac7a4daa1ee

left birch
#

Thanks!

Quick question, is there a way for me to look into it myself? I can't seem to find the authentication and decoding of the JWT token anywhere in the codebase.

dark fjordBOT
#

JWT is a feature that is available only on our Business/Enterprise Edition,
which is not open-source.

left birch
#

That makes sense, a bummer, then I'll wait for the dev team to pick it up

dark fjordBOT
#

Thank you and sorry for the inconvenience.

vivid prairie
#

Hey @left birch - are you using a Cognito Identity Pool?

I wrote a Lambda function that is triggered by an AWS API Gateway which returns the AWS credentials. Not sure if that solves your issue or not.

left birch
#

Hi @vivid prairie - That is indeed a possibility we haven't thought of!

Could you perhaps share the Lambda function? So we can check if it indeed fits our use case 🙂

vivid prairie
#

> left birch: Hi @vivid prairie - That is indeed a possibility we haven't thought of! ...

This is Node 16.

```javascript
const { CognitoJwtVerifier } = require('aws-jwt-verify');
const AWS = require('aws-sdk');

// Verifier for Cognito User Pool ID tokens: checks the signature against the
// pool's JWKS, the expiry, token_use and the audience (app client id).
const verifier = CognitoJwtVerifier.create({
  userPoolId: process.env.userPoolId,
  tokenUse: 'id',
  clientId: process.env.clientAppId,
});

// CORS headers shared by every response. Narrow Allow-Origin to the Appsmith
// origin in production instead of "*".
const CORS_HEADERS = {
  'Access-Control-Allow-Headers': 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'OPTIONS,POST',
};

const respond = (statusCode, body) => ({ statusCode, body: JSON.stringify(body), headers: CORS_HEADERS });

exports.handler = async (event) => {
  // REST API proxy events keep the header case; HTTP API (v2) events lowercase it.
  const authorizationHeader = event.headers.Authorization || event.headers.authorization;
  if (!authorizationHeader) {
    return respond(401, { message: 'Unauthorized - No Token' });
  }

  const token = authorizationHeader.split(' ')[1]; // "Bearer <encoded ID token>"

  try {
    // Throws if the token is invalid, expired, or issued for another pool/client.
    const verifiedToken = await verifier.verify(token);
    // Log the subject only; the raw token is a bearer credential and must not end up in CloudWatch.
    console.log('Verified ID token for subject:', verifiedToken.sub);

    const cognitoidentity = new AWS.CognitoIdentity({ apiVersion: '2014-06-30', region: process.env.region });

    // Logins map: user pool issuer -> the still-encoded ID token.
    const logins = {
      [`cognito-idp.${process.env.region}.amazonaws.com/${process.env.userPoolId}`]: token,
    };

    // Step 1: exchange the ID token for an Identity Pool identity id (GetId).
    const idResponse = await cognitoidentity.getId({
      IdentityPoolId: process.env.identityPoolId, // replace with your Identity Pool ID
      Logins: logins,
    }).promise();

    // Step 2: exchange the identity id for temporary AWS credentials of the authenticated role.
    const credentialsResponse = await cognitoidentity.getCredentialsForIdentity({
      IdentityId: idResponse.IdentityId,
      Logins: logins,
    }).promise();

    return respond(200, {
      message: 'Token validated successfully',
      identityId: idResponse.IdentityId,
      credentials: credentialsResponse.Credentials, // AccessKeyId, SecretKey, SessionToken, Expiration
    });
  } catch (error) {
    console.log('Token validation error:', error);
    return respond(401, { message: 'Unauthorized - Invalid Token' });
  }
};
```

left birch
#

Alright thanks!

We tried to implement it, but we were wondering how you are able to retrieve AWS credentials using Appsmith. For this call we need the identity token, which Appsmith does not provide when using OIDC. Did you use OAuth2 as authentication for a datasource, or did you use OIDC for your Appsmith instance?

vivid prairie
left birch
#

Ah yeah, we could go that route, but we are hesitant about it becoming a mess and unmaintainable. Thanks for your suggestions, we will definitely use the Lambda for other clients we have and perhaps Appsmith as well!