Using IDProvider with GraphQL

Enonic version: 7.10.0

I want to add an ID Provider to my NextXP app and need some help to fully understand how this works, especially with NextXP.

I started some tests with the Auth0 provider and was able to add it (for testing purposes) to the corporate-theme app.
I am using the following vhost config:

enabled = true

mapping.my-corporation.host = localhost
mapping.my-corporation.source = /test
mapping.my-corporation.target = /site/corporate-theme/master/my-corporation
mapping.my-corporation.idProvider.auth0 = default

mapping.website.host = localhost
mapping.website.source = /
mapping.website.target = /
mapping.website.idProvider.system = default


mapping.admin.host = localhost
mapping.admin.source = /admin
mapping.admin.target = /admin
mapping.admin.idProvider.system = default

My first question:
When I log in to the corporate site, I can no longer use or log in to Content Studio. Is this by design, or is my configuration not correct?

My second question:
How exactly should I implement this when I use the Next frontend?

Currently I would expect something like the following:

  1. I call the ID provider endpoint (/_/idprovider/<idprovider-name>/login) from my client to get a token
  2. I add the token to my API call (header or body?)

Does the GraphQL API take care of the access rights I added to the content, or do I have to customize the API to achieve that?

My last question:
Does someone have experience with AWS Cognito? I would like to use this provider and write my own ID provider for it.

I made some progress here. I guess the OpenID Connect JWT ID Provider should work, as Cognito provides the jwks_uri at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json. I will give this a try.

But what about the implementation of GraphQL in this context? I found that when I query content where I do not have permission, I just get an empty response.

Can I extend the GraphQL API to handle this in a better way?
I found the following blog post about this topic:

What do you think?

I just want to give a short update.

Using the OpenID Connect JWT ID Provider works.
The URI of the “well-known endpoint” has to be
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration

So far, so good. When I try to fetch a protected page in my NextXP client, I get a 404 response!

@tsi: Are there any plans to enhance the behaviour of the GraphQL API?

Hi Thomas.

We are soon starting to work on a “standard” security integration between Next.xp and Guillotine. Will get back with more details when there is anything to share.

Maybe you could explain a bit what you are making here: do you set permissions in the CMS for certain content, and want this directly reflected based on the logged-in user in your front end?

Hi Thomas,

Yes, exactly what you described.

As mentioned, I successfully implemented AWS Cognito with JWT ID Provider.
I would set the permissions directly in the repository using Data Tools or, if possible, programmatically.
I would like to get something back to render conditionally on the frontend (response code and/or error property).

Hi. Do you have updates or solutions for security integration between Next.XP and Guillotine? I am also trying to use OpenID Connect. Thanks

Hi. Yes, these changes were shipped in Next.XP 2.0; basically, it is related to supporting preview rendered in the context of the user logged into Content Studio.

Also, the next release of Enonic XP will feature support for adding keys to system users, a.k.a. service accounts. Then you can access the API with this without setting up third-party authentication.