I want to add an ID Provider to my NextXP-App and need some help to fully understand how this works, especially with NextXP.
I started some tests with the Auth0-Provider and was able to add this (for testing purposes) to the corporate-theme app.
I am using the following vHost-Config:
My first question:
When I log in to the corporate-site, I cannot use/log in to content-studio anymore. Is this by design, or is my configuration not correct?
My second question:
How exactly should I implement this when I use Next-Frontend?
Currently I would expect something like the following:
I call the ID-Provider Endpoint (/_/idprovider/<idprovider-name>/login) from my client to get a token
I add the token to my API-call (header or body?)
Does the GraphQL-API take care of access rights which I added to the content? Or do I have to customize the API to achieve that?
My last question:
Does someone have experience with AWS Cognito? I would like to use this Provider and write my own Provider for that.
I made some progress here. I guess that OpenID Connect JWT ID Provider should work, as Cognito provides the jwks_uri under https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json - I will give this a try.
But what about the implementation of GraphQL in this context. I found that when I query content where I do not have permission, I just get an empty response.
Can I extend GraphQL API to handle this in a better way?
I found the following Blog-Post about this topic:
Using the OpenID Connect JWT ID Provider works.
The uri of the “well known endpoint” has to be https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
So far so good. When I try to fetch a protected page on my NextXP-Client I get a 404-response!
@tsi : Are there any plans to enhance the behaviour of the GraphQL-API ?
We are soon starting to work on a “standard” security integration between Next.xp and Guillotine. Will get back with more details when there is anything to share.
Maybe you could explain a bit what you are making here, do you set permissions in the CMS for certain content, and want this directly reflected based on the logged in user in your front-end?
As mentioned, I successfully implemented AWS Cognito with JWT ID Provider.
I would set the permissions directly in the repository using Data Tools or, if possible, programmatically.
I would like to get something back to render conditionally on the frontend (response code and/or error property).
Hi. Yes, these changes were shipped in Next.XP 2.0 - basically, it is related to supporting preview rendered in context of the user logged into Content Studio.
Also, the next release of Enonic XP will feature support for adding keys to system users - aka service accounts. Then you can access the API with this without setting up 3rd party authentication.