Architecture

Hydda IdP is an identity provider (IdP) broker. It uses AWS Cognito as its user directory and delegates authentication and token issuance to it, while presenting client applications with a single OAuth entry point for secure access to protected resources.

Simple diagram of Hydda IdP architecture

The diagram above illustrates the interaction between Hydda IdP and AWS Cognito. When a client application requests authorization to access protected resources, the authorization request is sent to Hydda IdP. Once the client and its request have been validated (as in any OAuth authorization request, this must include checking the redirect URI against the client's registration, since the authorization code is later delivered to that address), Hydda IdP creates an OAuth session, stores it in the database, and redirects the user to the login page.

Users can authenticate either with a username and password or by starting a SAML2 login through AWS Cognito. On success, the user receives a JWT (JSON Web Token) issued by the master app client in AWS Cognito.

Hydda IdP then performs a token exchange, which involves the following steps:

  1. The user presents the master token to Hydda IdP.
  2. Hydda IdP runs a custom authorization flow against AWS Cognito.
  3. If that authorization succeeds, Hydda IdP receives a token from AWS Cognito scoped to the resources the client requested.
  4. The token is stored in the user's OAuth session.
  5. Hydda IdP redirects the user back to the client with an authorization code.
  6. The client's back end exchanges the authorization code, together with its client secret, for the token.
  7. The client uses the token to access the protected resources it originally requested authorization for, such as the Hydda API.
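The broker side of steps 4 to 6, as an added example rather than Hydda's own code: a small in-memory model of the OAuth session store and the token endpoint that redeems an authorization code. The store, the session fields, the 60-second code lifetime and the error strings are assumptions, and the Cognito token is a placeholder string; the point is the bookkeeping the broker must do around it.

```python
"""Model of the Hydda IdP session and authorization-code exchange (steps 4-6).

Added example, not Hydda's code: the in-memory store, the session fields,
the 60-second code lifetime and the error strings are all assumptions. The
Cognito token is a placeholder string.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_TTL_SECONDS = 60  # assumed lifetime of an authorization code


@dataclass
class OAuthSession:
    client_id: str
    redirect_uri: str
    scopes: Tuple[str, ...]
    token: Optional[str] = None        # resource-scoped Cognito token, set in step 4
    code: Optional[str] = None         # one-time authorization code, set in step 5
    code_expires_at: float = 0.0
    code_used: bool = False


class Broker:
    def __init__(self, clients: Dict[str, dict]):
        # clients: {client_id: {"secret": str, "redirect_uris": [str, ...]}}
        self._clients = clients
        self._sessions: Dict[str, OAuthSession] = {}

    def start_authorization(self, client_id: str, redirect_uri: str, scopes) -> str:
        """Client validation: known client and an exactly matching registered redirect URI."""
        client = self._clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_client")
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = OAuthSession(client_id, redirect_uri, tuple(scopes))
        return session_id  # in practice carried in a cookie through the login page

    def complete_authentication(self, session_id: str, cognito_token: str,
                                now: Optional[float] = None) -> str:
        """Steps 4-5: store the token in the session, mint a fresh code, build the redirect."""
        session = self._sessions[session_id]
        session.token = cognito_token
        session.code = secrets.token_urlsafe(32)
        session.code_expires_at = (now if now is not None else time.time()) + CODE_TTL_SECONDS
        session.code_used = False
        return f"{session.redirect_uri}?code={session.code}"

    def exchange_code(self, client_id: str, client_secret: str, code: str,
                      redirect_uri: str, now: Optional[float] = None) -> dict:
        """Step 6: the client's back channel presents code + secret; return the stored token."""
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"].encode(),
                                                     client_secret.encode()):
            raise PermissionError("invalid_client")
        session = next((s for s in self._sessions.values()
                        if s.code is not None
                        and hmac.compare_digest(s.code.encode(), code.encode())), None)
        if session is None:
            raise PermissionError("invalid_grant")
        current = now if now is not None else time.time()
        if session.code_used or current > session.code_expires_at:
            raise PermissionError("invalid_grant")      # replayed or expired code
        if session.client_id != client_id or session.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant")      # code bound to another client/URI
        session.code_used = True                        # codes are single use
        return {"access_token": session.token, "token_type": "Bearer",
                "scope": " ".join(session.scopes)}


if __name__ == "__main__":
    broker = Broker({"demo-client": {"secret": "demo-secret",
                                     "redirect_uris": ["https://app.example/callback"]}})
    sid = broker.start_authorization("demo-client", "https://app.example/callback", ["hydda.api"])
    location = broker.complete_authentication(sid, "<cognito-token-placeholder>")
    code = location.split("code=", 1)[1]
    print(broker.exchange_code("demo-client", "demo-secret", code, "https://app.example/callback"))
```

Three checks carry the security of step 6: the code is single use, it expires quickly, and it is bound to the client ID and redirect URI it was issued for, so a code leaked through a referrer or log cannot be redeemed by another client or replayed after the legitimate exchange.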

Considerations

Because of the tight integration with AWS Cognito, some implementation details are visible to token consumers. In particular, the issuer (iss) claim is an AWS Cognito user pool URL rather than a Hydda address: AWS Cognito issues the tokens, while Hydda IdP manages the OAuth flow and the token exchange.

Hydda IdP does, however, add Hydda-specific claims to the tokens. Use the user_id claim provided by Hydda IdP as the unique user identifier rather than relying solely on the sub (subject) claim. Token consumers should still validate the issuer; the value to expect is the AWS Cognito user pool URL described above, not a Hydda address.
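How a resource server such as the Hydda API should consume the token, as an added example that is not Hydda's code. It pins the issuer to the Cognito user pool URL rather than a Hydda address and keys the identity on the user_id claim. To run offline it signs and verifies with HS256 under a constructed key; real Cognito tokens are RS256 and are verified against the pool's JWKS (published at the issuer URL under /.well-known/jwks.json), so the signing step and the issuer value are stand-ins, and rejecting tokens that lack user_id is this example's choice.

```python
"""Resource-server side: verify a token issued via Hydda IdP and pick the identity claim.

Added example, not Hydda's code. HS256 with a constructed shared key so it runs
offline; Cognito really issues RS256 tokens verified against the user pool JWKS.
The issuer value below is an assumed example pool, not a real one.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

DEMO_KEY = b"constructed-demo-key"  # stand-in for the Cognito signing key
# Cognito issuer format: https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
EXPECTED_ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"  # assumed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed token for the example; stands in for what Cognito would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_identify(token: str, key: bytes = DEMO_KEY,
                        expected_issuer: str = EXPECTED_ISSUER,
                        now: Optional[float] = None) -> str:
    """Verify signature, issuer and expiry, then return the Hydda user_id claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm; never trust the header's choice
        raise PermissionError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # The issuer is the Cognito user pool URL, not a Hydda address (see Considerations)
    if claims.get("iss") != expected_issuer:
        raise PermissionError("unexpected issuer")
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        raise PermissionError("token expired")
    # Key the identity on the Hydda-specific user_id claim rather than on sub
    user_id = claims.get("user_id")
    if not user_id:
        raise PermissionError("missing user_id claim")
    return user_id


if __name__ == "__main__":
    issued = make_demo_token({"iss": EXPECTED_ISSUER, "sub": "7f0c-cognito-subject",
                              "user_id": "hydda-user-42", "exp": time.time() + 300})
    print(verify_and_identify(issued))
```

Pinning the issuer to the Cognito address is what makes the Cognito-shaped iss claim harmless: a consumer that accepted any HTTPS issuer, or one that expected a Hydda URL, would either reject every valid token or accept tokens from unrelated pools.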