Single-Sign-On By Vouch Proxy And AWS Cognito

Single-Sign-On By Vouch Proxy And AWS Cognito


3 min read


  • For Kubernetes cluster, we have many observability and monitoring tools which are built-in with separated dashboard/console UIs with login-authentication. We don't want to create many domains as well as multiple accounts to handle them. This post introduces vouch proxy as a solution to provide single-sign on which supports many OAuth and OIDC login providers and can enforce authentication to AWS Cognito user pool.

Table Of Contents

๐Ÿš€ Vouch Proxy Overview

  • Vouch Proxy - An SSO solution for Nginx using the auth_request module. Vouch Proxy can protect all of your websites at once.

  • Vouch Proxy supports many OAuth and OIDC login providers and can enforce authentication to... This blog introduces applying vouch-proxy with AWS Cognito userpool

  • In this blog post, we apply this solution for Applications such as Solr Cloud, AKHQ, and glowroot in Kubernetes cluster where vouch proxy and nginx are also deployed on.

๐Ÿš€ What Exactly Vouch Proxy Does

๐Ÿš€ How does vouch-proxy protect the domains?

  • Vouch-proxy (VP) supports many OAuth and OIDC login providers to authentication

  • Furthermore, vouch-proxy whitelists the domains, not only the access domain but also the domain of email login. The cookie domain, the domain that VP is served from and the protected app must all be the same domain. For example, if we just whitelist the app domain such as but the email is it will not authorize the user

      2022-07-07T15:58:12.716Z        WARN    /auth User is not authorized: verifyUser: Email is not within a Vouch Proxy managed domain . Please try again or seek support from your administrator

๐Ÿš€ Setup AWS Cognito as authorised provider

  • Pre-requisite: You already create login to user for login authentication.

  • Cognito userpool application client

  • Setup vouch-proxy config with AWS Cognito, replace the URLs with one's setup from Cognito

        logLevel: debug
        port: 9090
          secure: false
        domains: # app domain and mail domain only
        provider: oidc
        client_id: AWS_COGNITO_VOUCH_CLIENT_ID
        auth_url: <https://{yourCognitoDomain}>
        token_url: <https://{yourCognitoDomain}>
        user_info_url: <https://{yourCognitoDomain}>
        - openid
        - email
        - profile
        callback_url: <https://{callbackURL}/auth>

๐Ÿš€ Deploy vouch-proxy and nginx

  • Go to nginx to get Dockerfile, nginx config files to build the nginx-gw image

  • Use the image to start vouch-proxy by mounting the config file to /config/config.yml

๐Ÿš€ Troubleshooting

  • Getting started to align between Nginx, Vouch Proxy and your identity provider (IdP) can be tricky, vouch-proxy provides a config to enable the testing mode

        testing: true
        logLevel: debug
  • With testing enable, the UI will step us to each phase of redirecting

๐Ÿš€ Conclusion

  • Now we have SSO domain to access all the services conveniently and it's possible to add any more subpath for other services. The session with Cognito userpool token has expired time and we can update this timeout through Cognito attributes.