Class IdentityCenterOidcConfiguration

java.lang.Object
com.cloudforge.core.oidc.IdentityCenterOidcConfiguration
All Implemented Interfaces:
OidcConfiguration

public class IdentityCenterOidcConfiguration extends Object implements OidcConfiguration
OIDC configuration for AWS IAM Identity Center (formerly AWS SSO).

IAM Identity Center is an enterprise single sign-on (SSO) service that provides:

  • Centralized access management across AWS accounts
  • Integration with external identity providers (Active Directory, Okta, etc.)
  • SAML 2.0 and OIDC support
  • Fine-grained permissions
  • Multi-account access

Important: IAM Identity Center and Cognito are completely separate systems.

  • IAM Identity Center: Enterprise SSO, integrates with corporate directories
  • Cognito: Standalone user directory for customer-facing apps

IAM Identity Center OIDC Setup:

  1. Create a custom OIDC application in IAM Identity Center console
  2. Configure redirect URLs for your application
  3. Note the client ID and client secret
  4. Store client secret in AWS Secrets Manager
  5. Use this configuration to wire up application OIDC

Identity Center OIDC Endpoints:

  • Authorization: https://{tenant}.awsapps.com/start/oauth2/authorize
  • Token: https://{tenant}.awsapps.com/start/oauth2/token
  • UserInfo: https://{tenant}.awsapps.com/start/oauth2/userInfo
  • JWKS: https://{tenant}.awsapps.com/start/.well-known/jwks.json
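Putting the setup steps and endpoints above together, here is an added example that is not part of the CloudForge code base: it constructs the configuration and builds the front-channel authorization redirect with a per-login state, nonce and PKCE code challenge. It uses only the constructor and getters documented on this page plus the JDK; the region, tenant, identity store ID, client ID, Secrets Manager ARN, callback URL and admin group name are constructed placeholders, not real resources.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import com.cloudforge.core.oidc.IdentityCenterOidcConfiguration;
import com.cloudforge.core.oidc.OidcConfiguration;

/** Builds the authorization request that starts an Identity Center login. */
public final class AuthorizationRequestBuilder {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Values the callback handler must keep in the server-side session for this login only. */
    public record PendingLogin(String state, String nonce, String codeVerifier, URI redirectTo) {}

    public static PendingLogin begin(OidcConfiguration cfg) throws Exception {
        // state binds the callback to this browser session (CSRF defence),
        // nonce is echoed back inside the ID token (replay defence),
        // code_verifier is proven at the token endpoint (PKCE, RFC 7636, S256 method).
        String state = randomToken(32);
        String nonce = randomToken(32);
        String verifier = randomToken(32); // 43 url-safe chars, inside the RFC 7636 length limits
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        String challenge = B64URL.encodeToString(digest);

        String query = String.join("&",
                "response_type=code",
                "client_id=" + enc(cfg.getClientId()),
                "redirect_uri=" + enc(cfg.getRedirectUrl()),
                "scope=" + enc(cfg.getScopes()),
                "state=" + enc(state),
                "nonce=" + enc(nonce),
                "code_challenge=" + enc(challenge),
                "code_challenge_method=S256");
        URI redirectTo = URI.create(cfg.getAuthorizationEndpoint() + "?" + query);
        return new PendingLogin(state, nonce, verifier, redirectTo);
    }

    private static String randomToken(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: tenant, IDs, ARN and URLs are placeholders.
        OidcConfiguration cfg = new IdentityCenterOidcConfiguration(
                "us-east-1",
                "d-1234567890",
                "example-corp",
                "example-client-id",
                "arn:aws:secretsmanager:us-east-1:123456789012:secret:cloudforge/oidc/client-secret",
                "https://app.example.com/oauth2/callback",
                "CloudForgeAdmins");
        PendingLogin login = begin(cfg);
        // The web layer answers the login request with a 302 to this URI and
        // stores login.state(), login.nonce() and login.codeVerifier() in the session.
        System.out.println("302 Location: " + login.redirectTo());
    }
}
```

The callback handler must reject any response whose state does not equal the stored value before it touches the authorization code, and the code verifier must never leave the server.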
  • Constructor Details

    • IdentityCenterOidcConfiguration

      public IdentityCenterOidcConfiguration(String region, String identityStoreId, String tenant, String clientId, String clientSecretArn, String redirectUrl, String adminGroupName)
      Creates an IAM Identity Center OIDC configuration.
      Parameters:
      region - AWS region where Identity Center is configured
      identityStoreId - Identity Store ID (e.g., d-1234567890)
      tenant - Identity Center tenant/portal URL prefix
      clientId - OAuth 2.0 client ID from Identity Center application
      clientSecretArn - Secrets Manager ARN for client secret
      redirectUrl - Application callback URL
      adminGroupName - Admin group name from Identity Center for role mapping
  • Method Details

    • getProviderType

      public String getProviderType()
      Description copied from interface: OidcConfiguration
      Returns the OIDC provider type.
      Specified by:
      getProviderType in interface OidcConfiguration
      Returns:
      provider type, one of cognito, identity-center or external; this class returns the identity-center value
    • getIssuerUrl

      public String getIssuerUrl()
      Description copied from interface: OidcConfiguration
      Returns the OIDC issuer URL. This is the base URL for the OIDC provider.

      Examples:

      • Cognito: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
      • Identity Center: https://{tenant}.awsapps.com/start
      Specified by:
      getIssuerUrl in interface OidcConfiguration
      Returns:
      issuer URL
    • getAuthorizationEndpoint

      public String getAuthorizationEndpoint()
      Description copied from interface: OidcConfiguration
      Returns the OIDC authorization endpoint.

      This is where users are redirected to authenticate.

      Specified by:
      getAuthorizationEndpoint in interface OidcConfiguration
      Returns:
      authorization endpoint URL
    • getTokenEndpoint

      public String getTokenEndpoint()
      Description copied from interface: OidcConfiguration
      Returns the OIDC token endpoint.

      This is where applications exchange authorization codes for tokens.

      Specified by:
      getTokenEndpoint in interface OidcConfiguration
      Returns:
      token endpoint URL
    • getUserInfoEndpoint

      public String getUserInfoEndpoint()
      Description copied from interface: OidcConfiguration
      Returns the OIDC userinfo endpoint.

      This is where applications retrieve user profile information.

      Specified by:
      getUserInfoEndpoint in interface OidcConfiguration
      Returns:
      userinfo endpoint URL
    • getJwksUri

      public String getJwksUri()
      Description copied from interface: OidcConfiguration
      Returns the OIDC JWKS (JSON Web Key Set) endpoint.

      This is where applications retrieve public keys to verify JWT signatures.

      Specified by:
      getJwksUri in interface OidcConfiguration
      Returns:
      JWKS endpoint URL
    • getClientId

      public String getClientId()
      Description copied from interface: OidcConfiguration
      Returns the OAuth 2.0 client ID.

      This is the application identifier registered with the OIDC provider.

      Specified by:
      getClientId in interface OidcConfiguration
      Returns:
      client ID
    • getClientSecretArn

      public String getClientSecretArn()
      Description copied from interface: OidcConfiguration
      Returns the AWS Secrets Manager ARN for the client secret.

      Only the ARN is held in this configuration object; the secret value itself stays in AWS Secrets Manager and is fetched at runtime by the application's IAM role, which needs secretsmanager:GetSecretValue on this ARN (plus kms:Decrypt on the key if the secret is encrypted with a customer managed KMS key). Never copy the value into environment variables, configuration files or logs.

      Specified by:
      getClientSecretArn in interface OidcConfiguration
      Returns:
      Secrets Manager ARN for client secret
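The runtime retrieval described above, as an added example rather than the project's own code: it fetches the client secret with the AWS SDK for Java v2 and uses it for the authorization-code exchange at the token endpoint over java.net.http. It assumes the token endpoint accepts client_secret_basic (the OAuth 2.0 default client authentication method; this page does not say which methods Identity Center accepts) and that the PKCE code verifier from the login step is available from the session.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.stream.Collectors;

import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

import com.cloudforge.core.oidc.OidcConfiguration;

/** Exchanges an authorization code for tokens, reading the client secret at call time. */
public final class TokenExchange {

    private final OidcConfiguration cfg;
    private final SecretsManagerClient secrets;
    private final HttpClient http = HttpClient.newHttpClient();

    public TokenExchange(OidcConfiguration cfg, SecretsManagerClient secrets) {
        this.cfg = cfg;
        this.secrets = secrets;
    }

    /** Reads the secret by ARN. Kept on the stack only; never logged or written to disk. */
    private String clientSecret() {
        String value = secrets.getSecretValue(GetSecretValueRequest.builder()
                .secretId(cfg.getClientSecretArn())
                .build()).secretString();
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("client secret is missing or stored as binary");
        }
        return value;
    }

    /** Returns the raw JSON token response (id_token, access_token, ...). Treat it as sensitive. */
    public String exchangeCode(String code, String codeVerifier) throws Exception {
        String form = formEncode(Map.of(
                "grant_type", "authorization_code",
                "code", code,
                "redirect_uri", cfg.getRedirectUrl(),   // must equal the value sent in the authorize request
                "client_id", cfg.getClientId(),
                "code_verifier", codeVerifier));        // completes the PKCE proof

        // client_secret_basic: form-encode id and secret, then base64 "id:secret" (RFC 6749 2.3.1).
        String basic = Base64.getEncoder().encodeToString(
                (enc(cfg.getClientId()) + ":" + enc(clientSecret())).getBytes(StandardCharsets.UTF_8));

        HttpRequest req = HttpRequest.newBuilder(URI.create(cfg.getTokenEndpoint()))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Log the status only; the body can echo the code or carry an error detail.
            throw new IllegalStateException("token endpoint returned HTTP " + resp.statusCode());
        }
        return resp.body();
    }

    private static String formEncode(Map<String, String> fields) {
        return fields.entrySet().stream()
                .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

Calling Secrets Manager on every exchange keeps the secret out of process-global state at the cost of one API call per login; if call volume makes that a problem, cache the value in memory with a short TTL so that a rotation takes effect without a restart.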
    • getRedirectUrl

      public String getRedirectUrl()
      Description copied from interface: OidcConfiguration
      Returns the redirect URL for this application.

      This is the callback URL where the OIDC provider redirects after authentication. Typically: https://{application-domain}/oauth2/callback or similar. It must be one of the redirect URLs registered for the application in Identity Center (setup step 2); OAuth 2.0 best practice is an exact string comparison, so a different scheme, host, port, path or trailing slash is a different URL. Register only https URLs with a fixed path.

      Specified by:
      getRedirectUrl in interface OidcConfiguration
      Returns:
      redirect URL
    • getScopes

      public String getScopes()
      Description copied from interface: OidcConfiguration
      Returns the OAuth 2.0 scopes requested by this application.

      Common scopes: openid, profile, email, groups. The openid scope is required for an ID token to be issued; request groups only when role mapping through getGroupsClaim() is in use.

      Specified by:
      getScopes in interface OidcConfiguration
      Returns:
      space-separated list of scopes
    • getUsernameClaim

      public String getUsernameClaim()
      Description copied from interface: OidcConfiguration
      Returns the claim name for username mapping.

      This JWT claim is used as the application username.

      Common values: preferred_username, email, sub. Only sub is guaranteed by OpenID Connect to be unique and never reassigned within an issuer; an email address or display name can change or be reassigned, so an application that keys user records on it must handle that.

      Specified by:
      getUsernameClaim in interface OidcConfiguration
      Returns:
      username claim name
    • getGroupsClaim

      public String getGroupsClaim()
      Description copied from interface: OidcConfiguration
      Returns the claim name for group membership.

      This is used for role-based access control in applications.

      Common values: cognito:groups, groups

      Specified by:
      getGroupsClaim in interface OidcConfiguration
      Returns:
      groups claim name (optional)
    • getAdminGroupName

      public String getAdminGroupName()
      Description copied from interface: OidcConfiguration
      Returns the admin group name for role mapping.

      Users in this group receive admin privileges in the application. The comparison against the groups claim should be an exact, case-sensitive match, and a missing or malformed groups claim must map to non-admin (fail closed).

      Specified by:
      getAdminGroupName in interface OidcConfiguration
      Returns:
      admin group name (optional)
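An added example, not the project's own code, that ties together getJwksUri(), getIssuerUrl(), getUsernameClaim(), getGroupsClaim() and getAdminGroupName(): it verifies the ID token signature against the JWKS endpoint, checks issuer, audience, expiry and nonce, and then maps the claims to an application principal. It uses the Nimbus JOSE+JWT library, which is an assumption (the CloudForge code base may use a different JWT library), and pins the signing algorithm to RS256, also an assumption about what Identity Center signs with; pinning to one asymmetric algorithm is what blocks alg=none and HMAC key-confusion tokens.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import com.cloudforge.core.oidc.OidcConfiguration;

/** Validates an Identity Center ID token and maps its claims to an application principal. */
public final class IdTokenAuthenticator {

    /** Application identity derived from a verified token. */
    public record Principal(String username, boolean admin) {}

    private final OidcConfiguration cfg;
    private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

    public IdTokenAuthenticator(OidcConfiguration cfg) throws Exception {
        this.cfg = cfg;
        // Keys come from the JWKS endpoint; RemoteJWKSet caches them and refreshes on unknown kid.
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(URI.create(cfg.getJwksUri()).toURL());
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Exact-match issuer, required audience = our client ID, and claims that must be present.
        // exp/nbf are checked by the verifier with its default clock skew.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                cfg.getClientId(),
                new JWTClaimsSet.Builder().issuer(cfg.getIssuerUrl()).build(),
                Set.of("sub", "iat", "exp", "nonce")));
    }

    /** expectedNonce is the value stored in the session when the login was started. */
    public Principal authenticate(String idToken, String expectedNonce) throws Exception {
        JWTClaimsSet claims = processor.process(idToken, null); // throws on bad signature/iss/aud/exp

        if (!expectedNonce.equals(claims.getStringClaim("nonce"))) {
            throw new SecurityException("nonce mismatch: token was not issued for this login");
        }

        String username = claims.getStringClaim(cfg.getUsernameClaim());
        if (username == null || username.isBlank()) {
            throw new SecurityException("token lacks username claim " + cfg.getUsernameClaim());
        }

        // Role mapping fails closed: no groups claim, no admin group configured,
        // or a claim that is not a list of strings all yield a non-admin principal.
        boolean admin = false;
        String groupsClaim = cfg.getGroupsClaim();
        String adminGroup = cfg.getAdminGroupName();
        if (groupsClaim != null && adminGroup != null) {
            List<String> groups;
            try {
                groups = claims.getStringListClaim(groupsClaim); // null when the claim is absent
            } catch (java.text.ParseException malformed) {
                groups = null;
            }
            admin = groups != null && groups.contains(adminGroup); // exact, case-sensitive match
        }
        return new Principal(username, admin);
    }
}
```

The order matters: signature and issuer/audience checks run before any claim is read, so an attacker-supplied token never reaches the role-mapping logic.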
    • getIdentityStoreId

      public String getIdentityStoreId()
      Returns the Identity Store ID.
      Returns:
      identity store ID
    • getRegion

      public String getRegion()
      Returns the AWS region.
      Returns:
      region
    • getTenant

      public String getTenant()
      Returns the Identity Center tenant.
      Returns:
      tenant, the {tenant} portal URL prefix used in the Identity Center endpoint URLs
    • toString

      public String toString()
      Overrides:
      toString in class Object