Tulip Connectors on a AWS serverless backend using OAuth2 and Cognito

I wondered about making a connector for Tulip that runs serverless on AWS. I’m not super familiar with Amazon Cognito but I actually got it to work. There are a few things that behave a little strangely, the main one being that after you set up the AWS side you have to hit the Test button on the connector setup. This redirects you to a login page in amazon (one that you can customize if you want to). This login has to be done manually, and if the OAuth refresh token expires you will have to do it again in the Connector setup. From the perspective of the player the connector will just fail if all the tokens have expired.

Fortunately, in Cognito you can set a really long Refresh token expiration time:

In some ways I wonder whether or not this is all worth it. As an alternative, you could just set the backend service up to use basic auth and be done with it.

There are a bunch of things you have to set up on the AWS side:

  • In the user pool, create an app for Tulip. This authorizes Tulip to use this user pool. The app needs to have the allowed redirects in the hosted UI section - it should allow just Tulip if you only want Tulip to use it.
    • Under App Client Information note the Client ID and Client Secret. This identifies the app (which is Tulip) - you will need these numbers in the connector setup
  • Also i the User Pool setup note the Cognito domain. You can customize the prefix of this domain. You’ll need that later, too.
  • Create a Cognito “user pool” that holds your users/passwords. The username is used for initial connector setup, when you push the Test button in the Headers section of the connector configuration.
  • The user pool must have, at least, the “OpenID” scope. The remaining scopes are really optional.
  • Create your Lambda function. I wrote mine in go
  • Create an API Gateway configuration that
    • Maps paths to the Lambda function you created using an Integration
    • Uses the user pool you created earlier (Authorizations section)

Connector Setup:


Scope setup in App:

This setup is somewhat involved. I would say that if you’re pretty familiar with AWS you could set the whole thing up in an hour, if you know exactly what you’re doing. There are quite a few settings you need to get just right for it to work.

However, I am happy to report that it does work, and pretty well. What’s really nice about the serverless approach is that the total cost of ownership is pretty low - there’s no servers or operating systems to maintain, and this Cognito approach takes care of the authentication for you.

I would love to fully document this but I can’t take the time right now. But if anybody else has the urge to set this up, ask me questions here - I’ll help if I can. I’m mainly writing this to get it into the zeitgeist, in case someone is searching for how to do this months from now when I’ve forgotten most of it :slight_smile: If Tulip is super interested I will set up a zoom and walk you through a configuration.