I am trying to find out if I can combine standard out-of-the-box AWS Cognito authentication flow (username & password, Google Sign etc) with CUSTOM_AUTHENTICATION flow.
What I am trying to achieve is to implement Shopify OAuth2 as the identity provider. Trick is that URL changes per tenant/user, so I cannot add it as OAuth2 generic identity provider.
I found out article where some dev implemented Shopify with AWS Cognito.
I am trying to find out if it can be somehow combined
Thanks
Related
I use AWS stack in BE for mobile App. I have an AWS Cognito User Pool and already has organized authentication throw Google, Facebook and Apple. Now I need to implement/configure authentication throw VK social network. VK doesn't support OpenID but it supports OAuth 2.0.
Unfortunately, I don't understand how can I implement it. Please share you experiance.
OAuth is only about authorization. There is no authentication here. So to implement what you need you either have to implement the authentication yourself (and expose an OIDC token to Cognito), or use a third-party solution that can do it for you (whether it's paid or not).
While describing how to build you own OIDC wrapper for OAuth would be a topic for at least a few blog posts, what I can suggest is to use an existing solutions that could integrate with VK.
On of those solutions is Auth0 (and no, I'm not associated with them in any way). It has a connector for vKontakte.
You basically need to chain the flow like that:
Configure Auth0 to authenticate with VK
Configure Cognito with Identity Pool and an OIDC connector with Auth0
This will work as follows:
You call Cognito's UI which will redirect you to Auth0
On Auth0 you will have a button to redirect to VK
After successful sign in you will be redirected to Auth0 and there you will have a new user
Auth0 will redirect back to Cognito and it will sync user data from Auth0 to your User Pool
That's just an example and there are probably more providers that could do the same thing.
after some reading on Using multiple authorization types with AWS AppSync GraphQL APIs and The Complete Guide to User Authentication with the Amplify Framework , one thing I could not figure out is if I can have 3rd Party Application Tokens (e.g. like Twitter API) and use AppSync+Cognito to generate credentials for service-to-service mutations/query?
I already have a user flow via Cognito (type AMAZON_COGNITO_USER_POOLS). I want to centralize service-to-service calls using my AppSync. Limiting the service/token access would be great too (to only X Mutations, instead of the whole schema). Would that be possible?
I'm a bit lost around what are the current limitations.
do I need a Custom Authorizer in Cognito?
should I move everything to IAM credentials?
a Lambda Resolver with manual credentials check + AppSync call?
I can't do it and I need to store these tokens in a different place (DynamoDB, etc), with metadata/some id to have some kind of identity and always use Lambda Resolvers etc.
thoughts and insights are more than welcome,
thanks!
As of today, AppSync does support 4 types of user authentication
API key (no authentication)
IAM credentials
OpenID tokens
Cognito User Pool tokens
There is a request to add custom lambda authorisers as well, but nothing has been announced to date.
In your scenario, I would use Cognito User Pool authentication on the App Sync side and federate Cognito User pool with Twitter OIDC. I know a couple of years ago Twitter was only supporting a custom subset of Oauth2. I'll let you check if they do support OIDC now :-)
But you're not the only asking this question
https://forums.aws.amazon.com/thread.jspa?messageID=881666
User pools for users who register via twitter?
AWS Cognito provides two services: user pools and identity pools. Both are similar but different concepts, ok so far.
I want to use the feature federation of a user pool.
I do NOT want to use this feature with the hosted UI.
I do NOT want to use this feature with identity pool.
I would like to use the federation login of a user pool of facebook or google of a user pool in a reactive native application. For example only with AWS sdk, for example, auth SDK from amplify.
However, I find no possibility to use the federation login of the user pool over the API (not hosted UI).
A synonym to Auth.signIn but with federation facebook using react native, for example with expo.
With expo i get the facebook tokens via
const { type, token, expires } = await Expo.Facebook.logInWithReadPermissionsAsync(aws_exports.aws_facebook_id, {
permissions: ['public_profile'],
});
How to use federated Auth using aws-amplify API without hosted UI?
Amplify does not use a User Pool API for signing in via a third-party provider, and the APIs offered for third-party providers are just for Identity Pools. Currently, there's a feature request with the AWS Amplify SDK team for the same.
A workaround would be to use the AUTHORIZATION Endpoint directly, and make suited HTTP requests to achieve your requirements.
Here's a post that shows how to use Google and Facebook to authenticate with the user pools. It's way too much to repeat here, so check out the link.
https://dev.to/dabit3/the-complete-guide-to-user-authentication-with-the-amplify-framework-2inh
Hope this helps.
I created an API with AWS API gateway that triggers a lambda function. Now I want to restrict access to this API. I own an OpenID connect identity provider.
I want to require people to authenticate with my OpenID identity provider before accessing the API. What is the best way to do that? Apparently, I need an authorizer for my API. I read a lot of documentation, and from what is mentioned here, it seems that this would be possible with amazon cognito. However, here I can only find a way to use cognito user pools, while I want to use a cognito identity pool.
I want the typical authentication scenario, e.g. user calls the api, is redirected to my openid id provider, logs in, and can then access my api (which delivers html so all of this will be taking place in a web browser).
Is this actually possible with cognito, or do I need to write a custom lambda authorizer? If so, is there any documentation on writing an authorizer lambda that uses openid, prefereably in .NET?
You are mixing Authentication and Authorization.
Federated Identity Provider to Cognito:
You can use OpenID Federated Identity provider for Authentication.
Below documentation provides on how to configure it,
https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
Once authenticated you can create a signed URL to protect your assets for the URL which you want to allow to.
Creating Signed URLs:
Below documentation providers on how to created signed URL's using C#.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CreateSignatureInCSharp.html
Custom Authorizer:
Following commit on github shows an example implementation of C# custom authorizer.
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/pull/13/commits/79d75fb7c5ee4f29fa06fd2ec28c704224cf8a7a
Hope it helps.
I am building web application based on microservice architecture. At this moment I am considering few ways of user authentication flow. I predict following, example user roles:
admin - is able to create content, upload files etc (admin account can be created only by another admin)
unauthorized user - can view content
authorized user - can comment content
Here is, how I was thinking about authentication flow so far:
authentication service - have access to DB with users credentials and permissions
api gateway - retrieve requests from user, check if user is logged in (ie verifies OAuth2 access token with auth service) and transfer flow to other services based on user request (attaching JWT token with some basic user info)
another service - accept only requests from api gateway, and trusts user data from JWT token (does not need to connect with auth service to get information about user).
After deploying some stuff on AWS infrastructure my way of thinking have changed a little bit. As far as I understand AWS products (Lambda - serverless applications and API gateway), I should implement authentication flow as follows:
authentication service - gets request from user, retrieve data from dynamoDB and provide user cookie with JWT signed by private key
any other service - retrieves request with JWT token, verifies signature using public key, and perform some action.
And now the question comes:
How deos AWS Cognito fits here? Is it something useful for me? As far as I understand, Cognito simplifies flow of authenticating users via 3rd parties (facebook, twitter etc. etc.). Does AWS Cognito serves login page, separated from my application, or it is only background/webservices impelementation?
So far I am thinking about Cognito as a replacement for my authentication service - any of my services, should impelemnt Cognito authentication flow provided by SDK from amazon, and my static website would implement JavaScript SDK for user login/register. Am I right?
First of all AWS Cognito consists of two services.
AWS Cognito UserPools (Which is the Identity Provider) - This is the service where you can create the users and manage their credentials with other policies. It can also provide the login screen where we can customize the logo and look and feel so that it can become a plug and play Login service. Then it is also possible to configure the authentication flow (For example to make the service as an OpenIDConnect authentication provider so that it will return a JWT token once user logs in). It is also possible to connect Social Identities (Facebook, Google & etc.) and SAML.
AWS Cognito Federated Identities (Identity Federation to grant users access AWS Services) - This service is capable of accepting AWS Cognito UserPool Token or direct access from other providers where we can federate the access to AWS resources. For example, AWS Cognito Federated Identities can grant temporal access to a User, Authenticated from another provider (e.g; AWS Cognito UserPools) to upload files to S3.
For more details refer the article The Difference Between AWS Cognito UserPools and Federated Identities?.
So coming back to your questions,
So far I am thinking about Cognito as a replacement for my
authentication service?
you can use AWS Cognito UserPools authentication service to issue JWT tokens and validate the token in AWS Lambda Custom Authorizer at your other service endpoints. This is also the place where you can do Authorization.
My static website would implement JavaScript SDK for user
login/register. Am I right?
Not necessarily. If you use AWS Cognito UserPools Hosted UI, you will get Login, Signup, Password Change, Confirmation pages, by default along with auto redirection for Federated Identities (Based on the configurations) such as Facebook, Google or Corporate Credentials like Office365. Although the customization is limited, you should be able to add your own logo and change the background color of these screens. If you plan to implement this by your self, then you can use AWS SDKs to implement these screens.
For more details on the serverless architecture refer Full Stack Serverless Web Apps with AWS.