We have AWS Api Gateway with developer portal. At this moment API developers can sign-up themselves to create a new user account to Cognito. AWS Cognito supports self-service sign-up and an invite mode. In self-service user can confirm account via email/phone. According Cognito documentation (https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html) this confirmation process is illustrated that confirmation can be admin confirmation Or Confirm via email/phone.
What we need is both combined. Registration have to be easy and verify users email, but ultimately admin makes decision if user will be allowed to get API Key and sign in Developer Portal . Process I have in mind;
First user registrates himself as a self-service confirmation via email, and after that account should be on hold unconfirmed state waiting for admin confirmation. Ideally Cognito will have an alarm to notify admin that there is new registration in queue waiting for admin confirmation.
Is this possible?
Related
I'm new to learning AWS and I'm trying to figure out if my use-case is possible. I want to create a mobile app where the user can login (email/facebook/google etc.) and then subscribe to a few MQTT topics on aws IoT to receive realtime sensor data for a gardening system. There are many tutorials on AWS that show you how to do this
(prime example: https://github.com/awslabs/aws-sdk-android-samples/blob/master/AndroidPubSub/README.md)
but all of them require you to download certificates, insert app IDs, secret keys etc. in the code/keystore itself. I'd really like to avoid all of this and just use the login as all the authorization you would need to subscribe to these topics.
is this possible? or do I need to build some custom system?
Short answer, Yes, it is possible. To do that you should do the following:
Create Cognito user pool. User Pool ID and App client id will be used in the next step. You can find more information here.
Create Cognito Identity pool. Under Authentication Providers you should give User Pool ID and App client id, more information here. When you create this, it will create two Roles for Authenticated and Unauthenticated users in IAM. You should add IoT access permissions (Connect, Publish, Subscribe and Receive) to those roles.
On client side (your App), after choosing your preferred AWS SDK (Android, iOS, React, JS, etc.) and configuring User pool ID, Identity pool and App client ID you should first authenticate the user by sending the user information (usually Email/Username and Password) to the Cognito user pool. In return, you will get some tokens.
Among those IdToken (JWT) will be sent to the Identity pool and in return you will get User Identity ID along with credentials (accessKeyId, secretAccessKey, sessionToken) needed to access AWS other services like IoT.
Last step would be using aws-iot-sdk for your App along with those credentials to publish and subscribe to your IoT topics. You can find more information about aws-iot-sdk here.
We have an application using AWS Cognito (+ hosted web UI) where users are only created by administrators. MFA with SMS is required. This is our current flow for new users:
Admin creates a new user using AdminCreateUser of aws-sdk. Email, name and phone number are given.
A new account is created with FORCE_CHANGE_PASSWORD status. Username and a temporary password are sent to the user via email.
User signs in for the first time with the temporary password.
Cognito asks for a new password.
User sets their new password and proceeds to log in.
MFA code is sent to user via SMS. However, Cognito does not ask for the MFA code. User simply gets logged in. Account status is now CONFIRMED but phone_number_verified is not set.
However, the MFA challenge works fine starting from the second login. In other words, user's phone number only gets verified if they manage to log in for the second time. This means that a user who forgets their password after the initial login is unable to reset their password (as it requires a verified phone number).
Any idea why this is happening and what settings should I look into? I'm aware I can avoid the main problem by programmatically setting phone_number_verified as true, but I'd like to know why the MFA challenge fails on first login.
I've been really disappointed in the AWS hostsed auth UI. It's ugly and very limited. As you've discovered, for example, it doesn't handle MFA at all.
The best alternative I've found is to use the Authenticator Amplify UI component. It's possible to use Amplify UI without using the Amplify CLI or hosting your site on AWS, so it's pretty well a drop-in solution. Authenticator handles setting up software TOTP tokens and the TOTP challenge as needed. I haven't used it for SMS, but this page implies it's supported.
You can learn how to use Amplify UI components standalone (without the CLI and AWS hosting) in this StackOverflow answer.
I am starting to implement federated authentication with AWS Cognito using AWS C++ SDK.
I want to authenticate a user with Cognito User Pool and Facebook, Twitter, Google.
I understand that I can link several logins under single user identifier (Cognito identityId), but it is possible only when such logins are added manually after first login.
In example, I see scenario:
A user is registered using Cognito UserPool.
Then, staying authenticated, the user authenticate itself using Facebook. And Facebook tokens can are added to logins.
When further retrieving AWSCredentials call processes - the Facebook login will be added to the user identity at Cognito Identity Pool.
After, the user can login using UserPool credentials and through Facebook authentication under the same user identityId.
Firstly, I am not sure that my scenario is correct, but it is what I realized after reading many posts here and AWS docs.
And if the scenario is correct, then I am in stuck with another question: how to refresh tokens?
In AWS C++ SDK in order to refresh AWS Credential the call CognitoIdentityClient.GetCredentialsForIdentity is used, but it requires to pass user logins.
My more specific question: do I need to pass all logins? Does it require to have all access tokens in the logins no expired?
Adressing your first point, you can use federated identity without using cognito user pool. This means that you can simply autheticate a user directly with facebook, google etc and not add them to user pool. If you do want all users to be there in user pool then you will have to write the code to accept certain parameters from these authentication providers and then add them along with username and password to your user pool.
Now on to your question. To refresh token you have to use InitiateAuth. In auth flow you have to pass "REFRESH_TOKEN_AUTH" and in AuthParameters you pass the refresh token.
I am using the Cognito Hosted UI option to register and sign-in users for my website. Currently, users who register are immediately able to sign-in using their username/password. This is an issue because this allows anyone to register and then to access restricted parts of the site. What I would like to do is require that the ADMIN manually confirm every registered user before they can login.
Is this possible to achieve?
If you want to manually confirm every user that has registered using your Cognito User Pool, you could perform the following steps:
Step 1: Ensure that E-Mail/SMS verification requirement is unchecked in the "MFA and Verifications" sidebar in your Amazon Cognito User Pool console.
Step 2: To improve user experience, utilize a custom UI for your web/mobile application. After your users sign-up, redirect them to a different web-page which states that they would require admin verification. If you are using the Cognito default UI, the message "User Pool not configured properly for confirmation code delivery" which doesn't necessarily deliver a seamless user experience.
Step 3: Now, your signed up users should have the "UNCONFIRMED" state in the Amazon Cognito User Pool.
Step 4: To manually confirm the user, you can use the AdminConfirmSignUp API call[1], from your application code or from the CLI. This requires the user-pool-id and the username, and would also need Administrator credentials for it to run successfully.
I tested this out on my end, and I was able to manually confirm all the users that had registered to my Amazon Cognito User Pool.
The API call I tried on my end is as follows(tested via the CLI):
aws cognito-idp admin-confirm-sign-up --user-pool-id us-east-1_XXXX --username XXXX
After the AdminConfirmSignUp API call, your "UNCONFIRMED" users should have the "CONFIRMED" status.
References
[1]. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html
I am planning to write a mobile app with AWS handling the backend work. Like many common apps, mine will support user registration and login. All backend resources should be secure based on the user's role.
After reading AWS Cognito, it handles both Open authentication provider and Developer Authentication provider. This helps to support third party login. The capacity of syncing data is a big plus.
However, I have some questions about Cognito when I try further implementation.
What are the user credentials stored?
I need to add more user attributes (eg. email, profile image etc.) when a new user is created. Can Cognito handle this? Or do I need to use storage like S3 to store the entire user profile?
Does Cognito support email verification for user registration?
Does Cognito handle 'forgot password' feature?
All advices are welcomed.
There is now Amazon Cognito User Pools (currently in beta), allowing to store user credentials, see here
Update: Cognito has since added a new feature that does allow storing credentials. See Cognito User Pools for more information.
Amazon Cognito does not store credentials. Instead, it allows you to offload the task of securely storing credentials to any OpenID Connect-complaint credential provider such as, but not limited to, Facebook, Google, and Login With Amazon.
If you have a credential provider that is not OpenID Connect compliant, you can use the Developer Authenticated Identities capability to leverage another authentication system as a credential store (such as your own back-end service). Registration, email verification, and forgot password features would be handled by the Identity Provider: Either an OpenID Connect provider (e.g. Facebook) or your own provider via Developer Authenticated Identities.
Cognito's Sync capability gives you the ability to store profile information or any other information specific to the current user (referred to as "identity" in Cognito). There is a good blog post about using Cognito Sync to store & synchronize data here.