AUTH for AWS using NEXT.js - amazon-web-services

I am struggling to find good info on setting up auth for a web page. I need it to have three levels of access.
ADMIN, which can control everything i.e. allowing the other levels to exist.
Editor, which can see the posts made in a backend situation. Editors will have to be approved by the ADMIN.
Authors, who can put, read and delete (only their own posts).
I don't want the authors to have to wait to make posts on the site. But Editors and ADMINS need to be approved. I feel that making a separate site for Editors and ADMINS is the solution to this.
Can anyone point me in the right direction concerning this?
Questions I need to be answered:
How Do I set up the three levels?
Is there one login that the ADMIN has to view and approve? I need it to be secure but not CAPTCHA or MFA Secure. I know AWS and Amplify uses Cognito which is fine. I would prefer to not use a Social provider login. Just an email login.
Since this website will require a database (S3 bucket) for the info that will be uploaded by the authors, will the login info be stored in a different database (DynamoDB for instance)?
I want to use Amplify, Next.js, and AWS.
Sites I have been reading and I'm sure have the answer but I am not seeing.
https://docs.amplify.aws/cli/auth/overview/
https://nextjs.org/docs/authentication
https://next-auth.js.org/providers/cognito

Related

How to use AWS Cognito as a unified SSO?

I would like to have only one login screen, registration, profile and password recovery for all projects in my company. Basically a unified login or SSO.
So I made these screens using AWS Cognito and hosted them on the sso.mycompany.com domain and it's working fine.
But now I need to implement these screens in my other projects. How can I do this? I can't just copy the files, as this was done in Vue.js, and I would like to put these screens in projects done in Laravel, Wordpress, React, etc;
I thought of using an iframe loading sso.mycompany.com, but how do I return user data after login to the app that opened the iframe?
Basically that's it, I have authentication screens hosted on the sso.mycompany.com domain and I would like to use them on projectx.com, projecty.com, mycompany.com, etc.
Here is one solution that might work for you and might give you some ideas on how you could put together a solution. Unfortunately, Cognito out of the box doesn't come with a unified/universal login experience that you require. It also doesn't come with a lot of other features you might see from the big IdP platforms, but that is another discussion for another time :) The whole foundation of this solution is based off of a single domain, cookies and JWTs(access token, id token and a refresh token). It will still work for your apps on other domains, but the experience for your end users will be a bit sub optimal compared to if all your apps were on the same domain.
Because an app like projectx.com sits on a different domain then sso.mycompany.com, you have to somehow get a access token over to projectx.com after the user logs in through mycompany.com. You can simply just pass the access token through as a query param when you redirect the user back to projectx.com after a successful login on sso.mycompany.com.
I had a much longer answer with details, but stackoverflow won't let me post because it thinks my answer is spam??? Check my profile on how to contact me if you want the longer version with details.

Cognito: is it possible to host UI on my domain and redirect to my domain too?

I want to use Cognito for my WebExtension for Chromium and Firefox.
I have two problems.
1) Hosted UI from Cognito not at my domain - so users may think why:
For branding and security I want to host UI from Cognito on my domain. Because my product is the browser extension - I think that I can embed UI for login in iframe to the popup-ui (that shows if user push to the button of the extension).
2) Redirect after Google to the AWS - because of that user will see Choose an account to continue to amazoncognito.com but the correct text must be Choose an account to continue to <domain-of-my-project>:
Looks like this is not possible to redirect to my domain with saving automation of Cognito about exchanging of code from Google to access token from Google for getting email of user. In the documentation about domain for user pools mentioned only sub-sub-sub domain under amazoncognito.com. If this is not possible - would be useful to mention it in documentation.
Add customized domain is not available now. We have heard this request from multiple customers and would look into adding it into our future releases.
I'm confused about your second question, can you explain more about it?
With regards to your 2nd question. It's true that ideally you would want to be able to have a custom domain, but the fact google is showing amazoncognito.com is a problem with your configuration in your GCP account.
Under the API->Credentials tab in GCP console, you can adjust the product name and logo to be displayed. The problem is that you need to pass a review of your app before google starts showing them. This was changed by google after some phishing hacking attempts (https://developers.googleblog.com/2017/05/updating-developer-identity-guidelines.html).
To submit your app for a review: https://support.google.com/code/contact/oauth_app_verification

Login page responsible for different applications

I have a workspace in which I have many applications based on the same schema.
Every applications has his own login page at the moment.
I want to build another application responsible for the login of all the other applications.
The login will redirect the user to a main page that will show the links to the different modules (applications) based on the user type.
Note that only the ADMIN user can see the links to all the applications.
Different types of user will see only the links to the apps that they are authorized to access.
I read other related posts, I know I have to change the cookie name for all the app I want to share the authentication.
But my question is:
If I login successfully with a user different from the ADMIN, I am still able to access all the applications via URL, even if their link is not visible in my main page.
How can I prevent this?
Check out the use of authorisation schemes (see under Shared Components).
If you had an authorisation scheme per application you check on each page so that if the current user was authorised that application. Don't forget that each authorisation scheme would also allow users who have ADMIN access.
Hope this helps.
Just had another thought. Check out this post http://www.explorer-development.uk.com/securing-vulnerability-exploits-apex-part-2/ by Craig Sykes.
Activating Session State Protection and using Checksums would prevent a number of issues for you.

Request additional permissions only for specific users in Meteor

I have an application allowing users to sign in using their Facebook and Twitter accounts. I only need a very basic information like their email address and full name. Everything works fine and as planned.
Accounts.ui.config({
requestPermissions: {
facebook: ['email'],
github: ['user:email']
}
});
But, now I need to implement a feature posting to a Facebook page and Twitter on behalf of the admin users only. So, I need to get additional permissions from specific users only.
Admin users are eligible to manage our page at Facebook. The app needs to request additional permissions to be able to post to the page. I wan't to keep those basic permissions for regular users.
How can I accomplish that?
One way you can do is,
If you know that logged in user is Admin, put the re-authenticate button in user-dashboard (or somewhere which makes sense) that will do authentication user of user for whatever permissions as required by application.
This will basically do, oauth with social service like usual and upon completion you will get aceess code and against this code get the re-newed access token from social service. (This is normal , how you basically do the oauth manually) Now, use this access token to post to social services.
For this, you will need to use node modules such as for facebook -fb_graph , for twitter- twiiter
Hope this helps

Django Open ID - Assign permissions to users who have never logged in by email

I'm using django-auth with the django-auth-openid extension to use OpenID (specifically, Google) to log users into my site. I have a user base of about 90 who will be using the site. All of them have Google accounts, and will be using them to access the site. Since the user base is set (there is no registration allowed, only admins can add users), I already have an exhaustive list of all of my users, including their email addresses and other information. How can I allow these users to login with their Gmail addresses without making them register first? Essentially, I'd like to make django-auth-openid match OpenID Gmail addresses to rows in the existing django-auth Users table. Is this possible?
Thanks!
I ended up using the python-social-auth library (which has Django support built in). The documentation for use with Django isn't great, but between the docs and the provided example it was relatively easy to integrate it with my existing django-auth setup. After that, I just deleted the 'create_user' pipeline from the SOCIAL_AUTH_PIPELINE tuple in my settings, and, that way, only users with existing OpenID connections were allowed in (no new registrations occurred from OpenID logins). This meant, though, that I had to create those connections (between OpenID identifiers and Users) manually, but that was pretty easy to do just using the Django Python shell.