I'm trying to integrate Google as an IdP in our existing Cognito User Pool. Everything is set up so far, and I can sign up/sign in using Google, which creates the new user. I'm using the PreSignUp Lambda trigger to link an existing user or create a new native one if there is none. Now I was expecting that event.Request.UserAttributes['name'] would contain the user's name as provided by Google, or at least that I would see the attribute in the id_token. But I see no way to get those values at the moment. We started using Cognito just as the store for username/password, and none of the user attributes are filled in or marked as required.
I have set up the Google integration with the following scopes:
.../auth/userinfo.email
.../auth/userinfo.profile
openid
In the UserPoolClient I:
marked name as a readable and writable attribute (along with others)
checked the following allowed OAuth scopes: email, openid, and profile. These are also defined in the web client in charge of the OAuth flow.
In the Federation section, I configured the attribute mapping:
As a test, I mapped the name attribute to a custom attribute I use for testing. But neither this nor mapping name to name worked.
Payload I get in the event:
{{PreSignUp_ExternalProvider .... Google_11...} {map[cognito:email_alias: cognito:phone_number_alias: email:m...#...m email_verified:true] map[] map[]} {false false false}}
id_token content:
{
  "at_hash": "..",
  "sub": "52...",
  "email_verified": true,
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/...",
  "cognito:username": "52..",
  "origin_jti": "..",
  "aud": "...",
  "identities": [
    {
      "userId": "11...",
      "providerName": "Google",
      "providerType": "Google",
      "issuer": null,
      "primary": "false",
      "dateCreated": "1648828708886"
    }
  ],
  "token_use": "id",
  "auth_time": 1648828717,
  "exp": 1648830828,
  "iat": 1648830228,
  "jti": "...",
  "email": "m...#...m"
}
access_token content:
{
  "origin_jti": "02...",
  "sub": "52...",
  "token_use": "access",
  "scope": "openid profile",
  "auth_time": 1648828717,
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/....",
  "exp": 1648829317,
  "iat": 1648828717,
  "version": 2,
  "jti": "..",
  "client_id": "...",
  "username": "52..."
}
Now it's working, even though I can't say what the error was. I recreated the whole test setup again and ensured the correct values of the following:
attribute mappings
authorized scopes
Allowed OAuth scopes
Scopes selected by the frontend
I added the scopes email, profile, and openid to be sure, and now I get the name attribute within the pre-signup trigger Lambda and in the ID token.
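The linking flow the question describes (PreSignUp_ExternalProvider, then either link to an existing native user or create one) as an added example; this is not the poster's code. It assumes the IdP is registered in the pool as "Google" and that the caller has already looked the native user up by e-mail (for instance with ListUsers) and passes its username, or null, as nativeUsername; the sample event and pool id are constructed.

```javascript
// Added example, not the poster's code: decision logic for a Cognito PreSignUp
// trigger in the PreSignUp_ExternalProvider flow. Hypothetical assumptions: the
// IdP is registered in the user pool as "Google", and the native user lookup
// (e.g. ListUsers filtered by email) has already happened; its result is passed
// in as `nativeUsername` (a username, or null when no native user exists).

const EXTERNAL_PROVIDER_TRIGGER = "PreSignUp_ExternalProvider";

// Federated usernames look like "<ProviderName>_<provider user id>", e.g. the
// "Google_11..." value in the event payload printed above.
function parseFederatedUserName(userName) {
  const idx = userName.indexOf("_");
  if (idx <= 0 || idx === userName.length - 1) {
    throw new Error(`unexpected federated userName: ${userName}`);
  }
  return {
    providerName: userName.slice(0, idx),
    providerUserId: userName.slice(idx + 1),
  };
}

// Request parameters for AdminLinkProviderForUser: the IdP identity is the
// source, the existing native Cognito user is the destination.
function buildLinkParams(userPoolId, nativeUsername, providerName, providerUserId) {
  return {
    UserPoolId: userPoolId,
    DestinationUser: { ProviderName: "Cognito", ProviderAttributeValue: nativeUsername },
    SourceUser: {
      ProviderName: providerName,
      ProviderAttributeName: "Cognito_Subject",
      ProviderAttributeValue: providerUserId,
    },
  };
}

// Attributes the mapping did not deliver (e.g. "name" when the profile scope is
// not requested), so the gap is visible in the logs instead of silently
// producing an empty native user.
function missingMappedAttributes(userAttributes, expected = ["email", "name"]) {
  return expected.filter((key) => !userAttributes[key]);
}

function decidePreSignUp(event, nativeUsername) {
  if (event.triggerSource !== EXTERNAL_PROVIDER_TRIGGER) {
    return { action: "native-signup" };
  }
  const attrs = (event.request && event.request.userAttributes) || {};
  const missing = missingMappedAttributes(attrs);
  // Only link on an e-mail the IdP has verified; the flag arrives as the string
  // "true" in Lambda payloads, but a boolean is accepted too.
  if (!attrs.email || String(attrs.email_verified) !== "true") {
    return { action: "reject", reason: "missing or unverified email", missing };
  }
  const { providerName, providerUserId } = parseFederatedUserName(event.userName);
  if (nativeUsername) {
    return {
      action: "link",
      params: buildLinkParams(event.userPoolId, nativeUsername, providerName, providerUserId),
      missing,
    };
  }
  return { action: "create-native", email: attrs.email, name: attrs.name || null, missing };
}

// Constructed sample event mirroring the shape printed above (pool id is a placeholder).
const SAMPLE_EVENT = {
  triggerSource: "PreSignUp_ExternalProvider",
  userPoolId: "us-west-2_EXAMPLE",
  userName: "Google_1234567890",
  request: { userAttributes: { email: "alice@example.com", email_verified: "true" } },
  response: {},
};
```

In a real trigger the "link" decision is followed by an AdminLinkProviderForUser call with the returned params, and the "missing" list is what to log when, as in the question, name never arrives because the profile scope was not requested or mapped.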
Related
I have set up AWS Cognito with an OIDC federated identity provider. When logging in through the federated identity provider, two tokens are generated: an ID token and an access token. The ID token contains the user-specific claims, whereas the access token contains the group-specific claim.
Access Token
{
  "iss": "identity provider URL",
  "nbf": 1669183553,
  "iat": 1669183553,
  "exp": 1669187153,
  "aud": [
    "group",
    "identity provider URL/resources"
  ],
  "scope": [
    "openid",
    "email",
    "profile",
    "group"
  ],
  "amr": [
    "external"
  ],
  "client_id": "...............",
  "sub": "..........",
  "auth_time": 1669183545,
  "idp": "..............",
  "username": "John Doe",
  "group": [
    "admin"
  ],
  "tenant": "Tenant",
  "sid": "xxxxxxxxxxxxxxxx"
}
ID Token
{
  "iss": "identity provider URL",
  "nbf": 1669183553,
  "iat": 1669183553,
  "exp": 1669183853,
  "aud": "..............",
  "amr": [
    "external"
  ],
  "at_hash": "PlXvXPmIGRyX6e8V0U67BQ",
  "sid": "xxxxxxxxxxxxxxxx",
  "sub": "...............",
  "auth_time": 1669183545,
  "idp": "..................",
  "username": "johndoe",
  "name": "John Doe",
  "email": "johndoe#gmail.com"
}
The nameinfo endpoint of the OIDC identity provider contains some user specific information, but not the group information.
I have tried using the pre token generation Lambda trigger, but the event parameter also does not contain access token-specific information.
Is there any other way by which I can get the access token claims and add them to the token generated by AWS Cognito?
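An added example of the Pre Token Generation (V1) event shape the question mentions; it is not the poster's code. It assumes, hypothetically, that the IdP's group claim has been mapped to a custom attribute named custom:group in the user pool's attribute mapping. Cognito only maps claims it receives from the IdP's ID token or userinfo response, so the IdP would have to emit the group claim there; the trigger event never carries the IdP's access token, which is the limitation the question runs into.

```javascript
// Added example, not the poster's code: a Pre Token Generation (V1) trigger that
// copies a mapped attribute into the ID token. Hypothetical assumption: the
// IdP's group claim is mapped to the custom attribute "custom:group" (Cognito
// maps only claims from the IdP ID token or userinfo response, never from the
// IdP access token). The allow-list and the sample event are constructed.

const GROUP_ATTRIBUTE = "custom:group";
const ALLOWED_GROUPS = new Set(["admin", "viewer"]); // constructed allow-list

// Mapped attribute values arrive as strings; accept a bare name, a JSON array or
// a comma-separated list, and keep only group names this application knows.
function parseGroups(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return [];
  let parts;
  try {
    const parsed = JSON.parse(raw);
    parts = Array.isArray(parsed) ? parsed : [parsed];
  } catch (_) {
    parts = raw.split(",");
  }
  return parts.map((g) => String(g).trim()).filter((g) => ALLOWED_GROUPS.has(g));
}

function preTokenGenerationHandler(event) {
  if (!String(event.triggerSource).startsWith("TokenGeneration_")) {
    return event; // not a token generation invocation; leave untouched
  }
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = parseGroups(attrs[GROUP_ATTRIBUTE]);
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    // Custom claim carrying the validated list; claim values must be strings.
    claimsToAddOrOverride: { group: groups.join(",") },
    // Also populate cognito:groups so group-based checks on the ID token work.
    groupOverrideDetails: { groupsToOverride: groups },
    // Do not expose the raw mapped attribute itself in the token.
    claimsToSuppress: [GROUP_ATTRIBUTE],
  };
  return event;
}

// Constructed sample event in the Pre Token Generation V1 shape.
const SAMPLE_TOKEN_EVENT = {
  triggerSource: "TokenGeneration_HostedAuth",
  userName: "oidc_johndoe",
  request: {
    userAttributes: {
      sub: "...",
      email: "johndoe@example.com",
      "custom:group": '["admin","unknown"]',
    },
    groupConfiguration: { groupsToOverride: [], iamRolesToOverride: [], preferredRole: null },
  },
  response: {},
};
```

Claims set through claimsOverrideDetails in the V1 event land in the ID token only; shaping the Cognito access token requires the V2 trigger event. Filtering against an allow-list keeps an IdP-supplied value from injecting arbitrary group names into the token.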
I have deployed WSO2 API Manager 4.1.0 on a Debian 10 machine using the ZIP archive.
I have configured my Keyrock instance as an external identity provider in the Management Console.
When I log in with the Keyrock admin account, I can access the Publisher of the API Manager.
However, with any other account, I get the following error:
Error 403 : Forbidden - The server could not verify that you are authorized to access the requested resource.
After many checks, I think I have correctly configured WSO2:
WSO2 API Manager configuration:
Basic Claim Configuration
Role Configuration (I also tried to give all roles to the user)
Federated Authenticators / OAuth2/OpenID Connect Configuration
Just-in-Time Provisioning
Keyrock configuration:
Application configuration
Users authorization
I have no WSO2 log when the error is displayed.
Here is the content of the JWT token that Keyrock sends back to WSO2:
{
  "organizations": [],
  "displayName": "",
  "roles": [
    {
      "id": "1a209432-7bfe-4055-9028-a42524fc5418",
      "name": "publisher"
    },
    {
      "id": "8192fef7-d77d-4389-a618-082ccddd33ad",
      "name": "apim_publisher"
    }
  ],
  "app_id": "babab169-10ea-4283-a64a-7fba4aca6ce9",
  "trusted_apps": [],
  "isGravatarEnabled": false,
  "id": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
  "authorization_decision": "",
  "app_azf_domain": "",
  "eidas_profile": {},
  "attributes": {},
  "shared_attributes": "",
  "username": "pierre.josselin",
  "email": "email#example.com",
  "image": "",
  "gravatar": "",
  "extra": "",
  "iss": "http://localhost:3000",
  "sub": "1a8f660f-d32f-46c1-a5f5-80a5cbffd219",
  "aud": "babab169-10ea-4283-a64a-7fba4aca6ce9",
  "exp": 1657904225,
  "iat": 1657900625,
  "at_hash": "9zTg2zPtFlbJpLmKE8Izsg=="
}
Thank you very much
I'm calling the SCIM2 REST service to get user information based on ID, but it doesn't return all user data. When I call https://localhost:9444/scim2/Users/8f9d1e34-c340-4ebe-af11-fa0c4575f676 passing username and password (Basic auth), I get this payload:
{
  "emails": [
    {
      "type": "home",
      "value": "test#test.com"
    }
  ],
  "meta": {
    "created": "2020-10-09T11:29:42.809803400Z",
    "location": "https://localhost:9444/scim2/Users/8f9d1e34-c340-4ebe-af11-fa0c4575f676",
    "lastModified": "2020-10-09T11:29:42.809803400Z",
    "resourceType": "User"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "roles": [
    {
      "type": "default",
      "value": "Internal/everyone"
    }
  ],
  "id": "8f9d1e34-c340-4ebe-af11-fa0c4575f676",
  "userName": "test"
}
But this user has more attributes, as seen below:
How do I return the whole user data?
Thanks in advance
The SCIM GET request on the /Users/{user-id} endpoint returns the SCIM user attributes that are defined under the urn:ietf:params:scim:schemas:core:2.0:User and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User claim dialects (management console -> Main Menu -> Identity tab -> Claims -> List). If a particular attribute (i.e. local claim) is not mapped to a SCIM user attribute, that value won't be returned in the SCIM user GET response.
In order to map such local attributes to SCIM attributes, you can follow the instructions in https://is.docs.wso2.com/en/latest/develop/extending-scim2-user-schemas/#extending-the-scim-20-api.
Moreover, you can find the SCIM core user attribute definitions here. An attribute's returned characteristic determines whether it appears in the response:
Returned.ALWAYS -> always returned in the response
Returned.DEFAULT -> returned in the response only if the attribute has a value
Returned.NEVER -> never returned in the response
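The returned-characteristic rule from the answer, applied to a stored user record as an added example (not the answer's or WSO2's code). The schema is a constructed subset of the SCIM core User schema in which an attribute missing from the schema stands for a local claim with no SCIM mapping; the stored user is constructed too, reusing the attribute names from the response above.

```javascript
// Added example, not the answer's code: applies the SCIM "returned"
// characteristic (RFC 7643, section 2.2) to a user record to produce what a
// GET /Users/{id} response contains. USER_SCHEMA is a constructed subset of the
// core User schema; an attribute absent from it models a local claim that is
// not mapped to any SCIM attribute and therefore never appears.

const USER_SCHEMA = {
  id: "always",
  schemas: "always",
  meta: "default",
  userName: "default",
  emails: "default",
  roles: "default",
  name: "default",
  phoneNumbers: "default",
  password: "never",
};

// SCIM treats null, empty strings, empty arrays and empty objects as "no value".
function hasValue(value) {
  if (value === null || value === undefined) return false;
  if (typeof value === "string") return value.length > 0;
  if (Array.isArray(value)) return value.length > 0;
  if (typeof value === "object") return Object.keys(value).length > 0;
  return true;
}

function buildScimResponse(user, schema = USER_SCHEMA) {
  const response = {};
  for (const [attr, value] of Object.entries(user)) {
    const returned = schema[attr];
    // Unmapped local claims and "never" attributes (e.g. password) are dropped.
    if (returned === undefined || returned === "never") continue;
    // "always" is emitted regardless; "default" only when there is a value.
    if (returned === "always" || hasValue(value)) response[attr] = value;
  }
  return response;
}

// Constructed stored user: holds more data than the GET response will show.
const STORED_USER = {
  id: "8f9d1e34-c340-4ebe-af11-fa0c4575f676",
  schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
  userName: "test",
  emails: [{ type: "home", value: "test@example.com" }],
  roles: [{ type: "default", value: "Internal/everyone" }],
  name: {},          // no value: omitted under "default"
  phoneNumbers: [],  // no value: omitted under "default"
  password: "hunter2",
  department: "Sales", // local claim with no SCIM mapping
};
```

Running buildScimResponse(STORED_USER) yields only id, schemas, userName, emails and roles, which is the same shape as the response in the question: the missing department value is not a bug in the GET but an attribute that has no SCIM mapping.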
I have created custom attributes inside an AWS Cognito pool. Now I'm adding a Post Authentication Lambda, and inside the Lambda I want to read the custom attributes and the logged-in username.
Inside Node.js lambda :
var email=event.request.userAttributes.email;
var refNumber=event.request.userAttributes.ref_number; //custom attribute
var loginid=event.request.userAttributes.username;//loggedin id in cognito
I am able to fetch the email properly; however, both the logged-in username and the custom attribute come back undefined.
The custom attributes are named custom:xxx, where xxx is your custom attribute name:
{
  "version": "1",
  ...,
  "userName": "...",
  "triggerSource": "PostAuthentication_Authentication",
  "request": {
    "userAttributes": {
      "sub": "...",
      "cognito:user_status": "CONFIRMED",
      ...
      "locale": "en",
      ...
      "custom:xxx": "yyy"
    },
    "newDeviceUsed": true
  },
  "response": {}
}
So for your ref_number, it should be event.request.userAttributes['custom:ref_number'].
The username is simply event.userName.
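A Post Authentication handler that reads the fields using the keys the answer gives, as an added example (not the answer's or the poster's code). custom:ref_number is the poster's attribute; the format rule applied to it and the sample event are constructed for illustration.

```javascript
// Added example, not the answer's code: a Post Authentication trigger that reads
// the username from event.userName and custom attributes through their
// "custom:" prefix. REF_NUMBER_PATTERN is a hypothetical format rule; the sample
// event is constructed.

const REF_NUMBER_PATTERN = /^[A-Z0-9-]{4,32}$/;

// Collect every custom attribute, stripping the "custom:" prefix Cognito adds.
function readCustomAttributes(userAttributes) {
  const custom = {};
  for (const [key, value] of Object.entries(userAttributes || {})) {
    if (key.startsWith("custom:")) custom[key.slice("custom:".length)] = value;
  }
  return custom;
}

function postAuthenticationHandler(event) {
  if (event.triggerSource !== "PostAuthentication_Authentication") {
    throw new Error(`unexpected triggerSource: ${event.triggerSource}`);
  }
  const attrs = (event.request && event.request.userAttributes) || {};
  const refNumber = attrs["custom:ref_number"];
  const record = {
    username: event.userName, // top-level, not inside userAttributes
    email: attrs.email,
    // Treat an attribute value the way you would any user-controlled input:
    // validate its format before using it downstream.
    refNumber: typeof refNumber === "string" && REF_NUMBER_PATTERN.test(refNumber) ? refNumber : null,
    newDevice: event.request.newDeviceUsed === true,
    custom: readCustomAttributes(attrs),
  };
  // Post Authentication must hand the event back unchanged; `record` is what
  // the function would log or persist.
  return { event, record };
}

// Constructed sample event in the Post Authentication shape shown above.
const SAMPLE_POST_AUTH_EVENT = {
  version: "1",
  triggerSource: "PostAuthentication_Authentication",
  userName: "jane",
  request: {
    userAttributes: { sub: "...", email: "jane@example.com", "custom:ref_number": "REF-1234" },
    newDeviceUsed: true,
  },
  response: {},
};
```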
I can get an id_token from WSO2 5.2 by hitting
https://localhost:9443/oauth2/token
The id_token can be customized by mapping a local claim to an OIDC claim in OpenID.
For instance, I can add a role to the JWT token from WSO2. However, I can't get the WSO2 user to show up in the token.
{
  "at_hash": "VFjcb6kEgMrXIemmg7AAMQ",
  "sub": "kramercecret",
  "iss": "https://a2d92f278368:9443/oauth2/token",
  "preferred_username": "Pikachu Jigglpuff",
  "given_name": "Pikachu Jigglpuff",
  "aud": [
    "3j8Bf3bx_mdLagZgTjaZUeDHjAoa"
  ],
  "azp": "3j8Bf3bx_mdLagZgTjaZUeDHjAoa",
  "auth_time": 1467078553,
  "scope": [
    "Internal/everyone",
    "Approver"
  ],
  "name": "Pikachu Jigglpuff",
  "exp": 1467082172,
  "iat": 1467078572,
  "email": "pikachu.jigglypuff#yahoo.com"
}
Has anyone done this before?
The purpose of this is to access the username in the ID_Token and let Spring Security decode the JWT token, then store the username in the database.
Thank you very much.