AWS Cognito allows 2FA after username/password login but not after social sign-in.
Is there any way to enforce two-factor authentication for a user after Google or any other identity provider login?
If you allow your users to use third-party auth options like Google, Facebook, etc., then it's up to those providers to mandate MFA/2FA. If you want to enforce MFA for whatever reason, then don't allow federated authentication. Documentation on how to add MFA with Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
Can we find out whether an AWS IAM user is valid using OAuth or some other authentication flow from a third-party application?
There are several examples of how you can authenticate your users in the AWS documentation. IAM supports Identity Federation in various ways depending on your use case.
For IAM users there are AWS Single Sign-On, integration with Microsoft Active Directory, configuration of SAML 2.0 Federated Users, AD FS, etc.
For non-IAM users, typically the end users of your application, you can create a Cognito User Pool and then configure Identity Providers for Your User Pool. Options include Facebook, Google and Amazon accounts, as well as OIDC (OpenID Connect) and SAML IdP (Identity Provider).
Please see the links above to find more information, references and examples.
I have an authentication service currently integrated with CA Layer 7 API Gateway. When a user presents a username/password to L7, it forwards the call to the auth service, which returns a JWT and session ID if the credentials are valid.
I am looking to integrate this auth service with AWS API Gateway through Cognito Federated Identities. I am not clear on how to integrate this setup and migrate the existing users to the user pools. I am looking for an option to eliminate the need to save credentials in an internal database. Is it possible once I migrate the users to user pools? Also, what features should my auth service be able to support when added to federated identities?
It would be really helpful if you could share the relevant implementation samples.
You can import users into the Cognito user pool. This will transfer all information except for the password. All users will need to create a new password when they try to log in for the first time.
If you don't want to use user pools you can just add your current authentication as a federated identity provider.
I think you should stick to just using federated identity unless you are not satisfied with your authentication app, since the Cognito user pool requires passwords. It will be far simpler to just create a federated identity pool and configure your app with it.
Will Amazon Cognito Provide any control over the federated identities?
I want to be able to block a Google or Salesforce user.
I don't want to allow some federated guy to enter.
Yes, developers configure the federated identity providers they want to use for each User Pool, and they can choose for each app client which identity providers are offered. (Assuming you are asking about federation with Cognito User Pools.)
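Beyond choosing which identity providers an app client offers, a Pre Sign-up Lambda trigger gives per-user control of the kind the question above asks for: Cognito invokes it with triggerSource "PreSignUp_ExternalProvider" the first time a federated user signs in, and raising an exception blocks the sign-up. The following is an added example, not code from the original answer; the blocked provider name, the allowed email domain and the sample event are constructed for illustration.

```python
# Added example (not from the original answer): a Cognito Pre Sign-up Lambda
# trigger that rejects unwanted federated users. Cognito invokes it with
# triggerSource "PreSignUp_ExternalProvider" the first time a federated user
# signs in; raising an exception aborts creation of the user-pool profile and
# returns the error to the client. Provider names, the allowed domain and the
# sample event are constructed for illustration.

BLOCKED_PROVIDERS = {"Salesforce"}        # hypothetical: IdPs rejected outright
ALLOWED_GOOGLE_DOMAINS = {"example.com"}  # hypothetical: Google users need a corporate domain

class FederatedSignUpRejected(Exception):
    """Raised to block the sign-up; Cognito relays the message to the client."""

def provider_from_username(username: str) -> str:
    # Federated user names have the form "<ProviderName>_<provider user id>".
    return username.partition("_")[0]

def lambda_handler(event, context=None):
    # Native sign-ups (PreSignUp_SignUp, PreSignUp_AdminCreateUser) pass through.
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event
    provider = provider_from_username(event.get("userName", ""))
    email = event["request"]["userAttributes"].get("email", "").lower()
    domain = email.rpartition("@")[2]
    if provider in BLOCKED_PROVIDERS:
        raise FederatedSignUpRejected(f"Sign-in via {provider} is not permitted")
    if provider == "Google" and domain not in ALLOWED_GOOGLE_DOMAINS:
        raise FederatedSignUpRejected("Google accounts outside the allowed domains are not permitted")
    return event

def is_permitted(event) -> bool:
    """Run the trigger logic outside Lambda and report whether the sign-up passes."""
    try:
        lambda_handler(event)
    except FederatedSignUpRejected:
        return False
    return True

def sample_event(username, email):
    # Constructed event in the shape Cognito passes to the Pre Sign-up trigger.
    return {
        "version": "1",
        "triggerSource": "PreSignUp_ExternalProvider",
        "userName": username,
        "request": {"userAttributes": {"email": email}},
        "response": {"autoConfirmUser": False},
    }
```

Attach the function as the user pool's Pre sign-up trigger; a federated user who already has a profile in the user pool can additionally be disabled with the same AdminDisableUser call used for native users.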
So my app authenticates users using AWS Cognito and Facebook login. I managed to make the authentication work; now my problem is that I need to disable or deactivate a user from authenticating with my app. For Cognito users I can just use my user pool and disable the account, but how can I do the same for Facebook users? Is it possible to disable/deactivate users using the federated identity?
I am using AWS Cognito to manage my app's sign-in and log-in. This way I authenticate my user against the user pool and obtain the JWT tokens (ID token, access token and refresh token); I am using the ID token to authenticate my app against the backend.
Now I want to integrate my app to sign in and log in with Facebook, Gmail and others. As far as I know I should use AWS Federated Identities, but I don't know how I can create my user in the user pool using the Facebook login (e.g.) and obtain the tokens. May someone help me?
The way to federate identities into AWS is by using AWS Cognito Federated Identities, as you mentioned. Your user pool can be configured as an identity provider for your identity pool, similar to Facebook and Google. So all these options function as identity providers for your identity pool in order to federate identities into AWS.