I use the AWS stack in the BE for a mobile app. I have an AWS Cognito User Pool and have already organized authentication through Google, Facebook and Apple. Now I need to implement/configure authentication through the VK social network. VK doesn't support OpenID but it supports OAuth 2.0.
Unfortunately, I don't understand how I can implement it. Please share your experience.
OAuth is only about authorization. There is no authentication here. So to implement what you need you either have to implement the authentication yourself (and expose an OIDC token to Cognito), or use a third-party solution that can do it for you (whether it's paid or not).
While describing how to build your own OIDC wrapper for OAuth would be a topic for at least a few blog posts, what I can suggest is to use an existing solution that can integrate with VK.
One of those solutions is Auth0 (and no, I'm not associated with them in any way). It has a connector for vKontakte.
You basically need to chain the flow like this:
Configure Auth0 to authenticate with VK
Configure Cognito with Identity Pool and an OIDC connector with Auth0
This will work as follows:
You call Cognito's UI which will redirect you to Auth0
On Auth0 you will have a button to redirect to VK
After successful sign in you will be redirected to Auth0 and there you will have a new user
Auth0 will redirect back to Cognito and it will sync user data from Auth0 to your User Pool
That's just an example and there are probably more providers that could do the same thing.
I am working on a project where we have existing Google Sign-in and we would like to convert to AWS Cognito so we can get username and password authentication as well as other social logins such as Facebook in the near future. In a feature branch of our API, we have working Cognito authentication via JWT. My current issue is exchanging the Google authentication response payload for Cognito's JWT.
In our JavaScript, I am able to get a Google authentication response object that has the tokenId field. It is my understanding that I should be able to exchange that with Cognito for their JWT that I can use for interacting with my API. I have the Google app created and configured in the Cognito User Pool.
What has been frustrating in trying to figure this out is that all the documentation seems to focus on new apps or just on the hosted UI for Cognito. I have dug through GitHub issues and blog posts that claim this should be easy. I'm hopeful I'm missing something easy.
For reference, here is the code I have to sign in with Cognito and extract the JWT.
const user = await Auth.signIn(username, password);
dispatch(addToken(user.signInUserSession.idToken.jwtToken));
This is the library we've used for Google Sign-in: https://www.npmjs.com/package/react-google-login.
You cannot use third party tokens on your client side and exchange them with Cognito for Userpool tokens.
You can exchange client side third party tokens for an Identity pool token.
I think this page on common scenarios might help you visualise the processes
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html
You probably need to do one of two things:
Set up an identity pool and then exchange your Google token for an identity pool token. Keep in mind an identity pool can only provide authorisation (not authentication), so if you need Userpool data out of Cognito this is not the option for you.
Change your approach so that Cognito does the exchange with Google. It will return you a code which you then exchange with your Userpool Token endpoint for Userpool tokens.
Have you configured Google as a federated IdP in your Cognito user pool? https://aws.amazon.com/premiumsupport/knowledge-center/cognito-google-social-identity-provider/
I deployed an AWS application load balancer to route requests to my backend service, and I'd like to add authentication to it via Cognito basic username and password.
I have read this doc https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html and it only mentions OIDC, SAML, LDAP etc. How can I use username/password to authenticate on the ALB?
The ALB itself provides direct integration with Cognito as an authenticator.
First, you need a Cognito User Pool. Within it, you need to create an App Client. This will then be used by the ALB when it uses OpenID Connect as a relying party in order to authenticate users against Cognito using the Authorization Code Flow.
So, for every route in your listener rules, you can add an "Authenticate using Cognito" step, where you then select your Cognito User Pool and the App Client Id.
After that, every request for this listener rule will first redirect the user to the Cognito login page.
Since Cognito itself can also federate authentication to other Identity Providers, such as Facebook, Google, etc., this is also an option. But if you only want username/password authentication, then Cognito already gives this as an option for users in your user pool.
Basically, all the steps are explained in your mentioned AWS documentation page.
AWS Cognito provides two services: user pools and identity pools. Both are similar but different concepts, ok so far.
I want to use the feature federation of a user pool.
I do NOT want to use this feature with the hosted UI.
I do NOT want to use this feature with identity pool.
I would like to use the federated login (Facebook or Google) of a user pool in a React Native application, for example using only the AWS SDK, e.g. the Auth SDK from Amplify.
However, I find no possibility to use the federated login of the user pool over the API (not the hosted UI).
A synonym of Auth.signIn but with Facebook federation using React Native, for example with Expo.
With Expo I get the Facebook tokens via
const { type, token, expires } = await Expo.Facebook.logInWithReadPermissionsAsync(aws_exports.aws_facebook_id, {
permissions: ['public_profile'],
});
How to use federated Auth using aws-amplify API without hosted UI?
Amplify does not use a User Pool API for signing in via a third-party provider, and the APIs offered for third-party providers are just for Identity Pools. Currently, there's a feature request with the AWS Amplify SDK team for the same.
A workaround would be to use the AUTHORIZATION Endpoint directly, and make suited HTTP requests to achieve your requirements.
Here's a post that shows how to use Google and Facebook to authenticate with the user pools. It's way too much to repeat here, so check out the link.
https://dev.to/dabit3/the-complete-guide-to-user-authentication-with-the-amplify-framework-2inh
Hope this helps.
I searched all over, tutorials, web, everybody jumps away without explaining (I understand why) the checkboxes in app client settings:
Enable sign-in API for server-based authentication
Only allow Custom Authentication
Enable username-password (non-SRP) flow for app-based authentication
The learn more link does not help me, lots of information and not so easy to understand or grasp. Can someone explain these settings?
Here is my take on the matter.
App client has several Auth Flow Configurations.
1. Enable username password auth for admin APIs for authentication (ALLOW_ADMIN_USER_PASSWORD_AUTH)
This enables the Server-Side Authentication Flow, for when you don't have an end-user app but instead use a secure back end or server-side app.
2. Enable lambda trigger-based custom authentication (ALLOW_CUSTOM_AUTH)
This enables the Custom Authentication Flow. This can help you create a challenge/response-based authentication model using AWS Lambda triggers.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
Under User Pools -> Triggers you can see many lambda functions. You can use Create Auth Challenge, Define Auth Challenge and Verify Auth Challenge Response functions to create a custom authentication flow.
3. Enable username password based authentication (ALLOW_USER_PASSWORD_AUTH)
This enables Client Side Authentication Flow that uses user password-based authentication. In this flow, Cognito receives the password in the request.
You can use AWS Mobile SDK for Android, AWS Mobile SDK for iOS, or AWS SDK for JavaScript to implement this.
4. Enable SRP (secure remote password) protocol based authentication (ALLOW_USER_SRP_AUTH)
This is similar to the above flow in section 3. except for the password verification. This flow uses the SRP protocol to verify passwords.
http://srp.stanford.edu/whatisit.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html
5. Enable refresh token based authentication (ALLOW_REFRESH_TOKEN_AUTH)
After successful authentication, Amazon Cognito returns user pool tokens (three tokens) to your app. You can use the tokens to grant your users access to your own server-side resources, or to the Amazon API Gateway. Or, you can exchange them for temporary AWS credentials to access other AWS services.
The three tokens are the ID Token (JWT), Access Token and Refresh Token. The refresh token can be used to retrieve new ID and access tokens. Once you log in to a mobile app, you do not need to log in each time you close and open the application; this functionality is implemented using refresh tokens.
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
What about the Amazon Cognito hosted UI?
App clients can be configured to use built-in Cognito webpages for signing up and signing in users. When using the hosted UI you can enable both the Authorization code grant and the Implicit code grant, and then use each grant as needed.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
Here is my attempt at explaining these options. Before that I would like to briefly mention OAuth2, which is the protocol on which AWS Cognito is based.
In the context of AWS Cognito, Cognito itself is the Authentication (OAuth) server and also the Resource server (because we create users in Cognito user pool) and your app would be the Client (which sends the authentication request). The client has to first register itself with the OAuth server - this is what is being done in the "App clients" section of Cognito.
The recommended OAuth2 flow is the Authorization Code Grant flow. In this flow,
i) The Client sends username/password to the OAuth Server.
ii) The OAuth server validates and calls back the client with an authorization code.
iii) The Client again sends this code back to the OAuth server.
iv) The OAuth server sends the tokens to the Client.
Please read the above linked article for more explanation on OAuth2.
Now explaining the options in Cognito App Client settings:
1. Enable sign-in API for server-based authentication
With this option, your client app can directly receive the tokens without having the additional step of first getting the authorization code.
There are Cognito APIs like AdminInitiateAuth and the other Admin-* calls which do this. However, these APIs require AWS admin credentials. Hence usually these calls are done by the backend server of the client app. The front-end can pass the username/password to the backend and the backend server can communicate with AWS Cognito and authorize the user.
2. Only allow Custom Authentication
Here you don't use the OAuth provided authorization code grant flow. Instead, you can define your own steps and challenges. Your client app can ask a secret question etc, before authenticating and giving tokens.
3. Enable username-password (non-SRP) flow for app-based authentication
This is the least safe flow. This skips the part of returning the authorization code and directly returns the tokens back to the client.
I hope this explains.
I am attempting to allow a third party app (Google Home) to access information from an AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our OAuth2 page where they log into their account in the Cognito user pool
They successfully log in and are provided with an OAuth token
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to set up the Cognito user pool as an OAuth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities) but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Login to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URIs as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://.auth..amazoncognito.com/authorize?client_id=&redirect_uri=&response_type= and same way you can find the token endpoint.
More details...