Using AWS I have a lot of Chrome tabs open with multiple services. When I switch between them I am constantly getting signed out. Sometimes it's a matter of just a few minutes.
AWS minimum session duration is one hour, so that's probably not the problem. How can I tackle this? Getting logged out of Lambda makes it lose all the undeployed code, this is very inconvenient.
Edit:
Answering the question in a comment: I do have multiple accounts and when I want to open a tab with a new service I just click management console (screenshot) and follow on from there. It appears to cause the actual logout.
But here's the thing - I am currently using resources only from the first account. So (since I'm within one account all the time) it shouldn't log me out right?
I see this message when I use AWS on one account, then log in to a different account in a different tab. If I return to the original tab, it recognises that I am no longer logged into the first account and asks me to reload.
It seems that you are using SSO to login and it is generating a different set of temporary SSO credentials. Instead of using that link, select the AWS service from the search field at the top of the console, then right-click the service and "Open in New Tab". That will open the other service in a new tab, using the same login credentials.
I have created a Gmail/Calendar add-on in Google Apps Script and I want to publish it to the marketplace.
I am following the steps at https://developers.google.com/workspace/marketplace/configure-oauth-consent-screen#fill_out_the_oauth_consent_screen. I am on the "Submit for OAuth verification" step which leads to https://support.google.com/cloud/answer/9110914#submit-howto. It says:
Click the Edit App button.
Enter the information required on the configuration page, and then click Submit for verification. If the submit for verification button does not appear at the end of the configuration pages, save what you have completed and repeat steps 1-4.
I have gone through all the steps but the Submit for verification never comes up. I'm not sure what I am doing wrong?
Your first problem is that you do not have a domain name that you own/control. gmail.com and github.com are not owned by you.
Verify your site ownership
Your second problem is that you are requesting restricted scopes. Google will probably demand a security audit. Sensitive scopes can also trigger an audit.
To verify, create another client and remove the sensitive and restricted scopes and add a domain name that you own/control. To read more about the effect of scopes and possible exceptions:
Sensitive and Restricted Scopes
I'm trying to create my first project in google cloud with organization's administrator account. I have access to the administrator's email and passwords and I am logging in with that account to do so. The problem is that when I click on create new project I receive the following error:
There was an error while loading /home/dashboard?project=proven-now-305315&authuser=1.
You are missing at least one of the following required permissions:
Project
resourcemanager.projects.get
Check that the project ID is valid and you have permissions to access it. Learn more
Send feedback
The detail is that in my resource administration panel I already gave the permission that they ask me to the resource as shown in the following image:
As I have read, the project IAM Admin role should grant the resourcemanager.projects.get role and as you can see in the image the resource rcv # .. which is the administrator has it activated, however I keep trying to create a new project and it doesn't allow me to do it. Any idea?
In case anybody else, like me, reaches this answer, I want to point out that the accepted answer is correct, but for me I had to also make sure that within the settings, I ensured that Project Creation Settings on the right pane and under the section of Cloud Resource Manager Api Settings was set to on. It was turned off by default. Many people on my team overlooked this as it is significantly smaller text.
This may be an option that was not present before or it was turned on by default in the past. For us, it was turned off.
Please refer to the included image for a visual representation of the settings that need to be turned on.
The problem was that, for some reason, Google Cloud was disabled for all users. I solved it by following these instructions. Solved with this!
To activate this service, please follow the steps:
Access the admin console and go to Apps -> Additional Google Services
Look for the service “Google Cloud Platform” and click on the box next to it
In the top right corner, click “ON”
Confirm you want to turn it on in the pop-up box.
I am able to logout and login but there is 1 particular scenario which I am not able to achieve.
Scenario:-
User logs in using federated social login (Google), using hosted UI directly.
Now the user clicks on logout it directs it to AWS Cognito logout URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/logout?
response_type=token&client_id=xxxxxxxxx&logout_uri=https://abc/logout.html
It logs out the user successfully and redirects the user to the logout page as mentioned in the URL.
Now when the user tries to log in again with a different account, he is forced to use his previous Google login only.
I want functionality such that the user can log out and then log in again, with the same account or with a different one, depending on his choice.
The important point to note is I can't use AWS-Amplify or any javascript framework, only plain javascript.
The reason you are always forced to log in with the same user seems to be that the /logout? endpoint only logs out the user on Cognito, but Cognito does not communicate to Google that it should log you out of your device. Thus, every time you sign back in and the Google Authentication screen is launched Google still remembers the device and sees that you're still logged in. As a result, the redirect URI is triggered without you ever being prompted to choose a new account.
I'm running into the same issues on a React Native project, but have yet to find any evidence that Cognito offers an endpoint to force it to also sign you out of the Identity provider (i.e. Google).
PS: Here's another stackoverflow discussion with more info: AWS Cognito - How to force select account when signing in with Google
One of the responses in that thread mentions calling Google's logout endpoint directly as part of the signout flow. It's definitely not pretty, but since you're using plain Javascript it might be a sufficient solution.
If you find a cleaner solution please make sure to share it, as I'd be interested to hear what you find :)
Well, I got it working, but I don't think it's an issue; rather it's a kind of behaviour that every developer who is trying to integrate Google login into their application should know. Here are the few scenarios I have checked and their respective behaviour.
My AWS Cognito Login URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/oauth2/authorize?
identity_provider=Google&redirect_uri=https://xxxxxx/login.html&response_type=TOKEN
&client_id=xxxxxxxxxxxxxxxxx&scope=phone%20email%20openid%20profile
My AWS Cognito Log out URL
https://xxxxxxxxx.auth.us-east-2.amazoncognito.com/logout?
client_id=xxxxxxxxxxxxxxxxxxxx
&logout_uri=https://xxxxxxxxxxxxx/logout.html
By using the above URL when I log out, I don't get logged out from the Chrome browser.
This behaviour is an issue for many people.
So when your Chrome browser has only 1 account logged in, at that time AWS Cognito Google login won't redirect to a page where you can select a different user, because you have only a single user through which it gets logged indirectly.
Found out how we can show multiple logins: if you want another user to log in, he first needs to sign in to the Chrome browser, and when he clicks on Google login from the website he will then be able to select a user, as in Chrome we now have 2 users logged in to Google, from which he can select which user he wants to use for access.
I won't be accepting this as an answer because it's not how everyone wants this behaviour; I will wait a few days to see if someone can suggest a better way.
I think so, for now, we have to go with this.
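The hosted UI URLs from the posts above, built in plain JavaScript as an added example (not code from the original posts). The domain, client ID and redirect URIs are placeholders, and the `state` parameter with its check on the redirect is an addition the posts do not use.

```javascript
// Added example: every value in `cfg` is a placeholder, not taken from the posts.
const cfg = {
  domain: "https://example-pool.auth.us-east-2.amazoncognito.com", // hypothetical
  clientId: "EXAMPLE_CLIENT_ID",
  loginRedirect: "https://app.example.com/login.html",
  logoutRedirect: "https://app.example.com/logout.html",
};

// Random value tied to one login attempt (browser Web Crypto API).
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Hosted UI login through Google, implicit grant as in the post.
function buildLoginUrl(c, state) {
  const q = new URLSearchParams({
    identity_provider: "Google",
    redirect_uri: c.loginRedirect,
    response_type: "token",
    client_id: c.clientId,
    scope: "phone email openid profile",
    state, // assumption: added here so the redirect can be matched to this attempt
  });
  return `${c.domain}/oauth2/authorize?${q}`;
}

// Sign-out takes client_id and logout_uri only. The request goes to the
// Cognito domain, so it ends the Cognito session and leaves Google's cookies alone.
function buildLogoutUrl(c) {
  const q = new URLSearchParams({ client_id: c.clientId, logout_uri: c.logoutRedirect });
  return `${c.domain}/logout?${q}`;
}

// Parse the fragment appended to redirect_uri; reject a missing or mismatched state.
function parseLoginRedirect(hash, expectedState) {
  const p = new URLSearchParams(hash.replace(/^#/, ""));
  if (!expectedState || p.get("state") !== expectedState) throw new Error("state mismatch");
  const accessToken = p.get("access_token");
  if (!accessToken) throw new Error("no access_token in redirect");
  return { accessToken, idToken: p.get("id_token"), expiresIn: Number(p.get("expires_in")) };
}
```

In the browser, keep the value from `newState()` in `sessionStorage` before redirecting and pass `location.hash` with that stored value to `parseLoginRedirect` on the login page.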
I'm working with a client to setup service account credentials, for the purpose of reading G-Suite Directory information over API.
I've done this a dozen times before with no issues, and now I'm having a problem with a setting not showing up for the client.
Below is an image that shows what I would see normally. The area circled in red is where the ability to enable Domain-Wide Delegation exists.
However, the client does not see that section. Instead they see this button. And clicking the button just displays the Client IDs, but doesn't have an option to Enable Domain-Wide Delegation.
We haven't gone through the entire setup to test if this service account works, and I haven't been able to duplicate this UI interface with my testing accounts. I always get the "Show Domain-Wide Delegation" from the first image, and not the button.
The client says they are a Super Admin on the G-Suite Admin Console. I have detailed instructions for all the steps prior, which they said are exactly correct. The only difference is when they get to this page.
I was hoping someone would have some insight into why this interface would be different, and what might be some ways around fixing it?
If you don't see the checkbox, it means you don't need to enable it. You can get the client ID from the UI or by looking at the JSON private key you downloaded, and use that to authorize your scopes in the Admin console.
(thanks #kspearrin who also mentioned that in the comments)
I want to use Cognito for my WebExtension for Chromium and Firefox.
I have two problems.
1) Hosted UI from Cognito not at my domain - so users may think why:
For branding and security I want to host the UI from Cognito on my domain. Because my product is a browser extension, I think that I can embed the login UI in an iframe in the popup UI (which is shown when the user pushes the extension's button).
2) Redirect after Google to the AWS - because of that user will see Choose an account to continue to amazoncognito.com but the correct text must be Choose an account to continue to <domain-of-my-project>:
Looks like this is not possible to redirect to my domain with saving automation of Cognito about exchanging of code from Google to access token from Google for getting email of user. In the documentation about domain for user pools mentioned only sub-sub-sub domain under amazoncognito.com. If this is not possible - would be useful to mention it in documentation.
Adding a customized domain is not available now. We have heard this request from multiple customers and would look into adding it in our future releases.
I'm confused about your second question, can you explain more about it?
With regard to your 2nd question: it's true that ideally you would want to be able to have a custom domain, but the fact that Google is showing amazoncognito.com is a problem with your configuration in your GCP account.
Under the API->Credentials tab in the GCP console, you can adjust the product name and logo to be displayed. The problem is that you need to pass a review of your app before Google starts showing them. This was changed by Google after some phishing hacking attempts (https://developers.googleblog.com/2017/05/updating-developer-identity-guidelines.html).
To submit your app for a review: https://support.google.com/code/contact/oauth_app_verification