https://consumerdatastandardsaustralia.github.io/standards/#security-profile
I am trying to setup AWS Cognito as an OIDC provider. Able to create User pool however there are lots of custom data needed. Such as ".well-known/openid-configuration" of Cognito returns few details but missing introspection_endpoint, revocation_endpoint, claims_supported etc.
Similary, customization of /authorize endpoint with additional claims is needed.
Any help or suggestions would be really helpful.
Regards & Thanks
Claims can be somewhat customised with a lambda: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
introspection_endpoint and revocation_endpoint are not core oauth and are extensions. I have found Cognito does not generally implement extensions, there are many parts of oauth2 core not implemented also.
Cognito is missing many many features you may expect to get out of the box, there is a seemingly large and opaque backlog which support constantly reference when you point out that a standard feature is missing.
no silent refresh capability in the hosted UI, so no safe way to store the refresh token.
no support for custom auth flow in the hosted UI
no passwordless support in the hosted UI
no ability to pre-populate a field in the hosted UI (e.g. username)
no ability to customise the plethora of obscure error messages in the custom UI
fixed now, but for years the email addresses were case sensitive!
If you choose not to use the hosted UI there is no way to get any oauth scopes.
There are many non-oauth cognito idp calls that you may be able to use with the access token: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/index.html
If these don't fit your needs, I would suggest you consider other auth services, or adjust your expectations if you choose to move forward with Cognito. Good luck!
Related
I'm currently working on a way to hand off creation of users in a Userpool to my product team so that I don't need to handle user creation and password resets anymore. The key here is that the tool I give them needs to be simple and non-technical, and not require them going into was with permissions, knowing how to use Cognito and make the users within Cognito. This also needs to not be a public facing signup (i.e. the folks using the page need to never see the signup form). This is for my team's developer documentation which integration partners cannot see until they meet with us.
Looking at all the possibilities and the AWS API documentation has been making my head spin, though. I'm not sure what the best way to create this tool - the Cognito SDK? The AWS AdminCreateUser API? Or is there a way to set this up with the built in signup page UI provided by Cognito but host the signup page elsewhere (somewhere that people who look at our documentation will never see a signup page)?
Please let me know what your approach would be if given this problem. I'm a pretty green jr. developer and don't have much experience with AWS.
If you really don't want to use the built-in Cognito UI to create users, you would need to come up with an alternative custom solution. Mind you will need to implement all features you expect from such user administration tool, including login for administrators into the tool itself.
With AWS Cognito APIs you can do everything native UI can do (and even more, like setting user attributes which is not available at Cognito console).
Quick google search led me to this project: https://github.com/jzoric/cognito-user-manager-ui which may be a good starting point if you decide to go this route.
Alternatively you may want to explore other SAAS solutions (Auth0 or Okta) which may provide better native UI out of the box.
I want to use AWS services into my app for authentication and basic functionalities which include : Login, Register, Forgot Password, Change Password, Delete account, etc.
I have searched a lot and found that there are many ways :
By using Amplify Framework
AWS Mobile client
By Amazon Cognito
By Identity Provider
Actually, I am little confused, what is the difference between all these ? Which one is the best way to implement ? And while go for documentation, there are so many official documentation about it on google. Which can be consider ?
https://github.com/awslabs/aws-sdk-ios-samples/tree/master/CognitoYourUserPools-Sample/Swift
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSMobileClient/index.html
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSCognito/index.html
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSAuthCore/index.html
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSCognitoAuth/index.html
What are all these use for ? Can anyone differentiate ?
these are all abstractions on top of the lower level generated Cognito Client designed to make it easier on the developer to call Cognito API's. The lowest level ones are AWSCognito, AWSAuthCore, and AWSCognitoAuth. The AWSMobileClient is a higher level abstraction built on top of all of these to make it easier to hit the Cognito API's in a way most developers can understand (Cognito can be fairly complex) and is the one the Mobile SDK teams here at AWS recommend using. Amplify will have an Auth category which will be an even higher level abstraction and will also be generic to any auth provider when it is done but right now it's still in progress( you can track PR's for the Auth category here and here) thus Amplify is depending on the AWSMobileClient for auth at the moment.
Looking for insight into a use case in Django REST Framework (DRF) and supporting customer defined authentication method: TokenAuthentication (by default), SAML 2.0 SSO, OAuth2 federated login. The method is set per customer account. I know I would enable SAML 2.0 support for all users in DRF, but I don't see how to have each user account in our software use their own Auth engine, method and settings. DRF seems to want an all or nothing configuration.
I'm aware of both django-saml2-auth plugin and this StackOverflow question SAML SSO Authentication with Django REST Framework
django-saml2-auth is a great plugin and is likely involved in the solution, but I see no examples of how to have multiple different authentication methods on a per account in your app.
More details:
I want to allow a per customer method of supporting account settings enabling the option to select one of multiple authenticate methods such as TokenAuthentication (by default), or SSO and providing SAML 2.0 or Oauth2 setting. Every account could select from the enabled methods. DRF seems to expect a single authentication provider to be enabled. Not grokking how to do this in this framework yet. Currently using TokenAuthentication as the default authentication system. TokenAuthentication would remain the default provider for most accounts. I need to be able to allow more sophisticated enterprise customers to switch authentication methodology. That's the challenge. Adding SAML2 is simple. Using OAuth2 is simple. Allow any of them to be chosen by accounts, with each account having their own authentication workflow. This is quite a different requirement than the use case that django-saml2-auth solves. That plugin may be involved in the solution, but the limitation here seems to be the model DRF uses to define the authentication provider. I've scanned the DRF, and django-saml2-auth docs, code and examples. Nothing I've seen anticipates this.
My current working theory is that I could make it possible with a little creative thinking. Perhaps there's a different URL mapping that utilizes different login/authentication method. The logged in data token that must be provided in subsequent calls could have a custom validation method that works with all supported protocols without large new blocks of code. So my instinct is the problem is mapping the login process to something that is not universal and requires some type of pre-fetching of account configuration. My proposed solution there is in the login URL for the enterprise cases. But still DRF seems to still be lacking a method for defining the authentication process per each account. Say I use SAML2 through Okta, You use OneLogin, Another person uses an OAuth2 provider, and most customers use the default native TokenAuthentication. We're all users in the same DRF app. But there isn't a way I see to define authentication engine based on account.
I know there is a possible brute force method of customizing the method being invoked to perform the login action that could be non-standard, query to configuration for a customer, then use either native or a federated identity provider. However, I'm hoping there are more DRF grokking folks that know of other strategies to enable this functionality.
I understand that there is a chicken and egg syndrome in that until you know something about the customer making the request you won't know what their configuration is. We will most likely need to support a different login URL for enterprise customers who enable SAML. That way you could load the customer's configuration. Perhaps we would do something like use a URL like so: www.myproduct/login/the_customer_company. Being new to Django REST Framework I am not super clear how to wire up different methods of authentication within the Django settings.py or urls.py? The default new user configuration would remain TokenAuthentication based but on request a customer could configure SAML and use a different URL including the company name. Hopefully my question is clear. I see how to configure DRF to use SAML SSO instead of TokenAuthentication, but I want to allow customer configured settings.
DRF and the django-saml2-auth approaches seem to be "all or nothing" and provide a single authentication provider mapping for the application. I would love to be wrong about that limitation!
One option to achieve this would be to use an Identity Provider (IdP) that can act as an identity broker, for example Keycloak. Configured this way, your Django app would be configured for SAML authentication with the single IdP. The IdP can then be configured for whatever upstream SAML / OAuth identity providers it supports depending on the customer requirements.
How you get the users to the right upstream identity provider and still have a good user experience would have a few options. The two most obvious ones would be to either configure a custom URL for each user group, and have that URL redirect to the correct IdP landing page when logging on. Alternately you could perhaps have a login page on the Django site that asked for their login / email address (without password), and when they entered that it looked up the IdP URL associated with that user and then to sent them to the right place.
While this is not a Django module / code solution for the problem, it simplifies the authentication on the Django side, and decouples the authentication to an external service specifically designed to do auth, providing the app with more flexibility (and probably more security).
Everything I searched for returns info about internal user SSO, not client facing websites.
I need an SSO implimentation that works with sitecore's asp.net membership api or has it's own sitecore security provider to enable users who log in to publicfacingwebsite1.com to be able to be logged in to publicfacingwebsite2.com and logging out of one will log out of the other. I would prefer sitecore's asp.net membership provider as that will probably have the least upgrade implications in the future.
The domains are different top level domains. The websites are separate sites on the same sitecore instance.
I also need the side ability to impersonate a user (log in as the user) from an admin user, but once I have the main implementation, I'm sure I can find a method for the impersonation.
Regards
I would use a third party framework for the SSO part. For instance IdentityServer3
Here is a good introduction on how to use it together with Sitecore
In regards to the membership provider and the profile data, if you are thinking upgradeability, I am not sure it will be so, if you use the native membership provider. Sitecore will most likely switch to ASP.Net Identity in the near future. The ASP.NET Identity is supported in IdentityServer3, so you might obtain a shared user profile by using IdentityServer for the profile as well. But this is all guessing the future.
If you want to use the membership provider and the standard Sitecore profile provider, I am sure you can customize the implicit flow to map the Identity to a Sitecore user.
In my application i am using AWS SDK for development. i am able to do all the operations except user registration(In Developer authentication). In AWS they mentioned that for user registration we have to write our own backend code. But i do not have any idea about backend. I am thinking that if amazon provides straight forward solution for user registration it would be helpful. And i gone through server side setup(amazon provided sample code), but there we can register the user through browser not through ios client.
In my application user registration contains emaild, username, password and photo selection options.
For user registartion (developer authentication), i have done more research, but i did not find any direct solution.
Can any one please provide direct solution or any good tutorial to implement our own backend for user registration.
Thanks in advance.
You have a couple options to use Amazon Cognito and providing a complete registration system for users without building a backend: OpenID Connect and Open Source.
OpenID Connect: Since Cognito Supports OpenID Connect-compliant identity providers, you can leverage products out there that federate/broker multiple social providers and expose the federated user via OpenID Connect which have special support for Cognito including Ping Federate, Auth0, and SecureAuth to name a few. I also understood that Okta provides an OpenID Connect identity provider so it might be worth looking into.
Open Source: LambdaAuth is a bare bones project that leverages Lambda and Cognito to provide a registration and authentication backend. Cognito Helper is another one that appears to have more features and be more developed. If one of those have the features you need, they should be easy to deploy and run on server-less Lambda, so they're easy to maintain and you pay only for what you use.
While the details of your registration process will depend on the needs of your application, you may want to consider using API Gateway to front the registration logic you write.
API Gateway will generate an SDK for you which you can use in your application to call your API.
You can have your application call your registration API which handles all of the logic for doing the backend portion of acquiring credentials: http://docs.aws.amazon.com/cognito/devguide/identity/concepts/authentication-flow/#developer-authenticated-identities-authflow