AWS JWT authorizer not supporting google issuer - amazon-web-services

The issuer in the tokens from Google is: "accounts.google.com"
but the JWT authorizer config requires an issuer URL with "https://" in front.
That means the Google tokens will never be accepted by the authorizer, since the token's iss claim is missing "https".
Has anyone solved this?

If you are using one of the legacy OAuth flows to authorize your app, you may get a token with the issuer above. Make sure to use the OIDC config:
https://accounts.google.com/.well-known/openid-configuration
Then the issuer in the ID token should match the format required by the AWS JWT authorizer (and specified in the OIDC spec).
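To see why the legacy issuer is rejected, here is an added example (not code from the thread or from AWS) that reads the iss claim out of an ID token and compares it to the issuer string taken from the discovery document, the way an authorizer configured with an issuer URL does: as an exact string match with no scheme added or stripped. The discovery document and the tokens are constructed stand-ins; signature verification is deliberately left out because only the claim value matters for this comparison.

```python
import base64
import json

# Constructed stand-in for the provider's discovery document; the real one is served at
# https://accounts.google.com/.well-known/openid-configuration (only the field used here)
DISCOVERY_DOC = {
    "issuer": "https://accounts.google.com",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature segment, for local inspection only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def unverified_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature.

    Enough to see which iss a given flow produced; an authorizer must additionally
    verify the signature against the keys at jwks_uri before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 JWT segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def issuer_accepted(token: str, configured_issuer: str) -> bool:
    """Mimic the authorizer's check: iss must equal the configured issuer URL exactly.

    A legacy token carrying 'accounts.google.com' therefore fails against a
    configuration of 'https://accounts.google.com'.
    """
    return unverified_claims(token).get("iss") == configured_issuer


if __name__ == "__main__":
    legacy = make_test_token({"iss": "accounts.google.com", "sub": "110", "aud": "client-id"})
    oidc = make_test_token({"iss": "https://accounts.google.com", "sub": "110", "aud": "client-id"})
    for label, tok in (("legacy flow", legacy), ("OIDC flow", oidc)):
        print(label, "accepted" if issuer_accepted(tok, DISCOVERY_DOC["issuer"]) else "rejected")
```

Running it prints `legacy flow rejected` and `OIDC flow accepted`; the fix is on the token-issuing side (use the OIDC flow so iss carries the https form), not on the authorizer, which should keep matching the issuer exactly.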

Related

How to get a token from AWS Cognito by providing user/pass using REST API endpoints?

How do I get an AWS token by providing the username and password of a configured user?
What I want to do is to have a URL that accepts user/pass as POST params and returns a token.
None of the three "Allowed OAuth Flows" documented here, or any other URL, does this.
EDIT:
How do I do that from Postman? I am looking for something like:
Call aws url and provide user/pass for one of the users in the pool
AWS returns a token
Include the token with every request to the resource server
Resource server validates the token
1.
Before you are able to request a login, you first have to receive temporary credentials by calling GetCredentialsForIdentity.
You need those credentials to sign your actual login request.
2.
Now start an InitiateAuth with AuthFlow USER_PASSWORD_AUTH.
Send a POST request to this URL:
https://cognito-idp.<REGION>.amazonaws.com/
(You can find your regional endpoints here, scroll down to "Amazon Cognito Your User Pools")
Containing the following body:
{
  "ClientId": "<CLIENT_ID>",
  "AuthFlow": "USER_PASSWORD_AUTH",
  "AuthParameters": {"USERNAME": "<USERNAME>", "PASSWORD": "<PASSWORD>"}
}
And send the necessary Common Parameters in the header.
(Sign with temporary credentials)
I suggest using an AWS SDK, because setting all the needed parameters can be tricky.
You can use the OAuth 2.0 compliant TOKEN Endpoint to achieve this use-case.
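As an added example (my code, not the answerer's and not an AWS SDK), the following assembles the InitiateAuth request from the steps above and classifies the reply. Two details the steps do not spell out are included: the Content-Type and X-Amz-Target headers the Cognito JSON protocol uses for this call, and the SECRET_HASH parameter that an app client configured with a client secret expects next to USERNAME and PASSWORD (base64 of an HMAC-SHA256 over username + client id, keyed with the client secret). The region, client id, credentials and reply bodies are constructed placeholders; nothing is sent over the network, and whether USER_PASSWORD_AUTH is allowed at all is a setting on the app client.

```python
import base64
import hashlib
import hmac
import json

# Header values of the Cognito Identity Provider JSON protocol for this operation
CONTENT_TYPE = "application/x-amz-json-1.1"
INITIATE_AUTH_TARGET = "AWSCognitoIdentityProviderService.InitiateAuth"


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_initiate_auth(region: str, client_id: str, username: str, password: str,
                        client_secret=None) -> dict:
    """Assemble the InitiateAuth POST (URL, headers, body) for USER_PASSWORD_AUTH."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        # Only app clients that were created with a secret require this parameter
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    body = {"ClientId": client_id, "AuthFlow": "USER_PASSWORD_AUTH", "AuthParameters": params}
    return {
        "method": "POST",
        "url": f"https://cognito-idp.{region}.amazonaws.com/",
        "headers": {"Content-Type": CONTENT_TYPE, "X-Amz-Target": INITIATE_AUTH_TARGET},
        "body": body,  # serialise with json.dumps(body) when sending
    }


def handle_initiate_auth_response(status: int, payload: dict) -> dict:
    """Sort an InitiateAuth reply into error, pending challenge, or issued tokens."""
    if status != 200:
        # Error replies name the exception in __type, e.g. NotAuthorizedException
        return {"outcome": "error", "type": payload.get("__type"), "message": payload.get("message")}
    if "ChallengeName" in payload:
        # e.g. NEW_PASSWORD_REQUIRED: the login continues with RespondToAuthChallenge and Session
        return {"outcome": "challenge", "challenge": payload["ChallengeName"],
                "session": payload.get("Session")}
    result = payload["AuthenticationResult"]
    # IdToken carries the identity claims; AccessToken is what a resource server usually checks
    return {"outcome": "tokens", "id_token": result["IdToken"],
            "access_token": result["AccessToken"], "expires_in": result.get("ExpiresIn")}


if __name__ == "__main__":
    req = build_initiate_auth("us-east-1", "<CLIENT_ID>", "alice", "<PASSWORD>",
                              client_secret="<CLIENT_SECRET>")
    print(req["method"], req["url"], req["headers"])
    print(json.dumps(req["body"], indent=2))
    # Constructed reply shapes
    print(handle_initiate_auth_response(
        400, {"__type": "NotAuthorizedException", "message": "Incorrect username or password."}))
    print(handle_initiate_auth_response(
        200, {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": "constructed-session"}))
```

The challenge branch is the case that trips up a plain "send user/pass, get token" integration: a user whose password is still temporary gets NEW_PASSWORD_REQUIRED rather than tokens, and a client that only looks for AuthenticationResult will fail with a KeyError.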

Decoding an AWS Session Token

We are using AWS Cognito Federated Identities to obtain a Session Token from the AWS Security Token Service, then leverage it for securing our APIs via API Gateway. This is working well.
But within our web service, we sometimes must obtain the issuer and subject from the JWT token used to derive the Session Token. For this, we are exploring AWSSecurityTokenServiceClient.
But my question is whether it's possible to simply decode the Session Token without invoking the Security Token Service for every API call. Thoughts?
Here is an example of the response provided by AWS Security Token Service, via API Call to Cognito Federated Services:
{"IdentityId":"us-east-2:4628a310-f743-43bb-8808-6123c744c664","Credentials":{"AccessKeyId":"ASIATTD56AWGXWG2GGES","SecretKey":"0TOwO2JMgWQLd6FvVrX5m9UKsDcFfQW3goG3NQ8Z","SessionToken":"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","Expiration":"2019-09-27T18:13:42.000Z"}}
Note that the SessionToken is fairly lengthy, but does not decode when pasted into https://jwt.io
Yes, the JWT token can be decoded without calling the Security Token Service for every API call.
Please copy-paste the JWT token into https://jwt.io and you can see the details.
This image has a full payload of what you are looking for, session Token and JWT token. I hope this is what you are looking for.
However, please note that only the JWT token will be passed in API Gateway.
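The distinction the answer draws (the STS session token is opaque, the Cognito JWT is what decodes) can be checked programmatically. The following is an added example, not code from the thread or from AWS: it tells a JWT apart from any other credential string by its structure (three base64url segments, a JSON header naming an alg) and, for a JWT, reads the issuer and subject that the service needs. All sample tokens are constructed; the session-token sample only imitates the shape of the real one (a long base64 string with no '.' separators), and the JWT sample is unsigned, so in a real service the claims must only be used after signature verification.

```python
import base64
import json


def _segment_json(segment: str):
    """Decode one base64url JWT segment into JSON, or return None if it is not one."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        return json.loads(raw)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None


def inspect_token(token: str) -> dict:
    """Report whether a credential string is a JWT and, if so, its identity claims."""
    parts = token.split(".")
    if len(parts) != 3:
        # Opaque credentials (an STS session token, a one- or two-part string) stop here
        return {"kind": "opaque", "segments": len(parts)}
    header, payload = _segment_json(parts[0]), _segment_json(parts[1])
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return {"kind": "opaque", "segments": 3}
    return {
        "kind": "jwt",
        "alg": header["alg"],
        "kid": header.get("kid"),
        "iss": payload.get("iss"),
        "sub": payload.get("sub"),
        "token_use": payload.get("token_use"),  # Cognito sets "id" or "access"
    }


def _make_test_jwt(claims: dict) -> str:
    # Constructed, unsigned test token with a placeholder signature segment
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "kid": "constructed"})}.{enc(claims)}.sig'


# Constructed samples. The session-token sample has no '.' separators at all ...
SESSION_TOKEN_SAMPLE = "IQoJb3JpZ2luX2VjEConstructedSessionTokenWithNoDotSeparators"
# ... a two-segment string reproduces the "expected 3 parts but there are 2" shape ...
TWO_PART_SAMPLE = "constructed-part-one.constructed-part-two"
# ... and the Cognito-style ID token is the one that actually carries iss and sub.
ID_TOKEN_SAMPLE = _make_test_jwt({
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_constructed",
    "sub": "4628a310-constructed",
    "token_use": "id",
})


if __name__ == "__main__":
    for name, tok in (("SessionToken", SESSION_TOKEN_SAMPLE),
                      ("two-part string", TWO_PART_SAMPLE),
                      ("IdToken", ID_TOKEN_SAMPLE)):
        print(name, inspect_token(tok))
```

Because the session token never decodes, a service that needs the original issuer and subject has to keep the Cognito ID token (or its relevant claims) alongside the session credentials rather than trying to recover them from the SessionToken.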

GCP Cloud IAP OAuth2: Expected JWT to have 3 parts separated by a '.' but there are 2 parts

I've secured a Google App Engine Application behind Cloud IAP - the endpoint now requires Google Sign-in via the browser as expected and works fine once I've added the right permissions. However, when I try to use Postman / MS PowerApps OAuth2 authentication I get the following error: Expected JWT to have 3 parts separated by a '.' but there are 2 parts.
Here are my Postman settings:
Grant Type: Authorization Code
Callback URL: Authed Callback URL (added to list in console)
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://accounts.google.com/o/oauth2/token
Client ID: IAP-App-Engine-app ClientID
Client Secret: IAP-App-Engine-app Client Secret
Scope: openid email
Client Authentication: Send as Basic Auth Header
Is there a solution for Cloud IAP OAuth2?
Thanks,
Google Cloud IAP requires an OAuth Identity Token. You are trying to use an OAuth Access Token.
I found the answer searching through the documentation for Identity Platform.
https://cloud.google.com/iap/docs/identity-howto
IAP also passes the user's identity to your backend service in the following HTTP headers. These headers should have the namespace prefix accounts.google.com.
If you change the Header Prefix from the default Bearer to accounts.google.com when requesting a token, the subsequent call to the IAP-secured resource will succeed.

Shopify and AWS Cognito OIDC

I'm trying to use Shopify as an AWS Cognito User Pool "federated identity provider". Ostensibly, it seems to follow the OIDC protocol. However, there seems to be scant information on the format of the ProviderDetails field in the AWS API call, and I can't seem to figure out how to correctly pass the Issuer for Shopify. I've tried to do it through the console as well, but keep getting the message:
Discovery returned no results. Check the issuer and run discovery again or manually add the required fields below.
I suspect that, due to Shopify's multitenancy model, I'll never get a single set of OIDC parameters -- it seems to suggest there is a different URL for each shop.
Is there documentation on either (a) how to set up Shopify as an OIDC provider -- including Issuer, Authorization Endpoint, Token Endpoint, etc. -- or (b) why Shopify does not match the OIDC standard?

Using Login with Paypal and using OpenID with AWS Cognito

I am trying to use the OpenID framework supported by Paypal to tie the credentials in with the AWS Cognito service.
If I compare the configuration from Salesforce
https://login.salesforce.com/.well-known/openid-configuration
to the configuration at Paypal
https://www.paypal.com/.well-known/openid-configuration
the Paypal configuration is missing the jwks_uri element, which is a REQUIRED element of the OpenID Provider metadata per the OIDC specification, and AWS uses the keys at that URI to verify the ID tokens.
Is there a different URL I should be using for Login with Paypal to work with OpenID?
Is there any other way to get Login with Paypal to work with the AWS Cognito service, which works well with other OpenID providers?
Paypal is not OpenID Connect compliant:
as you mention, the Discovery document lacks required entries, but:
the ID token is signed with a symmetric key; this means that no JWKS URI is actually needed, since no public/private keys are used (and publishing the symmetric key at that URI would defeat the purpose)
but apparently it is not the client secret that is used to sign the ID token, as verification with that fails
there's no sub claim in the ID token
the exp claim is not set to an absolute timestamp but a relative timeout
Since Amazon Cognito works with OpenID Connect compliant providers, Paypal is not going to work.
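The answer's checklist (missing discovery metadata, symmetric signing, no sub, a relative exp) is exactly what a relying party should test before wiring a provider into Cognito. The following is an added example, my own code rather than anything from the thread, Cognito or PayPal: one function checks a discovery document for the metadata fields OpenID Connect Discovery 1.0 marks REQUIRED (plus token_endpoint, which is required for any provider that is not implicit-flow-only), and a second checks already-decoded ID token claims for the REQUIRED claims of OpenID Connect Core 1.0 and for an exp that is not an absolute timestamp. The two discovery documents are constructed; the non-compliant one mirrors the shortcomings the answer lists and is not PayPal's real document.

```python
import time

# REQUIRED OpenID Provider metadata (OpenID Connect Discovery 1.0, section 3)
REQUIRED_METADATA = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
# REQUIRED ID token claims (OpenID Connect Core 1.0, section 2)
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def check_discovery(doc: dict) -> list:
    """List the ways a discovery document would fail a relying party such as Cognito."""
    problems = [f"missing required metadata: {key}" for key in REQUIRED_METADATA if key not in doc]
    issuer = doc.get("issuer", "")
    if issuer and not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if algs and all(alg.startswith("HS") for alg in algs):
        # HMAC algorithms mean a shared secret; nothing served at jwks_uri could let
        # a third party verify the token without also being able to forge one
        problems.append("only symmetric (HS*) ID token signing is offered")
    return problems


def check_id_token_claims(claims: dict, expected_issuer: str, now=None) -> list:
    """Check decoded ID token claims for the shape a compliant provider emits."""
    now = time.time() if now is None else now
    problems = [f"missing required claim: {key}" for key in REQUIRED_CLAIMS if key not in claims]
    if "iss" in claims and claims["iss"] != expected_issuer:
        problems.append("iss does not match the discovery issuer")
    exp, iat = claims.get("exp"), claims.get("iat")
    if isinstance(exp, (int, float)):
        if isinstance(iat, (int, float)) and exp < iat:
            problems.append("exp precedes iat: it looks like a relative lifetime, not an absolute time")
        elif exp <= now:
            problems.append("token is expired")
    return problems


# Constructed documents: COMPLIANT_DOC carries every required field; NONCOMPLIANT_DOC
# mirrors the shortcomings listed above (no jwks_uri, symmetric signing).
COMPLIANT_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
NONCOMPLIANT_DOC = {
    "issuer": "https://legacy-idp.example.com",
    "authorization_endpoint": "https://legacy-idp.example.com/authorize",
    "token_endpoint": "https://legacy-idp.example.com/token",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256"],
}


if __name__ == "__main__":
    print("compliant:", check_discovery(COMPLIANT_DOC))
    print("non-compliant:", check_discovery(NONCOMPLIANT_DOC))
    # Constructed claims: no sub, and exp holds a lifetime in seconds instead of a timestamp
    claims = {"iss": "https://legacy-idp.example.com", "aud": "client", "iat": 1600000000, "exp": 3600}
    print("claims:", check_id_token_claims(claims, NONCOMPLIANT_DOC["issuer"], now=1600000100))
```

Any non-empty result from check_discovery is a reason a console "run discovery" step fails; the manual-entry fallback only helps when the missing items exist somewhere else, which for a symmetric-only provider they do not.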