Suppose a user signs in with Google. Then later the user for some reason gets locked out of their Google account. Can they also sign in with Facebook and access the same Cognito account (Assuming they have the same email address registered with both Facebook and Google)?
Yes, you can add multiple federated identities to a single User Pool. Just add multiple providers in Cognito user pool settings. And yes, the account is the same, so if you lose your Google account you will still have access through Facebook as long as your email address for both of these services is the same.
I'm a bit confused on which ID to use for the following purpose:
There is an online book store with books and users. Each user can have many books. Books are stored in a DynamoDB table alongside with their user IDs associated to them.
Question is, which user ID to be used? Pool user ID or Identity user ID? Thanks.
If you want the users to be able to read and write directly to the table you need to use the identity pool ID, because that's what's in the authentication context when IAM evaluates the request.
If that's not the purpose and you just want to keep track of the users for internal purposes it might be easier to use the user pool ID. With the user pool ID you can look up user attributes etc., which is not the case with identity pool IDs.
Another way of saying this is that if you want to leverage IAM for authorization (granting access to things) you need to use identity pool IDs (federated identities), but if you are going to handle authorization yourself in your application code and never let users access AWS resources directly, and not let users log in through other authentication mechanisms, then using user pool IDs makes more sense.
You can think of it this way: User Pool provides a login method (i.e. an authentication method).
Whereas Identity Pool provides a way to create a user identity based on a single or multiple login methods (e.g. Facebook login, Google login, Cognito User Pool login), and in turn, create IAM permissions tied to that identity. It's more about Authorization - what a user with this identity can do.
That said, you can still perform Authorization using just User Pool User Ids. You just have to write the custom logic yourself based on the information about that user stored under User Pool Attributes (e.g. their email or name), to allow or deny them access to certain books.
If you eventually want to enable the user to use multiple sources of logins (e.g. Facebook login, Google login, AWS Cognito login), then consider using Identity Pool user id.
In most cases, if you make users log in via an app and access the resources (books in this case) via the app, storing the User Pool User Id makes things easier. Cognito generates a secure User Pool User IdToken which contains the User Id on login. The app can just pass this token along with the request for your backend to allow/deny the request.
User pools store the user records, while identity pools have the necessary permissions available for the user. So in this case you need to use the user pool Id.
I don't get the difference between the User Pools > Identity providers and
Federated Identities > Authentication providers.
Can someone explain?
Identity pools (Federated identities) allow you to grant users authenticated by third parties (e.g. login with Google) temporary IAM credentials to use your AWS resources in a limited way. Identity pools are free of cost and you only pay for the resources your users use via the IAM credentials.
User pools allow you to store your own users; they can sign up directly to the user pool and not have to use a third party provider like Google or Facebook. Confusingly, user pools also have a 'federation' option (Identity providers), but this will actually create externally federated users in the pool. User pools provide OpenID tokens (access, id, refresh), not IAM credentials, which you can use with your own endpoints (ec2, fargate, api-gateway). User pools have costs associated with them based on the active users per month.
I'm trying to build a web app that can be accessed by any user that signs up with facebook.
I want to use AWS Cognito to speed up the development for users management.
It has to have 3 types of users:
Normal users - any user that logs in with facebook
Editors - users that have a different access level (IAM role?), they can call a specific AWS Lambda function, that normal users can't call.
Administrators - users that can modify the status of normal users to make them editors or admins
Can someone please point me in the right direction? I've set up AWS Cognito Identity Pool but I'm not sure if I have to set up a User Pool or how do I assign a different role or policy to a user to make him an admin or editor (different access levels for other AWS resources), if I can get in my web app the users list from Cognito (only for an authenticated admin) and how do I allow him to modify other users roles.
Some tutorial, documentation or at least a short description of how can I do this would help me a lot.
Optional: let users not only sign up with facebook but also with email/pass, and have the same functionality.
You should be able to use 'Role Based Access Control' feature of Cognito federated identities. This is the relevant part of the doc:
http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
If you are only using Facebook, you can use Facebook sub to assign appropriate role.
If you are using username and password based sign-in with user pool, you can use group support and create an editors group and assign appropriate permissions.
Instead of managing Administrators with federated identities or user pool, probably directly using an IAM user will be a better idea. This IAM user will have full permission to modify/add identity pool rules or user pool groups.
Account Locked claim works fine for basic authenticator, but for Facebook and Google identity providers I can still log in to my application with locked users.
Please, help!
Account Locked claim is a local claim and can only be used for local users (users who are in a configured userstore). For federated users you may try associating user accounts and setting associated local user account's Account Locked claim.
We have implemented a Developer Identity Provider using our custom user auth service and we have an Identity Pool connected to it with many Identities saved. Right now, we're evaluating to move our user table to a User Pool connected to the same Identity Pool and use the mobile-hub library.
The question is: After the import, could Cognito detect if a user with a specific username already exists in the Identity Pool and not create it again (with another Identity)? Self signup is activated.
UPDATE for clarification:
Our identity pool has nearly 1000 existing identities. All of them were created before the existence of the User Pool feature. They were created using the "Developer Authenticated Identities Authflow" (check link), and the external "Developer Provider" is a simple user table. Each identityId in the Identity Pool is associated with an existing identity (record) in our external user table.
Now we want to use AWS Mobile-hub lib in our iOS app and a User Pool connected with the existing Identity Pool. We want to start adding new users to our User Pool but for existing users, they already have an identity created in the Identity Pool. What to do in that case?
It seems that, at the moment of first login, Cognito doesn't have a mechanism to detect if a user already has an IdentityId created by another auth flow (Facebook, Developer Provider).
You could do one of a few things, because as you noted, Cognito does not totally handle this for you.
If you're all in on user pools, you could use the import user feature to transfer your users.
Alternatively, on sign in, you could check if the username exists in your user table. If so, you could either sign them in by that, or you could transfer them over to user pools then and there with a lazy load.