Can we find that the AWS IAM User is valid using OAuth or some other authentication flow, from a third party application?
There are several examples of how you can authenticate your users in the AWS documentation. IAM supports Identity Federation in various ways depending on your use case.
For IAM users there is AWS Single Sign-On, integration with Microsoft Active Directory, configuration of SAML 2.0 Federated Users, AD FS, etc.
For non-IAM users, typically the end users of your application, you can create a Cognito User Pool and then configure Identity Providers for Your User Pool. Options include Facebook, Google and Amazon accounts, as well as OIDC (OpenID Connect) and SAML IdP (Identity Provider).
Please see the links above to find more information, references and examples.
Using Auth0 as an example of what I want to achieve, it is possible to create an Auth0 application and configure a SAML trust relationship to a service provider by downloading Auth0's Identity Provider Metadata from an Auth0 SAML2 Web App and supplying that to the service provider, and also uploading the Service Provider metadata to Auth0. Supplying some other configuration options such as the application callback URL to Auth0 then allows federation to be achieved into the test service provider via SP-initiated SSO.
I would like to understand if it is possible to build such a relationship with AWS Cognito using either SAML or OIDC, where Cognito would be acting as the Identity Provider. There seems to be a lot of documentation available providing instructions on how to use SAML to create a relationship to a third-party identity provider for a user pool, but I'm struggling to find any documentation or options within the console to configure SSO to a test service provider, for example no reference to Cognito Identity Provider metadata. The assumption that I am making is that Cognito is a service only for authorisation with your own applications (such as user login) and does not support SSO into other services in the way that I describe, and that if you wanted to use Cognito as an Identity Provider then I would have to connect my user pools to a service such as Auth0 to then build out the SSO relationship. Am I correct in this assumption? If not, please help me to understand where in the documentation/console I should be looking.
I'm also aware that AWS SSO exists and that I could potentially link a Cognito user pool to that, however the user pool will be made up of clients, and my assumption is that AWS SSO serves to specifically support (internal/affiliate) employee access to AWS services and resources, and should not be used as a way to enable SSO to another service for customers.
We're building an application using AWS App Sync, we're still in a very early stage.
Our application has a restricted area, through user sign-in, which is being managed via an AWS Cognito user pool. And this is fine.
We're having issues on the public area which doesn't require any authentication.
How can we protect these public endpoints?
We're having some doubts about hard-coding the API key (which we know can be rotated). Is it a good practice? (The documentation page says that it isn't ideal for production.)
Is there any way to authorise the origin? (aka, any request coming from www.foobar.baz is ok)
I would suggest using Amazon Cognito Federated Identity to control authenticated and unauthenticated access to the API. In order to use Amazon Cognito Federated Identity with AWS AppSync, you need to use AWS IAM based authorization.
For the authenticated access you can use Amazon Cognito User Pools and federate to Amazon Cognito Federated Identity, and since the federated identity can also allow for unauthenticated users it will allow you to control some APIs which can be made public via an IAM policy.
For more information please read the AWS IAM Section of our security guide here
Under your AppSync app's Settings menu, where you set the User Pool Configuration, there is an option to set a default action. You can change this to DENY and all unauthenticated requests will be rejected. The alternative approach is to ALLOW everything, and manually add #aws_auth directives to every query/mutation/subscription field that you care about restricting.
Question
Why does AWS Cognito have two places to federate Identity Providers? I think Identity Pool is supposed to be federated with identity providers and wonder why User Pool also can. Kindly suggest the reason for having two locations.
Cognito Identity Pool can federate identity providers.
Cognito User Pool can federate identity providers as well.
User Pool
User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool (which is essentially a user directory in Amazon Cognito) or federate through a third-party identity provider (IdP), for example social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
After successfully authenticating a user, Amazon Cognito issues JSON web tokens (JWT) that you can use to secure and authorize access to your own APIs, or exchange for AWS credentials (here is where Identity Pool comes into play).
Use a user pool when you need to:
Design sign-up and sign-in webpages for your app.
Access and manage user data.
Track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
Use a custom authentication flow for your app.
Identity Pool
Identity pools are for authorization (access control). With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
Use an identity pool when you need to:
Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table.
Generate temporary AWS credentials for unauthenticated users (User Pools support anonymous guest users).
Identity pools provide AWS credentials to grant your users access to other AWS services. To enable users in your user pool to access AWS resources, you can configure an identity pool to exchange user pool tokens for AWS credentials.
Sources:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pools-identity-pools/
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
The main difference is how users are saved and what permissions are granted once they sign in with IdPs using a user pool vs. an identity pool.
So, federation through User Pools (by themselves) doesn't deal with permissions at the IAM level, which doesn't allow for a much more granular set of permissions with respect to AWS services.
However, Identity Pools create a user from an Identity Provider with unique identities such as an IAM role; they essentially allow you to delegate authorization for AWS resources to AWS itself.
Refer here for scenarios!!
A similar source of confusion is caused by the fact that you can integrate external social providers like Facebook and Google with User Pools directly, without using Federated Identities at all. Using this approach, users can sign up and sign in to your app with their Facebook login, but they never get assigned an IAM role. Instead, the User Pool service automatically assigns these users to a Facebook group, and then maps the attributes of their Facebook profile (e.g. name, email, location) to the user attributes you’ve defined in your User Pool. Again, the key distinction here is not whether the Identity Provider is internal or external, but rather if an IAM role is assigned to the user after authentication.
Hope it Helps.
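The policy side of two of the answers above (the AppSync answer that recommends IAM-based authorization with an unauthenticated role, and this answer on identity pools attaching IAM roles to identities), as an added example that is not code from the original posts: the trust policy and permissions policies an identity pool's two roles would carry, plus a deliberately simplified IAM evaluator so their effect can be checked offline. The identity pool id, bucket name, AppSync API ARN and identity ids are invented; the evaluator models only Allow statements, wildcards, the `${cognito-identity.amazonaws.com:sub}` policy variable and the two condition operators the policies use, not the full IAM evaluation logic.

```python
# Added example, not code from the original posts. Trust and permissions policies for
# the roles an identity pool hands out, plus a deliberately small IAM evaluator so
# their effect can be checked offline. All ids, names and ARNs below are made up.
import fnmatch

IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"     # assumed
BUCKET = "example-app-user-data"                                          # assumed
APPSYNC_API = "arn:aws:appsync:us-east-1:123456789012:apis/abcdefghij"    # assumed
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # expanded per caller at evaluation


def trust_policy(authenticated: bool) -> dict:
    """Who may assume the role: only this identity pool (aud; without it any pool in
    any account could assume the role) and only guests or only signed-in users (amr)."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
        },
    }]}


# Signed-in users: each identity reaches only its own S3 prefix.
AUTHENTICATED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": f"arn:aws:s3:::{BUCKET}/private/{SUB_VAR}/*",
}]}

# Guests: only the AppSync fields meant to be public (IAM auth mode uses field-level ARNs).
UNAUTHENTICATED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "appsync:GraphQL",
    "Resource": f"{APPSYNC_API}/types/Query/fields/listPublicPosts",
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern: str, ctx: dict) -> str:
    """Expand ${key} policy variables from the request context (scalar keys only)."""
    for key, value in ctx.items():
        if isinstance(value, str):
            pattern = pattern.replace("${" + key + "}", value)
    return pattern


def _conditions_hold(conditions: dict, ctx: dict) -> bool:
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            have = _as_list(ctx.get(key, []))
            if operator == "StringEquals":
                if have != [wanted]:
                    return False
            elif operator == "ForAnyValue:StringLike":  # amr is multi-valued
                if not any(fnmatch.fnmatchcase(h, wanted) for h in have):
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Simplified IAM evaluation: implicit deny unless some Allow statement matches.
    Explicit Deny and most condition operators are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        resources = _as_list(stmt.get("Resource", "*"))  # trust policies carry none
        if not any(fnmatch.fnmatchcase(resource, _substitute(r, ctx)) for r in resources):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        return True
    return False


def can_assume(authenticated_role: bool, aud: str, amr: list) -> bool:
    """Would STS let a Cognito identity with this aud/amr take the role?"""
    ctx = {"cognito-identity.amazonaws.com:aud": aud, "cognito-identity.amazonaws.com:amr": amr}
    return is_allowed(trust_policy(authenticated_role), "sts:AssumeRoleWithWebIdentity", "*", ctx)


def can_read_object(identity_id: str, key: str) -> bool:
    ctx = {"cognito-identity.amazonaws.com:sub": identity_id}
    return is_allowed(AUTHENTICATED_POLICY, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/{key}", ctx)


def guest_can_call(type_name: str, field: str) -> bool:
    return is_allowed(UNAUTHENTICATED_POLICY, "appsync:GraphQL",
                      f"{APPSYNC_API}/types/{type_name}/fields/{field}", {})
```

The two checks a practitioner wants from this: the `aud` condition is what stops a different identity pool (in any account) from assuming the role, and the `amr` condition is what keeps a guest identity off the authenticated role; the `${cognito-identity.amazonaws.com:sub}` variable is how one policy scopes each signed-in user to their own objects without a policy per user.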
Will Amazon Cognito Provide any control over the federated identities?
I want to be able to block a Google or Salesforce user.
I don't want to allow some federated guy to enter.
Yes, developers configure the federated identity providers they want to use for each User Pool, and they can choose for each app client, which identity providers are offered. (Assuming you are asking federation with Cognito User Pools)
Problem: I want to authorize my Amazon API Gateway hosted REST API users using Facebook Authentication.
My Understanding: I know Amazon Cognito can be used to authenticate users, calling them Federated Identities. Then, I saw Authenticate API Clients with Amazon Cognito Your User Pool, which authenticates for a Cognito User Pool. I also found Use Amazon API Gateway Custom Authorizers, for custom authorization. But I did not find how to link API Gateway to authenticate using Cognito Federated Identities (i.e. Facebook here). Can we use the same procedure as for User Pools for Federated Identities as well, or should I use Custom Authorizers?
I'm a bit confused. Any help is greatly appreciated.
Thanks in Advance.
Cognito federated identities and Cognito user pools address different use cases.
With Cognito user pools, you explicitly manage the users which can access your service. This is useful when you want to limit access to your API to a fixed set of users.
With Cognito federated identities, you delegate user management to an identity provider such as Facebook, Google, or Amazon. In that case, anyone with a user identity for your chosen identity provider can access your service. This is useful when you want to make your API broadly available, but still need to associate individual identities with your API users in order to manage per-user state or resources.
To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.
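What the client then has to do once the method uses AWS_IAM authorization, as an added example that is not code from the original answer: every call must be SigV4-signed with the temporary credentials the identity pool returns, and because those are STS credentials the session token has to be sent and covered by the signature. Standard library only; the API host, stage, path, credentials and timestamp are invented, and the request path is assumed to contain only unreserved characters (so no double-encoding question arises).

```python
# Added example, not code from the original answer: SigV4-sign a call to an API
# Gateway method that uses AWS_IAM authorization, using the temporary credentials an
# identity pool returns. Standard library only; host, stage, path and credentials are
# made up. The request path is assumed to contain only unreserved characters.
import datetime
import hashlib
import hmac
from urllib.parse import quote

HOST = "abcdefghij.execute-api.us-east-1.amazonaws.com"  # assumed API id and region
REGION = "us-east-1"
SERVICE = "execute-api"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, host, path, query, body, amz_date, session_token):
    """Build the SigV4 canonical request. x-amz-security-token is a signed header,
    so a signature made with one session token cannot be replayed with another."""
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-security-token": session_token}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query, canonical_headers,
                      signed_headers, hashlib.sha256(body).hexdigest()])
    return creq, signed_headers


def sign_request(method, path, query, body, access_key, secret_key, session_token, now):
    """Return the headers to send; `now` must be a timezone-aware UTC datetime."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    creq, signed_headers = canonical_request(method, HOST, path, query, body, amz_date, session_token)
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    # Derived signing key: the secret itself never signs the request directly.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, REGION)
    k_service = _hmac_sha256(k_region, SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": HOST,
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": session_token,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


# Constructed stand-ins for what GetCredentialsForIdentity would return (not real credentials).
DEMO_CREDS = {"access_key": "ASIAEXAMPLEEXAMPLE",
              "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              "session_token": "IQoJb3JpZ2luX2VjEXAMPLETOKEN"}
DEMO_TIME = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def demo_headers(session_token=DEMO_CREDS["session_token"]):
    """Sign GET /prod/items; for execute-api the stage name is part of the path."""
    return sign_request("GET", "/prod/items", {}, b"", DEMO_CREDS["access_key"],
                        DEMO_CREDS["secret_key"], session_token, DEMO_TIME)


if __name__ == "__main__":
    for name, value in demo_headers().items():
        print(f"{name}: {value}")
```

The role attached to the identity pool still needs `execute-api:Invoke` on the method ARN, as the answer says; the signature only proves which credentials the caller holds, and API Gateway then evaluates that role's policy against the method being called.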