How do I get an Amazon Cognito token in Postman without the need for manual steps

I have an existing suite of Postman tests that previously ran against REST services hosted in Azure using Azure AD for auth. Using the token endpoint (https://login.microsoftonline.com/{{tenantId}}/oauth2/token), I was able to obtain an OAuth token for an enterprise app (test app) that had delegated permissions for the application under test.
The apps have been moved to AWS and are now secured with Cognito. I have been unable to find an equivalent workflow that allows me to obtain a token without manual data being entered by the user.
The login endpoint requires me to manually enter the user name and password:
How do I integrate Amazon Cognito login in Postman
and
I can set up an app and get an access token, but it does not give me permissions to the APIs, as I cannot add the app to the user group with permissions.
https://lobster1234.github.io/2018/05/31/server-to-server-auth-with-amazon-cognito/

Related

Want to use GoogleSignInOptions instead of Google Sign-In with web UI?

I'm using AWS Amplify in my app backend. I want to use GoogleSignInOptions to sign in a user by passing the GoogleSignInAccount token to the Cognito user pool instead of signing in with the web UI. I tried it many times but it is showing an error: "provider is not from authorised identity provider".

I'm trying to integrate AWS Cognito with Azure AD for single sign-on, but the page login.live.com/oauth20_authorize.srf is throwing a 404 error?

When trying to log in via my AWS Cognito login page via Azure AD with email@live.com credentials, I'm being redirected to https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=51483342-xxx-xxx-xxx-xxxx... and the page is throwing a 404 error.
Steps:
Created an Azure AD Enterprise Non Gallery Application.
Added identifier to enterprise application: urn:amazon:cognito:sp:ap-southeast-1_xxxxx
Added reply url as: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Downloaded the SAML Signing Certificate > Federation Metadata XML and uploaded it on Cognito by adding a new SAML identity provider.
Mapped SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Email under Cognito Attribute Mapping.
Enabled the AzureAd identity provider under App Client Settings on Cognito.
Allowed OAuth Flows: Authorization code grant, Implicit grant.
Invited an existing xxx@live.com user to Azure Active Directory and assigned a role to the user in the newly created Enterprise application.
Validated SSO from Enterprise Application > SSO > Validate. It's working correctly, without any errors.
Problem:
When trying to log in via Cognito's login URL: https://xxxxx.auth.ap-southeast-1.amazoncognito.com/login?response_type=token&client_id=Cognito-App-Client-ID&redirect_uri=Callback-url-specified-in-cognito-app-client-settings --> AzureAd, I'm being redirected to https://login.microsoftonline.com/... where I enter the added user's email ID: xxx@live.com; after clicking Next, instead of a password prompt the page throws a 404 error.
Also tried inviting another user with email xxx@mydomain.com; this also results in the same 404 error.
Tried in different browsers: chrome, firefox, safari. All result in the exact same error.
Azure AD SSO SAML 2.0 integration doesn't work well with personal accounts.
Integrating with OIDC, on the other hand, works really well.
Azure AD integration with AWS Cognito.

REST API to Login to Google Platform using Service Account

I have created a service account on Google Cloud Platform. I am using a standalone Java program which uses GCP Java Client API to get the Authentication Token ID by taking service account JSON file. By using the Token ID, I can create a compute instance.
I don't want to use the Java API or the gcloud tool. Is there a REST API that takes the required details and returns the Token ID?
I went through the GCP documentation and could not find any details for the authentication and authorization through REST using Service Account.
I have created a service account on Google Cloud Platform. I am using a standalone Java program which uses GCP Java Client API to get the Authentication Token ID by taking service account JSON file. By using the Token ID, I can create a compute instance.
Using a service account is the correct and recommended method to authenticate and authorize software applications.
Note. The assumption here is that the software application is running on your systems under your control. If instead you are installing software on a user's desktop or system not under your control, then you would use Google OAuth 2.0 (Google Accounts) to obtain User Credentials to authorize your application.
Another method is to issue short-lived temporary credentials from a service account credential that are time limited. These short-lived credentials are created on your server and then handed to the client.
I don't want to use Java API or gcloud tool, is there a REST API exists which takes required details and return Token ID?
You have the classic "chicken or egg" situation. You need credentials to authenticate and authorize; otherwise anyone could create credentials. Google Service Account credentials provide this. To create service account credentials, use the Google Cloud Console or the gcloud CLI to download the service account JSON file.
I went through the GCP documentation and could not find any details for the authentication and authorization through REST using Service Account.
This question is confusing. Do you want to use Service Account credentials to authorize your Google API calls OR do you want to call a Google API to obtain credentials?
In the first case, once you create service account credentials, they are used to authorize your API calls. You add the Access Token to the HTTP header when making API calls.
For the second case, use Google OAuth 2.0 to obtain credentials. Google OAuth 2.0 uses Google Accounts for authentication. This method provides you with an Access Token (just like a service account) and a Refresh Token and Client ID token. You will need to add the Google Accounts user identity to your Google Cloud IAM which provides for authorization (privileges).

EC2 and RDS Authentication?

I have an EC2 instance running a Node.js Express backend that controls CRUD operations to an RDS instance. I am doing a mobile application client (which I am authenticating users through cognito with the client sdk). What would be the best way to authenticate my mobile app users so that only authenticated users can access my Node.js Express functions running in EC2? Basically looking for something like IAM Lambda authentication (but for this server application, rather than a serverless architecture).
What would be the best way to authenticate my mobile app users so that only authenticated users can access my Node.js Express functions running in EC2
Authenticating with Cognito, you should be able to get an access token (ID token and access token) once the user is authenticated.
The token is to be fetched by the mobile client after the user is authenticated, see https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html . This token can be sent along with every request to the Node.js services. Please note the token has an expiration time and the client needs to get another one when the token has expired.
The token contains the user identity, issuer, expiration time and (Cognito) user groups.
The services must validate the token (issuer, expiration, signature) and trust the token (or not) based on the validation.
Validation example: https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification . In this example the public key is read from a certificate. Amazon provides only the public key properties (e, n), see https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/, so you will have to complete the public key yourself; example: https://github.com/rzcoder/node-rsa
Edit: more detailed clarifications

User authentication in microservice application hosted on Amazon WS

I am building a web application based on a microservice architecture. At this moment I am considering a few ways of user authentication flow. I predict the following example user roles:
admin - is able to create content, upload files etc (admin account can be created only by another admin)
unauthorized user - can view content
authorized user - can comment content
Here is how I was thinking about the authentication flow so far:
authentication service - has access to the DB with user credentials and permissions
api gateway - retrieves requests from the user, checks if the user is logged in (i.e. verifies the OAuth2 access token with the auth service) and transfers flow to other services based on the user request (attaching a JWT token with some basic user info)
another service - accepts only requests from the api gateway, and trusts user data from the JWT token (does not need to connect with the auth service to get information about the user).
After deploying some stuff on AWS infrastructure my way of thinking has changed a little bit. As far as I understand AWS products (Lambda - serverless applications and API gateway), I should implement the authentication flow as follows:
authentication service - gets the request from the user, retrieves data from DynamoDB and provides a user cookie with a JWT signed by a private key
any other service - retrieves the request with the JWT token, verifies the signature using the public key, and performs some action.
And now the question comes:
How does AWS Cognito fit here? Is it something useful for me? As far as I understand, Cognito simplifies the flow of authenticating users via 3rd parties (Facebook, Twitter etc.). Does AWS Cognito serve a login page, separate from my application, or is it only a background/web-services implementation?
So far I am thinking about Cognito as a replacement for my authentication service - any of my services should implement the Cognito authentication flow provided by the SDK from Amazon, and my static website would implement the JavaScript SDK for user login/register. Am I right?
First of all AWS Cognito consists of two services.
AWS Cognito UserPools (which is the Identity Provider) - This is the service where you can create the users and manage their credentials with other policies. It can also provide the login screen, where we can customize the logo and look and feel so that it becomes a plug-and-play login service. Then it is also possible to configure the authentication flow (for example, to make the service an OpenID Connect authentication provider so that it returns a JWT token once the user logs in). It is also possible to connect social identities (Facebook, Google, etc.) and SAML.
AWS Cognito Federated Identities (identity federation to grant users access to AWS services) - This service is capable of accepting an AWS Cognito UserPool token or direct access from other providers, where we can federate the access to AWS resources. For example, AWS Cognito Federated Identities can grant temporary access to a user authenticated by another provider (e.g. AWS Cognito UserPools) to upload files to S3.
For more details refer to the article The Difference Between AWS Cognito UserPools and Federated Identities?.
So coming back to your questions,
So far I am thinking about Cognito as a replacement for my authentication service?
You can use the AWS Cognito UserPools authentication service to issue JWT tokens and validate the token in an AWS Lambda Custom Authorizer at your other service endpoints. This is also the place where you can do authorization.
My static website would implement JavaScript SDK for user login/register. Am I right?
Not necessarily. If you use the AWS Cognito UserPools Hosted UI, you will get Login, Signup, Password Change and Confirmation pages by default, along with auto-redirection for federated identities (based on the configuration) such as Facebook, Google or corporate credentials like Office365. Although the customization is limited, you should be able to add your own logo and change the background color of these screens. If you plan to implement this yourself, then you can use the AWS SDKs to implement these screens.
For more details on the serverless architecture refer to Full Stack Serverless Web Apps with AWS.