AWS Cognito doesn't accept localhost as signin url. My app is hosted on S3 and behind a CloudFrnot distribution, so we can get https url. I'm using amazon-cognito-auth-js to do authentication on my app. Even if I run my app locally, after authentication, it will redirect me to my cloudfront url, and I need to check logs from Chrome developer tool. So for any change / test, I need to build my app, and upload it on S3, use a new inognito sesison on my browser. I'm wondering is there an easier way to do local development with Cognito? Is there any way to redirect Cognito to localhost and do local test there? Any other idea is welcomed.
Found the answer: you can add http://localhost:3000 as callback url (sign in) into your User Pool App client. You can either create a new app client for this purpose, or add a new callback url (comma separated) to existing app; each user pool client app can have multiple call back urls.
You can use localhost to test out cognito. The problem is that cognito doesn't allow HTTP. If you install an IIS certificate on you computer to use HTTPS on your machine, you will be able to use that as callback url. A tutorial for doing this is here
Related
I want to be able to offer a RT transcription in my browser app using AWS transcribe. I see there is the TranscribeStreamingClient which can have credentials for AWS which are optional - I assume these credentials are required for access to the s3 bucket?
What I want to know is how to setup auth in my app so that I can make sure my users dont go overboard with the amount of minutes they transcribed?
For example:
I would be expecting to generate a pre-signed url that expires in X seconds/minutes on my Backend that I can pass to the web client which it then uses to handle the rest of the communication (similar like S3).
However I don't see such an option and the only solution that I keep circling back to is that I would need to be feeding the audio packets from to my backend which then handles all the auth and just forwards it to the service via the streaming client there. This would be okay but the documentation says that the TranscribeStreamingClient should be compatible for browser integrations. What am I missing?
Subscription based iOS app I'm building uses Cloud Run service invoked via HTTPS request.
How can I make sure that the request can only be invoked by app owners(from the app)?
I've looked at Google Sign-In authentication, but I don't think it is applicable in my case as only those subscribed to the app should have the access, not just those with Gmail account.
I think without a Google Sign-in involved, your question has nothing to do with Cloud Run and can be generalized as:
How to send requests to to a backend app only from its mobile app?
So I'll answer that.
You'll find out that you need some form of "authentication" to prove that you're on a mobile app as a "user". To achieve that, you need some form of sign-in.
You may try to ship a secret (like a token or private key) in the application and use that to authenticate, but this will be susceptible to:
exfiltration of the private they from the application bundle through reverse engineering
applying a man-in-the-middle attack to the HTTPS request (and therefore the token) by trusting a root CA on the device and using e.g. mitmproxy to decrypt the request as plaintext.
In reality, there's no way to fully secure iOS/Android <=> backend communication that. Even the largest apps like Twitter, Instagram etc have their APIs reverse engineered all the time and invoked from non iOS/Android clients as the requests can be spoofed.
If you want to authenticate your existing users, you should figure out how these people login to your app. This could be simple username:password in Authentication: Basic [...] header, or something more complicated like OAuth2 which is what apps like Facebook, Twitter implement under the covers for their mobile apps.
Then you would validate that Authentication header in your Cloud Run application code yourself.
So again, I don't think this is a problem specific to Cloud Run, or any cloud provider.
If your goal is for your API to only be called when your users are authenticated in your app, I would recommend implementing one of the two solutions described on this page:
Using Google Sign-in or Firebase Authentication
I'm trying to run a python script that interacts with the GMail Api on AWS EC2. Said script SHOULD either process the authenticated inbox or ask for authentication if the token doesn't exist. This authentication normally takes the form of opening up a browser window. This works on localhost but doesn't work on my EC2 instance.
I've tried running a webserver using Flask (accessible through its public IP) and having the call to the script be the result of clicking a button. When I do this, I get other interactivity from the Flask script and the authentication URL prints out on the CLI, but I'm not redirected.
I've tried just running the script from the CLI, but that obviously doesn't work. That last one might've just been desperation and/or wishful thinking.
EDIT: Info - The URL seems auto-generated so I don't know it ahead of time.
I'm trying to understand the process of login to a website using the Network tab on Google Chrome because I have to use that process for autenticate accounts on an mobile application.
The login is completed when I reach the page "HomepageStudente.do", but I don't understand how to replicate all this on Postman. I've tried to do this:
Right-click on the SSO request
Copy as Curl (bash)
And it seems to work, but when I do the same thing with the second request (POST) I get a different message compared to the one on the Network tab.
Those 3 calls are based on automatic redirect by the browser, and I don't understand how to replicate it on Postaman. Is this possibile to do? Any other suggestion on how to use those requests for authenticate an account outside the website (example mobile app)?.
Thanks
github 3 legged oauth authentication requires defining the callback url (or at least the host) while creating the github application. that means the url is static.
we have several deployments for our site, and each deployment has a different host, so we needed a github application for each deployment - which is annoying to maintain.
now we've started dynamically generating deployment hosts/ports and can no longer have a github application per deployment.
we need the oauth callback url to be dynamic so that we'll be able to specify the dynamically generated host/port.
we thought about creating a second party webservice somewhere that will redirect the oauth-callback:
when you create the github application, you assign the redirect webservice url.
when authenticating you pass the url of the host trying to authenticate to github as a paramter
github queries the auth callback on the redirect service which retrieves the original_host_url parameter and redirects there, thus reaching the relevant webservice url, dynamically.
so 2 questions:
will this solution work and solve my issue, technically speaking?
does this introduce security issues, other than having the redirect service use https and maybe accept connections only from oauth providers such as github?