AWS Amplify withAuthenticator v/s with OAuth
I want to implement an authentication mechanism for react app. I am using AWS Amplify framework, It provides 3 methods either use custom UI or with the authenticator and with OAuth components. I see with OAuth component provides Cognito hosted UI while withAuthenticator component provides AWS Amplify Custom UI.
What are the pros and cons of both except the UI
withAuthenticator is email & password against Cognito User Pools where the user is created in that directory. withOAuth and Auth.federatedSignIn use the OAuth endpoint of Cognito User Pools for OAuth flows, which performs redirects for you to authenticate users against a social provider such as Login With Amazon, Facebook, Google Sign-In, etc. A corresponding user account will be created in Cognito User Pools directory after this process takes place. More info can be found here: https://aws-amplify.github.io/docs/js/authentication#concepts
Related
I am completely new to Amplify library. I have logged in my user using Cognito User Pool. I have the required access token (jwt token). How should I go about using AWS Amplify APIs for GraphQL using this access token?
Amplify.API.query
Amplify.API.mutate
Reading the documentation, it seems to me I have to login user using Amplify Auth only to use these APIs. In other words, how do I let Amplify know that I have access token of an authenticated user and allow me to use GrapQL APIs? Or authentication via Amplify Auth is the only way?
Amplify will handle this for you out-of-the-box.
After you authenticate the framework will take care of handling the JWT for you. If you want to see an easy enough implementation of authentication with Cognito + Amplify I recommend you this codebase:
https://www.amplifyauth.dev
https://github.com/dabit3/amplify-auth-demo
After you have configured Amplify Auth and you create APIs using the Amplify CLI you'll be prompted if you want to create an authenticated or unauthenticated API.
On the client side, you'll just call the APIs using the Amplify JS library and the fact that you're authenticated or unauthenticated will be handled for you.
Hi I created an AWS Amplify project with React, and GraphQL. It looks like Appsync offers a UI playground to play with GraphQL queries. I created my GraphQL API to use AWS Cognito Userpool for Authorization and I am using Google Federation login. How can I use the Google user that Cognito creates with Appsync's GraphQL API playground? The login modal shows clientID, userID and password but Google user that cognito creates after a federation login doesn't have a password right?
That playground doesn't support users federated through a social provider to the user pool, only usernames and password that are created in the user pool.
AWS Cognito provides two services: user pools and identity pools. Both are similar but different concepts, ok so far.
I want to use the feature federation of a user pool.
I do NOT want to use this feature with the hosted UI.
I do NOT want to use this feature with identity pool.
I would like to use the federation login of a user pool of facebook or google of a user pool in a reactive native application. For example only with AWS sdk, for example, auth SDK from amplify.
However, I find no possibility to use the federation login of the user pool over the API (not hosted UI).
A synonym to Auth.signIn but with federation facebook using react native, for example with expo.
With expo i get the facebook tokens via
const { type, token, expires } = await Expo.Facebook.logInWithReadPermissionsAsync(aws_exports.aws_facebook_id, {
permissions: ['public_profile'],
});
How to use federated Auth using aws-amplify API without hosted UI?
Amplify does not use a User Pool API for signing in via a third-party provider, and the APIs offered for third-party providers are just for Identity Pools. Currently, there's a feature request with the AWS Amplify SDK team for the same.
A workaround would be to use the AUTHORIZATION Endpoint directly, and make suited HTTP requests to achieve your requirements.
Here's a post that shows how to use Google and Facebook to authenticate with the user pools. It's way too much to repeat here, so check out the link.
https://dev.to/dabit3/the-complete-guide-to-user-authentication-with-the-amplify-framework-2inh
Hope this helps.
I'm using Cognito with a user pool to provide authentication for my Ionic application application. The application use AWS Amplify to perform the Signup and Signin operation.
Now, I need to add facebook authentication so I added an external federated identity mapping also the facebook attributes to the corresponding Cognito user pool attributes.
On the application side I use the Facebook SDK to login with Facebook, receive Facebook's JWT token and call the Amplify federatedSignIn() to authenticate. The authentication works but no user is created inside the Cognito user pool (accordingly to official documentation "Whether your users sign in directly or through a third party, all users have a profile in the user pool").
Since the user is not created I cannot call the Amplify method currentSession() to get the token (to be used for lambda authentication) since there is no user.
Am I missing something?
This is the expected behaviour using federated identity. In order to use socials login through Cognito user pool its necessary to use Cognito's built-in hosted UI which is not supported by Ionic at the moment.
I am building web application based on microservice architecture. At this moment I am considering few ways of user authentication flow. I predict following, example user roles:
admin - is able to create content, upload files etc (admin account can be created only by another admin)
unauthorized user - can view content
authorized user - can comment content
Here is, how I was thinking about authentication flow so far:
authentication service - have access to DB with users credentials and permissions
api gateway - retrieve requests from user, check if user is logged in (ie verifies OAuth2 access token with auth service) and transfer flow to other services based on user request (attaching JWT token with some basic user info)
another service - accept only requests from api gateway, and trusts user data from JWT token (does not need to connect with auth service to get information about user).
After deploying some stuff on AWS infrastructure my way of thinking have changed a little bit. As far as I understand AWS products (Lambda - serverless applications and API gateway), I should implement authentication flow as follows:
authentication service - gets request from user, retrieve data from dynamoDB and provide user cookie with JWT signed by private key
any other service - retrieves request with JWT token, verifies signature using public key, and perform some action.
And now the question comes:
How deos AWS Cognito fits here? Is it something useful for me? As far as I understand, Cognito simplifies flow of authenticating users via 3rd parties (facebook, twitter etc. etc.). Does AWS Cognito serves login page, separated from my application, or it is only background/webservices impelementation?
So far I am thinking about Cognito as a replacement for my authentication service - any of my services, should impelemnt Cognito authentication flow provided by SDK from amazon, and my static website would implement JavaScript SDK for user login/register. Am I right?
First of all AWS Cognito consists of two services.
AWS Cognito UserPools (Which is the Identity Provider) - This is the service where you can create the users and manage their credentials with other policies. It can also provide the login screen where we can customize the logo and look and feel so that it can become a plug and play Login service. Then it is also possible to configure the authentication flow (For example to make the service as an OpenIDConnect authentication provider so that it will return a JWT token once user logs in). It is also possible to connect Social Identities (Facebook, Google & etc.) and SAML.
AWS Cognito Federated Identities (Identity Federation to grant users access AWS Services) - This service is capable of accepting AWS Cognito UserPool Token or direct access from other providers where we can federate the access to AWS resources. For example, AWS Cognito Federated Identities can grant temporal access to a User, Authenticated from another provider (e.g; AWS Cognito UserPools) to upload files to S3.
For more details refer the article The Difference Between AWS Cognito UserPools and Federated Identities?.
So coming back to your questions,
So far I am thinking about Cognito as a replacement for my
authentication service?
you can use AWS Cognito UserPools authentication service to issue JWT tokens and validate the token in AWS Lambda Custom Authorizer at your other service endpoints. This is also the place where you can do Authorization.
My static website would implement JavaScript SDK for user
login/register. Am I right?
Not necessarily. If you use AWS Cognito UserPools Hosted UI, you will get Login, Signup, Password Change, Confirmation pages, by default along with auto redirection for Federated Identities (Based on the configurations) such as Facebook, Google or Corporate Credentials like Office365. Although the customization is limited, you should be able to add your own logo and change the background color of these screens. If you plan to implement this by your self, then you can use AWS SDKs to implement these screens.
For more details on the serverless architecture refer Full Stack Serverless Web Apps with AWS.