How to use federated Auth using aws-amplify API without hosted UI? - amazon-web-services

AWS Cognito provides two services: user pools and identity pools. Both are similar but different concepts, OK so far.
I want to use the federation feature of a user pool.
I do NOT want to use this feature with the hosted UI.
I do NOT want to use this feature with an identity pool.
I would like to use the federated login (Facebook or Google) of a user pool in a React Native application, for example only with the AWS SDK, such as the Auth SDK from Amplify.
However, I find no possibility to use the federated login of the user pool over the API (not the hosted UI).
A synonym for Auth.signIn but with Facebook federation using React Native, for example with Expo.
With Expo I get the Facebook tokens via
async function facebookLogin() {
  const { type, token, expires } = await Expo.Facebook.logInWithReadPermissionsAsync(aws_exports.aws_facebook_id, {
    permissions: ['public_profile'], // Facebook permissions requested from the user
  });
  return { type, token, expires }; // token is the Facebook access token
}

Amplify does not use a User Pool API for signing in via a third-party provider, and the APIs offered for third-party providers are just for Identity Pools. Currently, there's a feature request with the AWS Amplify SDK team for the same.
A workaround would be to use the AUTHORIZATION endpoint directly, and make suitable HTTP requests to achieve your requirements.

Here's a post that shows how to use Google and Facebook to authenticate with the user pools. It's way too much to repeat here, so check out the link.
https://dev.to/dabit3/the-complete-guide-to-user-authentication-with-the-amplify-framework-2inh
Hope this helps.

Related

How to connect AWS cognito and VK social network?

I use the AWS stack in the BE for a mobile app. I have an AWS Cognito User Pool and have already organized authentication through Google, Facebook and Apple. Now I need to implement/configure authentication through the VK social network. VK doesn't support OpenID but it supports OAuth 2.0.
Unfortunately, I don't understand how I can implement it. Please share your experience.
OAuth is only about authorization. There is no authentication here. So to implement what you need you either have to implement the authentication yourself (and expose an OIDC token to Cognito), or use a third-party solution that can do it for you (whether it's paid or not).
While describing how to build your own OIDC wrapper for OAuth would be a topic for at least a few blog posts, what I can suggest is to use an existing solution that could integrate with VK.
One of those solutions is Auth0 (and no, I'm not associated with them in any way). It has a connector for vKontakte.
You basically need to chain the flow like that:
Configure Auth0 to authenticate with VK
Configure Cognito with Identity Pool and an OIDC connector with Auth0
This will work as follows:
You call Cognito's UI which will redirect you to Auth0
On Auth0 you will have a button to redirect to VK
After successful sign in you will be redirected to Auth0 and there you will have a new user
Auth0 will redirect back to Cognito and it will sync user data from Auth0 to your User Pool
That's just an example and there are probably more providers that could do the same thing.

How to use AWS Amplify GraphQL APIs if I have access token of a logged in user?

I am completely new to Amplify library. I have logged in my user using Cognito User Pool. I have the required access token (jwt token). How should I go about using AWS Amplify APIs for GraphQL using this access token?
Amplify.API.query
Amplify.API.mutate
Reading the documentation, it seems to me I have to log in the user using Amplify Auth only to use these APIs. In other words, how do I let Amplify know that I have the access token of an authenticated user and allow me to use the GraphQL APIs? Or is authentication via Amplify Auth the only way?
Amplify will handle this for you out-of-the-box.
After you authenticate the framework will take care of handling the JWT for you. If you want to see an easy enough implementation of authentication with Cognito + Amplify I recommend you this codebase:
https://www.amplifyauth.dev
https://github.com/dabit3/amplify-auth-demo
After you have configured Amplify Auth and you create APIs using the Amplify CLI you'll be prompted if you want to create an authenticated or unauthenticated API.
On the client side, you'll just call the APIs using the Amplify JS library and the fact that you're authenticated or unauthenticated will be handled for you.

3rd Party App Tokens within AppSync with User Pools

After some reading on Using multiple authorization types with AWS AppSync GraphQL APIs and The Complete Guide to User Authentication with the Amplify Framework, one thing I could not figure out is whether I can have 3rd party application tokens (e.g. like the Twitter API) and use AppSync+Cognito to generate credentials for service-to-service mutations/queries?
I already have a user flow via Cognito (type AMAZON_COGNITO_USER_POOLS). I want to centralize service-to-service calls using my AppSync. Limiting the service/token access would be great too (to only X Mutations, instead of the whole schema). Would that be possible?
I'm a bit lost around what are the current limitations.
do I need a Custom Authorizer in Cognito?
should I move everything to IAM credentials?
a Lambda Resolver with manual credentials check + AppSync call?
I can't do it and I need to store these tokens in a different place (DynamoDB, etc), with metadata/some id to have some kind of identity and always use Lambda Resolvers etc.
thoughts and insights are more than welcome,
thanks!
As of today, AppSync does support 4 types of user authentication
API key (no authentication)
IAM credentials
OpenID tokens
Cognito User Pool tokens
There is a request to add custom lambda authorisers as well, but nothing has been announced to date.
In your scenario, I would use Cognito User Pool authentication on the AppSync side and federate the Cognito User Pool with Twitter OIDC. I know a couple of years ago Twitter was only supporting a custom subset of OAuth2. I'll let you check if they do support OIDC now :-)
But you're not the only one asking this question
https://forums.aws.amazon.com/thread.jspa?messageID=881666
User pools for users who register via twitter?
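Two of the questions above come down to the same mechanical point: what a request to AppSync has to look like under each of the authorization modes the last answer lists, so that a JWT obtained outside Amplify (the "I already have the access token" question) or a token for a narrower service identity can still be used. This is an added example, not code from either question or answer or from Amplify; the endpoint, API key and schema are constructed placeholders, and AWS_IAM is deliberately rejected because it needs a SigV4-signed request, which is the AWS SDK signer's job rather than a header you can set by hand.

```javascript
// Constructed placeholders: an AppSync endpoint and a one-operation schema.
const APPSYNC_ENDPOINT = 'https://example.appsync-api.us-east-1.amazonaws.com/graphql';
const LIST_TODOS = 'query ListTodos { listTodos { items { id name } } }';

// Builds the POST AppSync expects. authMode uses the same names as the AppSync console/schema.
function buildAppSyncRequest({ authMode, credential, query, variables = {} }) {
  const headers = { 'Content-Type': 'application/json' };
  switch (authMode) {
    case 'API_KEY':
      // Public/unauthenticated mode: the key identifies the app, not a user.
      headers['x-api-key'] = credential;
      break;
    case 'AMAZON_COGNITO_USER_POOLS':
    case 'OPENID_CONNECT':
      // AppSync reads the raw JWT from Authorization (no "Bearer " prefix) and validates
      // its signature, issuer and expiry itself; the client only checks the shape.
      if (typeof credential !== 'string' || credential.split('.').length !== 3) {
        throw new Error('credential is not a JWT (expected header.payload.signature)');
      }
      headers['Authorization'] = credential;
      break;
    case 'AWS_IAM':
      throw new Error('AWS_IAM requires a SigV4-signed request; use the AWS SDK signer, not a bare header');
    default:
      throw new Error('unknown authMode: ' + authMode);
  }
  return {
    url: APPSYNC_ENDPOINT,
    method: 'POST',
    headers,
    body: JSON.stringify({ query, variables }),
  };
}

// Separates "the token was rejected" from other GraphQL errors so a client can refresh or
// re-authenticate instead of retrying blindly. AppSync reports rejected tokens and
// field-level @aws_auth denials with errorType values starting with "Unauthorized".
function classifyResponse(json) {
  if (Array.isArray(json.errors) && json.errors.length > 0) {
    const unauthorized = json.errors.some((e) => typeof e.errorType === 'string' && /^Unauthorized/.test(e.errorType));
    return unauthorized ? 'unauthorized' : 'error';
  }
  return json.data ? 'ok' : 'error';
}

// Usage: const req = buildAppSyncRequest({ authMode: 'AMAZON_COGNITO_USER_POOLS', credential: idToken, query: LIST_TODOS });
//        const verdict = classifyResponse(await (await fetch(req.url, req)).json());
```

Limiting a service token to "only X mutations" is enforced on the server side through the schema's per-field authorization directives (the multiple-authorization-types post the question cites), not by anything the client sends; the client's only choice is which mode and credential to present.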

Amplify withAuthenticator v/s withOAuth

AWS Amplify withAuthenticator v/s with OAuth
I want to implement an authentication mechanism for a React app. I am using the AWS Amplify framework. It provides 3 methods: either use a custom UI, or the withAuthenticator and withOAuth components. I see the withOAuth component provides the Cognito hosted UI while the withAuthenticator component provides the AWS Amplify custom UI.
What are the pros and cons of both, except the UI?
withAuthenticator is email & password against Cognito User Pools where the user is created in that directory. withOAuth and Auth.federatedSignIn use the OAuth endpoint of Cognito User Pools for OAuth flows, which performs redirects for you to authenticate users against a social provider such as Login With Amazon, Facebook, Google Sign-In, etc. A corresponding user account will be created in Cognito User Pools directory after this process takes place. More info can be found here: https://aws-amplify.github.io/docs/js/authentication#concepts

OpenID authentication in AWS API gateway

I created an API with AWS API gateway that triggers a lambda function. Now I want to restrict access to this API. I own an OpenID connect identity provider.
I want to require people to authenticate with my OpenID identity provider before accessing the API. What is the best way to do that? Apparently, I need an authorizer for my API. I read a lot of documentation, and from what is mentioned here, it seems that this would be possible with amazon cognito. However, here I can only find a way to use cognito user pools, while I want to use a cognito identity pool.
I want the typical authentication scenario, e.g. user calls the api, is redirected to my openid id provider, logs in, and can then access my api (which delivers html so all of this will be taking place in a web browser).
Is this actually possible with Cognito, or do I need to write a custom Lambda authorizer? If so, is there any documentation on writing an authorizer Lambda that uses OpenID, preferably in .NET?
You are mixing Authentication and Authorization.
Federated Identity Provider to Cognito:
You can use OpenID Federated Identity provider for Authentication.
The documentation below describes how to configure it:
https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
Once authenticated you can create a signed URL to protect your assets for the URL which you want to allow to.
Creating Signed URLs:
The documentation below describes how to create signed URLs using C#:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CreateSignatureInCSharp.html
Custom Authorizer:
Following commit on github shows an example implementation of C# custom authorizer.
https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/pull/13/commits/79d75fb7c5ee4f29fa06fd2ec28c704224cf8a7a
Hope it helps.