I am attempting to work with the Autotask API. Would anyone be willing to share some "Postman" calls to see if I am on the right track?
Here is what I have tried.
Post - https://webservices/autotask.net/atservices/1.6/getZoneInfo?
Key -------------- Value
UserName ------------ myApiUserName#email.com
Assuming my credentials are correct (I'm not sharing them here), can you help me to understand why this does not work?
I too am in the early stages of looking into the Autotask API. I can successfully connect to the API from Postman...
You require an API User Account [not a normal user account]
The password for the API Account [obviously]
And a Tracking Identifier
The API user can be created within Autotask # Admin> features & settings> Resources/users> new Users. You will need to give the new user account the security level API User (System). Once you have created the API user account, you will need to generate the Tracking Identifier by clicking the Custom [internal integration] radio button in the bottom right hand corner. Then click the Generate button. Once armed with these three bits of information, you will need to go to Postman's Authorization tab and enter the API user credentials. Then go to the Headers tab and add the
Key: TrackingIdentifier
Value: <Your Tracking Identifier>
as this has to be included in the header of all GET, POST, DELETE etc. requests.
Finally you will need to be sure you are using the correct url as depending on where your Autotask tenancy is sitting the url will be different. [take a look at your url whilst logged into Autotask].
Hope this is helpful...
I'm setting up an OIDC provider for a Cognito User Pool. The OpenID Connect service I'm using is PayPal. At the step where PayPal issues the code and redirects to Cognito's /oauth2/idpresponse endpoint, after which Cognito is supposed to exchange the code for an access token, I'm receiving an "Exception processing authorization code" error. As you can see, the error message is not very descriptive.
I have no idea what I'm doing wrong. I did set up OpenID Connect properly. I set up client settings in Cognito, etc.
These are the endpoints I'm using for openid connect:
https://www.sandbox.paypal.com/signin/authorize
https://api.sandbox.paypal.com/v1/identity/openidconnect/tokenservice
https://api.sandbox.paypal.com/v1/oauth2/token/userinfo
https://api.sandbox.paypal.com/v1/oauth2/certs
In app client settings I have the auth code grant flow and the implicit flow enabled. I have a custom domain set up. I provided the PayPal client id and secret.
My guess is if I'm able to somehow debug idpresponse endpoint I should be able to solve the problem. Is there any way to do that? Maybe cloudwatch?
I don't know about debugging Cognito's endpoints, but I had the same problem and fixed it by doing the following:
Go to your User Pool in AWS.
In the side navigation under Federation, select Attribute mapping.
Click the tab of the identity provider you're having issues with (in my case it was Google).
There should be three columns, Capture, Google attribute, and User pool attribute. Make sure all of the attributes that are checked in the Capture column are mapped to an attribute in the User pool attribute column.
UPDATE:
After submitting this answer, I realized that the checkboxes in the Capture column are not checked by default. If you marked any attributes as required in the Attributes section of your user pool, then you need to map those attributes to the attributes provided by your external identity providers.
For example, I marked email as a required attribute in my user pool settings. So, when I added Google as an identity provider, I had to go to Federation->Attribute mapping, click on the tab for Google, check the box in the Capture column next to email, and select Email from the dropdown box in the User pool attribute column.
After taking these steps, the sign in work-flow worked for me.
My guess is the auth flow works just fine between Cognito and your identity provider, but Cognito doesn't know how to map the attributes returned from the identity provider to the attributes you have set in your user pool (in General settings->Attributes under the Which standard attributes are required section).
I am using the AWS Cognito API. I am trying to log in using the code provided at this URL https://github.com/pmill/aws-cognito/blob/master/examples/login.php, and I am getting the exception "Auth flow not enabled for this client" "InvalidParameterException". Please let me know if I am missing something or doing something wrong. The user was signed up and confirmed successfully but is not able to log in. Any help would be appreciated.
Thanks
Sounds like there is some issue with your Userpool settings. In the Cognito Userpool console, select your Userpool. Go to App Integration --> App client Settings. Select your App Client. Under OAuth2 --> Allowed OAuth flows, select the first 2 options (Authorization code grant & Implicit grant). Also, under Allowed scopes select the ones you want to allow. You can select all of them for testing. Save the changes. This should fix the error (at least the first one - "Auth flow not enabled for this client"). See if you get any errors.
If you still get the error, then maybe ADMIN_NO_SRP_AUTH is not enabled for your client. In your Userpool settings, go to App Clients (and not App Client Settings). Click on Show Details for your app client. Select the ADMIN_NO_SRP_AUTH option, i.e. Enable sign-in API for server-based authentication, and save. See if this fixes your issue.
I published one article on fixing this error on Linkedin. Here's the link: https://www.linkedin.com/pulse/amazon-cognito-how-fix-error-auth-flow-enabled-client-malik/
My brief answer is: please check "Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH)" as shown in the picture below.
I would like to use a Cognito User Pool for Facebook logins only, which may be possible using the built in login form, but I need to use my own.
Theoretically, when it comes to a custom form, it shouldn't be hard: after I receive a user object from FB, I bind the user and email attributes to the ones in my User Pool and I save it.
But what to do about the password field and future authentication? And here I have failed during my journey...
...
userPool.signUp('FoobarUser', '**password?**', attributeList, null, function(err, result){
...
While digging deeper into the docs, I tried to implement an Identity Pool (Federated Identities) and managed to save user info in the form of datasets as well, but then I realised querying these sets is gonna be a huge pain, if possible at all.
Maybe I'm failing to understand the concepts, I would be really thankful if someone could suggest a way to manage facebook logins in a nicely organised fashion using Cognito.
So here is what I understand from your query.
Setup
Link Facebook to userpool
The app client allows only Facebook login, no other providers allowed (not even Userpool)
On login, you want Facebook user's info to be automatically populated in your Userpool
You don't want to use Cognito's builtin UI but use your own
My 2 Cents
In your app client, just select Facebook
In your UI, have a login button. On clicking it should redirect to your userpool's authorization endpoint
https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=https://www.example.com&response_type=token&client_id=your_appclient_id
If you want to use your own UI with multiple providers, allow the same in Client and on clicking the appropriate button in your UI (say Facebook), redirect users to the authorize endpoint but append the identity_provider in the URL
https://your_domain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=https://www.example.com&response_type=token&client_id=your_appclient_id&identity_provider=Facebook
If you want to see the names of all supported identity providers, use ListIdentityProviders API call
This way, all Facebook users will be automatically created in your userpool. Of course, their names will be random like Facebook_123jkjdwj but all their details will be correctly populated from the token as per your attribute mapping. As a plus, all auto-created users from a particular provider are added to an auto-created group 'Userpoolid_providername' eg. us_east_1_xxxx_Facebook.
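The redirect described in this answer, as an added example (not code from the answer or from AWS): it builds the authorize URL with properly encoded parameters and adds a `state` value, which the callback handler compares before accepting the tokens from the URL fragment. The domain, client id and redirect URI are the answer's placeholders; the function names are hypothetical.

```javascript
// Added example; the three placeholders are the ones used in the answer.
const COGNITO_DOMAIN = "https://your_domain.auth.us-east-1.amazoncognito.com";
const CLIENT_ID = "your_appclient_id";
const REDIRECT_URI = "https://www.example.com";

// Build the /oauth2/authorize URL. `state` must be an unguessable value the
// caller generated and stored for this login attempt. `provider` is optional:
// when set (e.g. "Facebook"), the user is sent straight to that provider.
function buildAuthorizeUrl(state, provider) {
  const url = new URL("/oauth2/authorize", COGNITO_DOMAIN);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("response_type", "token"); // implicit grant, as in the answer
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("state", state); // echoed back on the redirect
  if (provider) url.searchParams.set("identity_provider", provider);
  return url.toString();
}

// Parse the URL the browser lands on after sign-in. With response_type=token
// the tokens arrive in the fragment (after '#'), not in the query string.
function parseCallback(callbackUrl, expectedState) {
  const frag = new URLSearchParams(new URL(callbackUrl).hash.replace(/^#/, ""));
  if (frag.get("error")) {
    return { ok: false, reason: frag.get("error") };
  }
  // Reject responses that do not belong to a login this page started.
  if (!expectedState || frag.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const accessToken = frag.get("access_token");
  if (!accessToken) {
    return { ok: false, reason: "missing token" };
  }
  // id_token is only present when the openid scope was granted.
  return { ok: true, accessToken, idToken: frag.get("id_token") };
}
```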
Once the cognito-id is created for a user logging in via Google, how do I find the email id of the user?
As shown in the above picture, I can find the cognito-id, but couldn't find any other information that google could have supplied when the user logged in.
Any help is appreciated.
Thanks in advance,
First make sure you provide email in scopes. Usually the scope is defined as profile email openid.
Next you have to "Configure attribute mapping" which is on the bottom right of the "Identity providers" section. There you can map Google's email attribute to the Email attribute of the user pool.
You'd probably have to remove users from the pool that logged in prior to the additional configuration to properly fetch the attributes. You can do this by clicking on the Google user in the user pool, then clicking "Disable", then "Delete". For example, I couldn't see the picture attribute of a Google user until I removed my user from the pool and logged in again.
You should now be able to see the email attribute (and other properly configured) when you click on the user. You should also be able to see these attributes when you decode the id_token and when you call the <AUTH_DOMAIN>/oauth2/userInfo endpoint.
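One way to do the id_token check mentioned at the end of this answer, as an added example for Node.js (not code from the answer or from AWS): it decodes the token payload for inspection only, without verifying the signature, and reports which expected attributes did not arrive. The sample token and its values are constructed here, and the function names are hypothetical.

```javascript
// Added example. Decodes a JWT payload WITHOUT verifying the signature:
// fine for checking attribute mapping, never for authorization decisions.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  // base64url -> base64, then restore the padding that JWTs strip
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Report which of the attributes you mapped actually arrived in the ID token.
function checkMappedClaims(idToken, expected) {
  const claims = decodeJwtPayload(idToken);
  if (claims.token_use !== "id") {
    return { ok: false, reason: "not an ID token", missing: expected };
  }
  const missing = expected.filter(
    (name) => claims[name] === undefined || claims[name] === ""
  );
  const reason = missing.length ? "unmapped attributes" : null;
  return { ok: missing.length === 0, reason, missing, claims };
}

// Helper that builds a constructed token with a fake signature for the demo.
function makeSampleToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(payload), "constructed-signature"].join(".");
}

// Constructed sample: a Google user whose email was mapped but whose
// picture was not (the situation the answer describes before re-login).
const SAMPLE_ID_TOKEN = makeSampleToken({
  token_use: "id",
  "cognito:username": "Google_1234567890",
  email: "user@example.com",
});
```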
Cognito leverages these tokens to sign in users, but doesn't store any additional metadata against the user. It doesn't track any of it, so you won't see it there. To do so, you'd need to grab it from Google during sign in, and either store it in Cognito sync or in an external datastore (e.g. a dynamo table keyed by identity id).
After the user has logged in; I have security on page 1 (homepage) of an Apex application which prevents unauthorized users getting any further. Once the user has logged in, it goes away to an apex authorization group and checks whether their name is in the group. If it isn't, it says...you shall not pass.
However, if an authorized user copies the web address of page 3 (view employee salaries) and gives it to an unauthorized user, they can use it: it redirects them to the login page, they log in, and they're in to that page!
To get round this, as a temporary measure I set up each page to have the same authorization group as on page 1. This works, but surely there must be a simpler way to manage this?
E.g. the user enters the web address, it redirects them to the login page, and once they are logged in it doesn't work as they are not part of the group?
I think I found a solution; there is something called 'Deep Linking' under the security tab in the Application's properties. I have now set this to disabled and it always redirects the user back to the homepage.
The correct method is indeed to set up authorization schemes on objects that have to be screened off. In apex 4.2 however (I believe - don't think this was in 4.1) you can go to "application properties > security" and there is an "authorization" section there where you can set up a global authorization scheme.