I'm currently getting started with aws services. I'm trying to build an admin UI for managing a cognito user pool. E.g I want to have some cognito users to have admin rights for creating new users from the UI etc. I'm a bit confused by the docs on the different ways to integrate authentication in API gateway, Lambda and DynamoDB. Do I need a Identity Pool for that use case? Or just different User Pool roles?
Thank you in advance for any help.
To use AWS resources you do need identity pool. You should create user groups in your user pool and assign them different roles in IAM. After this, create an identity pool and select cognito identity under the authentication providers. Also make sure you select "Choose Role from token".
Related
I have an authentication service currently integrated with CA layer 7 API Gateway. When user presents username/password to L7, it forwards the call to the auth-service, which returns JWT and session id if credentials are valid.
I am looking to integrate this auth service with AWS API gateway through cognito federated identities. I am not clear on how to integrate this set up and migrate the existing users to the user pools. I am looking for an option to eliminate the need of saving credentials in internal database. Is it possible once I migrate the users to user pools? Also, what all the features my auth-service should be able to support as added to federated identities.
It would be really helpful if you could share the relevant implementation samples.
You can import users into the cognito user pool. This will transfer all information except for the password. All users will need to create a new password when they try to log in for the first time.
If you don't want to use user pools you can just add your current authentication as a federated identity provider.
I think you should stick to just using federated identity unless you are not satisfied with your authentication app since cognito user pool requires passwords. It will be far simpler to just created a federated identity pool and configure your app with it.
We're building an application using AWS App Sync, we're still in a very early stage.
Our application has a restricted area, through user sign-in, which is being managed via aws cognito users pool. And this is fine.
We're having issues on the public area which doesn't require any authentication.
How can we protect these public endpoints?
We're having some doubts about hard coding the api key (that we know can be rotated), is it a good practice (documentation page says that it isn't ideal for production)?
Is there any way to authorise the origin? (aka, any request coming from www.foobar.baz is ok)
I would suggest using Amazon Cognito Federated Identity to control authenticated and unauthenticated access to the api. In order to do use Amazon Cognito Federated Identity with AWS AppSync, you need to use AWS IAM based authorization.
For the authenticated access you can use Amazon Cognito User Pools and federated to Amazon Cognito Federated Identity and since the federated identity can also allow for unauthenticated users it will allow you to control some api's which can be made public via an IAM policy.
For more information please read the AWS IAM Section of our security guide here
Under your AppSync app's Settings menu, where you set the User Pool Configuration, there is an option to set a default action. You can change this to DENY and all unauthenticated requests will be rejected. The alternative approach is to ALLOW everything, and manually add #aws_auth directives to every query/mutation/subscription field that you care about restricting.
I have set up a cognito user pool and have attached this to an identity pool. I wanted to allow only valid users from my user pool to execute my aws api. I have been reading about authorizing my api but there seems to be a number of ways to do this as follows:
Using an IAM role that I can attached to my authorized identity role
Using a custom authorizer in the aws api gateway
Based on what I want to do above, is there a recommended way to implement the api authorization?
Thanks in advance.
If the API you are calling, uses the user data, I would go with 2. If not, 1 would work as well. However, why do you want to integrate with an identity pool unless supporting federation with Google, Facebook etc.
http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Problem: I want to authorize my Amazon API Gateway hosted REST API users using Facebook Authentication.
My Understanding: I know Amazon Cognito can be used to authenticate users, calling as Federated Identities. Then, I saw Authenticate API Clients with Amazon Cognito Your User Pool, which authenticates for Cognito User Pool. I also found Use Amazon API Gateway Custom Authorizers, to use from custom authorization. But, I did not find to link API Gateway to authenticate using Cognito Federated Identities (i.e. Facebook here). Can we use same procedure as User Pool for Federated Identities as well or should I use as in Custom Authorizers ?
I'm a bit confused. Any help is greatly appreciated.
Thanks in Advance.
Cognito federated identities and Cognito user pools address different use cases.
With Cognito user pools, you explicitly manage the users which can access your service. This is useful when you want to limit access to your API to a fixed set of users.
With Cognito federated identities, you delegate user management to an identity provider such as Facebook, Google, or Amazon. In that case, anyone with a user identity for your chosen identity provider can access your service. This is useful when you want to make your API broadly available, but still need to associate individual identities with your API users in order to manage per-user state or resources.
To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.
I am trying to authenticate users via AWS Cognito/IAM services from my webapp. I have implemented Facebook and LinkedIn login and I'm wondering how I could use AWS to implement username+password login via my UI. Is there a way for me to set it up so that all I have to do is drop in button for username+password login on my view and that will authenticate users and redirect back to my backend service (similar to Facebook/LinkedIn) and where I can put in an endpoint URL?
Do let me know If I need to be clearer.
Edit1: I have already tried using Developer Authenticated Workflow (enhanced workflow). I don't want to do the part where I create the User in my user pool by calling the AWS Cognito Identity API. I'd like AWS to do the user creation by itself. is this possible?
Edit2: Another alternative solution is to create a Lambda which does what I want. But this is similar to the code to do that (which is on my backend).
At the moment there is no complete solution for this. You have to either use newly introduced AWS Cognito User Pools or create your own one. I would also recommend to checkout the project https://github.com/danilop/LambdAuth which worth trying.
You can create AWS Cognito user pools and create the roles for authenticated and unauthenticated users and assign some policies for both roles. Once you have created the user pool you will necessary code to use in your web or mobile application. Refer How to setup Cognito user pools.