AWS Cognito hosted-UI and preventing concurrent user sessions - amazon-web-services

Our website prevents concurrent user sessions. A user can have their session active on only one device/browser at the same time. Today we are switching to AWS Cognito User Pools as the authentication provider. The Cognito hosted UI is used for sign-in. How do we prevent concurrent user sessions on Cognito?
John Doe opens our website and clicks Sign-in.
His browser navigates to the Cognito hosted UI https://save-ca-dev.auth.us-east-2.amazoncognito.com/login?redirect_uri=http://localhost:3000/user_sessions&response_type=code&client_id=4hlhf1cvm18lkst3dm8ru8oc73
John inputs his credentials and clicks Sign-in.
He is redirected back to our website. He has signed in successfully.
John Doe opens our website on another PC.
He repeats the sign-in procedure. He has signed in successfully on the other PC.
On the second sign-in, our website invalidates the first user session. If he tries to work on the first PC, he will be an anonymous user.
Let's say John goes back to the first PC and directly opens the Cognito hosted UI /login.
Problem
Cognito still shows John as signed in and will not ask for his credentials.
Desired result
Cognito should ask for John's credentials. How could I achieve that?
I tried turning on Cognito device tracking and remembering; it seems I could use the ForgetDevice API. But all the documentation leans towards mobile devices. Is that suitable for a PC browser? Also, device tracking requires device credentials to be generated.

It would not be possible to obtain the desired result using the Hosted UI, with its current design.
To get the desired sign-out result, you would need to create a custom web/mobile application and utilize the LOGOUT OAuth 2.0 Endpoint and the GlobalSignOut API accordingly.

You also have to log out from the Cognito hosted UI when your website invalidates the session.
https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
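The two answers above combined into one server-side flow, as an added example that is not from the original thread: the website keeps one active session per user, revokes the user's Cognito tokens with AdminUserGlobalSignOut when a second sign-in displaces the first, and sends the stale browser to the hosted-UI /logout endpoint so the Cognito session cookie in that browser is cleared. The user pool id, hosted-UI domain, client id and logout URI are constructed placeholders, and RecordingClient is a constructed stand-in for a boto3 cognito-idp client (same method name and keyword arguments).

```python
from urllib.parse import urlencode


def build_logout_url(hosted_ui_domain: str, client_id: str, logout_uri: str) -> str:
    """Hosted-UI /logout URL that clears the Cognito session cookie in the
    browser that follows it. logout_uri must be registered on the app client."""
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{hosted_ui_domain}/logout?{query}"


class RecordingClient:
    """Constructed stand-in for a boto3 cognito-idp client; records calls."""

    def __init__(self):
        self.calls = []

    def admin_user_global_sign_out(self, **kwargs):
        self.calls.append(kwargs)
        return {}


class SingleSessionStore:
    """At most one active website session per Cognito username."""

    def __init__(self, cognito_client, user_pool_id, hosted_ui_domain, client_id, logout_uri):
        self._client = cognito_client
        self._pool = user_pool_id
        self._logout_url = build_logout_url(hosted_ui_domain, client_id, logout_uri)
        self._active = {}  # username -> session_id

    def sign_in(self, username: str, session_id: str):
        """Register a new session; returns the displaced session id, if any."""
        previous = self._active.get(username)
        if previous is not None and previous != session_id:
            # Revoke every refresh token of the user, so the first browser
            # cannot silently obtain new access tokens from Cognito.
            self._client.admin_user_global_sign_out(UserPoolId=self._pool, Username=username)
        self._active[username] = session_id
        return previous

    def check_request(self, username: str, session_id: str):
        """Per-request check. A stale session gets a redirect to the hosted-UI
        /logout endpoint, which clears the Cognito cookie in that browser so the
        next visit to /login prompts for credentials again. None means OK."""
        if self._active.get(username) == session_id:
            return None
        return self._logout_url
```

Only the browser that holds the cookie can clear it, so the redirect must happen on the next request from the displaced PC; GlobalSignOut alone leaves the hosted-UI cookie in place.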

Related

Single Sign-on : Microsoft 365 not asking to pick an account

I have implemented SSO for my application. I am using AWS Cognito as the Service Provider and Azure AD as the Identity Provider. The IdP is configured through SAML in Cognito. Below is the generated URL:
https://<my_custom_domain>.auth.us-east-1.amazoncognito.com/oauth2/authorize?identity_provider=<IdP_Name>&redirect_uri=<Callback_url_passed_in_Cognito>&response_type=TOKEN&client_id=<Client_Id>&scope=aws.cognito.signin.user.admin%20email%20openid%20profile&state=transit
In my application, when a user tries to log in initially with their MS 365 account it asks for user credentials.
But after logging out from the app, if the user attempts to log in again with a different account, it does not ask the user to enter credentials or pick an existing account. It directly logs the app in with the previous account.
Note: my app asks which account to use only if there are multiple MS 365 accounts signed in in my browser. If there is a single MS 365 account present, my app uses that one without asking the user to sign in with a different account.
Since you have specifically mentioned SAML for Cognito and Azure AD integration, this answer is based on that.
When a SAML service provider (SP) initiates a SAML auth request with Azure AD, it can specify the ForceAuthn parameter as true. With that, Azure AD should always prompt the user to authenticate. Please refer to this document. So that is supported in Azure AD.
But as far as I know, Cognito doesn't support including that parameter in the SAML AuthnRequest. The same concern has been raised in this question as well.
Even though I haven't tried it, I think you should be able to use the sign-out flow in the Cognito SAML configuration along with Azure AD single sign-out. So I believe it should sign the user out from Microsoft and should prompt for credentials when the user tries to sign in again.
I tried to reproduce the same in my environment and got the below results:
Note that:
SSO allows users to authenticate once and access applications without re-entering credentials.
Single Sign-On allows users to log in only once to access applications without having to enter the login information each time.
Hence, if there is only a single MS 365 account present, it doesn't ask the user to pick an account.
As a sample, I configured SSO and tried to access the below endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=XXXX
&response_type=code
&redirect_uri=redirecturi
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The browser prompted to Pick an account when there were multiple accounts only like below:
Alternatively, you can make use of prompt=login in the authorize endpoint and enter the credentials to access the application. The prompt will appear like below:
Otherwise, to ensure the Pick an account screen, try creating a conditional access policy which requires multi-factor authentication (MFA) or device compliance when the user tries to access the application.
Reference:
Single sign-on - Microsoft Entra | Microsoft Learn

Why does AWS Cognito ask me which app client to use every time?

I am using AWS Cognito for authentication purposes.
Every time I hit the Cognito domain name it asks me to select the App client.
Is there a way I can stop Cognito asking me to select the App client I want to use for authentication?
Please do let me know the way.
The screenshot that you have posted asks you to select the user with whom you'd like to log in, and it has nothing to do with the App Client. Every App Client of a User Pool works with the same set of users in the pool, but with different authentication settings. If you want to select the App Client for your Cognito Authentication Engine, you can specify the App Client ID in your Cognito Hosted UI Domain. An example URL is as follows:
https://auth.example.com/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
If you specify the App Client ID in your Hosted UI Domain/Custom Domain, you can run your Engine only on that App Client.
The text following "Continue with" is not the app client but your logged-in username.
After you log in with your username/password credentials, a session cookie will be set on your Cognito domain to indicate you are already logged in. This session cookie's expiration is not configurable and is set to 1 hour. The Logout Endpoint removes this session cookie.
When you re-enter the Cognito login page, it will detect that you already have a session and present you with the "Continue with" page to confirm that you still want to continue as this user.
If you want to dodge this screen, you can use the Authorization Endpoint, which will first check whether you have the Cognito domain session and, if you do, automatically redirect you to the redirect URI (your application, with an authorization code); otherwise it will redirect you to the login form via the Login Endpoint.
https://COGNITO_SUBDOMAIN.auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=APP_CLIENT_ID&redirect_uri=REDIRECT_URI
Authorization Endpoint: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

Facebook authentication for Cognito user pool without hosted UI

I am building a web app and I would like to accomplish the following:
Authenticate/store users using AWS Cognito User Pools (Not "Identity Pools")
Allow users to sign in with both Facebook and username/password.
Use my own UI (not the hosted UI offered by AWS)
I have set up a User Pool with Facebook as an Identity Provider and an app client, but I can't seem to figure out how I can actually let users sign up.
I've tried a number of things using aws-amplify and amazon-cognito-identity-js, but everything ends up only authenticating the user in the "identity pool" (which I don't really understand why I even need one just to use "user pools").
Considering the AWS mobile SDKs somehow accomplish authentication without requiring the redirects used by the hosted UI, I would think it must be possible to also do this on the web.

Amazon Cognito: What is the AuthFlow when the user logs in through Facebook/Google/other IdPs?

I'm not getting a clear picture of the authentication process when a user logs in through another IdP. My use case is an app that does not need AWS credentials.
If I get a token back after a user logs in from facebook for example, how do I connect that with a user in the userpool or my own database which may contain the user's app specific data?
user logs into facebook -> gets token back -> send token to amazon cognito (?) -> get back cognito token (?)
I'm currently looking for documentation on how to implement the above but there doesn't seem to be a direct link to it.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html
You could set up a social IdP such as Facebook and use the authorize endpoint.
Alternatively, Cognito now supports hosted signup and login pages for your application. You just need to create a Cognito domain, and set App Client Settings.

OAUTH2 server for getting AWS Cognito User Pool token?

I am attempting to allow a third-party app (Google Home) to access information from an AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our OAuth2 page where they log into their account in the Cognito user pool.
They successfully log in and are provided with an OAuth token.
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to set up the Cognito user pool as an OAuth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities), but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Log in to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URIs as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://.auth..amazoncognito.com/authorize?client_id=&redirect_uri=&response_type= and same way you can find the token endpoint.
More details...