Use Twitter as Identity Provider in AWS Cognito - amazon-web-services

I'm want to implement social-sign in with twitter in Cognito and test it using the build in UI page but I cannot find any relevant guidelines to do this.
My use case is to authenticate user with twitter credentials and obtain user information like firstname, lastname, email, country.
I've found this relatively old post: https://aws.amazon.com/blogs/mobile/announcing-twitter-and-digits-support-for-amazon-cognito/
But it seems that the native support for twitter was removed from Cognito? Because in Cognito under Identity Providers there is no twitter option.
Does anyone know what happened regarding this?
From what I've found in the twitter documentation regarding using twitter as a IdP it seems that it is not using OpenID Connect specification but some OAuth1 custom extension (I'm not sure if what I stated is correct): https://developer.twitter.com/en/docs/twitter-for-websites/log-in-with-twitter/guides/implementing-sign-in-with-twitter
But I did not find any OpenId Connect endpoints for twitter like the ones from Microsoft for example (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration)
Is there any way that I can implement sign-in with twitter in cognito? And also to test this using the cognito build-in login UI?

As far as I know Twitter's current sign-in mechanism is based on OAuth 1.0 which is not OpenID Connect. So I would suggest you building some custom Auth Mechanism using OpenID (there might be already open source solutions), link it to Cognito and inside this custom auth app you authenticate with Twitter OAuth 1.0. So in other words, build a bridge between Cognito and Twitter via custom OpenID app.

Related

Google Identity Platform 3rd party access?

My question is how a 3rd party developer would login users through my Identity Platform? I looked at the documentation but found nothing.
Essentially I want to use Identity Platform as an OIDC Provider, but I don't know if that's supported.
Cloud Identity Platform is based on Firebase Auth product (literally because the documentation and the Javascript to add are still in Firebase perimeter!).
This product allows you to delegate the authentication to a third party, either Firebase auth if you use login/password authentication, or to connect Identity Provider (IdP).
There is several built in IdP like Google, LinkedIn, Facebook, Twitter,... and you can add custom Auth0 provider (SAML) and OAuth2 provider (OIDC).
The platform only allow you to perform an authentication and then redirect the user to YOUR app. Then, it's to YOUR app to ensure the correct authorisations and roles of the user.
All of this for saying to you:
Think about firebase Auth feature: originally, it has been designed to authenticate user that wants to connect to Mobile App, on Android. Today it's the same thing but, in addition, for your web app
It's designed for YOUR application with YOUR roles and authorisations. By the way, if your target is to allow your 3rd party developers to log into Google Cloud console thanks to this authentication mode, it's not possible.
But, stay tuned, awesome things are coming soon on this field
John is right, more details would help. But if I had to guess you are referring to the fact that Google Cloud Platform IAM does not handle Identity part only authorisation. You could, however use G Suite or Google Directory Sync (which can integrate with LDAP server or Active Directory.
You can refer to the link below which shows you how you can integrate with OIDC:
https://cloud.google.com/solutions/authenticating-corporate-users-in-a-hybrid-environment

AWS Cognito User pool Forgot Password with Google Captcha

We want to implement Cognito User pool: Forgot Password feature on the Angular Web APP by asking to validate using Google Captcha. Upon doing research we found that Forgot password API doesn't support custom parameters: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html
Is it possible to UserContextData field for this?
In web App we are using aws-amplify and it doesn't seem to support it:
https://aws-amplify.github.io/amplify-js/media/authentication_guide.html#forgot-password
Are there any workarounds for this?

iOS - AWS developer authentication, User registration Process

In my application i am using AWS SDK for development. i am able to do all the operations except user registration(In Developer authentication). In AWS they mentioned that for user registration we have to write our own backend code. But i do not have any idea about backend. I am thinking that if amazon provides straight forward solution for user registration it would be helpful. And i gone through server side setup(amazon provided sample code), but there we can register the user through browser not through ios client.
In my application user registration contains emaild, username, password and photo selection options.
For user registartion (developer authentication), i have done more research, but i did not find any direct solution.
Can any one please provide direct solution or any good tutorial to implement our own backend for user registration.
Thanks in advance.
You have a couple options to use Amazon Cognito and providing a complete registration system for users without building a backend: OpenID Connect and Open Source.
OpenID Connect: Since Cognito Supports OpenID Connect-compliant identity providers, you can leverage products out there that federate/broker multiple social providers and expose the federated user via OpenID Connect which have special support for Cognito including Ping Federate, Auth0, and SecureAuth to name a few. I also understood that Okta provides an OpenID Connect identity provider so it might be worth looking into.
Open Source: LambdaAuth is a bare bones project that leverages Lambda and Cognito to provide a registration and authentication backend. Cognito Helper is another one that appears to have more features and be more developed. If one of those have the features you need, they should be easy to deploy and run on server-less Lambda, so they're easy to maintain and you pay only for what you use.
While the details of your registration process will depend on the needs of your application, you may want to consider using API Gateway to front the registration logic you write.
API Gateway will generate an SDK for you which you can use in your application to call your API.
You can have your application call your registration API which handles all of the logic for doing the backend portion of acquiring credentials: http://docs.aws.amazon.com/cognito/devguide/identity/concepts/authentication-flow/#developer-authenticated-identities-authflow

How to retrieve Microsoft Azure ACS claims from Facebook as Identity Provider

this is my first ever proper post, apologies for breaking any formatting conventions.
I am working on a simple app that is using the Microsoft Azure ACS for authentication and Facebook as the Identity Provider. At the moment this is just a index.php page which echoes out a big HTML chunk rendering the login page and accessing the Facebook API.
So far I have been able to set up my ACS account with the correct settings and successfully add Facebook as an identity provider. I am able to login with Facebook and return to my app, as well as use the Facebook API to get information about the user. However, I would like to get the original claims generated by ACS back from Facebook, like the "AccessToken" and "emailaddress" which are set in the ACS management, so that I can later provide this token back to ACS and continue with authentication. I cannot seem to find how to do this anywhere in the Microsoft Doc or Facebook API.
Any help would be appreciated !
I would not recommend using ACS as Microsoft is discontinuing it. You should either consider integrating directly with FB (multiple frameworks for this, and quite a bit of docs if you search for it), or consider using an alternative to ACS like Auth0.
Disclaimer: I work in Auth0.

Django - SSO with multiple auth sources - LDAP?

I have an application running on Django and a bugtracker (redmine).
I'd like to have the same accounts for my users on both applications.
So I decided to install an LDAP on my server and plug my apps on.
In the mean time, in the future I'd like to give my users the ability to attach their accounts with OAuth, OpenID (like Google, Facebook, ...).
Is LDAP still a good idea for this purpose ?
Is it something usual and how easy ?
With a unique LDAP you get resolved the duplicated account problem but you dont get the SSO or SLO functionality. The Ldap plugin of Django and Redmine are easy to configure and are well documented. Same happens with the OpenLdap server.
If you are thinking in the future, I think a nice solution would be to set a SAML enviroment.
Use simplesamlphp to build a IdP and enable the authentication sources that you want: Facebook, Gmail, Ldap, etc
Use djangosaml2 to add SAML support to django and connect it with the IdP
Use this plugin to add SAML support to Redmine and connect it with the IdP
At the end you get a system based on SAML, a protocol that actually are using Google and other big companies.