Facebook authentication for Cognito user pool without hosted UI - amazon-web-services

I am building a web app and I would like to accomplish the following:
Authenticate/store users using AWS Cognito User Pools (Not "Identity Pools")
Allow users to sign in with both Facebook and username/password.
Use my own UI (not the hosted UI offered by AWS)
I have set up a User Pool with Facebook as an Identity Provider and an app client, but I can't seem to figure out how I can actually let users sign up.
I've tried a number of things using aws-amplify and amazon-cognito-identity-js, but everything ends up only authenticating the user in the "identity pool" (which I don't really understand why I even need one just to use "user pools").
Considering the AWS mobile SDKs somehow accomplish authentication without requiring the redirects used by the hosted UI, I would think it must be possible to also do this on the web.

Related

Account Linking In Alexa

We are building complete serverless architecture using AWS services for all of our api's (using API Gateway + Lambda functions + DynamoDB) and to control our devices we are using aws-iot platform. Mobile to devices interaction will happen over the aws-iot. On mobile side for user management we are using firebase and all business logic is in Lambda function. Now we want to work with Alexa with our existing architecture flow, but we are confused with the account linking part. Do we have to implement our own auth server which will take care of authorization part or should we move to cognito user pool + login with Amazon, so that we will have user management and auth at the same platform.
Yes, you usually have to set up your own oAuth 2.0 if you want to do Account Linking with a user in your system. As you mentioned, there is also the possibility to use "Login with Amazon" (LWA) which makes things a little easier. However, you will only get a user's email address and name (often, this is enough).
If you don't want to set up your own oAuth server, there are also tool providers that can do user management for you, like Auth0. For example, Auth0 can be used to connect different identity providers like Facebook, Google logins, but also allows for username + password.
You can find a detailed step by step guide to set up Alexa Account Linking with Auth0 here. Let me know if you have any more questions!
The documentation states the following providers can be used for authentication Github, Facebook, Twitter, Google. I don't see how you'd be able to link in with Amazon / Alexa. Also I'm not sure why you would want to use Firebase and not AWS Cognito.

OAUTH2 server for getting AWS Cognito User Pool token?

I am attempting to allow a third party app (Google Home) to access information from a AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our oauth2 page where they log into their account in the cognito user pool
They succesfully log in and are provided with an oauth token
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to setup the cognito user pool as an oauth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities) but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Login to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URIs as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://.auth..amazoncognito.com/authorize?client_id=&redirect_uri=&response_type= and same way you can find the token endpoint.
More details...

AWS cognito: sign in with usernam/password OR facebook

I want to integrate a pretty standard functionality: give option to user (mobile and web) to either login with email/password or with facebook (google) account with RBAC (different users may have different roles, like users, moderators, admins, creators, etc). Here is basically what I want from sign in:
I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.
Here is my current understanding (please correct me where I'm wrong).
1) For the email/password signup/signin I use a User Pool. When user signs-in I call authenticateUser (I'm using JS SDK):
cognitoUser.authenticateUser(authenticationDetails, {
..
})
where onSuccess
I store identity, access and refresh tokens, so, user
doesn't have to enter his credentials every time
Because users will be accessing AWS servicess (e.g. S3) I exchange idToken to AWS credentials
Store AWS creds in LocalStore for further use, when access resources
2) For the facebook sign-in I use Federated Identity
get a facebook access token
with fb token get a cognito identity
exchange a cognito identity to AWS creds and store those in LocalStore
Questions:
Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?
Q2. How should I store facebook users? Can I do it in User Pools? I have impression that it's not possible, but that means I have 2 different user directories: one in UserPool and another one in another place (lets say in DynamoDB)
Q3. If I have to store users in different places (UserPool and DynamoDB) that means I have 2 users for essentially one user, who first registered with email/password and then decided to use facebook - this is inconvenience for both me as app admin and user. How to deal with this situation?
Q4. How to manage groups for users, who signed-in with facebook token (like users, moderators, admins, creators, etc)?
Q5. How should I restrict access to resources other than AWS for facebook signed-in users?
Q6. Any working example for this?
Thanks!
We added support for Federation through Facebook, Google and LoginWithAmazon for User Pools. This will create a user in user pool when a user logs in with federation. You can also capture the attributes from the identity provider using the attribute mapping feature.
Also if you use the app integration feature, Amazon Cognito User Pools wil generate a sign-in page like this for you.
Steps to SignIn/SignUp with a social provider through Amazon Cognito Console:
Configure a domain for your user pool like .auth..amazoncognito.com
Add any social provider and configure attribute mapping.
Enable the provider on the App Client.
Configure the callback URI, OAuth response type and allowed scopes.
Access your hosted UI at https://.auth..amazoncognito.com/login?client_id=&response_type=&redirect_uri=
Click on the button to SignUp/SignIn with Facebook (or your provider).
Authenticate with the provider, you will be redirected to the callback URI with tokens/code.
Check the newly created user in Amazon Cognito console.
I'm human and may have missed something, but that sounds pretty good to me.
You can't store a federated identities login in user pools. Thing of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.
If a user logged in with both, linking those logins, you might want to consider avoiding user pools attributes entirely and only using dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools requires it's login token to see/update attributes. The user would have to login with the user pool to touch those attributes, it'd get messy.
I don't know that this is supported out of the box, like it is with user pools. You might have to do this using your hypothetical user database described above.
You can also link your user pool to Cognito as a provider, much like you do for Facebook. That's how you exchange an id token for credentials.
No official example from the service, though I can't speak for others.

Authentication Mechanisms on AWS

We are developing a Saas application on AWS and were looking for ways to store application user login credentials on AWS. User volume will grow quite a lot and would be in thousands presumably. I looked at IAM too but looks like it has a limit of 5000 user profiles whcih we might exhaust down the line.
I dont want to store these on RDS in even a hashed form.
Thanks!!
IAM is for your AWS account users, not for your application users. It sounds like Cognito might be what you're looking for.
Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the options to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system
You can use AWS Cognito user pools to save your application users. It will allow your web/mobile app users to sign up and sign in.
Have a look at this

AWS Authentication

I am trying to authenticate users via AWS Cognito/IAM services from my webapp. I have implemented Facebook and LinkedIn login and I'm wondering how I could use AWS to implement username+password login via my UI. Is there a way for me to set it up so that all I have to do is drop in button for username+password login on my view and that will authenticate users and redirect back to my backend service (similar to Facebook/LinkedIn) and where I can put in an endpoint URL?
Do let me know If I need to be clearer.
Edit1: I have already tried using Developer Authenticated Workflow (enhanced workflow). I don't want to do the part where I create the User in my user pool by calling the AWS Cognito Identity API. I'd like AWS to do the user creation by itself. is this possible?
Edit2: Another alternative solution is to create a Lambda which does what I want. But this is similar to the code to do that (which is on my backend).
At the moment there is no complete solution for this. You have to either use newly introduced AWS Cognito User Pools or create your own one. I would also recommend to checkout the project https://github.com/danilop/LambdAuth which worth trying.
You can create AWS Cognito user pools and create the roles for authenticated and unauthenticated users and assign some policies for both roles. Once you have created the user pool you will necessary code to use in your web or mobile application. Refer How to setup Cognito user pools.