Amazon Cognito: What is the AuthFlow when the user logs in through facebook/google/other idps? - amazon-web-services

I'm not getting a clear picture of the authentication process when a user logs in through another IdP. My use case is an app that does not need AWS credentials.
If I get a token back after a user logs in from facebook for example, how do I connect that with a user in the userpool or my own database which may contain the user's app specific data?
user logs into facebook -> gets token back -> send token to amazon cognito (?) -> get back cognito token (?)
I'm currently looking for documentation on how to implement the above but there doesn't seem to be a direct link to it.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html

You could set up a social IdP such as Facebook and use the authorize endpoint.
Alternatively, Cognito now supports hosted signup and login pages for your application. You just need to create a Cognito domain, and set App Client Settings.

Related

Why does AWS Cognito ask me which app client to use every time?

I am using AWS Cognito for authentication purposes.
Every time I hit the Cognito domain name it asks me to select the App client.
Is there a way I can stop Cognito asking me to select the App client I want to use for authentication?
Please do let me know the way.
The screenshot that you have posted asks you to select the user with whom you'd like to log in, and it has nothing to do with the App Client. Every App Client of a User Pool works with the same set of users in the pool, but with different authentication settings. If you want to select the App Client for your Cognito Authentication Engine, you can specify the App Client ID in your Cognito Hosted UI Domain. An example URL is as follows:
https://auth.example.com/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
If you specify the App Client ID in your Hosted UI Domain/Custom Domain, you can run your Engine only on that App Client.
The text following the "Continue with" text is not the app client but your logged-in username.
After you log in with your username-password credentials, a session cookie will be set on your Cognito domain to indicate you are already logged in. This session cookie's expiration is not configurable and is set to 1 hour. The Logout Endpoint removes this session cookie.
When you re-enter the Cognito login page, it will detect you already have a session and present you with the "Continue with" page to confirm that you want to still continue as this user.
If you want to dodge this screen, you can use the Authorization Endpoint, which will first check if you have the Cognito domain session and, if you do, automatically redirect you to the redirect URI (your application, with an authorization code); otherwise it will redirect you to the login form via the Login Endpoint.
https://COGNITO_SUBDOMAIN.auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=APP_CLIENT_ID&redirect_uri=REDIRECT_URI
Authorization Endpoint: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

AWS Cognito - obtain tokens after successful signup

We are integrating with AWS Cognito via:
client (browser) -> server -> AWS Cognito. We are doing this as we want to set an httpOnly cookie for security reasons.
We are signing up the user via the signUp and confirmSignUp (SMS code) APIs, which are called from our server. Is it possible to obtain the user's access token after confirmSignUp without having the user go through the whole authentication (username + password + SMS) step? I've looked for admin APIs or other APIs to do this but couldn't find one that'd do what I'm looking for.

Get Facebook access token in AWS Cognito and Lambda

I'm creating a small API using Amazon's AWS Cognito as well as Lambda and a Facebook Login.
When a user / my app sends an API request to Lambda, Cognito does a good job and authenticates the user with its Facebook login on the fly. My point is that as far as I can see, Cognito isn't handing on any information about the user (like an ID or the Facebook access token), unless I'm providing it in my request of course.
In my case, I'd like to get the user's Facebook access token in AWS Lambda to do some stuff with it.
Does anyone know how to get any information of the current user, which is hitting the API (like the Fb access token) or is Cognito a closed system in this way?
If you are using the Facebook integration with Cognito User Pool (under federation -> identity providers), you can then map the access_token from the Facebook integration to a usable Cognito attribute by going to federation -> attribute mapping -> Facebook tab. The Facebook ID is the username, minus the "Facebook_" prefix.
Hope this helps!
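As an added illustration of the answer above (this is example code, not part of the original answer), here is a Lambda behind an API Gateway Cognito user pool authorizer that works out the caller's Facebook user ID and reads the mapped token attribute. The attribute name custom:fb_access_token is an assumed mapping target (the answer only says the Facebook access_token can be mapped to a pool attribute), and the shape of the identities claim is assumed from Cognito ID tokens for federated users; check both against your own pool's tokens.

```javascript
// Added example, not the original answer's code. Assumed names: the mapped attribute
// custom:fb_access_token and the identities claim layout for federated users.

// Find the Facebook user id for a federated user. The identities claim carries the
// provider name and provider user id; when API Gateway passes claims to Lambda every
// value is a string, so accept both a parsed array and a JSON string. Fall back to the
// "Facebook_<id>" username convention described in the answer above.
function facebookIdentity(claims) {
  let identities = claims.identities;
  if (typeof identities === 'string') {
    try { identities = JSON.parse(identities); } catch (e) { identities = undefined; }
  }
  if (Array.isArray(identities)) {
    const fb = identities.find((i) => i.providerName === 'Facebook' && i.userId);
    if (fb) return { facebookId: String(fb.userId), source: 'identities' };
  }
  const username = claims['cognito:username'] || claims.username || '';
  if (username.startsWith('Facebook_')) {
    return { facebookId: username.slice('Facebook_'.length), source: 'username' };
  }
  return null;
}

// Lambda proxy-integration handler. Claims come from the Cognito authorizer, which has
// already verified the ID token's signature, so this function never parses the raw token.
function handler(event) {
  const claims = event && event.requestContext && event.requestContext.authorizer
    && event.requestContext.authorizer.claims;
  if (!claims) return { statusCode: 401, body: 'missing authorizer claims' };
  const fb = facebookIdentity(claims);
  if (!fb) return { statusCode: 403, body: 'caller is not a Facebook-federated user' };
  // Mapped attribute (assumed name). It is whatever Facebook issued at the user's last
  // federated sign-in: treat it as a secret, never log it, and expect it to expire.
  const fbAccessToken = claims['custom:fb_access_token'];
  if (!fbAccessToken) return { statusCode: 409, body: 'no Facebook token mapped for this user' };
  return {
    statusCode: 200,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      facebookId: fb.facebookId,
      identitySource: fb.source,
      facebookTokenLength: fbAccessToken.length, // length only; the token itself stays server side
    }),
  };
}

// Constructed sample event in the shape API Gateway hands to Lambda (all values are fake).
const sampleEvent = {
  requestContext: { authorizer: { claims: {
    sub: '11111111-2222-3333-4444-555555555555',
    'cognito:username': 'Facebook_10150000000000000',
    identities: JSON.stringify([{ userId: '10150000000000000', providerName: 'Facebook',
                                  providerType: 'Facebook', primary: 'true' }]),
    'custom:fb_access_token': 'EAAB-constructed-not-a-real-token',
  } } },
};
console.log(handler(sampleEvent));
```

Because the attribute is only a snapshot taken at sign-in, anything that calls Facebook with it should handle an expired or revoked token and send the user back through federated login rather than assuming the value is still good.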

OAUTH2 server for getting AWS Cognito User Pool token?

I am attempting to allow a third party app (Google Home) to access information from an AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our oauth2 page where they log into their account in the cognito user pool
They successfully log in and are provided with an OAuth token
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to setup the cognito user pool as an oauth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities) but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Login to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URIs as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://<your_domain>.auth.<region>.amazoncognito.com/oauth2/authorize?client_id=<app_client_id>&redirect_uri=<callback_url>&response_type=<code_or_token> and in the same way you can find the token endpoint.
More details...

User authentication in microservice application hosted on Amazon WS

I am building a web application based on microservice architecture. At this moment I am considering a few ways of handling the user authentication flow. I foresee the following example user roles:
admin - is able to create content, upload files etc (admin account can be created only by another admin)
unauthorized user - can view content
authorized user - can comment content
Here is, how I was thinking about authentication flow so far:
authentication service - has access to a DB with user credentials and permissions
api gateway - retrieves requests from the user, checks if the user is logged in (i.e. verifies the OAuth2 access token with the auth service) and transfers the flow to other services based on the user request (attaching a JWT token with some basic user info)
another service - accepts only requests from the api gateway, and trusts user data from the JWT token (does not need to connect to the auth service to get information about the user).
After deploying some stuff on AWS infrastructure my way of thinking has changed a little bit. As far as I understand AWS products (Lambda - serverless applications and API Gateway), I should implement the authentication flow as follows:
authentication service - gets a request from the user, retrieves data from DynamoDB and provides the user a cookie with a JWT signed by a private key
any other service - receives the request with the JWT token, verifies the signature using the public key, and performs some action.
And now the question comes:
How does AWS Cognito fit here? Is it something useful for me? As far as I understand, Cognito simplifies the flow of authenticating users via 3rd parties (Facebook, Twitter, etc.). Does AWS Cognito serve a login page, separated from my application, or is it only a background/web services implementation?
So far I am thinking about Cognito as a replacement for my authentication service - any of my services should implement the Cognito authentication flow provided by the SDK from Amazon, and my static website would implement the JavaScript SDK for user login/register. Am I right?
First of all, AWS Cognito consists of two services.
AWS Cognito UserPools (which is the Identity Provider) - This is the service where you can create the users and manage their credentials with other policies. It can also provide the login screen, where we can customize the logo and look and feel so that it can become a plug-and-play login service. It is also possible to configure the authentication flow (for example, to make the service an OpenID Connect authentication provider so that it will return a JWT token once a user logs in). It is also possible to connect social identities (Facebook, Google, etc.) and SAML.
AWS Cognito Federated Identities (identity federation to grant users access to AWS services) - This service is capable of accepting an AWS Cognito UserPool token or direct access from other providers, where we can federate the access to AWS resources. For example, AWS Cognito Federated Identities can grant temporary access to a user, authenticated from another provider (e.g. AWS Cognito UserPools), to upload files to S3.
For more details refer to the article The Difference Between AWS Cognito UserPools and Federated Identities?.
So coming back to your questions,
So far I am thinking about Cognito as a replacement for my authentication service?
You can use the AWS Cognito UserPools authentication service to issue JWT tokens and validate the token in an AWS Lambda Custom Authorizer at your other service endpoints. This is also the place where you can do authorization.
My static website would implement the JavaScript SDK for user login/register. Am I right?
Not necessarily. If you use the AWS Cognito UserPools Hosted UI, you will get Login, Signup, Password Change and Confirmation pages by default, along with auto redirection for federated identities (based on the configuration) such as Facebook, Google or corporate credentials like Office365. Although the customization is limited, you should be able to add your own logo and change the background color of these screens. If you plan to implement this by yourself, then you can use the AWS SDKs to implement these screens.
For more details on the serverless architecture refer to Full Stack Serverless Web Apps with AWS.