We are building complete serverless architecture using AWS services for all of our api's (using API Gateway + Lambda functions + DynamoDB) and to control our devices we are using aws-iot platform. Mobile to devices interaction will happen over the aws-iot. On mobile side for user management we are using firebase and all business logic is in Lambda function. Now we want to work with Alexa with our existing architecture flow, but we are confused with the account linking part. Do we have to implement our own auth server which will take care of authorization part or should we move to cognito user pool + login with Amazon, so that we will have user management and auth at the same platform.
Yes, you usually have to set up your own oAuth 2.0 if you want to do Account Linking with a user in your system. As you mentioned, there is also the possibility to use "Login with Amazon" (LWA) which makes things a little easier. However, you will only get a user's email address and name (often, this is enough).
If you don't want to set up your own oAuth server, there are also tool providers that can do user management for you, like Auth0. For example, Auth0 can be used to connect different identity providers like Facebook, Google logins, but also allows for username + password.
You can find a detailed step by step guide to set up Alexa Account Linking with Auth0 here. Let me know if you have any more questions!
The documentation states the following providers can be used for authentication Github, Facebook, Twitter, Google. I don't see how you'd be able to link in with Amazon / Alexa. Also I'm not sure why you would want to use Firebase and not AWS Cognito.
Related
I've built an application which is connected with Amazon Cognito to take the sign in and sign-ups of users. Currently, application support three different subscriptions (Free, Basic, Premium). If the user signs in for basic Subscriptions, I want to give them least access to DynamoDB for download the parts of applications which is required to run the application service.
How to connect DynamoDB with Cognito directly
I am not sure, what's the best approach to follow this scenario?
(Please note- this is not a mobile-based application, so do not give suggestion to use AWS Amplify or relatable services)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: Unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDb. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
We are building an application with mobile authentication and we decided to use Aws. I searched a little and decided to use Aws Cognito. I read the documentation and while reading I noticed that, for the application side I need to use Aws Amplify. I tried some examples but I am not sure I understand the concept right.
Can you give me some insight about this model.
Amazon Cognito is a managed Identity Provider in the cloud, it provides you with a user repository, federation, GUI for signin, signup, lost password and other user flows, it supports OTP, email address verification etc ...
It can be integrated into your app through the provided UI or through its API if you want to control the look and feel of theusre interfaces.
Amplify is a command line tool and client library to make it easy to provision and to use cloud services, including Cognito, from your web or mobile application.
The Amplify CLI will help you to provision Cognito in the cloud, without requiring you to click through all the options in the console. The Amplify client side library will provide high level programming constructs to make it easy to access cloud based services, such as Cognito, from your apps.
You can watch this 45 minute talk that shows Amplify in action : https://www.youtube.com/watch?v=QxOcvOMnAuQ and this github repo with a sample application : https://github.com/sebsto/amplify-react-workshop
I am building a web app and I would like to accomplish the following:
Authenticate/store users using AWS Cognito User Pools (Not "Identity Pools")
Allow users to sign in with both Facebook and username/password.
Use my own UI (not the hosted UI offered by AWS)
I have set up a User Pool with Facebook as an Identity Provider and an app client, but I can't seem to figure out how I can actually let users sign up.
I've tried a number of things using aws-amplify and amazon-cognito-identity-js, but everything ends up only authenticating the user in the "identity pool" (which I don't really understand why I even need one just to use "user pools").
Considering the AWS mobile SDKs somehow accomplish authentication without requiring the redirects used by the hosted UI, I would think it must be possible to also do this on the web.
I wanted to check we can use a custom node.js implementation as wrapper for exposing the API's for identity and user management using aws cognito.
We already have a bunch of API's (on ASP.NET identity) and would not want to change anything in the downstream systems. We would like keep the API signatures and just move the implementation to node.js server for identity and user management
The current examples on awslabs and the documentation is mainly targeted for using this under a web/mobile applications. Is there any guideline/sample if we can use this as an API wrapper.
Apologies if I'm misinterpreting the question, but are you just trying to use Cognito with node instead of on a web app? Are you asking about Cognito federated identities or Cognito user pools?
If federated identities, yes, that will be fine and you shouldn't have any issues. All of the APIs are available in the node SDK, and the general flow should be identical to any other non mobile flow.
If you're asking about user pools, it's a bit trickier. Authentication uses SRP to validate passwords, and the mobile/web SDKs do this for you. Outside of those, you'd have to implement it yourself, which is no fun at all. You could rip out the code that does it from any one of those SDKs (each are published on Github) to help with that. Alternatively, you could use admin no srp authentication, which carries the risk of sending the username/password over the wire but passes off the authentication to the Cognito server.
We're trying to figure out whether to create our own Parse server or migrate to AWS stack. We're looking for AWS alternative to Parse login, where it extracts user info such as email and name.
The closest one I could find is AWS Cognito, but it doesn't seem to store any user info (email/name). It seems that the only way to get them is through the developer authenticated identities, which means I have to deal with user's credentials (encrypt the user's password), handle the fb/google registration, etc.
I'm new to AWS Mobile, but I was hoping that these should be a standard feature that BaaS solution should provide. Am I missing something here? For those who uses AWS Mobile stack, how do you handle this?
Thanks!
We are using aws mobile analytics stack (sdk and export events to redshift) in our ios application and we run into the same issue you are describing. The only way we have to handle it is to ask the user to provide these details as part of the registration process.
At least in ios there is no way to get the user email and name from the os or through aws.
Currently Amazon Cognito does not support user registration. We have heard this request from multiple customers and we will consider adding this feature in future releases.
Note: If you do decide to do your own authentication using developer authenticated identities, you can use Amazon Cognito to store your user data such as email and other profile information. It also provides offline access and synchronizes data across devices for authenticated users.
Cognito User Pools does what you want (authentication, username, email all sorts of claim data).
It is integrated with Cognito Identity in a fork off of the github repository aws-mobile-hub-helper (here)
That repo contains an AWSSignInProvider for Cognito User Pools. It is also modified to support identity merging across any provider with an AWSSignInProvider implemented (Google, Cognito Your User Pools, and Facebook in that repository).