I'm creating a small API using Amazon's AWS Cognito as well as Lambda and a Facebook Login.
When a user / my App sends an API request to Lambda, Cognito does a good job and authenticates the user with it's Facebook-Login on the fly. My point is that as far I can see, Cognito isn't handing on any information about the user (like an ID or the Fb access token), except I'm providing it in my request of course.
In my case, I'd like to get the users Facebook access token in AWS Lambda to do some stuff with it.
Does anyone know how to get any information of the current user, which is hitting the API (like the Fb access token) or is Cognito a closed system in this way?
If you are using the Facebook integration with Cognito User Pool (under federation -> identity providers), you can then map the access_token from the facebook integration to a useable Cognito attribute by going to federation -> attribute mapping -> Facebook tab. the facebook ID is the username, minus the "Facebook_" prefix.
hope this helps!
Related
I am running a simple Rest API based on FastAPI. This API runs in a AWS Lambda container. I have added API Gateway as a trigger.
Now I want to secure this API.
My expectation:
I create a User and a Password manually
The user can call a specific endpoint with his User and Password to receive an access token
With this access token the user should be able to access the API e.g. by passing a Bearer Token.
Actually I have tried AWS Cognito, but the only way to receive an access token is to use the CLIENT_ID and the CLIENT_SECRET. And I don't want to share this to external users of the API.
I think this CLIENT_ID and CLIENT_SECRET is made for a web-app or sth. like that but this is not what I want. I just need a simple pipeline of: user creation -> user login -> Access_token -> API.
I hope anyone of you is able to share a guide or similar. Maybe AWS Cognito is not made for such a use case , if you think so then just let me know and why.
Thanks in advance.
yes, absolutely it's possible, please refer below image.
In the first step your app user signs in through a user pool and
receives user pool tokens after a successful authentication.
Next, your app exchanges the user pool tokens for AWS credentials
through an identity pool.
Finally, your app user can then use those AWS credentials to access
other AWS services such as Amazon S3 or DynamoDB.
later on you need some custom authorizer in API-Gateway (lambda) to validate the token.
What I have done so far?
I have integrated Microsoft AD with AWS Cognito by adding Trust relationships and setting Cognito Identity provider. In this, I have set up an app domain prefix during Cognito set up. By using the following URL I am able to receive the token by logging in the AD login page. So when I decode this token I getting the required attributes and other information.
What I actually want?
So I don't want my users to be redirected to the AD login page and later to the application. I need just a REST API where I can provide the AD user credentials and this API will return the above JWT token which has all the information.
So in short, I want to get the Cognito JWT token by using the AD user credentials. These users are the part of AD groups which are linked to the AWS IAM by adding trust relationship using ADFS. So is there a way in which I don't need to use the Cognito hosted UI. Instead, my users will hit one API and get the credentials. I don't know what this API is.
Any help will be appreciated.
I am in the same dilemma myself, but I've found a very useful question (with answers) that might help you out.
It's been some time but maybe this will be useful for new people having the same problem nowadays.
What is the REST (or CLI) API for logging in to Amazon Cognito user pools
I think you'd want to enable the ClientCredentials flow in your cognito user pool.
You can read more on this flow here https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ to make sure it is what you need (oauth flows and grants are the same thing).
I'm not getting a clear picture of the authentication process when a user logs in through another idp. My use case being for an app that does not need aws credentials.
If I get a token back after a user logs in from facebook for example, how do I connect that with a user in the userpool or my own database which may contain the user's app specific data?
user logs into facebook -> gets token back -> send token to amazon cognito (?) -> get back cognito token (?)
I'm currently looking for documentation on how to implement the above but there doesn't seem to be a direct link to it.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html
You could setup a social IdP such as Facebook and use the authorize endpoint.
Alternatively, Cognito now supports hosted signup and login pages for your application. You just need to create a Cognito domain, and set App Client Settings.
I am trying to add a Google login through Amazon Cognito, I have setup everything needed, I have also configured the attribute mapping from google to my pool attributes, I've mapped 'access_token' attribute to 'google_access_token' attribute and 'refresh_token' to 'google_refresh_token'. When sign in process starts, google prompts me for required permissions needed and redirects back to my app, and I can see on cognito dashboard that user is added with access token mapped in 'google_access_token' but no refresh token there. I double checked every configuration everything seems fine. I also tried mapping other attributes like 'token_type' and 'expires_in' those are getting mapped except the refresh token.
I found out that for generating refresh token from google, client need to pass 'access_type=offline' parameter in the GET parameters which Amazon Cognito DOESNOT send while starting OAUTH login with google, so google doesnt provide google refresh token. So in nutshell there is no way ( Atleast now ) to get refresh token from google and access google APIs "offline" if you are using Amazon cognito. Alternatively I used Auth0 which supports this and can send access_type parameter to google and can store refresh token.
If I may ask, have you seen this document?
Understanding Amazon Cognito user ool oauth 2.0 grants
To get to the point, this concern may be because of the OAuth Flow we have set in the Cognito User Pool. We need to use "Authorization Code Grant" as the OAuth flow. Implicit Grant doesn't generate refresh tokens, but Authorization Code Grant does.
If you're using Amplify framework in your project, this framework will do most of the heavy lifting for you. You just need to setup the User Pool's app client correctly and configure Amplify for that specific app client.
I hope this helps.
I have an API service, which I'm going to deploy using AWS API Gateway with Cognito authorizer + Lambda as backend. This service will be used by our javascript client. Also, it should be exposed to end users as raw endpoints for programmatic access.
While it was quite easy to enable signup/login in js client using federated identities, I can't figure out the way to provide users with private access token to include directly in http headers.
Here are two authentication flows, I'd like to get in the end:
The flow for js client user:
User signs up with Facebook or Google.
User verifies his identity.
After login, user goes to the Profile/API Keys section in the interface.
User copies access token and can include it in http request header in any http client (httpie, curl, language libraries whatever)
The flow for admin created user:
Admin creates user.
Access token is generated for that user.
Admin passes generated access token the user.
User can include it in http headers to make request, as in previous flow.
An access token should be permanent, and can be regenerated by user at any time (think of Stripe API access keys).
The point here is to eliminate additional steps for the user to start using service programmatically. The closest thing in AWS docs so far is developer-authenticated-identities, but user should utilize AWS sdk anyway.
One possible way to accomplish this task is to use Custom authorizer instead of Cognito authorizer in API Gateway. Custom authorizer could implement logic based on e.g. auth header name and decide to either authorize in Cognito or to user API access token in database. I'm not sure, if it is possible, and if it is the major drawback is to reimplement Cognito authentication flow in lambda function.
The question is how can I accomplish such API access token (re)generation using Cognito or API Gateway?
The first flow should be possible with User Pools. Cognito User Pools now has a federation feature where you can federate using Facebook/Google and receive access token/refresh token depending on the flow used.
For admin created user, the user would need to authenticate before tokens are issued but this can be achieved by creating the user with a temporary password and signing the user in with that password, after which it can be changed and logged in again to receive access/refresh token.
The refresh token use case is that it can be used against the Cognito APIs to receive a new access token. When the refresh token expires (default is 30 days but it is configurable), the user would have to authenticate again.