AWS cognito: sign in with usernam/password OR facebook - amazon-web-services

I want to integrate a pretty standard functionality: give option to user (mobile and web) to either login with email/password or with facebook (google) account with RBAC (different users may have different roles, like users, moderators, admins, creators, etc). Here is basically what I want from sign in:
I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.
Here is my current understanding (please correct me where I'm wrong).
1) For the email/password signup/signin I use a User Pool. When user signs-in I call authenticateUser (I'm using JS SDK):
cognitoUser.authenticateUser(authenticationDetails, {
..
})
where onSuccess
I store identity, access and refresh tokens, so, user
doesn't have to enter his credentials every time
Because users will be accessing AWS servicess (e.g. S3) I exchange idToken to AWS credentials
Store AWS creds in LocalStore for further use, when access resources
2) For the facebook sign-in I use Federated Identity
get a facebook access token
with fb token get a cognito identity
exchange a cognito identity to AWS creds and store those in LocalStore
Questions:
Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?
Q2. How should I store facebook users? Can I do it in User Pools? I have impression that it's not possible, but that means I have 2 different user directories: one in UserPool and another one in another place (lets say in DynamoDB)
Q3. If I have to store users in different places (UserPool and DynamoDB) that means I have 2 users for essentially one user, who first registered with email/password and then decided to use facebook - this is inconvenience for both me as app admin and user. How to deal with this situation?
Q4. How to manage groups for users, who signed-in with facebook token (like users, moderators, admins, creators, etc)?
Q5. How should I restrict access to resources other than AWS for facebook signed-in users?
Q6. Any working example for this?
Thanks!

We added support for Federation through Facebook, Google and LoginWithAmazon for User Pools. This will create a user in user pool when a user logs in with federation. You can also capture the attributes from the identity provider using the attribute mapping feature.
Also if you use the app integration feature, Amazon Cognito User Pools wil generate a sign-in page like this for you.
Steps to SignIn/SignUp with a social provider through Amazon Cognito Console:
Configure a domain for your user pool like .auth..amazoncognito.com
Add any social provider and configure attribute mapping.
Enable the provider on the App Client.
Configure the callback URI, OAuth response type and allowed scopes.
Access your hosted UI at https://.auth..amazoncognito.com/login?client_id=&response_type=&redirect_uri=
Click on the button to SignUp/SignIn with Facebook (or your provider).
Authenticate with the provider, you will be redirected to the callback URI with tokens/code.
Check the newly created user in Amazon Cognito console.

I'm human and may have missed something, but that sounds pretty good to me.
You can't store a federated identities login in user pools. Thing of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.
If a user logged in with both, linking those logins, you might want to consider avoiding user pools attributes entirely and only using dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools requires it's login token to see/update attributes. The user would have to login with the user pool to touch those attributes, it'd get messy.
I don't know that this is supported out of the box, like it is with user pools. You might have to do this using your hypothetical user database described above.
You can also link your user pool to Cognito as a provider, much like you do for Facebook. That's how you exchange an id token for credentials.
No official example from the service, though I can't speak for others.

Related

Cognito Identity using several logins

I am starting to implement federated authentication with AWS Cognito using AWS C++ SDK.
I want to authenticate a user with Cognito User Pool and Facebook, Twitter, Google.
I understand that I can link several logins under single user identifier (Cognito identityId), but it is possible only when such logins are added manually after first login.
In example, I see scenario:
A user is registered using Cognito UserPool.
Then, staying authenticated, the user authenticate itself using Facebook. And Facebook tokens can are added to logins.
When further retrieving AWSCredentials call processes - the Facebook login will be added to the user identity at Cognito Identity Pool.
After, the user can login using UserPool credentials and through Facebook authentication under the same user identityId.
Firstly, I am not sure that my scenario is correct, but it is what I realized after reading many posts here and AWS docs.
And if the scenario is correct, then I am in stuck with another question: how to refresh tokens?
In AWS C++ SDK in order to refresh AWS Credential the call CognitoIdentityClient.GetCredentialsForIdentity is used, but it requires to pass user logins.
My more specific question: do I need to pass all logins? Does it require to have all access tokens in the logins no expired?
Adressing your first point, you can use federated identity without using cognito user pool. This means that you can simply autheticate a user directly with facebook, google etc and not add them to user pool. If you do want all users to be there in user pool then you will have to write the code to accept certain parameters from these authentication providers and then add them along with username and password to your user pool.
Now on to your question. To refresh token you have to use InitiateAuth. In auth flow you have to pass "REFRESH_TOKEN_AUTH" and in AuthParameters you pass the refresh token.

AWS Cognito - help understanding authenticated vs. unauthenticated access

I don't understand auth. vs. unauth. user access within AWS Cognito. While learning about Cognito I came across several articles on the Internet and questions here within Stackoverflow concerning this and I'm just not grasping the concept.
I'm gathering that a simple use case for unauth. user access within Cognito is when we have users who need to access some AWS resource(s) who have an account but aren't "logged-in." But how is this possible? In other to get an access token, wouldn't you need a valid username and password? If by unauth. we mean a user who has a valid access token but can't access some resources [based on some user pool parameter], I suppose that makes sense, but I don't understand how Cognito works in this regard.
I've searched for hours on this w/o grasping this concept and I really just need a little help from the community if anyone would be willing to share.
UPDATE: What's confusing to me is that "unauth." is a non-logged in user already, no? Why do I have to or want to get an access-token for a non-logged in user? What is the purpose of this?
Something that is confusing when starting out with AWS Cognito, is that it is actually two services. Cognito User Pools is a user store that authenticates users and Cognito Identity Pools authorizes users.
Unauth:
When referring to a unauthenticated flow, you're skipping the authentication process and really just authorizing with an identity pool. To do this in code, you setup a credentials provider, and make a call to GetID. This generates an identityID in the identity pool and retrieves authorization tokens that give access based on the IAM role for unauthenticated users. Example here
Auth:
Now for the authenticated flow, before you authorize with the identity pool, you have to have authentication tokens. These can be retrieved by authenticating with a third party (Facebook for example), or with a Cognito User Pool. You authenticate with those services by providing a username/email and a password. The tokens delivered by those services can then be "passed" to a credentials provider. When done this way, authorizing with the identity pool will return access tokens that give access based on the IAM role for authenticated users. In addition, a user can "log out" and later "log back in" and they will be able to receive the same identity ID that was generated for them the first time they authorized with the identity pool.
I hope that all makes sense. I'll give an example of why you may combine the two
Example
Let's say we're building a web platform that lists events around our city. This platform needs to:
Store events in a database
Allow city organizers to add events to the database
Allow residents to view the events
We wouldn't want the residents to have to login to view publicly listed events, so when they visit the event's page of our website, unknown to them, they actually authorize with an identity pool. Thus they are provided unauth IAM role access to make a GET API call to our database, to retrieve the events.
Of course, we don't want just anyone adding events to the database. So for city organizers, there is a login form. This login form takes a username and password to authenticate them with a user pool. The user pool tokens are then used to authorize with the identity pool, giving them auth IAM role access to make a POST call to our API, allowing them to add events to our database.

AWS Authentication

I am trying to authenticate users via AWS Cognito/IAM services from my webapp. I have implemented Facebook and LinkedIn login and I'm wondering how I could use AWS to implement username+password login via my UI. Is there a way for me to set it up so that all I have to do is drop in button for username+password login on my view and that will authenticate users and redirect back to my backend service (similar to Facebook/LinkedIn) and where I can put in an endpoint URL?
Do let me know If I need to be clearer.
Edit1: I have already tried using Developer Authenticated Workflow (enhanced workflow). I don't want to do the part where I create the User in my user pool by calling the AWS Cognito Identity API. I'd like AWS to do the user creation by itself. is this possible?
Edit2: Another alternative solution is to create a Lambda which does what I want. But this is similar to the code to do that (which is on my backend).
At the moment there is no complete solution for this. You have to either use newly introduced AWS Cognito User Pools or create your own one. I would also recommend to checkout the project https://github.com/danilop/LambdAuth which worth trying.
You can create AWS Cognito user pools and create the roles for authenticated and unauthenticated users and assign some policies for both roles. Once you have created the user pool you will necessary code to use in your web or mobile application. Refer How to setup Cognito user pools.

AWS Cognito with Facebook and Google: unique IdentityId?

In my web application, I want to allow users to log in using 2 possible providers (Facebook, Google) and retrieve credentials using AWS Cognito.
From what I understand, if a user (john#domain.com) logs in using his Facebook account, the Cognito IdentityId will not be the same as if he had logged in using his Google account.
Assuming that the user uses the same email address (john#domain.com) to log in for both his Facebook and Google accounts, how can I make sure that that user has a single, unique IdentityId in Cognito?
I would not want the user to have 2 different IdentityId's. It would be nice if I could associate john#domain.com to a single IdentityId.
Cognito doesn't know about the email with which an account was registered. If the same user authenticates on two different devices using facebook on one and google on the other, it will give two different ids.
However, it can be told that they're linked. If that same user were to log in to facebook on one device, they'd get identity A. If they were to then link identity A to their google account by including the login token for both when communicating with Cognito, then Cognito would know they're associated, and any future authentication with one of the two providers would give the same id.
That deviates a bit if both Facebook and Google had already been linked to an id before Cognito was told to link them - in that case, the id that is used could be either of the two.

AWS Cognito: Do I need other AWS service to write a full functioning signup/signin system?

I am planning to write a mobile app with AWS handling the backend work. Like many common apps, mine will support user registration and login. All backend resources should be secure based on the user's role.
After reading AWS Cognito, it handles both Open authentication provider and Developer Authentication provider. This helps to support third party login. The capacity of syncing data is a big plus.
However, I have some questions about Cognito when I try further implementation.
What are the user credentials stored?
I need to add more user attributes (eg. email, profile image etc.) when a new user is created. Can Cognito handle this? Or do I need to use storage like S3 to store the entire user profile?
Does Cognito support email verification for user registration?
Does Cognito handle 'forgot password' feature?
All advices are welcomed.
There is now Amazon Cognito User Pools (currently in beta), allowing to store user credentials, see here
Update: Cognito has since added a new feature that does allow storing credentials. See Cognito User Pools for more information.
Amazon Cognito does not store credentials. Instead, it allows you to offload the task of securely storing credentials to any OpenID Connect-complaint credential provider such as, but not limited to, Facebook, Google, and Login With Amazon.
If you have a credential provider that is not OpenID Connect compliant, you can use the Developer Authenticated Identities capability to leverage another authentication system as a credential store (such as your own back-end service). Registration, email verification, and forgot password features would be handled by the Identity Provider: Either an OpenID Connect provider (e.g. Facebook) or your own provider via Developer Authenticated Identities.
Cognito's Sync capability gives you the ability to store profile information or any other information specific to the current user (referred to as "identity" in Cognito). There is a good blog post about using Cognito Sync to store & synchronize data here.