i'd like to explain an auth flow and hope you can answer if amazon cognito the correct solution for this.
Requirements:
For every Login (Username/Password, Facebook, Google etcpp), there should be a valid User Pool account.
Flow Facebook (no identity or user pool account exists).
Customer clicks "Login with Facebook":
1) calling GetOpenIdToken -> with the FB AccessToken
1a) at the same time, use the FB AccessToken to fetch the email address from Facebook
2) calling AdminCreateUser with a generated password and facebook email
3) calling AdminInitiateAuth and fetch the idToken
4) calling GetOpenIdToken and add the idToken for cognito user pool and the facebookAccessToken
Result: a user in the Cognito User Pool and a linked federated account
Important is for me: the token from 4) is a user pool token and contains "sub" (UUID wich one is important for our internal database)
Ok, thats is ok and works good BUT:
Flow Facebook user comes back (identity and linked user pool account is available)
Customer clicks "Login with Facebook":
1) calling GetOpenIdToken -> with the FB AccessToken
2) calling DescribeIdentity and get the Login List
2a) we can see that there is a linked user pool id and don't need to create a new user
exact at this point comes the question:
how can i get a user pool token if i just have the facebookAccessToken, but a linked user pool login?
and is it possible to get the user pool data for that linked user just with the facebook accessToken ?
If this the correct flow or is this auth flow not supported by Cognito?
Thanks
Marcel
No this is not supported currently. You have created an identity in Cognito Federated Identities which has linked logins (FB and Cognito User Pools), but to authenticate with Cognito User Pools you currently cannot use Facebook access token. The only way to get the user pool token is by using the username/password for that account.
We have heard this request from multiple customers and would consider adding it in future releases.
Those Flows are not currently supported by AWS Cognito. You can build the customize flow on your identity api and just use cognito with Developer Credentials. But not recomended
Related
I am starting to implement federated authentication with AWS Cognito using AWS C++ SDK.
I want to authenticate a user with Cognito User Pool and Facebook, Twitter, Google.
I understand that I can link several logins under single user identifier (Cognito identityId), but it is possible only when such logins are added manually after first login.
In example, I see scenario:
A user is registered using Cognito UserPool.
Then, staying authenticated, the user authenticate itself using Facebook. And Facebook tokens can are added to logins.
When further retrieving AWSCredentials call processes - the Facebook login will be added to the user identity at Cognito Identity Pool.
After, the user can login using UserPool credentials and through Facebook authentication under the same user identityId.
Firstly, I am not sure that my scenario is correct, but it is what I realized after reading many posts here and AWS docs.
And if the scenario is correct, then I am in stuck with another question: how to refresh tokens?
In AWS C++ SDK in order to refresh AWS Credential the call CognitoIdentityClient.GetCredentialsForIdentity is used, but it requires to pass user logins.
My more specific question: do I need to pass all logins? Does it require to have all access tokens in the logins no expired?
Adressing your first point, you can use federated identity without using cognito user pool. This means that you can simply autheticate a user directly with facebook, google etc and not add them to user pool. If you do want all users to be there in user pool then you will have to write the code to accept certain parameters from these authentication providers and then add them along with username and password to your user pool.
Now on to your question. To refresh token you have to use InitiateAuth. In auth flow you have to pass "REFRESH_TOKEN_AUTH" and in AuthParameters you pass the refresh token.
I'm using Cognito with a user pool to provide authentication for my Ionic application application. The application use AWS Amplify to perform the Signup and Signin operation.
Now, I need to add facebook authentication so I added an external federated identity mapping also the facebook attributes to the corresponding Cognito user pool attributes.
On the application side I use the Facebook SDK to login with Facebook, receive Facebook's JWT token and call the Amplify federatedSignIn() to authenticate. The authentication works but no user is created inside the Cognito user pool (accordingly to official documentation "Whether your users sign in directly or through a third party, all users have a profile in the user pool").
Since the user is not created I cannot call the Amplify method currentSession() to get the token (to be used for lambda authentication) since there is no user.
Am I missing something?
This is the expected behaviour using federated identity. In order to use socials login through Cognito user pool its necessary to use Cognito's built-in hosted UI which is not supported by Ionic at the moment.
I don't understand auth. vs. unauth. user access within AWS Cognito. While learning about Cognito I came across several articles on the Internet and questions here within Stackoverflow concerning this and I'm just not grasping the concept.
I'm gathering that a simple use case for unauth. user access within Cognito is when we have users who need to access some AWS resource(s) who have an account but aren't "logged-in." But how is this possible? In other to get an access token, wouldn't you need a valid username and password? If by unauth. we mean a user who has a valid access token but can't access some resources [based on some user pool parameter], I suppose that makes sense, but I don't understand how Cognito works in this regard.
I've searched for hours on this w/o grasping this concept and I really just need a little help from the community if anyone would be willing to share.
UPDATE: What's confusing to me is that "unauth." is a non-logged in user already, no? Why do I have to or want to get an access-token for a non-logged in user? What is the purpose of this?
Something that is confusing when starting out with AWS Cognito, is that it is actually two services. Cognito User Pools is a user store that authenticates users and Cognito Identity Pools authorizes users.
Unauth:
When referring to a unauthenticated flow, you're skipping the authentication process and really just authorizing with an identity pool. To do this in code, you setup a credentials provider, and make a call to GetID. This generates an identityID in the identity pool and retrieves authorization tokens that give access based on the IAM role for unauthenticated users. Example here
Auth:
Now for the authenticated flow, before you authorize with the identity pool, you have to have authentication tokens. These can be retrieved by authenticating with a third party (Facebook for example), or with a Cognito User Pool. You authenticate with those services by providing a username/email and a password. The tokens delivered by those services can then be "passed" to a credentials provider. When done this way, authorizing with the identity pool will return access tokens that give access based on the IAM role for authenticated users. In addition, a user can "log out" and later "log back in" and they will be able to receive the same identity ID that was generated for them the first time they authorized with the identity pool.
I hope that all makes sense. I'll give an example of why you may combine the two
Example
Let's say we're building a web platform that lists events around our city. This platform needs to:
Store events in a database
Allow city organizers to add events to the database
Allow residents to view the events
We wouldn't want the residents to have to login to view publicly listed events, so when they visit the event's page of our website, unknown to them, they actually authorize with an identity pool. Thus they are provided unauth IAM role access to make a GET API call to our database, to retrieve the events.
Of course, we don't want just anyone adding events to the database. So for city organizers, there is a login form. This login form takes a username and password to authenticate them with a user pool. The user pool tokens are then used to authorize with the identity pool, giving them auth IAM role access to make a POST call to our API, allowing them to add events to our database.
i am using AWS Cognito to manage my app Sign In and Log In, on this way i authenticate my user against the user pool and obtain the jwt tokens (id token, access token and refresh token), i am using the id token to authenticate my app against the backend.
Now i want to integrate my app to make Sign in and Log in with Facebook, Gmail and others, as far as i know i should use the AWS Federated Identities, but i dont know how can i create my user in the user pool using the Facebook Login (p.eg) and obtain the tokens, may someone help me?
The way to federate identities into AWS is by using AWS Cognito Federated Identity as you mentioned. Your user pool can be configured as an identity provider for your identity pool, similar to Facebook, and Google. So all these options function as identity providers for your identity pool in order to federate identities into AWS.
I have a Congnito identity pool with Congnito User Pool as well as Facebook as authentication provider. I am able to register users with user pool as well as facebook. Some of the users may initially register using user pool but later may want to use their facebook credential to login.
Currently my application is treating both of them as separate users. How do I validate if a new login using facebook is already registered using user pool ?