Use Cognito locally [offline] - amazon-web-services

I've got a feeling this is a noob question... Is there a way to simulate the use of Cognito User pools locally (so offline)?
I've got a feeling that resorting to AWS Cognito normal user pools while developing is a bit unnecessary. I know that with Serverless there's a plugin to use it offline, but I didn't find one for Cognito.

The AWS SDK doesn't include a local plugin for using Cognito User Pools at this time, however we have heard this request from other customers and will consider it in future releases.

Recently LocalStack released a Pro version that actually allows you to run Cognito locally. It also has several other services that are normally used with Cognito, so this is the perfect solution for me.
https://github.com/localstack/localstack

Also, there is an open-source, contributor-created Node package/Docker image emulating some parts of Cognito, but not all.
https://github.com/jagregory/cognito-local
Haven't used it personally, but looking forward to it.

Related

AWS Cognito OIDC Customizations

https://consumerdatastandardsaustralia.github.io/standards/#security-profile
I am trying to set up AWS Cognito as an OIDC provider. I am able to create a User Pool; however, there is a lot of custom data needed. For example, the ".well-known/openid-configuration" of Cognito returns a few details but is missing introspection_endpoint, revocation_endpoint, claims_supported, etc.
Similarly, customization of the /authorize endpoint with additional claims is needed.
Any help or suggestions would be really helpful.
Regards & Thanks
Claims can be somewhat customised with a lambda: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
introspection_endpoint and revocation_endpoint are not core OAuth and are extensions. I have found Cognito does not generally implement extensions; there are many parts of OAuth2 core not implemented also.
Cognito is missing many, many features you may expect to get out of the box; there is a seemingly large and opaque backlog which support constantly references when you point out that a standard feature is missing.
no silent refresh capability in the hosted UI, so no safe way to store the refresh token.
no support for custom auth flow in the hosted UI
no passwordless support in the hosted UI
no ability to pre-populate a field in the hosted UI (e.g. username)
no ability to customise the plethora of obscure error messages in the custom UI
fixed now, but for years the email addresses were case sensitive!
If you choose not to use the hosted UI, there is no way to get any OAuth scopes.
There are many non-OAuth Cognito IdP calls that you may be able to use with the access token: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/index.html
If these don't fit your needs, I would suggest you consider other auth services, or adjust your expectations if you choose to move forward with Cognito. Good luck!
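The pre token generation trigger linked in the answer above, written out as a Lambda handler. This is an added example, not code from the thread or from AWS; the `custom:tenant` attribute, the `GROUP_TO_ROLE` mapping and the sample event are assumptions made up for illustration. It uses the V1 event shape, which only customizes the ID token (the newer V2 event can also alter the access token). The security point it makes: the extra claims are derived only from data the user pool vouches for (an admin-set custom attribute and group membership), never from `request.clientMetadata`, which the calling client supplies with the auth request and can set to anything.

```python
"""Cognito pre token generation trigger (V1 event shape) as a Lambda handler.

Added example. Adds a tenant claim and a roles claim to the ID token from
verified user-pool data, and deliberately ignores request.clientMetadata.
"""

# Claims Cognito sets itself; the trigger cannot override them, so fail loudly
# instead of letting the override be dropped silently.
RESERVED_CLAIMS = {"sub", "iss", "aud", "exp", "iat", "auth_time", "token_use"}

# Hypothetical mapping from user-pool group name to the role string we emit.
GROUP_TO_ROLE = {"admins": "admin", "editors": "editor"}


def build_claims(event):
    """Derive the extra claims from verified user-pool data only."""
    request = event["request"]
    attrs = request.get("userAttributes") or {}
    groups = (request.get("groupConfiguration") or {}).get("groupsToOverride") or []

    claims = {}
    tenant = attrs.get("custom:tenant")  # hypothetical admin-set custom attribute
    if tenant:
        claims["tenant"] = tenant
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    if roles:
        # V1 claim values are strings, so the list is encoded comma-separated.
        claims["roles"] = ",".join(roles)
    # request.clientMetadata is caller-controlled input; it must never feed
    # authorization claims, so this function does not read it at all.
    return claims


def handler(event, context=None):
    """Lambda entry point: fills response.claimsOverrideDetails and returns the event."""
    if str(event.get("version")) != "1":
        raise ValueError("this handler only understands the V1 pre token generation event")
    claims = build_claims(event)
    clash = RESERVED_CLAIMS & set(claims)
    if clash:
        raise ValueError(f"refusing to override reserved claims: {sorted(clash)}")
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        # Keep the phone number out of the ID token handed to the browser.
        "claimsToSuppress": ["phone_number"],
    }
    return event


def sample_event():
    """Constructed V1 trigger event (not captured from a real pool)."""
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_HostedAuth",
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": "alice",
        "request": {
            "userAttributes": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "alice@example.com",
                "phone_number": "+15555550100",
                "custom:tenant": "acme",
            },
            "groupConfiguration": {
                "groupsToOverride": ["editors", "billing"],
                "iamRolesToOverride": [],
                "preferredRole": None,
            },
            # A client trying to grant itself admin via metadata; it is ignored.
            "clientMetadata": {"roles": "admin"},
        },
        "response": {"claimsOverrideDetails": None},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(handler(sample_event())["response"], indent=2))
```

Anything the handler emits ends up in a token the browser can decode, so keep the added claims to what the front end and downstream APIs actually need, and do the authorization decision itself server-side against those claims rather than in the SPA.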

How to access to secrets in static site hosted in S3 bucket

I'm new and since I could not find relevant information in my searches I decided to ask for your advice.
I created a SPA (React) that receives a token, validates the token and if the token is valid it renders some content. That SPA is hosted in S3.
Now, I want to add some API keys (sensitive ones). Adding them to the code (manually or during the build of the bundle) would be a bad idea, no?
I thought about storing them in AWS, like in Secrets Manager, and using the SDK (JS) to retrieve them. But here is my doubt: I want neither to hardcode the AWS credentials for the SDK in the code, nor to use something like Cognito, since the authentication would be done by this app through the token that it receives. What would be the best way to achieve this? I would appreciate advice, and it would help if you could point me to some resources.
Feel free to make as many suggestions as you want. Thanks.

AWS Cognito signup page that isn't public facing

I'm currently working on a way to hand off creation of users in a User Pool to my product team so that I don't need to handle user creation and password resets anymore. The key here is that the tool I give them needs to be simple and non-technical, and not require them to go into AWS with permissions, know how to use Cognito, and make the users within Cognito. This also needs to not be a public-facing signup (i.e. the folks using the page need never see the signup form). This is for my team's developer documentation, which integration partners cannot see until they meet with us.
Looking at all the possibilities and the AWS API documentation has been making my head spin, though. I'm not sure what the best way to create this tool is: the Cognito SDK? The AWS AdminCreateUser API? Or is there a way to set this up with the built-in signup page UI provided by Cognito but host the signup page elsewhere (somewhere that people who look at our documentation will never see a signup page)?
Please let me know what your approach would be if given this problem. I'm a pretty green jr. developer and don't have much experience with AWS.
If you really don't want to use the built-in Cognito UI to create users, you would need to come up with an alternative custom solution. Mind that you will need to implement all the features you expect from such a user administration tool, including login for administrators to the tool itself.
With the AWS Cognito APIs you can do everything the native UI can do (and even more, like setting user attributes, which is not available in the Cognito console).
Quick google search led me to this project: https://github.com/jzoric/cognito-user-manager-ui which may be a good starting point if you decide to go this route.
Alternatively you may want to explore other SaaS solutions (Auth0 or Okta) which may provide a better native UI out of the box.

How many ways to use Amazon Web Services for basic authentication / profile functionalities in iOS?

I want to use AWS services in my app for authentication and basic functionalities, which include: Login, Register, Forgot Password, Change Password, Delete account, etc.
I have searched a lot and found that there are many ways:
By using Amplify Framework
AWS Mobile client
By Amazon Cognito
By Identity Provider
Actually, I am a little confused: what is the difference between all these? Which one is the best way to implement? And when I go looking for documentation, there is so much official documentation about it on Google. Which should be considered?
https://github.com/awslabs/aws-sdk-ios-samples/tree/master/CognitoYourUserPools-Sample/Swift
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSMobileClient/index.html
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSCognito/index.html
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSAuthCore/index.html
https://aws-amplify.github.io/aws-sdk-ios/docs/reference/AWSCognitoAuth/index.html
What are all these used for? Can anyone differentiate?
These are all abstractions on top of the lower-level generated Cognito client, designed to make it easier for the developer to call the Cognito APIs. The lowest-level ones are AWSCognito, AWSAuthCore, and AWSCognitoAuth. The AWSMobileClient is a higher-level abstraction built on top of all of these to make it easier to hit the Cognito APIs in a way most developers can understand (Cognito can be fairly complex) and is the one the Mobile SDK teams here at AWS recommend using. Amplify will have an Auth category which will be an even higher-level abstraction and will also be generic to any auth provider when it is done, but right now it's still in progress (you can track PRs for the Auth category here and here); thus Amplify is depending on the AWSMobileClient for auth at the moment.

Hiding AWS secret from application

I'm a Java backend engineer working on a feature where the frontend (SPA and Android) must send (large) files to S3. Since I have to deal with a lot of requests, and for network overload reasons, I'm avoiding making a 'proxy' service where the frontend sends me the file so that I can send it to S3, but I have some concerns about the best way to keep my apps secure.
I looked for some solutions but I cannot find one that manages exactly what I want.
Amazon S3 upload with not showing secret key in frontend
This post has almost my answer but I don't have enough score to comment.
S3 upload directly in JavaScript
I read some documentation on AWS but I still have some questions and some requirements.
The solution must permit the client (an authenticated user) to send a file to S3 directly.
It may make a GET call to get some token or something like that (without sending a lot of data).
It has to be secure (no secret key knowledge at the frontend).
Which solution may be good for me?
The backend may generate a signing key and send it to the frontend, which makes the request to AWS (http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html)
I can use STS to generate a temporary credential for each upload.
Do you think these approaches will work? Which one do you think is better? What are the trade-offs? Is there another way to deal with this problem?
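The first option in the question, done the way that keeps the secret on the backend: instead of shipping a signing key to the frontend, the backend emits a SigV4 presigned PUT URL that is valid for one HTTP method, one bucket/object key and a bounded lifetime, and the client uploads against that URL. This is an added example, not the question's code and not the AWS SDK (in production `boto3`'s `generate_presigned_url` or the Java SDK's presigner does the same thing); it uses only the Python standard library so the signing steps are visible. The bucket name, object key and clock are constructed, and the credentials are AWS's documented placeholder pair.

```python
"""Server-side SigV4 presigned PUT URL for a direct browser/Android upload to S3.

Added example using only the standard library. The backend keeps the secret
access key; the client receives a URL bound to PUT, one object key and an expiry.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MAX_PRESIGN_SECONDS = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above one week


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key, date_stamp, region, service="s3"):
    """SigV4 key derivation; the result is scoped to one day, region and service.

    Caveat for the 'send a signing key to the frontend' idea: this key is NOT
    bound to a bucket, object or HTTP method, so a client holding it can sign
    any S3 request in that region for the rest of the day.
    """
    k_date = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_put(bucket, object_key, access_key_id, secret_access_key, region,
                expires_seconds=300, now=None):
    """Return the presigned URL plus the intermediate SigV4 strings for inspection."""
    if not 1 <= expires_seconds <= MAX_PRESIGN_SECONDS:
        raise ValueError("expires_seconds must be between 1 and 604800")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date_stamp}/{region}/s3/aws4_request"

    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    # Query params: sorted by name, RFC 3986 encoded ('/' in the credential -> %2F).
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    # Object key: each path segment encoded, '/' kept (S3 does not double-encode).
    canonical_uri = quote("/" + object_key, safe="/-_.~")
    canonical_request = "\n".join([
        "PUT",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",     # canonical headers, each terminated by a newline
        "host",               # signed headers
        "UNSIGNED-PAYLOAD",   # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_access_key, date_stamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return {
        "url": f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}",
        "canonical_request": canonical_request,
        "string_to_sign": string_to_sign,
    }


def demo():
    """Deterministic run: constructed bucket/key, AWS's documented placeholder
    credentials, and a fixed clock so the output is reproducible."""
    return presign_put("my-upload-bucket", "uploads/alice/report.pdf",
                       "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "us-east-1", expires_seconds=300,
                       now=dt.datetime(2013, 5, 24, 0, 0, 0))


if __name__ == "__main__":
    print(demo()["url"])
```

The backend should only hand out a URL after authenticating the user and choosing the object key itself (for example a per-user prefix), since the URL authorizes exactly that PUT and nothing else. Note what is not bound here: the body hash is UNSIGNED-PAYLOAD and neither Content-Type nor Content-Length is among the signed headers, so a client can upload anything of any size to that key until the URL expires; if the size must be capped, use an S3 presigned POST with a content-length-range condition instead, and keep the expiry short.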
The best thing to do here is to use the Cognito service to generate anonymous credentials in the app that allow an upload to S3. For Android you can then use the SDK to do multi-part uploads from the device to S3, which will speed up the process as well.
I couldn't find an exact Android example, but this is one for iOS and the terminology should transfer the same, just with the other SDK: iOSTransferManager.
You can also call Cognito directly from javascript, if you have a web based app: Cognito in JS example
Hope that helps!
- Chris