We are in the role of a SAML IDP in an SSO integration with Google for Work domains. We would like to use the Google Directory API as the interface to authenticate and retrieve attributes for the user identities in the Google for work account.
We are using Domain wide delegation of authority to obtain the OAuth Bearer token with the right scopes to call the Directory API. We can successfully call most of the methods exposed in the API. The data model for the User object has get/set on Password and HashFunction. We aren't able to GET the Password and the HashFunction outside of the session that sets the Password and HashFunction.
Questions:
Do we need to assume/set some privilege or role in order to successfully get the Password and Hash function?
For existing users, is there a way through the Directory API to authenticate them without requiring a password change
Thanks for your help!
Related
We've requirement of generating access token without using user's password. User's email, client's id & secret can be provided. This will be internally used within a specific client.
What's the best way of fulfilling this requirement. Should be change the implementation in Password Grant Handler or Can have some implementation. If Custom grant type is implemented, We don't want it to be exposed in open-id configuration.
WSO2 IS v5.10.0
The main purpose of accesstoken is to provide authorization of a user's resource on behalf of a user. That is why WSO2 IS prompt the login page to authenticate the user and get users' consent. When an application gets accesstoken on behalf of a user, the user should be authenticated using some mechanism and should be aware of it, provided scopes, requested claims, etc.
The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user. If you don't want to access the resources of users (APIs of users), then you can go with client-credential grant type.
Incase, if you want to access users' resources and don't want them to enter password or If you don't want the default authentication by IS, then you can use social logins (Eg: google, facebook) and login using those federated authenticators. In that case, users will not be explicitly prompted to enter a password to IS login page. Then will be logged in via those google or facebook. https://is.docs.wso2.com/en/5.10.0/learn/configuring-federated-authentication/
What I have done so far?
I have integrated Microsoft AD with AWS Cognito by adding Trust relationships and setting Cognito Identity provider. In this, I have set up an app domain prefix during Cognito set up. By using the following URL I am able to receive the token by logging in the AD login page. So when I decode this token I getting the required attributes and other information.
What I actually want?
So I don't want my users to be redirected to the AD login page and later to the application. I need just a REST API where I can provide the AD user credentials and this API will return the above JWT token which has all the information.
So in short, I want to get the Cognito JWT token by using the AD user credentials. These users are the part of AD groups which are linked to the AWS IAM by adding trust relationship using ADFS. So is there a way in which I don't need to use the Cognito hosted UI. Instead, my users will hit one API and get the credentials. I don't know what this API is.
Any help will be appreciated.
I am in the same dilemma myself, but I've found a very useful question (with answers) that might help you out.
It's been some time but maybe this will be useful for new people having the same problem nowadays.
What is the REST (or CLI) API for logging in to Amazon Cognito user pools
I think you'd want to enable the ClientCredentials flow in your cognito user pool.
You can read more on this flow here https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ to make sure it is what you need (oauth flows and grants are the same thing).
Our team has an app and we use Cognito for authentication. In previous projects, we were able to create sessions as a specific user, which helped us to debug issues.
Currently, our app consumes a JWT token for authentication needed by Cognito - would we be able to generate a JWT token for another user (as an admin) in order to debug problems within the app easier?
Tokens issued by Cognito are signed with private AWS keys and the signature within the token can then be verified using public AWS keys. If you could generate a token yourself, with a valid signature, then that would mean that you are in possession of the AWS private keys. I assume that that is not the case, so you cannot arbitrarily create valid Cognito JWTs.
You can of course write test code that ignores the signature or otherwise circumvents proper JWT validation.
Alternatively, as admin, you could create a Cognito user for testing with the properties that you wish to debug and just sign in as that user to get valid JWT tokens in return.
I am starting to implement federated authentication with AWS Cognito using AWS C++ SDK.
I want to authenticate a user with Cognito User Pool and Facebook, Twitter, Google.
I understand that I can link several logins under single user identifier (Cognito identityId), but it is possible only when such logins are added manually after first login.
In example, I see scenario:
A user is registered using Cognito UserPool.
Then, staying authenticated, the user authenticate itself using Facebook. And Facebook tokens can are added to logins.
When further retrieving AWSCredentials call processes - the Facebook login will be added to the user identity at Cognito Identity Pool.
After, the user can login using UserPool credentials and through Facebook authentication under the same user identityId.
Firstly, I am not sure that my scenario is correct, but it is what I realized after reading many posts here and AWS docs.
And if the scenario is correct, then I am in stuck with another question: how to refresh tokens?
In AWS C++ SDK in order to refresh AWS Credential the call CognitoIdentityClient.GetCredentialsForIdentity is used, but it requires to pass user logins.
My more specific question: do I need to pass all logins? Does it require to have all access tokens in the logins no expired?
Adressing your first point, you can use federated identity without using cognito user pool. This means that you can simply autheticate a user directly with facebook, google etc and not add them to user pool. If you do want all users to be there in user pool then you will have to write the code to accept certain parameters from these authentication providers and then add them along with username and password to your user pool.
Now on to your question. To refresh token you have to use InitiateAuth. In auth flow you have to pass "REFRESH_TOKEN_AUTH" and in AuthParameters you pass the refresh token.
I have an API service, which I'm going to deploy using AWS API Gateway with Cognito authorizer + Lambda as backend. This service will be used by our javascript client. Also, it should be exposed to end users as raw endpoints for programmatic access.
While it was quite easy to enable signup/login in js client using federated identities, I can't figure out the way to provide users with private access token to include directly in http headers.
Here are two authentication flows, I'd like to get in the end:
The flow for js client user:
User signs up with Facebook or Google.
User verifies his identity.
After login, user goes to the Profile/API Keys section in the interface.
User copies access token and can include it in http request header in any http client (httpie, curl, language libraries whatever)
The flow for admin created user:
Admin creates user.
Access token is generated for that user.
Admin passes generated access token the user.
User can include it in http headers to make request, as in previous flow.
An access token should be permanent, and can be regenerated by user at any time (think of Stripe API access keys).
The point here is to eliminate additional steps for the user to start using service programmatically. The closest thing in AWS docs so far is developer-authenticated-identities, but user should utilize AWS sdk anyway.
One possible way to accomplish this task is to use Custom authorizer instead of Cognito authorizer in API Gateway. Custom authorizer could implement logic based on e.g. auth header name and decide to either authorize in Cognito or to user API access token in database. I'm not sure, if it is possible, and if it is the major drawback is to reimplement Cognito authentication flow in lambda function.
The question is how can I accomplish such API access token (re)generation using Cognito or API Gateway?
The first flow should be possible with User Pools. Cognito User Pools now has a federation feature where you can federate using Facebook/Google and receive access token/refresh token depending on the flow used.
For admin created user, the user would need to authenticate before tokens are issued but this can be achieved by creating the user with a temporary password and signing the user in with that password, after which it can be changed and logged in again to receive access/refresh token.
The refresh token use case is that it can be used against the Cognito APIs to receive a new access token. When the refresh token expires (default is 30 days but it is configurable), the user would have to authenticate again.