Does it make sense to attempt to use AWS Cognito as a Django authentication back-end? What would be the advantages of doing so? What would be some challenges / problem areas?
Has anyone done any work in this direction?
It depends a bit on what your goal is for it as a back end. Cognito Identity doesn't currently manage users or user registration...etc. It leverages public providers (e.g. Twitter, Facebook, Digits, Google, Amazon...etc.) to get AWS credentials to access other AWS resources.
What were you hoping to do with this backend?
EDIT: As is commented below, the new Cognito User Pools feature allows this to happen.
Related
I would like to use Amazon cognito as a way to allow users to sign up to my app and validate api calls, so I don't have to handle user passwords or create a custom account recovery email system.
The problem is im not sure I understand how its supposed to work or what tools I am meant to use. Heres how I imagine it:
This way I could use cognito to identify users and authorize api calls.
But I am not sure if this is correct. For example I'm not sure if the frontend is supposed to refresh the tokens or the backend.
I am also not sure if I am meant to implement the code for exchanging and refreshing the token and logging out of users myself, but it seems that way since I can't find any tools that would do that for me.
I have found some libraries concerning aws cognito, but none of them mention exchanging or refreshing tokens:
https://www.npmjs.com/package/amazon-cognito-identity-js
https://www.npmjs.com/package/amazon-cognito-auth-js
https://www.npmjs.com/package/#aws-cdk/aws-cognito
I did find this library mentioned in the documentation that can be used to validate jwt id tokens on the backend.
https://github.com/awslabs/aws-jwt-verify
I am using userpools and no identity pools, since I don't grant users access to my aws resources.
So basically my question is, is my perception of the cognito workflow correct and if yes, how can I exchange the grant code for an id token and how can i use the refresh token to refresh the id token.
I've built an application which is connected with Amazon Cognito to take the sign in and sign-ups of users. Currently, application support three different subscriptions (Free, Basic, Premium). If the user signs in for basic Subscriptions, I want to give them least access to DynamoDB for download the parts of applications which is required to run the application service.
How to connect DynamoDB with Cognito directly
I am not sure, what's the best approach to follow this scenario?
(Please note- this is not a mobile-based application, so do not give suggestion to use AWS Amplify or relatable services)
When I was first learning about Cognito, I had made the same set of assumptions you are currently making. I knew that User Pools could act as my application's user directory, and Identity Pools would magically unlock all my authorization needs. I was mistaken :)
At the risk of oversimplifying, AWS Cognito exists to answer two questions:
Who are you? (authentication)
What can you do? (authorization)
Cognito addresses these concerns with two distinct offerings: User Pools (authentication) and Identity Pools (authorization).
At a high level, User Pools let you handle user registration, authentication, account recovery, and supports authentication with third-party identity providers like Facebook, Google, etc. Sounds like you might have this part figured out.
Cognito Identity Pools, on the other hand, provides a way to authorize users to use various AWS services. You can think of it as a vending machine for handing out AWS credentials. For example, if you needed to give your users access to upload a file to an S3 bucket or to invoke an endpoint in API Gateway, you could do so with an Identity Pool. You can even allow item-level access to DynamoDB based on an Amazon Cognito ID. However, this might not work the way you expect since your application users are probably not directly connecting to DynamoDB.
In most web/mobile applications, users are not connecting directly to DynamoDB. Instead, they are interacting with a web/mobile app that communicates to the back-end of your application via an API. That API would then communicate with DynamoDB. If your stack is in AWS, the path may look something like this:
Client (web/mobile app) <-> API Gateway <-> Lambda <-> DynamoDB
In this architecture, your users would authenticate via Cognito. Cognito would then authorize the user to make calls to API Gateway. API Gateway would execute your lambda, which would then interact with DynamoDB. The "user" of DynamoDB in this example is your Lambda, not the user of your application.
That last bit is important, so I'll repeat it: Unless your users are directly connecting to DynamoDB (not recommended), they are not the "user" operating on DynamoDb. Therefore, restricting DynamoDB access based on a user's Cognito ID is not going to be an option for you.
So, what can you do? Your application needs to provide the business logic around what effect your users can have on DynamoDB. Perhaps free users have read-only access to a specific partition, while premium users can modify the same partition. That logic has to be handled directly by you.
I know you said you weren't looking for Amplify suggestions since your application is not mobile-based. However, Amplify offers SDKs that aren't specific to mobile development. The folks at Serverless have made a fantastic tutorial on building a full-stack serverless web app, which includes a very readable chapter on serverless auth with Cognito. They use Amplify in a web app to integrate with Cognito, S3, and API Gateway. If that's something you are trying to do, I'd recommend checking it out.
I have an app hosted in a DigitalOcean server that is only used by me. Now I would like to give access to some friends, so I need users authentication management.
I have read AWS Cognito is a good option however it is not clear to me if it is possible to implement only AWS Cognito to work in joint cooperation with other services or if I need to migrate all to AWS to be able to use Cognito. I’ve been looking for tutorials but all talk about using Cognito in addition to other AWS services.
The point is that I’m using a Postgres DB and looking at AWS prices it is expensive to me to migrate to AWS. In case it is to do what I would like, I really appreciate recommended lectures.
Thanks in advance.
I need users authentication management.
I have read AWS Cognito is a good option
Indeed the AWS Cognito is a good option for user authentication and authorization. If you have a web app, you may as well check out the AWS amplify framework for easier onboarding.
if it is possible to implement only AWS Cognito
You don't need to use any other AWS services or migrate your infrastructure. Your application can use Cognito indepently.
You can use Cognito even as a pure OAuth 2.0 based authentication and authorization service if you want to keep really independent.
all talk about using Cognito in addition to other AWS services
Cognito can provide its users session (temporary) aws credentials to use AWS services. You don't have to use the feature if you don't need to.
What I have done so far?
I have integrated Microsoft AD with AWS Cognito by adding Trust relationships and setting Cognito Identity provider. In this, I have set up an app domain prefix during Cognito set up. By using the following URL I am able to receive the token by logging in the AD login page. So when I decode this token I getting the required attributes and other information.
What I actually want?
So I don't want my users to be redirected to the AD login page and later to the application. I need just a REST API where I can provide the AD user credentials and this API will return the above JWT token which has all the information.
So in short, I want to get the Cognito JWT token by using the AD user credentials. These users are the part of AD groups which are linked to the AWS IAM by adding trust relationship using ADFS. So is there a way in which I don't need to use the Cognito hosted UI. Instead, my users will hit one API and get the credentials. I don't know what this API is.
Any help will be appreciated.
I am in the same dilemma myself, but I've found a very useful question (with answers) that might help you out.
It's been some time but maybe this will be useful for new people having the same problem nowadays.
What is the REST (or CLI) API for logging in to Amazon Cognito user pools
I think you'd want to enable the ClientCredentials flow in your cognito user pool.
You can read more on this flow here https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ to make sure it is what you need (oauth flows and grants are the same thing).
Can someone explain to be how to authenticate with a user pool using Postman? I've searched for auth endpoints in the documentation, but I haven't found any references.
I'm pretty sure you are SOL with this. Part of this reason is because authentication with Cognito is highly customizable and therefor fairly application specific. For example you might be using federation with Facebook, Google, Amazon or SAML. You might be be using MFA or some type of custom challenge. If you aren't using federation, Cognito uses SRP by default which means the client side does a bunch of calculations and black magic to make sure that you are securely authenticated without ever sending your password over the wire. Postman isn't going to know how to do this for you and you aren't going to want to do it yourself just for the sake of using Postman.
My suggestion would be to create a simple app that authenticates using the AWS SDK or even better, AWS Amplify. You can print the auth tokens to the screen and just copy them into Postman to make authenticated requests to your API.