Users can use my app without a login. But they get more features if they create an account, like saving a product.
I'm working through this AWS doc: Integrate Your Existing NoSQL Table - AWS Mobile Hub Developer Guide
But it doesn't appear to have any details about allowing permission for users that don't have a login. I would need to randomly generate an ID when a user first opens the app and still create a user with it.
I've setup a database that has a list of products. That I plan to use the ObjectMapper API to query the database.
AWS has a service called Amazon Cognito.
Amazon Cognito has two parts, Cognito user pools and Cognito Federated Identity.
Cognito User Pools manages user creation, the storage of credentials, the allocation of groups etc.
Cognito Federated Identity, converts an authenticated user into AWS IAM credentials.
Cognito Federated Identity can use Cognito User Pools to authenticate, or Facebook, Amazon, Google, Apple, SAML or OpenID.
Cognito Federated Identity allows both Authenticate and Unauthenticated users.
You can switch from Unauthenticated users to Authenticated users.
You can use Cognito Federated Indentity to get a user ID by calling GetId.
The Logins parameter is optional. GetId will return a unique user Guid each time. You can then store that Guid Locally to track your user, and later if the User decides to signup, you can link that guid to an authenticated user. The link has iOS code examples.
AWS Mobile Hub (now Amplify) uses Cognito in the background, you can see the process flow here.
Related
We are building an app that requires social logins (Apple, Facebook, Instagram, Google, etc) and also phone number login (where the user receives a code via SMS to login)
This is a similar sign-in model to Tinder/Bumble dating apps
We are using AWS for our backend and want to use AWS Cognito for our Authorization/Authentication
I am having difficulty finding out a way to get AWS Cognito working with our setup:
Currently, AWS Cognito provides 2 ways of authorization.
Cognito User Pools
Cognito Identity Pool
We have developed the Phone number login method with User Pool and the social login methods i.e. Google and Facebook are Federated via. Identity Pool.
The issue with the Federated Signing-in method is that the JWT tokens are not returned by Cognito, instead, temporary AWS credentials are returned (which for now works efficiently with the system).
But since AWS does not allow us to use two authorizers at a time, we then needed to use the temporary credentials instead of JWT tokens provided by the user pool. The issue here is that the temporary credentials get expired in a maximum time of 12 hours from the time they have been issued and in case of phone number login, the user needs to then login back to generate the credentials again which degrades the User Experience.
Though Google and Facebook log in can also be integrated via User Pool and retrieve JWT Token in return, the issue is that a UI hosted by Cognito appears which again prompts the user with several login methods used in the app, which again is a bad UX as user needs to tap on Sign-in in with Facebook twice to sign-in.
Is there a way to have Phone number login/social login without:
Using Hosted UI (My understanding is that the Hosted UI cannot be changed to appear how we want, ie: like our original sign-in page designs)
Forcing the user to log in again ever 12 hours
Forcing the user to log in twice (once in our app and once in the Cognito provided UI)
Thank you for your time
I would like users to register an account on my site via OAuth Spotify. I have the following scheme:
User authenticates via Spotify
Spotify ID and Mail are returned
An account will be created on the website (saved to the database)
The user can log in with his Spotify to access that account
The problem I foresee here is that someone can spoof the authentication by copying the ID of another user and it's mail, am I right? If so, what would be a better way to let an user create an account using Spotify Authentication? Let the user set a password? That seems user unfriendly to me.
So, how can I achieve this?
You can use the access token acquired through OAuth to find the associated username. You can use this as the basis for your accounts instead of a username or password on your own site. The process would be something like:
The User authenticates via Spotify
The Spotify OAuth callback returns a authorization code
You use the authorization code to get an access and refresh token for the user
You use the access token to access the associated User ID and use this as the unique ID for the accounts on your site.
Save an account with the Spotify user ID to your site's database
The user can log in again with Spotify to access their account (it will streamline the process by skipping the Spotify OAuth view, if they have previously approved your site, and are logged into Spotify in their browser)
Since your application will only retrieve the User ID from someone's valid access token, and the only way your application will receive that is if they log in through the Spotify OAuth flow, each account on your site will be linked to a valid, unique, Spotify user.
While looking into this, there are security considerations about using OAuth alone to authenticate users. I would look at this post on Security Stack Exchange and decide based on what level of security is needed for your site.
We are using WSO2 IS v5.4.1
We want to authenticate users based on external user data store.
The desired steps:
User logins via Oauth to WSO2 IS with username and password
The login request is forwarded to an external service which authenticates the user by given username and password without authenticating by WSO2 IS default user store.
The service returns some kind of desired response to WSO2 and based on this response some kind of business logic is performed.
I saw that there are 2 options to achieve this:
Implement Custom Local Authenticator
Implement Custom Federated Authenticator
What the is the correct approach?
Thanks,
By the definition,
Local authenticators are to authenticate the user with a local user store. Presumably using username and password. You can use inbuilt login page to ask user's credentials and validate it against the local user stores.
Federated authenticators are to authenticate with 3rd party identity providers. Like Google or Facebook. In this case you won't ask user's credentials directly instead you'll redirect the user to 3rd party login page and after authentication 3rd party IDP will send the result.
By understanding the facts that you have provided, it seems you need a local authenticator where you can ask the user's credentials directly from them and authenticate against the user store.
PS: If you can directly communicate with the user store (Without using any API) and it's a OOTB supported user store (LDAP or JDBC), you can directly plug in that as a secondary user store (Or even as the primary user store) and authenticate against it without using any customization.
I have my user pool and federated pools linked.
I am able to sign up and verify a user however it does not register on the console in the user federated identity pool. It only comes up as unauthenticated.
What do I need to do in order to have my users stop showing up as unauthorized users and have them show up as users in my userpool?
It sounds like you both have unauthenticated identities enabled and are not correctly setting the User Pools token before communicating with Cognito after authenticating. Cognito Federated Identities thinks you haven't given a token, which is why you're seeing only unauthenticated ids. Give this docs page a read, the short version is the logins need to be set like this:
logins.put("cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>", session.getIdToken().getJWTToken());
I'm using Parse as my backend but I'm also using the AWS s3 service so I need to also use Amazon Cognito. So far Amazon Cognito integrates with 3rd party identity providers such as Facebook, Google, and Twitter but not Parse. So I'm guessing I would use the Basic flow which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
since I'm using Parse as my backend I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS Service access for users? Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on ios unless I'm missing a crucial concept here
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As far as your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you to not use it?