I now use cognito user pool as “account system”, and also created a identity pool, Use IOS app I can make user sign up , sign in , get the account identity id, sync dataset and other operations.
Then I use Cognito user pool as Oauth2.0 server to achieve Alexa Smart Skill Account link, it has been able to achieve account login, get AccessToken. (I have a post in the Alexa forum, they reply I can only get AccessToken, https://forums.developer.amazon.com/questions/81362/get-id-token-from-alexa-request-when-account-link.html )
But according to my previous experience, if you want to visit Identity pool, get Identity ID, need ID_token, so I would like to ask, Is there a way I can get Id_Token or identity ID by AccessToken or user name?
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:79abd6b8-f141-4756-9272-a09ed0671d1b',
region: 'us-east-1',
Logins:{
'cognito-idp.us-east-1.amazonaws.com/us-east-1_S5kbwuSkN' : id_token
}
});
You can only use id_token to get identity id to visit an identity pool. To get id_token, you need to configure your app client in Cognito User Pool to have 'openid' as a scope.
Related
Users can use my app without a login. But they get more features if they create an account, like saving a product.
I'm working through this AWS doc: Integrate Your Existing NoSQL Table - AWS Mobile Hub Developer Guide
But it doesn't appear to have any details about allowing permission for users that don't have a login. I would need to randomly generate an ID when a user first opens the app and still create a user with it.
I've setup a database that has a list of products. That I plan to use the ObjectMapper API to query the database.
AWS has a service called Amazon Cognito.
Amazon Cognito has two parts, Cognito user pools and Cognito Federated Identity.
Cognito User Pools manages user creation, the storage of credentials, the allocation of groups etc.
Cognito Federated Identity, converts an authenticated user into AWS IAM credentials.
Cognito Federated Identity can use Cognito User Pools to authenticate, or Facebook, Amazon, Google, Apple, SAML or OpenID.
Cognito Federated Identity allows both Authenticate and Unauthenticated users.
You can switch from Unauthenticated users to Authenticated users.
You can use Cognito Federated Indentity to get a user ID by calling GetId.
The Logins parameter is optional. GetId will return a unique user Guid each time. You can then store that Guid Locally to track your user, and later if the User decides to signup, you can link that guid to an authenticated user. The link has iOS code examples.
AWS Mobile Hub (now Amplify) uses Cognito in the background, you can see the process flow here.
I got this issue while trying to fetch user attributes from AWS Cognito.
I can't tell how it can be an "Invalid Token" because I have copied and pasted it, also I have make sure that it's the accessToken not idToken or anything else.
There are some other similar questions on this site but they don't address my issue:
"Access token does not contain openid scope" in AWS Cognito
Access token does not have the openid scope
Update: here my app client config
OK, I got you detail.
Short answer: You must use oauth2 Cognito authentication instead of using default Cognito authentication API in SDK.
Let me explain why you meet error: You're using Cognito authentication, then Cognito return to you an "access token" that not contains "openid" scope, you can paste the Token here to check: https://jwt.io/#encoded-jwt.
You have to use oauth2 authentication to get the "access token" that contains "openid". In order to do it, you have to use Hosted UI or AUTHORIZATION Endpoint to get the "access token".
You can try Hosted UI by access link (pls edit your domain + response_type + client_id + redirect_uri): https://tsunami.auth.us-east-2.amazoncognito.com/login?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_SIGNIN_URL
You can use AUTHORIZATION Endpoint: https://tsunami.auth.us-east-2.amazoncognito.com/oauth2/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_SIGNIN_URL&identity_provider=COGNITO and it will redirect to Hosted UI
Getting user info is an open id connect feature and requires the openid scope in the token.
I suspect the problem originates from not specifying this scope when you authenticated and got the token.
Usually you configure scopes such as these when authenticating:
openid profile email
You also provide these in the OAuth Client trust entry configured in Cognito
The profile scope enables you to get the user name from the user info endpoint
The email scope enables you to get the email from the user info endpoint
See step 9 of my write up for an example
How to sign up a user to AWSCognitoIdentityUserPool and get the JWT tokens back?
I got Facebook token from facebook registration. Then how can I register user in the User pool with based on that token?
I need to get JWT tokens in responce after that to use them in my own backend.
Struggling with it a week already..
Recognize authentication is a two step process. First, your app must authenticate with Facebook to receive a JWT, it seems that you have done this successfully. Second, this JWT is exchanged for IAM credentials that will be used for API calls.
Authentication Flow:
App authenticates with Identity provider using the SDK for that identity provider. In response, the Identity provider sends a JWT that will be cached by the app.
App uses cached JWT to authenticate with AWS. If the Identity provider is configured in AWS, in response, AWS sends IAM credentials with the permissions granted to that identity provider.
IAM credentials are used to make calls to other AWS resources specified in the Policy
This documentation goes into more detail for these steps in regarding Facebook.
The AWS Amplify Library has support for iOS. I would recommend using this library to handle Authentication against Facebook Federated Identities.
You do not necessarily need a user pool managed in Cognito, as the user pool function is managed by Facebook.
When using this in Lambda:
getOpenIdTokenForDeveloperIdentity
An identity and token gets returned.
What is the point of the identity and token? Which is for what?
Identity id is a unique user identifier that Cognito creates for your user. This identifier remains constant if you link multiple logins for a same user.
Token on the other hand is an OpenId token which belongs to that user and is valid for a limited time. This token is exchanble for AWS credentials by calling either STS or GetCredentialsForIdentity API in Cognito Federated identity service.
There are multiple resources which explain the concepts of federated identity service.
http://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
http://mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication
In OAuth1.0,the access_token and the access_secret is unique for every user in the third party system(like facebook).so when i login by Facebook,it returns me the access_token and access_secret,i can register a user in my site and login.
In OAuth 2.0,it only returns access_token,and expires time.and the access_token may expire after several days. how to identify a person?(or must i request it's api to save the uid of facebook to reach this goal)?
Keeping track of users is completely in your responsibility and not part of OAuth. OAuth just specifies how you can get access using an Access Token to a provider API.
So yes, you have to fetch the user info from Facebook to get the unique ID. ;)