I have used Lambda and set up IAM and Cognito and got an identityId and token. I am confused on the next steps. The user is authenticated in Cognito after login. But how do I keep them logged in, e.g. by refreshing the token when the app loads? And how do I query DynamoDB using only authenticated users? The documentation is vague. I am also using Federated Identities and my own OpenID developer authentication process written in Lambda.
Related
We are building an app that requires social logins (Apple, Facebook, Instagram, Google, etc) and also phone number login (where the user receives a code via SMS to login)
This is a similar sign-in model to Tinder/Bumble dating apps
We are using AWS for our backend and want to use AWS Cognito for our Authorization/Authentication
I am having difficulty finding out a way to get AWS Cognito working with our setup:
Currently, AWS Cognito provides 2 ways of authorization.
Cognito User Pools
Cognito Identity Pool
We have developed the phone number login method with User Pool, and the social login methods, i.e. Google and Facebook, are federated via Identity Pool.
The issue with the federated sign-in method is that the JWT tokens are not returned by Cognito; instead, temporary AWS credentials are returned (which for now works efficiently with the system).
But since AWS does not allow us to use two authorizers at a time, we then needed to use the temporary credentials instead of the JWT tokens provided by the user pool. The issue here is that the temporary credentials expire within a maximum of 12 hours from the time they were issued, and in the case of phone number login the user then needs to log in again to generate the credentials, which degrades the user experience.
Though Google and Facebook login can also be integrated via User Pool and return a JWT token, the issue is that a UI hosted by Cognito appears which again prompts the user with the several login methods used in the app, which again is bad UX, as the user needs to tap on "Sign in with Facebook" twice to sign in.
Is there a way to have Phone number login/social login without:
Using Hosted UI (My understanding is that the Hosted UI cannot be changed to appear how we want, ie: like our original sign-in page designs)
Forcing the user to log in again every 12 hours
Forcing the user to log in twice (once in our app and once in the Cognito-provided UI)
Thank you for your time
How to sign up a user to AWSCognitoIdentityUserPool and get the JWT tokens back?
I got a Facebook token from Facebook registration. Then how can I register the user in the User Pool based on that token?
I need to get JWT tokens in the response after that to use them in my own backend.
Struggling with it for a week already.
Recognize authentication is a two step process. First, your app must authenticate with Facebook to receive a JWT, it seems that you have done this successfully. Second, this JWT is exchanged for IAM credentials that will be used for API calls.
Authentication Flow:
App authenticates with Identity provider using the SDK for that identity provider. In response, the Identity provider sends a JWT that will be cached by the app.
App uses cached JWT to authenticate with AWS. If the Identity provider is configured in AWS, in response, AWS sends IAM credentials with the permissions granted to that identity provider.
IAM credentials are used to make calls to other AWS resources specified in the Policy
This documentation goes into more detail for these steps regarding Facebook.
The AWS Amplify Library has support for iOS. I would recommend using this library to handle Authentication against Facebook Federated Identities.
You do not necessarily need a user pool managed in Cognito, as the user pool function is managed by Facebook.
I am having difficulty navigating Amazon's documentation. I currently have an app that logs in using Firebase's email and password identification. How do I connect this to my data stored in AWS using Cognito? My app is in Objective C.
Unfortunately without a backend, you cannot integrate Firebase Login with Cognito since it doesn't support OpenId Connect. With a backend, you would need to implement the Developer Authenticated Identities flow as follows:
Implement AWSAbstractCognitoIdentityProvider
In the refresh method:
Login via Firebase
Make an https call passing the Firebase login token to your backend and validate it
From your backend, call GetOpenIdTokenForDeveloperIdentity using developer credentials
Pass the results back to the device
Update the identity id and the logins map
I was under the impression that AWS Mobile Hub built out things for you in the sample app.
But I see on the resources page that it uses an AWS Cognito identity pool for which I defined auth and unauth roles. The app builds but I keep getting this when I try to login:
I have sign in enabled:
In this identity pool I have created an unauth and an auth role. Then in Mobile Hub I downloaded the code but still can't get login working. What am I missing?
When using Custom login, it means that you want to authenticate the users against your backend or developer authenticated identities. This is how it works:
The end user will provide credentials (username and password) on your iOS App.
App will call your backend to verify the credentials.
Backend will call GetOpenIdTokenForDeveloperIdentity API of Amazon Cognito for that end-user (using the username)
Cognito will return an identityId associated with that username and an OpenID Connect token to your backend, and these will be passed back to the Android App.
Cognito SDK will use this token to call Amazon STS to get AWS credentials for the end user.
I would highly encourage you to follow our blog post and the developer guide, it explains this flow in depth. As always, if you have any questions please feel free to ask.
Thanks.
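The developer-authenticated flow described in the two answers above (the Firebase one and the custom-login one), as an added example that is not code from the thread or from AWS: the backend half validates the user against its own identity provider and calls GetOpenIdTokenForDeveloperIdentity, the device half puts the returned token in the logins map and exchanges it for temporary credentials. It assumes a hypothetical `sessions` store standing in for your own IdP check, and `FakeCognito` is a constructed stand-in for a boto3 `cognito-identity` client so the flow runs offline.

```python
"""Developer Authenticated Identities: backend half and device half.
Added example, not from the thread. FakeCognito is a constructed stand-in
for a boto3 'cognito-identity' client so the flow runs offline."""
import secrets

# Constructed placeholders for your identity pool id and the developer
# provider name configured on that pool.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
DEVELOPER_PROVIDER = "login.example.com"
TOKEN_TTL_SECONDS = 900  # Cognito default is 15 min; maximum is 24 h


class FakeCognito:
    """Mimics the two real API calls and the server-side token state."""
    def __init__(self):
        self.issued = {}  # OIDC token -> identityId

    def get_open_id_token_for_developer_identity(self, IdentityPoolId,
                                                 Logins, TokenDuration):
        identity_id = "us-east-1:id-" + Logins[DEVELOPER_PROVIDER]
        token = secrets.token_urlsafe(16)
        self.issued[token] = identity_id
        return {"IdentityId": identity_id, "Token": token}

    def get_credentials_for_identity(self, IdentityId, Logins):
        token = Logins.get("cognito-identity.amazonaws.com")
        if self.issued.get(token) != IdentityId:  # forged or mismatched
            raise PermissionError("NotAuthorizedException")
        return {"Credentials": {"AccessKeyId": "ASIA-constructed",
                                "SecretKey": "s", "SessionToken": "t"}}


def issue_developer_identity(cognito, session_token, sessions):
    """Backend: check the session with your own IdP (Firebase, Parse, a
    user DB; `sessions` stands in for that), then mint the identity.
    Only the backend holds the developer credentials this call needs."""
    user_id = sessions.get(session_token)
    if user_id is None:
        raise PermissionError("session rejected by identity provider")
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER: user_id},
        TokenDuration=TOKEN_TTL_SECONDS)
    return {"IdentityId": resp["IdentityId"], "Token": resp["Token"]}


def credentials_for_device(cognito, identity_id, oidc_token):
    """Device: logins map key for developer tokens is always this fixed string."""
    resp = cognito.get_credentials_for_identity(
        IdentityId=identity_id,
        Logins={"cognito-identity.amazonaws.com": oidc_token})
    return resp["Credentials"]
```

With the real boto3 client the same two calls run unchanged; the credentials that come back carry the auth role's permissions, so a token the backend never issued (or one bound to a different identityId) gets nothing.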
I'm using Parse as my backend but I'm also using the AWS s3 service so I need to also use Amazon Cognito. So far Amazon Cognito integrates with 3rd party identity providers such as Facebook, Google, and Twitter but not Parse. So I'm guessing I would use the Basic flow which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
since I'm using Parse as my backend I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS service access for users. Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on iOS, unless I'm missing a crucial concept here.
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As far as your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you to not use it?