When using this in Lambda:
getOpenIdTokenForDeveloperIdentity
An identity and token gets returned.
What is the point of the identity and token? Which is for what?
The identity id is a unique user identifier that Cognito creates for your user. This identifier remains constant if you link multiple logins for the same user.
The token, on the other hand, is an OpenID token which belongs to that user and is valid for a limited time. This token is exchangeable for AWS credentials by calling either the STS or the GetCredentialsForIdentity API in the Cognito Federated Identities service.
There are multiple resources which explain the concepts of the federated identity service.
http://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
http://mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication
Suppose we have 3 Relying Parties with 1 OpenID Provider (= Identity Provider). If a user wants to sign in to the first application, he will be redirected to the Identity Provider (via the Authorization Code Flow), and at the end of the flow the first application will have an ID token and an access token.
If the user, 10 minutes later, wants to sign in to the second relying party, he will be automatically redirected to the IdP (via the Authorization Code Flow) and the IdP will recognize the user by the cookie. So the IdP will not ask the user to authenticate, and at the end of the flow the second Relying Party will have an ID Token & access token.
My question: can you confirm that the ID Token & Access Token of the second Relying Party will be different from the ID Token & Access Token of the first Relying Party?
Yes, they should be different.
In ID tokens the aud claim should contain the relying party app for which the token is intended.
In the access token there is usually something like a client_id claim so the Relying Party can identify which client this token was issued to, although this isn't guaranteed.
See the JWT spec for details of OpenID Connect JWT tokens.
How to sign up a user to AWSCognitoIdentityUserPool and get the JWT tokens back?
I got a Facebook token from Facebook registration. How can I register the user in the User Pool based on that token?
I need to get JWT tokens in the response after that, to use them in my own backend.
Struggling with it for a week already...
Recognize that authentication is a two-step process. First, your app must authenticate with Facebook to receive a JWT; it seems that you have done this successfully. Second, this JWT is exchanged for IAM credentials that will be used for API calls.
Authentication Flow:
The app authenticates with the Identity Provider using the SDK for that identity provider. In response, the Identity Provider sends a JWT that will be cached by the app.
The app uses the cached JWT to authenticate with AWS. If the Identity Provider is configured in AWS, AWS responds with IAM credentials carrying the permissions granted to that identity provider.
The IAM credentials are used to make calls to the other AWS resources specified in the policy.
This documentation goes into more detail on these steps regarding Facebook.
The AWS Amplify Library has support for iOS. I would recommend using this library to handle Authentication against Facebook Federated Identities.
You do not necessarily need a user pool managed in Cognito, as the user pool function is managed by Facebook.
Is it possible to obtain an OAuth2 id_token for an Azure AD Service Principal?
I can go through the client_credentials flow against the /token endpoint, but that only yields an access_token. Is there a way for me to get an id_token as well, like I do for an interactive user?
No. You need to go through a flow which involves a service principal and a user.
Client credentials flow only involves the service principal, so the access token only contains its info. Id tokens are only given when there is a user context.
So, for an Id token, you need to use one of these flows:
Authorization Code
Implicit
Device code
On-Behalf-Of (API calling another API)
Resource Owner Password (though I don't recommend this one)
Ultimately, why do you need an Id token? The access token already contains who the calling app is. It should contain an appid claim, which is the client Id for the app.
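To show the answerer's closing point in code (an added example, not from the original answer): an API can identify the calling app from the access token alone, and can tell an app-only token from a user-context token. The claim names follow Azure AD's token shape (appid in v1.0 tokens and azp in v2.0 tokens for the calling app's client Id, scp for delegated user scopes, roles for app-only permissions); the tokens below are constructed and carry no signature so the script runs offline, and a real API must verify the signature against the tenant's published keys before reading any claim. The audience and client Id values are placeholders.

```javascript
// Added example: reading the caller's identity from an Azure AD-style access
// token. Not code from the original answer; all ids and tokens are constructed.
const b64url = (s) => Buffer.from(s).toString('base64url');

// Constructed token with an empty signature part (demo only; never accept
// unsigned tokens in production).
const unsignedToken = (claims) =>
  `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.`;

function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
}

// Identify the caller from the access token. expectedAudience is this API's
// own client Id or App ID URI; any other audience means the token was not
// issued for this API and must be rejected regardless of who the caller is.
function describeCaller(accessToken, expectedAudience) {
  const c = decodePayload(accessToken);
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(expectedAudience)) throw new Error('token not issued for this API');
  const appId = c.appid ?? c.azp; // v1.0 tokens carry appid, v2.0 tokens carry azp
  if (!appId) throw new Error('no calling-app claim in token');
  // Delegated (user-context) tokens carry scp; app-only tokens carry roles.
  const delegated = typeof c.scp === 'string' && c.scp.length > 0;
  return {
    appId,
    kind: delegated ? 'delegated' : 'app-only',
    permissions: delegated ? c.scp.split(' ') : (c.roles ?? []),
    subject: c.sub,
  };
}

// Constructed placeholders.
const API_AUDIENCE = 'api://constructed-api-id';
const CALLING_APP = '11111111-2222-3333-4444-555555555555';

function demo() {
  // What client_credentials yields: the app's identity only, permissions in roles.
  const appOnly = unsignedToken({
    aud: API_AUDIENCE, appid: CALLING_APP, roles: ['Data.Read.All'], sub: 'sp-object-id',
  });
  // What a user flow (auth code, device code, OBO) yields: user context plus scp.
  const delegated = unsignedToken({
    aud: API_AUDIENCE, appid: CALLING_APP, scp: 'Data.Read Data.Write', sub: 'user-pairwise-id',
  });
  return {
    appOnly: describeCaller(appOnly, API_AUDIENCE),
    delegated: describeCaller(delegated, API_AUDIENCE),
  };
}

console.log(demo());
```

The useful defensive habit here is branching on scp versus roles rather than on the presence of a user claim: an app-only token still has a sub (the service principal), so checking for sub alone would wrongly treat a client_credentials caller as a user.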
I now use a Cognito User Pool as the "account system", and I have also created an identity pool. Using an iOS app I can make users sign up, sign in, get the account's identity id, sync datasets and do other operations.
Then I used the Cognito User Pool as the OAuth 2.0 server for Alexa Smart Skill Account Linking; it has been able to achieve account login and get an AccessToken. (I have a post in the Alexa forum; they replied that I can only get an AccessToken: https://forums.developer.amazon.com/questions/81362/get-id-token-from-alexa-request-when-account-link.html )
But according to my previous experience, if you want to access the Identity Pool and get an Identity ID, you need the ID_token. So I would like to ask: is there a way I can get the Id_Token or identity ID from the AccessToken or the user name?
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:79abd6b8-f141-4756-9272-a09ed0671d1b',
    region: 'us-east-1',
    Logins: {
        // user pool provider name -> the user's ID token (not the access token)
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_S5kbwuSkN': id_token
    }
});
You can only use the id_token to get an identity id to access an identity pool. To get an id_token, you need to configure your app client in the Cognito User Pool to have 'openid' as a scope.
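As an added example of the answer's point (not code from the thread): pick the right token for the Logins map of CognitoIdentityCredentials. A Cognito User Pool ID token carries token_use "id" and aud equal to the app client id, while an access token carries token_use "access" and a client_id claim; only the former is accepted by the identity pool. The user pool id and region are taken from the asker's snippet; the app client id and the tokens are constructed and unsigned so this runs offline (verify the signature against the user pool's JWKS before trusting any claim for real). The function name loginsFor is an assumption.

```javascript
// Added example: choose the ID token, not the access token, for the identity
// pool Logins map. Not code from the thread; client id and tokens are constructed.
const REGION = 'us-east-1';
const USER_POOL_ID = 'us-east-1_S5kbwuSkN'; // from the asker's snippet
const APP_CLIENT_ID = 'constructed-app-client-id'; // placeholder, not a real client id
const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;
const PROVIDER_NAME = `cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

const b64url = (s) => Buffer.from(s).toString('base64url');
// Constructed token with an empty signature part (demo only).
const unsignedToken = (claims) =>
  `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.`;

function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
}

// Build the Logins map for CognitoIdentityCredentials, or throw if the token
// is not an ID token issued by this user pool for this app client.
function loginsFor(token) {
  const c = decodePayload(token);
  if (c.iss !== ISSUER) throw new Error('token not from this user pool');
  if (c.token_use !== 'id') throw new Error(`identity pool needs an ID token, got token_use=${c.token_use}`);
  if (c.aud !== APP_CLIENT_ID) throw new Error('ID token issued for a different app client');
  return { [PROVIDER_NAME]: token };
}

function demo() {
  // ID token: what the app client returns once the 'openid' scope is enabled.
  const idToken = unsignedToken({ iss: ISSUER, token_use: 'id', aud: APP_CLIENT_ID, sub: 'user-uuid' });
  // Access token: what the Alexa account-link flow hands back; no aud, has client_id.
  const accessToken = unsignedToken({
    iss: ISSUER, token_use: 'access', client_id: APP_CLIENT_ID, scope: 'openid', sub: 'user-uuid',
  });
  let accessRejected = '';
  try {
    loginsFor(accessToken);
  } catch (e) {
    accessRejected = e.message;
  }
  return { logins: loginsFor(idToken), accessRejected };
}

console.log(demo());
```

The token_use check is the quick way to see why an access token from the account-link flow does not work here: it is the same user and the same user pool, but the identity pool only maps an ID token to an identity id.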
I am using the client credentials flow with Spring OAuth2. The DefaultAuthenticationKeyGenerator stores the access_token in memory for me. However, if I run multiple client instances from different hosts and make the /oauth/token client_credentials grant request, I get the SAME access token. So all client instances with the same client id and client secret get the same access token.

So I must be misunderstanding something fundamentally. Is there a way to have each instance of my client receive its own unique client credentials flow access token with its own expiration period?

The reason I want this is so I can authenticate the client itself before a user account has been created. After the user account is created I can use the resource owner password grant flow to get a user-specific access_token.