Using AWS Mobile Hub to get a working sign in - iOS

I was under the impression that AWS Mobile Hub built out things for you in the sample app.
But I see on the resources page that it uses an AWS Cognito identity pool for which I defined auth and unauth roles. The app builds but I keep getting this when I try to log in:
I have sign in enabled:
In this identity pool I have created an unauth and an auth role. Then in Mobile Hub I downloaded the code but still can't get login working. What am I missing?

When using Custom login, it means that you want to authenticate the users against your backend or developer authenticated identities. This is how it works:
The end user will provide credentials (username and password) on your iOS App.
App will call your backend to verify the credentials.
Backend will call the GetOpenIdTokenForDeveloperIdentity API of Amazon Cognito for that end user (using the username).
Cognito will return an identityId associated with that username and an OpenID Connect token to your backend, and it will be passed back to the Android App.
The Cognito SDK will use this token to call Amazon STS to get AWS credentials for the end user.
I would highly encourage you to follow our blog post and the developer guide; they explain this flow in depth. As always, if you have any questions please feel free to ask.
Thanks.

Related

OAuth2 using external form to authenticate with Google account

We have a system that is using its own authentication system and I need to make it use our Google Workspace accounts to integrate with Google SSO, so that when the user gives their credentials to the webpage, they will be authenticated both in their Google account and in our web app account.
Google's default workflow redirects the user to its own form, so we have the problem of the password not being passed to our server.
It crossed my mind that this would be too insecure to exist, but remember that all users who would log in to our website would have an account created in a workspace totally managed by us.
How could I auth the user this way?
Why not use "Sign in with Google" -> OpenID Connect to access the website? That way it will authenticate with Google.
Or add the website as a custom SAML application in the Admin console, and use Google as the IdP, since the users will be provided by your organization.

I am stuck on account linking for my custom Alexa skill

Currently, I am working on linking my Alexa skill with my website. I'm stuck. I've followed YouTube tutorials and looked at the documentation. I basically want users to click on the account linking button, be taken to a login page and then have that authorize the users with their own private data. Do I need to create an OAuth server? Is there anybody I can talk to who has already done something like this? I created an HTML page to log users in using an API call but I haven't gotten any further. Any help is appreciated.
There are two questions that you asked here. Addressing them consecutively:
Do you need an OAuth server for account linking? --> Yes. You either create your own authorization server which uses OAuth 2.0 or you can rent it from providers. There are various OAuth server providers like Auth0, Okta etc.
If you have created an HTML page for login, then it needs to connect with your auth server in the backend, and you need an API to do that as well as to connect with the LWA server to complete account linking with Alexa.
The auth server will basically generate an auth code upon authenticating the user and subsequently it will generate an access token. Both these URLs must be mentioned in the Amazon Alexa developer console.
Then you need to make the calls to LWA to complete authentication with Amazon. This will generate an LWA auth code and subsequently an access token.
This LWA access token, along with the user auth code generated by your auth server, will be used to enable the skill from your website.
Feel free to contact me if you have more queries! Good luck.

AWS Cognito Authenticate Users with Firebase Email and Password iOS

I am having difficulty navigating Amazon's documentation. I currently have an app that logs in using Firebase's email and password identification. How do I connect this to my data stored in AWS using Cognito? My app is in Objective C.
Unfortunately, without a backend you cannot integrate Firebase Login with Cognito, since it doesn't support OpenID Connect. With a backend, you would need to implement the Developer Authenticated Identities flow as follows:
Implement AWSAbstractCognitoIdentityProvider.
In the refresh method:
Login via Firebase.
Make an https call passing the Firebase login token to your backend and validate it.
From your backend, call GetOpenIdForDeveloperIdentity using developer credentials.
Pass the results back to the device.
Update the identity id and the logins map.

Custom identity provider in Amazon Mobile Hub/ Amazon Web Services

I am new to Amazon Mobile Hub as a backend. Before this I was using Parse, which essentially did everything for me. In Amazon Mobile Hub, for sign in, there is a custom sign in option. The info for this particular option on the Amazon website is as follows:
'If you have an existing authentication process, you can use your own backend to authenticate your users. This involves interaction between your end user device, your backend for authentication, and Amazon Cognito. Learn more about authenticating your own users.'
I am really confused by this. So is there no option for creating a custom user database in Amazon Web Services? If so, what kind of external services would I have to use (like Auth0 or something)? If so, could anyone direct me to any seminar which explains custom user databases?
Can Amazon's Identity and Access Management help me with this? The documentation for this service only gives code in Java and I am an iOS developer, so I am having problems understanding this.
If anyone has ever used Parse, then I am looking for something like the Users class in Parse.
Vishisht,
For the custom identity provider, the Mobile Hub generated iOS Sample App does not have a fully documented solution yet. When creating the project in the Mobile Hub console and enabling “Custom” sign in, Mobile Hub is simply creating a “Developer provider name” associated with the default Cognito Identity Pool created for that project.
For Cognito Developer Authenticated Identities, you do need to create your own backend service to handle your end-user identities. Using developer authenticated identities involves interaction between the end-user device (a Mobile Hub generated sample app, perhaps), your backend for authentication, and Amazon Cognito.
The authentication server is a simple application designed to store user credentials in a secure manner and provide an OpenID Connect token to authenticated users. The authentication server can be built using AWS resources such as a web server running on an EC2 instance or an application running on an Elastic Beanstalk environment. The following blog is an end-to-end solution for building the backend authentication server and using the sample Cognito code from GitHub to directly interact with the backend server. Unfortunately, the sample authentication service is only written in Java.
Integrating Amazon Cognito using developer authenticated identities: An end-to-end example:
https://mobile.awsblog.com/post/Tx3E3NJURV1LNV1/Integrating-Amazon-Cognito-using-developer-authenticated-identities-An-end-to-en
Btw – I have used Parse, and AWS or Mobile Hub does not have anything like the “Users” class. However, with Cognito Identity and Sync, you do have control over user profiles, it allows multiple providers per user, and it allows you to sync user profiles between devices. The Cognito Identity and Cognito Sync examples are integrated into the Mobile Hub generated sample apps through the “User Data Storage” feature.

Using Parse and AWS Cognito

I'm using Parse as my backend, but I'm also using the AWS S3 service, so I need to also use Amazon Cognito. So far Amazon Cognito integrates with third-party identity providers such as Facebook, Google, and Twitter, but not Parse. So I'm guessing I would use the Basic flow, which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
since I'm using Parse as my backend I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS service access for users. Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on iOS, unless I'm missing a crucial concept here.
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend, which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As far as your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you to not use it?