Custom identity provider in Amazon Mobile Hub / Amazon Web Services - iOS

I am new to Amazon Mobile Hub as a backend. Before this I was using Parse, which essentially did everything for me. In Amazon Mobile Hub, for sign-in, there is a custom sign-in option. The info for this particular option on the Amazon website is as follows:
'If you have an existing authentication process, you can use your own backend to authenticate your users. This involves interaction between your end user device, your backend for authentication, and Amazon Cognito. Learn more about authenticating your own users.'
I am really confused by this. So is there no option for creating a custom user database in Amazon Web Services? If so, what kind of external services would I have to use (like Auth0 or something)? If so, could anyone direct me to any seminar that explains custom user databases?
Can Amazon's Identity and Access Management help me with this? The documentation for this service only gives code in Java, and I am an iOS developer, so I am having problems understanding it.
If anyone has ever used Parse: I am looking for something like the Users class in Parse.

Vishisht,
For the custom identity provider, the Mobile Hub generated iOS Sample App does not have a fully documented solution yet. When creating the project in the Mobile Hub console and enabling “Custom” sign in, Mobile Hub is simply creating a “Developer provider name” associated with the default Cognito Identity Pool created for that project.
For Cognito Developer Authenticated Identities, you do need to create your own backend service to handle your end-user identities. Using developer authenticated identities involves interaction between the end-user device (a Mobile Hub generated sample app, perhaps), your backend for authentication, and Amazon Cognito.
The authentication server is a simple application designed to store user credentials in a secure manner and provide an OpenID Connect token to authenticated users. The authentication server can be built using AWS resources such as a web server running on an EC2 instance or an application running in an Elastic Beanstalk environment. The following blog post is an end-to-end solution for building the backend authentication server and using the sample Cognito code from GitHub to interact directly with the backend server. Unfortunately, the sample authentication service is only written in Java.
Integrating Amazon Cognito using developer authenticated identities: An end-to-end example:
https://mobile.awsblog.com/post/Tx3E3NJURV1LNV1/Integrating-Amazon-Cognito-using-developer-authenticated-identities-An-end-to-en
Btw, I have used Parse, and AWS / Mobile Hub does not have anything like the “Users” class. However, with Cognito Identity and Sync you do have control over user profiles, can have multiple providers per user, and can sync user profiles between devices. The Cognito Identity and Cognito Sync examples are integrated into the Mobile Hub generated sample apps through the “User Data Storage” feature.
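The backend half of the flow described in that answer, as an added example that is not the AWS sample service from the blog post: the backend verifies the password against its own user table and only then asks Cognito for an identity id and OpenID Connect token, which the device hands to its Cognito credentials provider. The identity pool id, developer provider name, the user table and the FakeCognitoIdentity stand-in are constructed so the code runs offline; the method name and keyword arguments are those of boto3's cognito-identity client, which you would inject in place of the fake.

```python
"""Backend for Cognito developer-authenticated identities.

Added example, not the AWS sample application. The backend owns the
user table, verifies the password itself, then exchanges its own user
id for a Cognito identity id and OpenID Connect token that the device
feeds to the Cognito credentials provider. The Cognito client is
injected so this runs offline; in production pass
boto3.client("cognito-identity") and the same call is made for real.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed values; the real ones are the identity pool id and the
# "Developer provider name" configured on the pool in the Cognito console.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
DEVELOPER_PROVIDER_NAME = "login.example.myapp"
TOKEN_DURATION_SECONDS = 900  # short-lived; the device re-calls the backend to refresh

PBKDF2_ROUNDS = 200_000
_DUMMY_SALT = bytes(16)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class FakeCognitoIdentity:
    """Offline stand-in for the boto3 cognito-identity client: records
    each request and returns the two fields the real API returns."""

    def __init__(self) -> None:
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **kwargs):
        self.calls.append(kwargs)
        return {"IdentityId": "us-east-1:fake-identity-id", "Token": "fake.oidc.token"}


class DeveloperAuthBackend:
    def __init__(self, cognito_client, users: Dict[str, dict]) -> None:
        self.cognito = cognito_client
        self.users = users  # username -> {"user_id", "salt", "digest"}

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Returns the internal user id on success, else None. Unknown
        usernames still pay for one PBKDF2 run so response time does not
        reveal which accounts exist."""
        rec = self.users.get(username)
        salt = rec["salt"] if rec else _DUMMY_SALT
        expected = rec["digest"] if rec else bytes(32)
        _, got = hash_password(password, salt)
        if rec is None or not hmac.compare_digest(got, expected):
            return None
        return rec["user_id"]

    def login(self, username: str, password: str) -> Optional[dict]:
        """What the device's /login request gets back: None on failure,
        otherwise the identity id and token for the credentials provider."""
        user_id = self.authenticate(username, password)
        if user_id is None:
            return None
        # The backend, never the device, chooses the identifier recorded
        # under the developer provider; use a stable id, not the username.
        resp = self.cognito.get_open_id_token_for_developer_identity(
            IdentityPoolId=IDENTITY_POOL_ID,
            Logins={DEVELOPER_PROVIDER_NAME: user_id},
            TokenDuration=TOKEN_DURATION_SECONDS,
        )
        return {"identity_id": resp["IdentityId"], "token": resp["Token"]}


def build_demo_backend():
    """Constructed user table with one account, plus the fake client."""
    salt, digest = hash_password("correct horse battery staple")
    users = {"alice": {"user_id": "u-1001", "salt": salt, "digest": digest}}
    cognito = FakeCognitoIdentity()
    return DeveloperAuthBackend(cognito, users), cognito


if __name__ == "__main__":
    backend, _ = build_demo_backend()
    print(backend.login("alice", "correct horse battery staple"))
    print(backend.login("alice", "wrong"))
```

The endpoint that exposes `login` must only be reachable over TLS, and the only thing the device ever learns about Cognito is the identity id and the short-lived token; the IAM credentials the backend uses to call Cognito never leave the server, which is the whole reason for the extra hop.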

Related

Is it possible to Integrate 2 applications with different OAuth2 grant-types?

I'm trying to link AWS Alexa with a backend application (SugarCRM 9.0) which handles OAuth 2.0 but with different grant types (password and refresh), and the AWS Alexa requirements are the authorization code grant type or the implicit grant type. Is there a way to get around this?
I'm not sure about setting up an AWS Managed Active Directory to integrate Sugar's users with Alexa, because that will generate infrastructure for a solution that can probably be simplified. I used AWS SSO as an approach to link these services, since AWS SSO makes it easy to centrally manage access to multiple business applications (but not between them)...
Probably not the answer you want.
You'll likely need to create a middleware service that has people do the Login with Amazon login, and a Sugar CRM login, so you can reference the unique customer ID Login with Amazon creates for them (which will be the same in your skill and middleware if you use the same app ID / security profile) with the access tokens you retrieve for them from SugarCRM.

Using Azure Active Directory to establish Authorization and Authentication for iOS and web clients?

I am building an iOS application with Swift, and this application has a web client that's using Microsoft Azure services. I want to add sign-in and login functionality to the application using Microsoft Azure. I am not using any cloud applications or services. I will just have simple forms for signing up and logging in. I want to be able to save user credentials to authenticate and authorize them when they are using the application. I tried reading over their documentation and it seems to me that I need to use Azure Active Directory, but I am not clear on that.
I am fairly new to Microsoft Azure. Can anyone clarify for me whether I can use it, and provide resources on how to do that?
The simplest way to implement that is to use Azure Mobile Apps; it is a backend-as-a-service. You are able to connect your backend with the authentication providers of your choice: Facebook, Azure Active Directory, a custom provider, etc. Then, when a user tries to authenticate, all of the authentication code will be handled by the cloud platform: the user will enter their credentials, these will be sent to the auth provider, and if they are valid it will send back the auth token that you will be able to use in your app to get their information, etc.
Here is the tutorial for Mobile Apps for iOS.
Or, you may use Azure Active Directory directly as a provider (it will serve as a catalogue of your users), using that tutorial or the samples from the official library. But I would highly recommend looking at Mobile Apps, as it is the fast and simple way to implement what you need.

Using Parse and AWS Cognito

I'm using Parse as my backend, but I'm also using the AWS S3 service, so I need to also use Amazon Cognito. So far Amazon Cognito integrates with 3rd-party identity providers such as Facebook, Google, and Twitter, but not Parse. So I'm guessing I would use the Basic flow, which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
Since I'm using Parse as my backend, I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS service access for users. Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on iOS, unless I'm missing a crucial concept here.
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As for your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you not to use it?

How does an "account" work with AWS Identity Token Vending Machine?

I've followed the instructions in this post http://mobile.awsblog.com/post/Tx371Y7CA0QJ95X/Simplifying-Token-Vending-Machine-Deployment-with-AWS-CloudFormation
And I can see that it's working somewhat, and I understand the overall concept of what the TVM is and why it's needed; however, I still have a hard time understanding how this works in practice. I read a post somewhere that the anonymous token vending machine is designed for read-only access, and if I wanted to actually provide write access I would need to use the identity TVM.
In the demo app it makes me register my account on the CloudFormation server I set up, but I don't understand how this works with, say, my own web app. I have a mobile app that connects to a Rails app where I need users to upload their profile images as well as post photo content. I already have the app running except for the integration part with the TVM (basically my AWS credentials are embedded in the app, which Amazon doesn't recommend).
So my question is, how do I integrate an existing REST-based iOS app with the identity token vending machine to upload photos to S3? How can I integrate it without making users separately create an "account" for the identity token vending machine on top of registering for my app?
We recently launched Amazon Cognito, which obviates the need for the TVM in many cases, particularly in the "anonymous TVM" case. Through Cognito's unauthenticated access you can grant users of your application limited access privileges to various AWS resources. Cognito leverages existing functionality of IAM Roles and STS to deliver these credentials.
If you want to maintain the integration with your existing backend authentication solution, you will need to generate and maintain the list of identity ids for your application. You can read more about the APIs involved in our API documentation.
Your app can act as the TVM, mapping your user identities to the IAM roles with the permissions they need. It can then use the AssumeRole call on STS to create temporary credentials for these users. Your app then creates an S3Client object with these credentials and uses it to upload the photo.
See the "Identity federation" and "Web identity federation" sections of the IAM Roles documentation.
The AWS Web Identity Federation Playground is a nice example app to see it at work.
CloudFormation will automate the creation, updating and deletion of AWS resources, including EC2 instances and IAM roles, but is not directly related to user authentication.
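Taking the "your app can act as the TVM" route from the answer above, as an added example in Python rather than the Java TVM from the blog post: once the Rails-style backend has authenticated the user with its own accounts, the server calls STS AssumeRole on one shared upload role and attaches a session policy that confines the temporary credentials to that user's own S3 prefix, so the app never needs a second account and never embeds long-lived keys. The role ARN, bucket name, user ids and the FakeSTS stand-in are constructed; the `assume_role` keyword arguments are those of boto3's STS client, which you would inject in place of the fake.

```python
"""Backend acting as the token vending machine.

Added example, not the AWS TVM sample or its CloudFormation template.
After the app's own login succeeds, the server assumes one upload role
and attaches a session policy that narrows it to the caller's own S3
prefix, then hands the temporary credentials to the device. STS is
injected so this runs offline; in production pass boto3.client("sts").
"""
import json
import re

# Constructed values.
UPLOAD_ROLE_ARN = "arn:aws:iam::123456789012:role/AppUserUploadRole"
BUCKET = "example-app-user-content"
DURATION_SECONDS = 900  # STS minimum; short so a leaked credential expires fast

# A user id is interpolated into policy resource ARNs and the role session
# name, so it may contain neither '/' (prefix escape) nor the IAM wildcards
# '*' and '?'; otherwise a crafted id could widen the policy.
_USER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,48}$")


def user_prefix(user_id: str) -> str:
    if not _USER_ID_RE.match(user_id):
        raise ValueError("user id not safe for use in a policy: %r" % user_id)
    return "users/%s/" % user_id


def session_policy(user_id: str) -> dict:
    """Session policy passed to AssumeRole. It can only shrink what the
    role itself allows, so one generic role serves every user."""
    prefix = user_prefix(user_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": "arn:aws:s3:::%s/%s*" % (BUCKET, prefix),
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::%s" % BUCKET,
                "Condition": {"StringLike": {"s3:prefix": [prefix + "*"]}},
            },
        ],
    }


def policy_allows_object(policy: dict, action: str, key: str) -> bool:
    """Tiny offline check: does any Allow statement cover this object key?
    Handles only the '*' wildcard on object resource ARNs, which is enough
    to exercise the prefix scoping above (not a general IAM evaluator)."""
    arn = "arn:aws:s3:::%s/%s" % (BUCKET, key)
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or action not in actions:
            continue
        pattern = "^" + re.escape(st["Resource"]).replace(r"\*", ".*") + "$"
        if re.match(pattern, arn):
            return True
    return False


class FakeSTS:
    """Offline stand-in for the boto3 STS client."""

    def __init__(self) -> None:
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEFAKE",
            "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-session-token",
            "Expiration": "2099-01-01T00:00:00Z",
        }}


def vend_credentials(sts, user_id: str) -> dict:
    """Call only after the app's own authentication has succeeded."""
    policy = session_policy(user_id)  # also validates user_id
    resp = sts.assume_role(
        RoleArn=UPLOAD_ROLE_ARN,
        RoleSessionName="user-" + user_id,  # appears in CloudTrail per user
        Policy=json.dumps(policy),
        DurationSeconds=DURATION_SECONDS,
    )
    c = resp["Credentials"]
    return {
        "access_key_id": c["AccessKeyId"],
        "secret_access_key": c["SecretAccessKey"],
        "session_token": c["SessionToken"],
        "expiration": c["Expiration"],
    }


if __name__ == "__main__":
    print(vend_credentials(FakeSTS(), "alice"))
```

The device configures its S3 client with the three returned values and must come back to the backend before `expiration`; the role's trust policy has to allow the backend's own principal to call AssumeRole, and the role's attached permissions are the ceiling that the session policy narrows, so keep the role itself limited to the bucket in question.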

Authenticating to Google Cloud Endpoints as iOS app (not user with Google account credentials)

One of my iOS apps contacts one of my services using Google Cloud Endpoints and I would like to restrict access to that service to instances of the app.
I've followed instructions about adding authorization and have created an iOS client ID that is tied to my app's bundle id and app store id. I've now difficulties understanding this part of the instructions:
"If your iOS app is making calls to an Endpoint that requires authentication, you must Add a Sign-in Dialog to your iOS client."
I do not want my users to log in but instead I want my app to present its credentials to the service for authentication without user interaction. I thought since the client ID is (presumably cryptographically) tied to the client ID and bundle ID only the app is (somehow) able to do so and that the client ID would effectively serve like a service account.
Is this type of app (not user) authentication scenario supported by Google Cloud Endpoints (for iOS clients) or do I have to roll my own app authentication by passing some secret in the application-level protocol? Here are some earlier related (unanswered) questions for Android clients.
I have concluded for now that Google Cloud Endpoints allows authentication only based on Google account credentials. What I need is a credential for the entire app (not its users) akin to a service account or an API key.
I have used service accounts for server-to-server communication. It does not seem possible to create service accounts for an app (as opposed to a GAE application).
GTLService has a property APIKey. However, if my client sets it to a public access key (iOS key) that I created for my GAE application in the Google Developer Console, the server returns the error "Access Not Configured. Please use Google Developers Console to activate the API for your project", but there is no (obvious) way of configuring non-Google APIs such as my service API.
So until further notice I will add an API key to my application-level API requests and check it in each @ApiMethod.
