I'm using Parse as my backend but I'm also using the AWS S3 service so I need to also use Amazon Cognito. So far Amazon Cognito integrates with 3rd party identity providers such as Facebook, Google, and Twitter but not Parse. So I'm guessing I would use the Basic flow which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
since I'm using Parse as my backend I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS service access for users? Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on iOS, unless I'm missing a crucial concept here.
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As for your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you to not use it?
I'm trying to link AWS Alexa with a backend application (SugarCRM 9.0) which handles OAuth 2.0 but with different grant types (password and refresh), and AWS Alexa requires the authorization code grant type or implicit grant type. Is there a way to get around this?
I'm not sure about setting up an AWS Managed Active Directory to integrate Sugar's users with Alexa, because that will generate infrastructure for a solution that can probably be simplified. I used AWS SSO as an approach to link these services, since AWS SSO makes it easy to centrally manage access to multiple business applications (but not between them)...
Probably not the answer you want.
You'll likely need to create a middleware service that has people do the Login with Amazon login, and a Sugar CRM login, so you can reference the unique customer ID Login with Amazon creates for them (which will be the same in your skill and middleware if you use the same app ID / security profile) with the access tokens you retrieve for them from SugarCRM.
I was under the impression that AWS Mobile Hub built out things for you in the sample app.
But I see on the resources page that it uses an AWS Cognito identity pool for which I defined auth and unauth roles. The app builds but I keep getting this when I try to log in:
I have sign in enabled:
In this identity pool I have created unauth and auth roles. Then in Mobile Hub I downloaded the code but still can't get login working. What am I missing?
When using Custom login, it means that you want to authenticate the users against your backend or developer authenticated identities. This is how it works:
The end user will provide credentials (username and password) on your iOS app.
App will call your backend to verify the credentials.
Backend will call the GetOpenIdTokenForDeveloperIdentity API of Amazon Cognito for that end user (using the username).
Cognito will return an identityId associated with that username and an OpenID Connect token to your backend, and it will be passed back to the Android app.
Cognito SDK will use this token to call Amazon STS to get AWS credentials for the end user.
I would highly encourage you to follow our blog post and the developer guide, which explain this flow in depth. As always, if you have any questions please feel free to ask.
Thanks.
I am new to Amazon Mobile Hub as a backend. Before this I was using Parse which essentially did everything for me. In Amazon Mobile Hub, for sign in, there is a custom sign in option. The info for this particular option on the amazon website is as follows:
'If you have an existing authentication process, you can use your own backend to authenticate your users. This involves interaction between your end user device, your backend for authentication, and Amazon Cognito. Learn more about authenticating your own users.'
I am really confused by this. So is there no option for creating a custom user database in Amazon Web Services? If so, what kind of external services would I have to use (like Auth0 or something)? If so, could anyone direct me to any seminar which explains custom user databases.
Can Amazon's Identity and Access Management help me in this? The documentation for this service only gives code in Java and I am an iOS developer, so I am having problems understanding this.
If anyone has ever used Parse, I am looking for something like the Users class in Parse.
Vishisht,
For the custom identity provider, the Mobile Hub generated iOS Sample App does not have a fully documented solution yet. When creating the project in the Mobile Hub console and enabling “Custom” sign in, Mobile Hub is simply creating a “Developer provider name” associated with the default Cognito Identity Pool created for that project.
For Cognito Developer Authenticated Identities, you do need to create your own backend service to handle your end-user identities. Using developer authenticated identities involves interaction between the end-user device (a Mobile Hub generated sample app, perhaps), your backend for authentication, and Amazon Cognito.
The authentication server is a simple application designed to store user credentials in a secure manner and provide an OpenID Connect token to authenticated users. The authentication server can be built using AWS resources such as a web server running on an EC2 instance or an application running on an Elastic Beanstalk environment. The following blog is an end-to-end solution for building the backend authentication server and using the sample Cognito code from GitHub to directly interact with the backend server. Unfortunately, the sample authentication service is only written in Java.
Integrating Amazon Cognito using developer authenticated identities: An end-to-end example:
https://mobile.awsblog.com/post/Tx3E3NJURV1LNV1/Integrating-Amazon-Cognito-using-developer-authenticated-identities-An-end-to-en
Btw, I have used Parse, and neither AWS nor Mobile Hub has anything like the “Users” class. However, with Cognito Identity and Sync, you do have control over user profiles, can have multiple providers per user, and can sync user profiles between devices. The Cognito Identity and Cognito Sync examples are integrated into the Mobile Hub generated sample apps through the “User Data Storage” feature.
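The backend half of the developer-authenticated flow that the step list above and the Mobile Hub reply both describe (verify the user on the server, call GetOpenIdTokenForDeveloperIdentity, hand identityId and token back to the app), as an added example that is not code from this thread. The identity pool id and developer provider name are placeholders, the user store is constructed, and the Cognito client is injected so the code runs offline; in production you would pass boto3.client("cognito-identity").

```python
"""Backend half of the developer-authenticated-identities flow. Added example;
the Cognito client is injected so this runs offline."""
import hashlib
import hmac
import os

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
DEVELOPER_PROVIDER_NAME = "login.example.myapp"  # placeholder; must equal the pool's developer provider name
TOKEN_DURATION_SECONDS = 900  # keep it short: the SDK exchanges this token with STS immediately


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password):
    salt = os.urandom(16)  # per-user salt; store salt and hash, never the plaintext
    return salt, _hash(password, salt)


USERS = {"alice": _make_user("correct horse battery")}  # constructed user store


class AuthError(Exception): pass


def verify_password(username, password):
    """The backend, not the device, checks the credentials (constant-time compare)."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash(password, salt))


def login(cognito, username, password):
    """Cognito is called only after the check succeeds; the username is the
    stable developer-side id under your provider name."""
    if not verify_password(username, password):
        raise AuthError("invalid credentials")
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER_NAME: username},
        TokenDuration=TOKEN_DURATION_SECONDS,
    )
    # The app hands this pair to the Cognito SDK, which exchanges the token with STS.
    return {"identityId": resp["IdentityId"], "token": resp["Token"]}


class FakeCognitoClient:
    """Constructed stand-in that records the request and returns placeholder values."""
    def __init__(self):
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **kwargs):
        self.calls.append(kwargs)
        return {"IdentityId": "us-east-1:placeholder-identity", "Token": "placeholder.oidc.token"}
```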
I am currently trying to use Amazon S3 for uploading images from an iOS app with a Rails back-end.
I currently don't understand how security works. In their docs
http://docs.aws.amazon.com/mobile/sdkforios/developerguide/s3transfermanager.html
it's not clear to me how to safely upload/destroy objects in sync with the back-end. For instance, in order to post/destroy, I was expecting a mechanism of asking the Rails server for a signature, and only then being able to upload the image to Amazon. But I can't find this kind of mechanism.
Has someone gone through this kind of thing with AWS?
If you are using your server to generate temporary credentials for the AWS Mobile SDK, we recommend the following approach:
Generate the access key, secret key, and session token on your server. You have many language options including Java, .NET, PHP, Ruby, Python, and Node.js.
Implement your credentials provider by conforming to AWSCredentialsProvider. Take a look at the implementations of AWSWebIdentityCredentialsProvider and AWSCognitoCredentialsProvider as examples. This credentials provider should:
Retrieve the access key, secret key, and session key from your server.
Persist them locally until they expire.
Return the credentials when requested.
Re-retrieve them from your server if they are expired.
Initiate the credential refreshing process when -refresh is called.
I encourage you to take a look at Amazon Cognito Identity. With Amazon Cognito, you can create unique end user identifiers for accessing AWS cloud services by using public login providers such as Amazon, Facebook, Google, and any OpenID Connect compatible provider, or by using your own user identity system. It covers many of the custom server use cases, and it is easier to use and manage.
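The credentials-provider checklist above (retrieve, persist until expiry, return on request, re-retrieve when expired, refresh on demand) as an added example that is not from the thread; Python stands in for the logic an AWSCredentialsProvider conformer would carry on iOS. The fetch function that calls your server is assumed and injected so the class runs offline, and the skew constant is a choice of this example.

```python
"""Client-side temporary-credentials provider. Added example; fetch_fn calls your
backend over TLS and is injected so this runs offline."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

EXPIRY_SKEW_SECONDS = 60  # treat credentials as expired early to absorb clock drift and request latency


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key: str
    secret_key: str
    session_token: str
    expiration: float  # Unix epoch seconds, as returned by your server


class ServerCredentialsProvider:
    def __init__(self, fetch_fn: Callable[[], TemporaryCredentials], clock=time.time):
        self._fetch = fetch_fn
        self._clock = clock
        self._cached: Optional[TemporaryCredentials] = None  # on a device: keychain, not a plain file

    def _expired(self) -> bool:
        return (self._cached is None
                or self._cached.expiration - EXPIRY_SKEW_SECONDS <= self._clock())

    def credentials(self) -> TemporaryCredentials:
        """Return the cached set; re-retrieve from the server only when it has expired."""
        if self._expired():
            self._cached = self._fetch()
        return self._cached

    def refresh(self) -> TemporaryCredentials:
        """Force a round trip, e.g. when -refresh is called after an expired-token error."""
        self._cached = None
        return self.credentials()

    def clear(self) -> None:
        """Drop the secret on sign-out so it does not outlive the user's session."""
        self._cached = None
```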
I've followed the instructions in this post http://mobile.awsblog.com/post/Tx371Y7CA0QJ95X/Simplifying-Token-Vending-Machine-Deployment-with-AWS-CloudFormation
And I can see that it's working somewhat, and I understand the overall concept of what TVM is and why it's needed, however I still have a hard time understanding how this works in practicality. I read a post somewhere that the anonymous token vending machine is designed for read-only and if I wanted to actually provide write access I need to use the identity TVM.
In the demo app it makes me register my account on the CloudFormation server I set up, but I don't understand how this works with, say, my own web app. I have a mobile app that connects to a Rails app where I need users to upload their profile images as well as post photo content. I already have the app running except for the integration part with the TVM (basically my AWS credentials are embedded in the app, which Amazon doesn't recommend).
So my question is how do I integrate an existing REST based iOS app with the identity token vending machine to upload photos to S3? How can I integrate it without making users separately create an "account" for the identity token vending machine on top of registering for my app?
We recently launched Amazon Cognito, which obviates the need for the TVM in many cases, particularly in the "anonymous TVM" case. Through Cognito's unauthenticated access you can grant users of your application limited access privileges to various AWS resources. Cognito leverages existing functionality of IAM Roles and STS to deliver these credentials.
If you want to maintain the integration with your existing backend authentication solution, you will need to generate and maintain the list of identity ids for your application. You can read more about the APIs involved in our API documentation.
Your app can act as the TVM, mapping your user identities to the IAM Roles with the permissions they need. Then it can use the AssumeRole calls on STS to create temporary credentials for these users. Your app then creates an S3Client object with these credentials and uses it to upload the photo.
See the "Identity federation" and "Web identity federation" sections of the IAM Roles documentation
The AWS Web Identity Federation Playground is a nice example app to see it at work.
CloudFormation will automate the creation, updates and deletion of AWS Resources, including EC2 Instances and IAM Roles, but is not directly related to user authentication.
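The "your app acts as the TVM" approach from the reply above, as an added example that is not from the thread: after your own login check succeeds, the backend maps the user to an upload role and calls STS AssumeRole, adding a session policy so the returned credentials only reach that user's own S3 prefix. The role ARN and bucket are placeholders, and the STS client is injected so the code runs offline; in production you would use boto3.client("sts").

```python
"""Backend acting as an identity TVM via STS AssumeRole with a per-user
session policy. Added example; the STS client is injected so this runs offline."""
import json
import re

UPLOAD_ROLE_ARN = "arn:aws:iam::123456789012:role/MobileUploadRole"  # placeholder
BUCKET = "example-photos-bucket"  # placeholder
SESSION_DURATION_SECONDS = 900  # the STS minimum; a short lifetime limits exposure if a token leaks
_SAFE_USER_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def session_policy_for(user_id):
    """Effective permissions are the intersection of the role's policy and this
    session policy, so the user can only touch objects under users/<id>/."""
    if not _SAFE_USER_ID.match(user_id):
        raise ValueError("user id is not safe to embed in a policy")
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/users/{user_id}/*",
        }],
    })


def vend_credentials(sts, user_id):
    """Call only after your own login check; returns what the app's credentials provider needs."""
    resp = sts.assume_role(
        RoleArn=UPLOAD_ROLE_ARN,
        RoleSessionName=f"user-{user_id}",  # appears in CloudTrail, so uploads are attributable
        Policy=session_policy_for(user_id),
        DurationSeconds=SESSION_DURATION_SECONDS,
    )
    c = resp["Credentials"]
    return {"accessKeyId": c["AccessKeyId"], "secretAccessKey": c["SecretAccessKey"],
            "sessionToken": c["SessionToken"], "expiration": c["Expiration"]}


class FakeSts:
    """Constructed stand-in that records the request and returns placeholder values."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAPLACEHOLDER", "SecretAccessKey": "placeholder",
                                "SessionToken": "placeholder-session", "Expiration": "2000-01-01T00:15:00Z"}}
```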