Cognito User groups and Identity Pool - amazon-cognito

If users can be added to groups and groups can have roles attached to them, I wasn't sure why we need an Identity Pool.
With an identity pool you have authenticated and unauthenticated types, each with a role.
But a user can have at most one role at a time.
So what happens in the case when a user belongs to a group and there is an identity?
Does the Identity Pool do nothing?

Related

Authenticate AZURE Ad user by App role assigned to the user group

I have created an App role for my AZURE AD backend API and assigned this role to a group. Now I want to authenticate a user in my .NET Core backend application on the basis of whether the user has a group which has this role. I am getting the group IDs in the access token, but how can I get the app roles assigned to these groups?
Please check how you enabled group claims in the Azure Portal.
If you check the Emit groups as role claims option like below, you cannot see application roles, but you can see group IDs.
If the above option is enabled, make sure to uncheck the box.
Note: If you use the option to emit group data as roles, only groups will appear in the role claim. Any application roles that the user is assigned to won't appear in the role claim.
Also, I would suggest you refer to the Microsoft official documentation below, which states that if you add a service principal to a group and then assign an app role to that group, Azure AD does not add the roles claim to tokens it issues. You can modify the "groupMembershipClaims" field in the application manifest if you want to include the groups claim in your token, like below:
Add app roles to your application and receive them in the token
For more detail, please refer to the link below:
Configure group claims for applications by using Azure Active Directory
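An added example (not from this answer or from Microsoft) of what the relevant part of the application manifest looks like once the fix above is applied: a "groupMembershipClaims" value that emits security group IDs, one app role that can be assigned to a group, and a groups optional claim whose "additionalProperties" does not contain "emit_as_roles" (that entry is what the "Emit groups as role claims" checkbox writes, and it is what suppresses app roles). The GUIDs, display names and role value are placeholders.

```json
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "example-backend-api",
  "groupMembershipClaims": "SecurityGroup",
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "Placeholder role: can read reports through the backend API",
      "displayName": "Reports Reader",
      "id": "11111111-1111-1111-1111-111111111111",
      "isEnabled": true,
      "value": "Reports.Read"
    }
  ],
  "optionalClaims": {
    "accessToken": [
      {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ]
  }
}
```

With this shape, group IDs arrive in the "groups" claim and assigned app roles in the "roles" claim, so the backend can authorize on "roles" (the value "Reports.Read") instead of re-deriving roles from group IDs.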

use multiple Cognito Pool Client ids on the same Cognito Identity Pool for login

I have a Cognito Identity Pool set up to use a Cognito User Pool as a source of identity. Now, in my case the Cognito User Pool has 2 different client IDs, one for my mobile application and one for my website. In order to support login from both I need to add both client IDs in the Authentication Providers settings, but it seems that you can add only 1 client ID at a time. Is there a way to configure the Cognito Identity Pool to accept 2 different Cognito Pool client IDs?
I don't want to use the same client ID because I need to do different user validations on user sign-up based on where the user came from (app or web), and the client ID is the only parameter passed to my Lambda that allows me to identify where a user came from.
From the Identity Pool CloudFormation docs, it looks like you can provide a list of identity providers. A user pool identity provider is defined as the user pool ID plus the client ID. It seems like you should be able to specify two different ones with the same user pool ID and different client IDs. I don't know whether this is possible through the console.
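An added CloudFormation example (not from the answer) of the configuration it describes: one identity pool whose CognitoIdentityProviders list names the same user pool twice, once per app client. The user pool ID and the two client IDs are parameters you supply at deploy time; ServerSideTokenCheck makes the identity pool confirm with the user pool that the user has not been disabled, deleted or globally signed out before issuing credentials.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "UserPoolId": {"Type": "String"},
    "MobileAppClientId": {"Type": "String"},
    "WebAppClientId": {"Type": "String"}
  },
  "Resources": {
    "IdentityPool": {
      "Type": "AWS::Cognito::IdentityPool",
      "Properties": {
        "IdentityPoolName": "ExampleIdentityPool",
        "AllowUnauthenticatedIdentities": false,
        "CognitoIdentityProviders": [
          {
            "ProviderName": {"Fn::Sub": "cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}"},
            "ClientId": {"Ref": "MobileAppClientId"},
            "ServerSideTokenCheck": true
          },
          {
            "ProviderName": {"Fn::Sub": "cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}"},
            "ClientId": {"Ref": "WebAppClientId"},
            "ServerSideTokenCheck": true
          }
        ]
      }
    }
  },
  "Outputs": {
    "IdentityPoolId": {"Value": {"Ref": "IdentityPool"}}
  }
}
```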

Can Cognito user pool Sign-in through another Cognito user pool?

I am working on a project where we are building an authentication system for a coaching center. Our project needs to provide AuthN for students and teachers. A student can register for a class, and that'll give that student permission to set up a username and password only for that class. However, for instructors we want them to be able to authenticate with the same set of credentials for all classes.
The design we were looking into was to create one user pool for instructors and one user pool per class, then allow sign-in through the instructor user pool in the class user pool. Something like this:
On checking the instructions for setting up an OIDC provider, I was able to add the Instructor Cognito User Pool as an OIDC provider in CLASS A. After this I created an app client in CLASS A and used the following URL format to sign in.
https://CLASSA-domain/oauth2/authorize?response_type=code&client_id=<your_client_id>&redirect_uri=https://www.example.com
When I sign in with a user in the Instructor Pool I get a "The username or password you entered is invalid" error. However, when I try with the hosted UI of the Instructor Pool I am able to sign in.
The use case you mentioned is easily solved by using Cognito user groups instead of creating multiple user pools. Create a group for every class and attach the permissions required to that group. For teachers, simply grant them permissions for all the classes.
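An added CloudFormation example (not from this answer, nor from the first question on this page about groups versus identity pools) showing both ideas together: a per-class user pool group and an instructors group, each carrying an IAM role, plus an identity pool role attachment with Type "Token", which makes the identity pool hand out the role of the user's lowest-precedence group instead of the generic authenticated role, falling back to that role when the token carries no group role. The user pool, client, identity pool and role ARNs are parameters; the roles are assumed to already trust cognito-identity.amazonaws.com.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "UserPoolId": {"Type": "String"},
    "AppClientId": {"Type": "String"},
    "IdentityPoolId": {"Type": "String"},
    "ClassARoleArn": {"Type": "String"},
    "InstructorRoleArn": {"Type": "String"},
    "DefaultAuthenticatedRoleArn": {"Type": "String"},
    "UnauthenticatedRoleArn": {"Type": "String"}
  },
  "Resources": {
    "ClassAGroup": {
      "Type": "AWS::Cognito::UserPoolGroup",
      "Properties": {
        "GroupName": "class-a",
        "Description": "Students of class A; role scoped to class A resources only",
        "UserPoolId": {"Ref": "UserPoolId"},
        "RoleArn": {"Ref": "ClassARoleArn"},
        "Precedence": 10
      }
    },
    "InstructorsGroup": {
      "Type": "AWS::Cognito::UserPoolGroup",
      "Properties": {
        "GroupName": "instructors",
        "Description": "Lowest precedence value wins when a user is in several groups",
        "UserPoolId": {"Ref": "UserPoolId"},
        "RoleArn": {"Ref": "InstructorRoleArn"},
        "Precedence": 1
      }
    },
    "RoleAttachment": {
      "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
      "Properties": {
        "IdentityPoolId": {"Ref": "IdentityPoolId"},
        "Roles": {
          "authenticated": {"Ref": "DefaultAuthenticatedRoleArn"},
          "unauthenticated": {"Ref": "UnauthenticatedRoleArn"}
        },
        "RoleMappings": {
          "UserPoolTokenMapping": {
            "IdentityProvider": {"Fn::Sub": "cognito-idp.${AWS::Region}.amazonaws.com/${UserPoolId}:${AppClientId}"},
            "Type": "Token",
            "AmbiguousRoleResolution": "AuthenticatedRole"
          }
        }
      }
    }
  }
}
```

Without the RoleMappings entry the identity pool ignores group roles entirely and every signed-in user gets the single authenticated role, which is the situation the first question on this page asks about.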

Trigger Lambda function when creating new Cognito Identity

I want to use Cognito Federated Identities with multiple authentication providers, and I want to manage my own user database so I have a simple, immutable, unique user ID for other areas of the application.
What would be the correct way to trigger a Lambda function that inserts newly authenticated users into my user database?
If I were only using Cognito User Pools I could use the offered triggers, and would create a mapping of the User Pool's unique "sub" ID to my application's user ID, but if I use other authentication providers (Facebook etc.) through Federated Identities, there are no triggers offered.
I cannot see any triggers within Federated Identities.
I understand User Pools can now do federation within User Pools, meaning a Facebook sign-up there would create a User Pool identity which would have a "sub" ID I could use, but I feel the federation in User Pools is not as mature and strong as in Federated Identities; there are also fewer providers to choose from.
Secondary question: Is there a best standard for mapping authentication provider IDs to my application user ID? I understand sub is an immutable unique ID for User Pools, but Federated Identities' "Identity ID" can merge and thus change, so I guess best practice would be to use each authentication provider's unique ID?

How federated Identity ID is populated and sent to IAM policies?

I want to know from where the value ${cognito-identity.amazonaws.com:sub} is populated. I checked the Cognito Identity JWT token, where sub holds the Cognito username. I can't see the federated ID anywhere in the JWT ID token. I can only see the ID generated in the federated identity pool.
Is it a hash of the Cognito and federated pool IDs?
Because if it is taken from the JWT token, I want to pass custom:Attribute1 into this variable dynamically, ${cognito-identity.amazonaws.com:custom:Attribute1}, in the IAM role for DynamoDB.
Thanks
Any help is appreciated
With Cognito Federated Identity, the username from the user pool is not preserved across the federation boundary. Instead it is exchanged for an identity id which is consistent for future interactions with that user. At this time, you will need to maintain your own mapping of username -> identity id. Another option is to not use Federated Identity and proxy your requests to DynamoDB through API Gateway using Cognito User Pool authorizers so you have access to the end user's username.
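An added CloudFormation example (not from the question or the answer) of the IAM role the identity pool hands to authenticated users, with a DynamoDB policy keyed on ${cognito-identity.amazonaws.com:sub}. That variable expands to the identity ID the answer describes, not to the user pool username or any custom attribute, so the table's partition key has to be the identity ID and the username -> identity id mapping the answer mentions must be kept somewhere else; the identity pool ID and table name are parameters, and the variable is written as a plain string (never inside Fn::Sub, which would try to resolve it).

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "IdentityPoolId": {"Type": "String"},
    "TableName": {"Type": "String"}
  },
  "Resources": {
    "AuthenticatedRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {"cognito-identity.amazonaws.com:aud": {"Ref": "IdentityPoolId"}},
              "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
            }
          }]
        },
        "Policies": [{
          "PolicyName": "OwnItemsOnly",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem"],
              "Resource": {"Fn::Sub": "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"},
              "Condition": {
                "ForAllValues:StringEquals": {
                  "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
                }
              }
            }]
          }
        }]
      }
    }
  }
}
```

The aud and amr conditions in the trust policy are what stop a token from a different identity pool, or an unauthenticated identity, from assuming this role.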