I am trying to authenticate Google users in my app by using the AdminInitiateAuthCommand for AWS Cognito. I have added in Google as a federated identity in my User Pool in Cognito, and am now using the AdminInitiateAuthCommand to authenticate the user and to retrieve access/refresh tokens from the session Cognito creates. How can I be able to do this? When using a ADMIN_USER_PASSWORD_AUTH authorization flow, it requires you sending it the username and password. And obviously for security reasons, Google would never give access to the password of a Google user. So what would be the workaround for this?
const auth = await client.send(new AdminInitiateAuthCommand({
AuthFlow: AUTHFLOWS.ADMIN_USER_PASSWORD_AUTH,
ClientId: 'clientId',
UserPoolId: USERPOOLID,
AuthParameters: {
USERNAME: username,
PASSWORD: password,
},
}));
Related
I have an integration test and would like to use a secret key to impersonate a Coginto user pool user without using a username/password. Is this doable?
I am new to AWS Cognito. Based on description, Userpool is used for authentication. If I am a user in the userpool, I can use this user name and password to authenticate my identity. Why do I need to add App to userpool?
Thanks for help in advance,
AWS Cognito allows you to create a number of apps to integrate with your user pool. On each app, you can custom the Authentication flow, Access/Refresh token expiration, attribute read and write permissions, hostUI...
Use case: you use the same user pool for both apps but there are some custom like:
App A: just allow authentication via the ALLOW_USER_PASSWORD_AUTH and access token expiration is 5 minutes.
App B: just allow authentication via the ALLOW_USER_SRP_AUTH and access token expiration is 30 minutes.
Hope that's clear.
When I create a new app client in AWS Cognito, I have an option not to generate client secret (I need to disable this because as far as I understand nodejs apps do not support this secret), so I am wondering what key is then used to sign the JWT tokens that are issued by Cognito
The client secret is not used to sign JWT tokens. The private key is used to sign a token and public key to verify it. You can view public keys for your User Pool by next URL:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
More information about this can be found in AWS documentation - Verifying a JSON Web Token
Having a client secret depends from whether you are going to use the implicit or the explicit(or authorization_code) grant for authorization. Nodejs applications support both. Below I have an example of a request with authorization_code grant, where you need the secret when you will perform your request to Cognito's token endpoint (passed as headers in Authorization).
let enc = WNEMONITOR_APP_CLIENT_ID + ":" +WNEMONITOR_APP_CLIENT_SECRET
request.post({
url: 'https://YourCognitoUserPoolDomain.auth.yourregion..amazoncognito.com/oauth2/token',
headers: {
Authorization: 'Basic ' + Base64.encode(enc),
'Content-Type': 'application/x-www-form-urlencoded'
},
form: {
grant_type: 'authorization_code',
code: code,
redirect_uri: theurlofyourapplication,
scope: 'email openid profile',
client_id: WNEMONITOR_APP_CLIENT_ID
}
The response will be your id_token and the refresh_token (if you have configured it to your UserPool earlier, in the configuration of App Client, check box "ALLOW_REFRESH_TOKEN_AUTH")
In https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html you can see the requests in each case.
In https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ you can see the difference between the two grants (implicit - without secret, and authorization_code), do choose the best for your case. But it has nothing to do with the language that your application is written in.
In case you are convinced you don't need the authorization_code grant, you can configure not to have a secret like this:
In your User Pool in the AWS console go to App Clients (on your left), and on the client that you will create unclick the box "Generate client secret". I am not sure if you can edit an App client that you have already created. But I am sure that you can create a new one, and then use the client id of the new one to retrieve your token.
I have an Android app and an API secured with Auth0.
I'm developing an app for a new client, who has a large Cognito user pool.
Is it possible to use my current Auth0 setup to log in Cognito users via email/password and receive a Auth0 JWT?
I don't want to create a new Auth0 user for each Cognito user. At least not explicitly.
Thanks
If I understand you correctly, you want to use Auth0 as a service provider and AWS Cognito as an identity provider. In theory, you can use SAML protocol to achieve that. Try the following:
Configure Auth0 as SAML service provider. https://auth0.com/docs/protocols/saml/saml-sp-generic
Configure AWS Cognito AS Identity provider: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Then, once you initiate the login flow in auth0, users will be redirected to AWS Cognito for user authentication. After successful user authentication, AWS should redirect the user Auth0 with SAML Assertion. In that stage, Auth0 will validate the assertion and will issue a JWT token. The user will be redirected to your application with JWT. Note that if this is the first login, auth0 will create a user profile.
https://auth0.com/docs/protocols/saml
The following AWS documentation explains how to configure auth0 as IDP.
https://aws.amazon.com/premiumsupport/knowledge-center/auth0-saml-cognito-user-pool/
I have a .net web api app with owin security. The security middleware is configured with Google authentication (no local username/password authentication) and Oauth bearer token.
In startup:
public void ConfigureAuth(IAppBuilder app)
{
...
app.UseOAuthBearerTokens(new OAuthAuthnorizationServerOptions {
TokenEndpointPath = new PathString("/token"),
AuthorizeEndpointPath = new PathString("/account/authorize"),
Provider = new ApplicationOAuthProvider("web"),
...
});
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions {
ClientID = "...",
ClientSecret = "..."
});
}
From my client applications I go to
http://myapp.com/account/authorize?client_id=web&response_type=token&redirect_uri=...
This redirects to a google login that the user fills in, then back to my app with a bearer token that I peel off and add to request headers for my api.
I would like to write some integration tests where my tests call the API. The tests have the google credentials of a test user, but I am not sure how to have the test authenticate without bringing up a browser and a google login screen. I could drive that with Selenium but that seems heavy-handed.
How do I programmatically get a bearer token to use with my API such that I can impersonate my test user?
Normally you would use the OAuth2 resource owner password credentials grant in this case, but Google does not seem to support that.
So your best option seems to be to use the authorization code grant to authenticate the test user, extract the refresh token from the token endpoint response. Then use the refresh token and client ID and secret to get an access token from your integration test.
See this for more information:
https://developers.google.com/identity/protocols/OAuth2InstalledApp