AWS Cognito - Change user pool based on user domain - amazon-cognito

We would like to have many user pools based on the user domain (#gmail.com, #microsoft.com, etc.).
Right now, using Lambda triggers, we deny or accept access based on the domain of the user.
We want to have only one hosted UI, which will take the user's domain and, based on this parameter, sign the user in to the specific user pool.
Example:
I have 2 user pools (gmailUserPool, exampleUserPool), both connected to Google as the IdP.
user domain is #gmail.com -> sign in to gmailUserPool
user domain is #example.com -> sign in to exampleUserPool
So far we have tried to change the userPoolId in the preAuth Lambda trigger, but it returned an error:
user pool should be 'another-user-pool-id'
Is there a way to handle all of these users from one hosted UI?
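The page itself records that a Pre Authentication trigger cannot move a sign-in to another pool (the error quoted above). The following is an added example, not code from the question's author: it shows the per-pool domain allow/deny check the question says is already done in Lambda triggers, plus an assumed front-door design in which the application picks the matching pool's hosted UI before redirecting, instead of a single hosted UI. The pool IDs, hosted UI domains, client IDs and the routing table are placeholders.

```javascript
// Added example (not the question author's code).  Pool ids, hosted UI domains and
// client ids are placeholders; the domain -> pool table is a hypothetical routing table.
const POOLS_BY_DOMAIN = {
  "gmail.com":   { userPoolId: "us-east-1_GMAILPOOL",   hostedUiDomain: "gmail-pool.auth.us-east-1.amazoncognito.com",   clientId: "gmailClientId" },
  "example.com": { userPoolId: "us-east-1_EXAMPLEPOOL", hostedUiDomain: "example-pool.auth.us-east-1.amazoncognito.com", clientId: "exampleClientId" },
};

// Normalised domain of an e-mail address, or null when the value is not a plain address.
// Lower-cases, strips a trailing dot and rejects anything that is not a label sequence,
// so "a@b@c" or "user@evil.example " cannot slip past a naive split on "@".
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase().replace(/\.$/, "");
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Which pool should serve this user?  null when the domain is not in the table.
function routeForEmail(email) {
  const domain = emailDomain(email);
  return domain && POOLS_BY_DOMAIN[domain] ? { domain, ...POOLS_BY_DOMAIN[domain] } : null;
}

// Hosted UI authorization URL for the chosen pool (standard /oauth2/authorize
// parameters; redirectUri must be registered on that pool's app client, and state
// should be an unguessable per-request value the app later compares).
function hostedUiUrl(route, redirectUri, state) {
  const url = new URL(`https://${route.hostedUiDomain}/oauth2/authorize`);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", route.clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", "openid email");
  url.searchParams.set("state", state);
  return url.toString();
}

// Pre Authentication trigger body: deny when the e-mail domain is not one this
// pool is meant to serve.  Throwing makes Cognito fail the sign-in with this message.
// Wire this up as the Lambda's exported handler.
function preAuthenticationHandler(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const route = routeForEmail(attrs.email);
  if (!route || route.userPoolId !== event.userPoolId) {
    throw new Error("DOMAIN_NOT_ALLOWED_IN_THIS_POOL");
  }
  return event;
}
```

The trigger compares the routed pool with `event.userPoolId` rather than just checking membership in an allowlist, so a user whose domain belongs to a different pool is rejected from this one even though the domain is known.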

Related

How to disable AWS Cognito User Pool account created via Identity Provider?

Any Cognito User Pool gurus out there? I've been using Cognito for a while now but this one has me a bit stumped.
We allow users to sign up and sign in using social accounts like Facebook, which are set up as Identity Providers in the User Pool.
Users need to complete a custom registration form before they can use the main app - we don't use the hosted UI for login or signup.
One step of the custom registration process allows the user to indicate which social provider they want to use.
This allows us to pull back the user's email, first name and last name from the social provider, which is great - we use a Cognito client and callback to do this currently.
But in doing so, this provisions a user within the User Pool before the registration process is complete - in fact this makes sense: in order for Cognito to provide us the user info it needs to have called into the social provider's /userinfo endpoint to populate the user data.
So, the issue we now have is that while the user is halfway through the registration process I have a confirmed user account, i.e. before the user has completed the registration process.
This is an issue because a user could sign into the app using their social login without ever having completed the registration process.
So as I see it I have two options:
1. A PostConfirmation Lambda trigger which uses the cognito-idp SDK to disable the user just after it was confirmed.
2. Don't use Cognito to obtain the user info like first name, last name, email, picture etc. - however this would require us to write a solution for every current and future social provider, which isn't something I'm keen on.
Am I missing something obvious?
Thanks in advance!
I would say the PostConfirmation Lambda trigger is a good approach - however, instead use adminDisableProviderForUser to disable the user from signing in with the specified external (SAML or social) identity provider.
You can later call adminLinkProviderForUser to link the existing user account in the user pool to the external identity provider.
An alternative solution is to prevent the user from signing in if they have not fully completed the registration process, via a Pre Authentication Lambda trigger checking for a unique identifier with respect to your completed registration process.
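The first suggestion above, written out as an added example (not the answer author's code): a Post Confirmation trigger that calls AdminDisableProviderForUser for each external provider linked to the freshly confirmed user, so the social login stops working until the app's own registration flow finishes. It assumes that federated users carry an "identities" attribute holding a JSON array of {providerName, userId}, and that social providers are addressed with ProviderAttributeName "Cognito_Subject" and the provider's user id. The Cognito client and command constructor are injected so the logic runs offline; when deployed, pass CognitoIdentityProviderClient and AdminDisableProviderForUserCommand from @aws-sdk/client-cognito-identity-provider. The user pool id and the sample event are constructed placeholders.

```javascript
// Added example, not the answer author's code.  Assumes the "identities" attribute
// shape described in the lead-in; pool id and sample event are constructed.

// Parse the identities attribute; [] for native (username/password) users or bad data.
function linkedIdentities(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  if (!attrs.identities) return [];
  try {
    const list = JSON.parse(attrs.identities);
    return Array.isArray(list) ? list.filter(i => i && i.providerName && i.userId) : [];
  } catch (e) {
    return []; // malformed attribute: disable nothing rather than crash confirmation
  }
}

// One AdminDisableProviderForUser input per linked external provider.
function disableProviderInputs(event) {
  return linkedIdentities(event).map(id => ({
    UserPoolId: event.userPoolId,
    User: {
      ProviderName: id.providerName,
      ProviderAttributeName: "Cognito_Subject", // social providers; SAML uses the mapped attribute name
      ProviderAttributeValue: String(id.userId),
    },
  }));
}

// The trigger body.  Returning the event unchanged lets confirmation complete.
async function postConfirmationHandler(event, cognitoClient, DisableCommand) {
  if (event.triggerSource !== "PostConfirmation_ConfirmSignUp") return event;
  for (const input of disableProviderInputs(event)) {
    await cognitoClient.send(new DisableCommand(input));
  }
  return event;
}

// --- offline stand-ins for the SDK client and command, used by demo() -----------
class RecordingCommand { constructor(input) { this.input = input; } }
class RecordingClient {
  constructor() { this.sent = []; }
  async send(command) { this.sent.push(command.input); return {}; }
}

// Constructed sample: Post Confirmation event for a Facebook sign-up.
const SAMPLE_EVENT = {
  triggerSource: "PostConfirmation_ConfirmSignUp",
  userPoolId: "us-east-1_PLACEHOLDER",
  userName: "facebook_1234567890",
  request: {
    userAttributes: {
      email: "alice@example.com",
      identities: JSON.stringify([
        { userId: "1234567890", providerName: "Facebook", providerType: "Facebook", primary: true },
      ]),
    },
  },
  response: {},
};

// Runs the handler against the sample event and returns the inputs that would be sent.
async function demo() {
  const client = new RecordingClient();
  await postConfirmationHandler(SAMPLE_EVENT, client, RecordingCommand);
  return client.sent;
}
```

A native username/password user has no identities attribute, so the trigger makes no API call for them; a malformed attribute is treated the same way instead of failing the confirmation.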
The simplest solution in the end for us was a Pre Token Generation Trigger in Cognito like this:
  // Replace this with a real lookup (DB/API) of the registration record,
  // keyed on event.userName or event.request.userAttributes.sub.
  async function hasCompletedRegistration(event) {
    return false; // placeholder: no registration store is wired up here
  }

  exports.handler = async (event) => {
    if (event.triggerSource === "TokenGeneration_HostedAuth") {
      // check db/api etc. to see if we have a valid registration stored for the user
      if (!(await hasCompletedRegistration(event))) {
        // throw an auth exception which we can catch on the frontend to inform the user
        throw new Error("REGISTRATION_NOT_COMPLETE");
      }
    }
    return event;
  };
For username/password sign-ins the triggerSource will be TokenGeneration_Authentication.
For federated/social sign-ins the triggerSource will be TokenGeneration_HostedAuth.

How can I restrict user login/authentication access to specific applications within a single tenant?

I have a single Tenant with four (4) Applications and ten (10) Users defined. I want 3 users to have login access to all four Applications, and 7 users to have login access to only 2 of the applications. However, it appears that anytime I add a user to the Tenant the user receives "login/authentication" rights to all 4 applications.
Before installing and setting up FusionAuth, I thought I would be able to use the "Groups" feature to create a group called "Group-A" that would "grant" login access to all 4 applications and another group called "Group-B" with "grant" login access to only 2 applications. I would assign the 10 users to either Group-A or Group-B and limit which user could login/authenticate to a particular application.
This capability does not appear to exist. What am I misunderstanding?
FusionAuth supports this model. We call this Registrations, and if a user has a Registration for an Application, they will be allowed to access it. If they don't have a Registration for that Application, they will be logged in, but won't be granted access to the Application.
The specific implementation depends on your integration with FusionAuth:
If you are using the OAuth interface, when FusionAuth redirects back to your application, it will pass along a parameter called userState. This is a hint back to your application as to whether or not the user is registered for it. If the value of this parameter is AuthenticatedNotRegistered, you should not allow access to the application.
Additionally, if you are using the OAuth workflow, when you exchange the authorization code for a token, this token will not include the Application id or any roles that the user has for the Application.
If you are using the /api/login API, then the response will contain a status code of 202 that indicates that the user was authenticated but not registered for the application. Similarly, the JWT that this API returns will also not include the Application id or any roles.
Here are the doc pages for the OAuth and Login API:
https://fusionauth.io/docs/v1/tech/oauth/endpoints#authorization-code-grant-request
https://fusionauth.io/docs/v1/tech/apis/login

use multiple Cognito Pool Client ids on the same Cognito Identity Pool for login

I have a Cognito Identity Pool set up to use a Cognito User Pool as a source of identity. Now, in my case the Cognito User Pool has 2 different client IDs, one for my mobile application and one for my website. In order to support login from both I need to add both client IDs in the Authentication Providers settings, but it seems that you can add only 1 client ID at a time. Is there a way to configure a Cognito Identity Pool to accept 2 different Cognito User Pool client IDs?
I don't want to use the same client ID because I need to do different user validations on user sign-up based on where the user came from (app or web), and the client ID is the only parameter passed to my Lambda that allows me to identify where a user came from.
From the Identity Pool Cloudformation docs, it looks like you can provide a list of identity providers. A user pool identity provider is defined as the user pool ID plus the client ID. It seems like you should be able to specify two different ones with the same user pool ID and different client IDs. I don't know whether this is possible through the console.
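As an added example (not the answer author's code and not AWS documentation), this builds the CognitoIdentityProviders list the answer refers to, with two entries that share the user pool's provider name and differ only in client ID, and wraps it in an AWS::Cognito::IdentityPool resource in JSON template form. It also sets ServerSideTokenCheck, which makes the identity pool confirm the token with the user pool. The region, pool ID and client IDs are placeholders.

```javascript
// Added example, not the thread's or AWS's code.  Region, pool id and client ids are
// placeholders.  ProviderName follows the cognito-idp.<region>.amazonaws.com/<poolId> form.
function cognitoIdentityProviders(region, userPoolId, clientIds) {
  const providerName = `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  // Drop empty/duplicate ids so the template does not list the same client twice.
  const unique = [...new Set(clientIds.filter(id => typeof id === "string" && id.length > 0))];
  return unique.map(clientId => ({
    ProviderName: providerName,
    ClientId: clientId,
    ServerSideTokenCheck: true, // identity pool re-checks the token with the user pool
  }));
}

// AWS::Cognito::IdentityPool resource (JSON template form) accepting every listed client.
function identityPoolResource(name, region, userPoolId, clientIds) {
  return {
    Type: "AWS::Cognito::IdentityPool",
    Properties: {
      IdentityPoolName: name,
      AllowUnauthenticatedIdentities: false,
      CognitoIdentityProviders: cognitoIdentityProviders(region, userPoolId, clientIds),
    },
  };
}

// Constructed placeholders: one pool, a mobile client and a web client.
const SAMPLE_RESOURCE = identityPoolResource(
  "AppIdentityPool", "us-east-1", "us-east-1_PLACEHOLDER", ["mobileClientId", "webClientId"]
);
```

Whether the console accepts two entries for the same pool is not something the answer confirms; the template form is what it describes.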

New sign-ups to Cognito User Pool default to disabled

I am using Cognito User Pools and the hosted Cognito UI. I want new users to be disabled when they first sign up.
I am trying to use a Cognito trigger to disable the user.
The "Pre sign-up" trigger is too soon; the user has not been created yet. I have successfully used the "Post confirmation" trigger to disable the user, however this is causing a side effect. After the user enters the confirmation code which is emailed to them, they see this message in the hosted UI: "User is disabled".
Does anyone have a suggested solution on how to make the new users disabled by default?
We had a similar business requirement. We made use of a User Pool Group. This allowed the sign-up and validation process to work as normal. We had the Post Confirmation trigger send our product team an email with details about the new confirmed user. We had a simple UI for the product team to add the group to a user if they should have access.
To Deny/Grant Access to the app: Our app checked the ID Token, once a user successfully authenticated, for the group (the ID Token has a 'cognito:groups' key which contains a list of all the groups the user is in). If the group was not present we displayed a page showing the user a customized access denied message
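One block, added here as an example that is not code from either thread's authors, FusionAuth or AWS, covers the two post-login claim checks described on this page: the FusionAuth userState hint, the 202 status from /api/login and a JWT lacking the application registration (the claim names "applicationId" and "roles" are assumed), and the Cognito ID token's 'cognito:groups' claim from the answer just above. The decoder only reads claims and does not verify the signature; the application must verify the token against the issuer's signing keys before trusting any of these values. All tokens below are constructed, unsigned samples.

```javascript
// Added example covering the FusionAuth (userState / 202 / JWT claims) and Cognito
// (cognito:groups) checks described on this page.  Claim names "applicationId" and
// "roles" for FusionAuth are assumptions; all tokens here are constructed and unsigned.

// Read the payload of a compact JWT.  No signature verification happens here.
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

// --- FusionAuth --------------------------------------------------------------

// The redirect back from the authorize endpoint carries userState as a hint.
function userStateFromRedirect(redirectUrl) {
  return new URL(redirectUrl).searchParams.get("userState");
}

// A token issued for a registered user names the application it was issued for.
function tokenGrantsApplication(token, expectedApplicationId) {
  const claims = decodeJwtPayload(token);
  return !!claims && claims.applicationId === expectedApplicationId;
}

// /api/login: 200 = authenticated and registered, 202 = authenticated but not registered.
function loginApiDecision(status, body, expectedApplicationId) {
  if (status === 202) return { allow: false, reason: "authenticated but not registered (202)" };
  if (status !== 200) return { allow: false, reason: `login failed with HTTP ${status}` };
  if (!body || !tokenGrantsApplication(body.token, expectedApplicationId)) {
    return { allow: false, reason: "token carries no registration for this application" };
  }
  return { allow: true, roles: decodeJwtPayload(body.token).roles || [] };
}

// --- Cognito -----------------------------------------------------------------

// Is the user in the group that grants access?  A missing claim means no groups.
function idTokenHasGroup(idToken, requiredGroup) {
  const claims = decodeJwtPayload(idToken);
  const groups = claims && Array.isArray(claims["cognito:groups"]) ? claims["cognito:groups"] : [];
  return groups.includes(requiredGroup);
}

// --- constructed sample tokens (unsigned; only to exercise the claim checks) ----
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

const FUSIONAUTH_APP_ID = "00000000-0000-0000-0000-000000000001"; // placeholder
const REGISTERED_TOKEN = sampleToken({ sub: "u1", applicationId: FUSIONAUTH_APP_ID, roles: ["user"] });
const UNREGISTERED_TOKEN = sampleToken({ sub: "u2" });
const GROUP_MEMBER_ID_TOKEN = sampleToken({ sub: "u3", "cognito:groups": ["beta-access"] });
const NO_GROUP_ID_TOKEN = sampleToken({ sub: "u4" });
```

For the Cognito case, a user who is in no group has no 'cognito:groups' claim at all, so `idTokenHasGroup` treats absence the same as a list without the required group and the app shows its access-denied page.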

How to assign a role to users authenticated through a specific WebLogic provider

WebLogic contains a lot of security providers. It's feasible to make more than one authentication provider active at a time. The problem is we need to assign a different role to the user whenever he is authenticated through one of the providers. Is it possible to assign a specific role to the user each time he gets authenticated through one of the providers?
A user can only have a given set of roles at any given time. Roles can be changed in the admin console but this cannot be done dynamically, and for good reason. One would not want an unauthorized user to be able to become the Admin of a server. You can assign all the roles the user requires, but you cannot dynamically, using code, perform such compromising tasks.
In short, a user can only perform tasks to the ability that the role provides him at any given time.