I created a user pool in AWS Cognito with MFA set to optional
and adaptative authentication as Optional MFA.
The MFA method enabled for users is TOTP, which I enable by calling SetUserMFAPreference.
My use case requires that any user that uninstalls their TOTP app or buys a new mobile phone can install it again in their new device by generating a new valid TOTP token.
The only way to generate a new TOTP valid token is by calling AssociateSoftwareToken, but it requires an access token that the user does not have as they are not signed in yet.
I tried with SetUserMFAPreference setting enabled=false but it did not work. Sign in still requires the TOTP challenge.
Is there any way to disable MFA or regenerate a new TOTP token to achieve below behaviour?
So I found a workaround for this problem.
This disable MFA function is not allowed in Cognito. What we did is, instead of trying to create a new token, we decided to store the existing one and reuse it every time the user wants to reinstall the authenticator app in another device.
This way, we do not need to create a new token, just reuse the existing one.
Related
We have a website where users authenticate themselves using AWS Cognito. That has been implemented using Next Auth with the Cognito provider based of their example code. That is working fine. However, whenever a new potential lead (customer) fills out a particular form we ship that information off to an external API. That API is connected to the same Cognito client and user pool in AWS, and it creates a new user and performs some operations. In the response of this API we receive the newly created user's access token, refresh token and identity token. The reasoning behind this is that whenever a new lead is created they automatically gets assigned a user and we log them in behind the scenes. It is far from an ideal solution, I know, but our assignments doesn't allow for rethinking and rewriting the current setup.
My questions is how we should implement such a custom login flow. We want to validate the tokens in the API response and create a session using those tokens, much as a regular login flow would do.
I've included this simplified chart trying to explain the process. See link:
Login flow chart
For anyone encountering a similar issue, this is how we solved it: After receiving the id_token from the external service we do a router.push(...) (next/router) to our own authorization callback API endpoint with the id_token. In our case, it became:
/api/auth/callback/cognito?id_token={ID_TOKEN}
I'd like to implement SSO logins for users in my Firebase web app, but only for users that have an existing account. When I add e.g. the Microsoft provider in Firebase and implement the required UX flows in the web app, anyone with a Microsoft account is able to sign in using that, upon which a new user account is created (if they haven't signed in before). I'd like to restrict this to users that:
have registered previously with e.g. an email and password login method, and
have subsequently chosen to activate the SSO login method in the web app
Is there a recommended way to prevent the default behaviour in Firebase auth for SSO so that I can check for an existing account with the same email and its approved login methods before letting the user log in and/or create a new account?
There is no built-in way to do this in Firebase Authentication, as it makes no distinction between sign-up and sign-in for OAuth users.
The typical approach to implement this is to create a list of the allowed users somewhere that both your app and your server-side logic can find it (like in one of Firebase's databases), and then check against this so-called allowlist in both your client-side and server-side application code (and security rules) after the user signs in and before executing any other application logic for them.
In the application itself, you could show this as "unable to sign in" to the user, since (despite you calling the Firebase API and signing them in there) they have not completed the sign-in into your application itself.
I have a Node.js lambda API that's called by an authenticated user. The user is able to access the API passing a valid JWT token. Now I'd like to interact with Cognito User Pool to change the user's email, password and etc but I haven't figured out how to achieve this using just the JWT.
I've made several tests using amplify-js and amazon-cognito-identity-js
You can reset the user's password by calling an admin API call, not through the JWT token. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html This will prompt the user for a new password.
This API call is to set a password for that particular user https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html but I prefer the first option.
In order to change user attributes (such as email, birthday...), use https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
So all these are done using the Cognito Service inside the Lambda (not to be confused with the JWT tokens).
How can I use Google Identity platform as a login / registration system for my own service?
Specifically - how can I do this and support login for same user from different devices?
Using for web service, nodejs without npm modules: passportjs / googleapis / google-auth-library.
My idea:
User opens myClientApp/login page and clicks on GoogleLogIn button which will ask him to authorize my service for specific scopes of his Google account.
I then get the refresh token & access token and save it in DB, then send the refresh token to the client with cookie.
Whenever I make a call to my own service API I send the refresh token from the cookie.
As long as I have valid access token saved in my DB or the refresh token is not expired - I treat the user matching that refresh token as an active session for my service.
Security problems:
cookies attacks, and the refresh token is easily accessed from the browser. Could use https / encryption and more methods to secure the cookie and it's value. Still- someone could copy the cookie from one computer to another!
Multiple login problems:
If the user login on different device, a new refresh token will be created. The previous device the user logged in to will now hold a wrong refresh token in the cookie...
Could the OpenID solve this? Do I need to use JWT?
What is the most secure way to use Google Identity login in my own service while supporting multiple devices login for the same user?
First, make sure that you really understand the security implications for what you want to do.
For example, NEVER send the Refresh Token to a client.
If you want to use the same tokens for the same client on multiple devices, you have a chicken and egg situation. How do you "authenticate" the user at each device. How do you know that user "John" is actually user "John" but on a different device the first time?
Your goal is not to trade convenience for less security. Your goal should always be security first, no matter the inconvenience.
A better approach is to let Google authenticate and authorize a user on each device. They only have to do this once per device. Your backend systems keep track of the Refresh Token issued for each device. You can then generate the Access Tokens and Identity Tokens when needed - they expire after one hour anyways. Store a cookie on the user's device that identifies them to your system so that you can look up who they are, get the Refresh Token, create new Access Tokens, etc.
There is a limit to the number of Refresh Tokens that can be issued before the oldest ones are voided. I think the number is 50. This is usually not a problem. If a Refresh Token is invalid, just put the user back thru the authenticate process and store the new token.
Also provide the user with a sign-out method that removes all stored tokens in your system.
The cookie that you store on the client's devices should be opaque meaning that there is no stored information in the cookie and the cookie is only valid for that device and no other devices. This solves the stolen cookie moved to another device problem.
I will now touch on some of your questions:
My idea: User opens myClientApp/login page and clicks on GoogleLogIn
button which will ask him to authorize my service for specific scopes
of his Google account.
Google OAuth does not work that way. You send the user to a URL, Google manages all display and input with the end user. Once everything is complete a callback URL on your server is called and you are passed a code. The exact details depend on the type of OAuth Flow that you are using.
I then get the refresh token & access token and save it in DB, then
send the refresh token to the client with cookie.
During the OAuth Flow you will request the Access Token, Refresh Token and Identity Token. The Refresh Token is saved in the database. Never send this token to the client. Read my suggestion above about creating an opaque cookie that you send to the client.
Security problems: cookies attacks, and the refresh token is easily
accessed from the browser. Could use https / encryption and more
methods to secure the cookie and it's value. Still- someone could copy
the cookie from one computer to another!
Create an opaque cookie that is only valid for that device and no other devices. If a client sends you a cookie intended for a different device, consider this a problem and invalidate all cookies, tokens, etc for this user on all devices.
Multiple login problems: If the user login on different device, a new
refresh token will be created. The previous device the user logged in
to will now hold a wrong refresh token in the cookie...
I covered this issue above. Store the Refresh Token generated for each device in your DB. Consider each device / Refresh Token / cookie as a set.
Could the OpenID solve this? Do I need to use JWT? What is the most
secure way to use Google Identity login in my own service while
supporting multiple devices login for the same user?
By Open ID I think you mean Open ID Connect (OIDC). This is already integrated into Google OAuth and this is the part that generates the Identity Token.
Do I need to use JWT?
Google OAuth Tokens are generated from Signed JWTs. However for the most part you do not need to worry about the format of tokens. Google provides endpoints that validate and decode Google OAuth tokens.
What is the most secure way to use Google Identity login in my own
service while supporting multiple devices login for the same user?
I covered this question in the first part of my answer above.
We want to allow our users to retrieve a set of temporary CLI credentials for a given AWS role by signing in to OneLogin with password and MFA. We have a working solution, but it requires the user to fully re-authenticate to OneLogin (including MFA) every 60 minutes as the AWS temporary credentials expire. I think that won't fly - our users are accustomed to permanent API credentials tied to a real IAM user.
Ideally, we'd like to allow users to authenticate once a day, securely cache the resulting SAML assertion, and use that to transparently refresh the AWS API credentials as needed. I'm thinking of something like aws-keychain that would use the local OS credential store to remember the SAML assertion, and only prompt the user for input when their OneLogin session has timed out.
This almost works as-is. The catch is that the SAML assertion returned by OneLogin's saml_assertion and verify_factor endpoints sets a three-minute deadline on the Subject and Conditions fields.
Is there a way to do what we want, or are we trying to route around a core SAML principle?
The accepted answer here is no longer true. It is now possible to authenticate the user and verify MFA once at the start of a session and then have the session refreshed on an hourly basis without having to enter further MFA tokens.
To do this you must use the --loop parameter of the CLI tool and have a corresponding App Policy in OneLogin that enables the "Skip if OTP received within last X minutes" setting.
https://developers.onelogin.com/api-docs/1/samples/aws-cli
We're in the process of officially adding an option to in our official CLI tool to re-use the user credentials similarly to what you're describing.
Essentially our CLI tool has an option to reuse the user/pass in the background to continuously refresh the access info in a user profile so while the user will provide credentials once, the access info will get updated before it expires.
But unfortunately, at least at this time, there's no way to get around the MFA part if the application policy requires MFA. It'll need that MFA to refresh the credentials.
If you have to have MFA, you can always use the OneLogin MFA APIs to bake in an MFA flow into the tool...
Check it out here: https://github.com/onelogin/onelogin-aws-cli-assume-role/pull/5