I'm having trouble implementing a feature where I need check if a user does not exist or is existing in cognito but as federated user. The prior is done without trouble but I'm stuck on the latter without any clue. I went through the cognito and amplify documents but couldn't find any clue. Could there be a work-around or a function that I don't know about, any suggest is welcomed.
You can create a mutable custom user attribute on Cognito such as isFederatedUser and set this on user during user creation.
If this is not possible, you can call list-users and filter the identities attribute.
Related
I am using AWS Cognito for auth. I am using AWS Amplify framework.
Currently I have email-password signup option. On Cognito PostConfirmationTrigger I add user to User DynamoDB table.
I want to add google signup option as well.
In federated sign-in (signup time), this trigger is not triggered so I am unable to add user to User DynamoDB table.
Any hints how can I invoke that trigger lambda only for first time federated sign-in (signup)?
The post confirmation trigger is worth avoiding as it also doesn't trigger for admin confirmations. Reimplement it as a post-authentication or pre-token-generation trigger and, if need be, add a condition expression to your put item request to avoid overwriting existing user items.
Cognito is a bit borked when it comes to federated sign-on and triggers. Triggers only seem to be called the first time a user logs in.
Is there a way I can update another user attributes using AWS amplify with cognito? I.e. when user reply to a post I want to change a rating of a person that started a thread. Or for this I will need a table in DB to manage it.
In docs i see that there is a method:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminUpdateUserAttributes-property
but I dont see a way to use it in Amplify.
I have not seen any API of aws-amplify which can alter user attributes as admin.
Generally, it is good practice not to duplicate data or keeping data duplication minimal if unavoidable. In other words, keeping a single source of truth. Use Cognito as only for authentication, I mean obtaining JWT token.
Rating, user basic info, and role; keep those at your own data source.
How can I define custom scopes on a per user basis using cognito?
For example I have scope resource1.read, resource1.write
I want user A to have resource1.read and resource1.write while user B has resource1.read only.
This is just a high level example. We have tons of different resources and wants to allow customers to manage what resource each user has access to.
I havent found a way to associate scopes with each individual users but only at a per pool level.
Is there a way to achieve this using only cognito or cognito + some AWS manged service or do I have to implement another API to manage the scopes myself?
we couldn't find a way to make scope work on per user basis so we ended up using the custom attributes instead.
if you have less than 25 scopes (cognito max limit) then you can use one attribute per scope. P.S. just be aware you can't rename/remove the attribute once its in place unless you delete the whole pool and start over again.
For example your attributes might look like:
custom:resource1.read : "true"
custom:resource1.write : "false"
custom:resource2.read : "true"
custom:resource2.write : "true"
the idea is simple. instead of having all the scopes defined inside the scopes array we define it in regular custom attributes. When the code checks for scopes just loop thru all fields and find the one with correct prefix.
You could implement your own authorization service and call it with the Pre token generation Lambda trigger:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
This only applies to the ID token though, just like Steve's answer.
You can use this AWS Lambda trigger to customize an identity token before Amazon Cognito generates it. You can use this trigger to add new claims, update claims, or suppress claims in the identity token.
i'm using Cognito for user authentication on a site I'm working on for a client, and I need to add (if possible) a way for an admin (of the site) to login as a user. It's mainly used to see issues that the user is experiencing.
Do you know if there's a way to do that with Cognito, basically signing in as someone else if you have a specific code or belong to a specific group, or any other way?
Thanks
Not easily.
Effectively Cognito doesn't want you to be able to do this, as it opens no end of security issues within your application.
However, you can take control of the authorisation process by using Custom Authentication. By writing your own custom authentication, you can effectively allow user impersonation so long as the authenticating user can pass your authentication "tests".
I'd invite you to think hard about this method, however, as it does mean that you are now responsible for making sure no one else can use this backdoor.
I have a web application where people can upload files and I want a login for this so some functions can only be accessed by people who are logged in. I want to have one fixed pair of username and password, so there should be no option for users to create their own account (only the people who have the right information can access). I have a login paige where I proof with JavaScript if the fields are filled and if they are there should be invoked a lambda function to set the user to auth in Cognito to login. I created a fixed user in Cognito with username and password and I now want to proof if the entries of the fields are the same like the created user so that the user is logged in and can use the functions on the web app.
I read a lot of tutorials how to set up an authentication with cognito and lambda, but totally different to what I want to do. So I really have no idea how I can write the lambda function to do what I want.
Has anyone an idea how I can build up my plan or is it a bad idea like that?
Thank you for your help
you don't need the user/pass, in api gateway in the lambda method set the auth type to AWS_IAM, so only auth users will be able to call the lambda method... and then only that specific user will be able to call your lambda method.
inside the lambda method you can access
event.requestContext.identity.cognitoAuthenticationProvider
and
event.requestContext.identity.cognitoIdentityId
to get the user that was auth by AWS