I want to create a custom signup Authentication Flow in aws amplify cognito service
What i Have
1.Enter Username
2.Enter Password
3.Verify user with Otp (Phone Number)/Confirmation Code (email)
What i want
1.Enter Username
2.Enter Otp/Confirmation Code
3.Enter Password
How to achieve this SignUp flow using aws amplify cognito service,Else what is the best service or approach
The scenario you want is possible to do with a custom auth flow but this has some caveats:
You can't use Cognito's MFA with a custom auth flow. It's just not possible. I have an enterprise account with AWS and have raised this with our rep and it was not even in their backlog. This means you need to implement your own SMS OTP or use twilio's API for it ($).
the cognito hosted UI does not support custom auth, you will need to redo ALL the UI yourself (think reset password links etc, not just login).
since you will be making API calls, not using the hosted UI, you will lose all oauth benefits, no code grant or oauth scopes. This means you need to do a heap of extra work to get it working securely in a mobile auth session, essentially you will need to reimplement code grant with PKCE somehow.
If you want to do this you can use the custom auth flow, it's pretty complex but here is an article that helped me out when I was doing it: https://dev.to/duarten/passwordless-authentication-with-cognito-13c
My advice would be to stick with the Hosted UI if possible, or don't use Cognito. The feature set of Cognito is a lot less than other auth providers (but it's cheaper).
Related
I have an AWS REST API Gateway with Cognito authentication using the client credentials grant.
We have been creating new clients by hand and sharing the ID/secret with people who need to use our API. They send the ID/secret and "grant_type=client_credentials" to Cognito, it gives them a bearer token and they use the API with the token. All fine so far. (It is a CLI tool running on a schedule, not accessed by a browser. I specifically need to avoid any sort of "go to the browser to login".)
Now, we have a new "island" of users who have a local OIDC (Azure AD) provider that can issue them a bearer token from a curl to an endpoint.
Is there a way to make Cognito accept those tokens??
I have tried federating Cognito with a different oidc provider (I don't have AD, but a different provider), getting myself a bearer token from it and sending it to the API GW, and I just get 401'ed. I don't know if there is something I'm doing wrong or if it's not possible.
(Things I might be doing wrong seems to be a long list! I need to create a client in the other provider and add it's ID/secret/URL to Cognito, that works. I used the same client ID/secret to generate my bearer token. But when I'm in client creds flow in Cognito, I need to set a custom scope. Do I need to add that scope to my initial request to the other provider (The API GW doesn't require a scope, it is just a mock endpoint at the moment in testing). The client_id= in the request is for the client in the other provider, not the Cognito client ID. Should I set it to the Cognito client ID?)
OR do I need to write a custom authenticator for the API GW to validate the token? (Decode JWT, Check : issuer is allowed and signature is valid.)
And not use Cognito at all for these other users.
(If it was an HTTP API, I think I can create a JWT authoriser and it does it all for me, but it isn't and there are some features on REST APIs not available on HTTP (like WAF))
Sorry it's a bit short on details. I could spend days copy/pasting all the configs from ID provider/Cognito but if it fundamentally won't work I wasted my time!
(After trying it, I think maybe federation only works for actual users with a browser based login flow, not clients with a CLI flow. I can't find anyone saying client credentials flow does work anyway!)
Cognito is using the authorization server role. So in all cases, the tokens returned to client applications will be issued by Cognito. These apps will never deal with Azure AD tokens. Multiple types of client can coexist together:
CLIENT CREDENTIALS GRANT
Clients who use this flow might represent B2B connections. The business partner must always get Cognito tokens directly, and no federation is used here.
AUTHORIZATION CODE GRANT
Browser clients will use this flow, and you can configure Cognito to implement authentication by making a second OIDC Connect redirect to Azure AD.
My blog post provides a walkthrough on how settings are configured. Cognito will act as a client of Azure AD and use a scope such as openid profile email.
After a user login, Cognito will receive Azure AD tokens, validate them, then issue its own tokens. Nothing will change in the API gateway, which will continue to verify Cognito tokens.
my application requires an authorization code grant flow integration with Cognito and the website responded to me that Auth-Code accordingly.
https://<poolName>.auth.eu-central-1.amazoncognito.com/login?client_id=<clientID>&response_type=code&scope=email+openid+profile&redirect_uri=<redirectURI>
Now I want to know what email address has logged in. As fas as I understood, this is where I would need the JWT token.
How can I query the email adress of the token I have just received?
Any help is much appreciated!
As I was going through that, actually, I still am. I have talked a lot with Amazon Engineers for past weeks, have done a bunch of research on my own and let me clarify couple of things.
Hosted UI is a way to go if you can accept the limitations. This is after all hosted ui, you can only change that much. BUT (!!!!) and I can not stretch this enough: it works only for simple usage. If you start searching you'll see that it doesn't support CUSTOM_AUTH flows which is extremely useful if you want to implement even something as basic as MFA. So if you dream of Revolut-like login page with just phone number email verification - pity, hosted ui will not help.
Hosted UI is more than just UI! It's a whole server! That's why you can't simply replace it.
Now, as we established what hosted UI can't do. What are the alternatives? Of course, you can use other providers like Okta or Auth0, but I assume, you're here because you want to use AWS. But the recommended (by AWS) alternative is to actually implement your own authentication using Amplify SDK. It's quite simple to use, I must say that. But what they don't tell you explicitly, is that it's no longer OIDC flow. Instead, AWS suggests to use their custom flows, such as USER_PASSWORD flow or SRP (Secure Remote Password), where password doesn't fly over http(s) at all.
You might ask: can't I have OIDC with Cognito AND custom flows? Well... you can, but it's not that simple. Long story short, you can use both hosted ui and amplify and possibly create your own cool SSO. For details look at their github page where AWS Labs go through some details.
If you can't afford spending next 2 months working on SSO, but you don't necessarily need OIDC flow and get settle for another solution, you can easily go for SRP or USERNAME_PASSWORD flows.
If you're like me and you're migrating from the old legacy authentication system done... wherever (;)), go for USERNAME_PASSWORD and utilise user migration lambda trigger in Cognito, where you can automatically migrate users once they login with their old credentials! Neat
AWS Cognito is full of traps... Consider that as well
First, make sure your Cognito client includes the email OAuth scope. User Pools > my-user-pool > App client settings > Allowed OAuth Scopes.
Then, decode the id token and you will have the email. You can use JWT.io to quickly decode tokens for testing and development.
UPDATE: You can use the POST /oauth2/token endpoint to fetch the tokens. But in general, if you're creating a frontend for users, it's better to use someone else's UI. The Cognito hosted UI works, although it looks a bit dated and it doesn't support MFA/TOTP. The modern approach is to use the Amplify UI Authenticator component, which supports TOTP and all the flows you'd expect (sign-up, password reset, etc).
I am exploring options for securing a REST based API being called from end-user applications across a variety of platforms, including mobile, web and OTT applications.
The applications have their own optional login process, though users can also use the application anonymously.
We are an AWS shop, and I'm looking for a more general solution using Cognito and Lambda#Edge, likely using a JWT token.
However, I can't quite piece together the options for issuing the JWT token from Cognito, especially given that we are not requiring any form of login. Is there an option using a rotating secret of some form? Any other options?
In API Gateway you can secure your API with cognito token.
Create an Authorization method and select the user pool you want to
use.
Attach this method to the API you want to secure.
Now you will need to pass ID TOKEN in header of every call.
If token is incorrect or expired the API call will fail.
You can read more here.
is it possible to use AWS Cognito that has a custom authentication flow enabled, while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge-trigger was not hit.
I contacted AWS Support and they pointed me to the Cognito documentation here where a note says that
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of login.
My idea is that you can probably do this by defining a custom challenge, that asks, which identity provider you want to use, as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP-stuff or username and password, if that is enabled. If Facebook is chosen for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be gotten, if the client shows the website with the Facebook login. The challenge response to the server would then be the gotten auth token from Facebook or code or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and is registered as an external identity provider
This is my idea of how I would go about to do this, but I haven't actually implemented this. I hope this helps someone trying to do this though.
I need to login users via Instagram for my mobile application so I can make calls to Instagram API and get some information from the Instagram. Simply, my application will ask user to authorize Instagram access and able to get access token for API calls. Application should not ask user to login again once the user is authorized. I already setup my Instagram client-app to implement server-side authentication flow.
My challenge is I want to do this on by using AWS mobile services. I already setup custom authentication from MobileHub and came to point where I need to define my custom authentication flow (in this case it is Instagram authentication flow). Under AWS Cognito app when I go to Triggers tab, I see different options for defining lambda functions associated with my authentication (such as pre/post auth or define / create / verify auth challenge). I am not sure how to align Instagram Authentication flow with these functions. Or should I use something else. Also I am not clear how does AWS Cognito manages authentication flow: I don't want my users to go through authorization process every time they start my application. I believe AWS Cognito link users from my custom flow to some Cognito identity and able to authenticate when they use my application. I really appreciate any suggestions, or even code sample (if available).
Check this Document for Cognito Identity. Instagram is not there by default. So you have to use External Identity Provider, most probably using Open ID Connect Providers.