I am using AWS Cognito Custom Auth (OTP based login) for authenticating mobile app users. Now I want to introduce Truecaller based login, for which I need to add support in Custom Auth to verify truecaller signature.
The Cognito custom auth flow is like
I was thinking of an approach wherein I could pass a parameter (truecaller/otp) in InitiateAuthFlow using the ClientMetadata field, which I was hoping would reach the Define Auth Challenge trigger, on the basis of which I could decide which custom auth flow to trigger, but the documentation says it does not pass ClientMetadata field params to the Define Auth Challenge trigger. I can't understand why.
And now I can't find a way to achieve this. Can someone help here?
I need to get access/refresh pair (or at least access) tokens from a custom REST endpoint.
So in general I need to programmatically create a user session from an SPI by user ID (without a user password).
Could you please suggest a better way or any examples? I'm not experienced in Keycloak and I feel like I'm missing something.
My Keycloak version: 15.0.2
I am thinking about using token_exchange and:
http://{ip}:{port}/auth/realms/{realm}/protocol/openid-connect/token
But I'm not sure if it will work as I expect, and if it's the best way.
If I understood correctly, you want to do user impersonation, i.e. create a token on behalf of a user, without his consent.
To do that, externally to Keycloak, you can use the token exchange feature. This doc will help you: https://www.keycloak.org/docs/latest/securing_apps/#_token-exchange
Basically, the idea is that you'll give a client permission to create tokens for any user you want.
But your question is how to do that from inside a Service Provider Interface loaded by Keycloak.
To programmatically impersonate a user, you can actually just do what the token exchange code does.
Take a look at https://github.com/keycloak/keycloak/blob/a912558d29c685ef912baa04b8cc823a70c6fd2d/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L131
You'll have to create a session for the desired user and build her token.
The crux is here https://github.com/keycloak/keycloak/blob/a912558d29c685ef912baa04b8cc823a70c6fd2d/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java#L227
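The external route the answer mentions first, as an added example that is not part of the answer and not Keycloak's own code: a Node.js (18+, for the global fetch) client that performs direct naked impersonation through the token exchange grant against the token endpoint quoted in the question, then checks that the token it got back really is for the requested user. It assumes Keycloak 15 started with the token_exchange and admin_fine_grained_authz preview features enabled, and a confidential client (called "impersonator" here, a placeholder) that has been granted the impersonation permission as the linked doc describes.

```javascript
// Added example (not from the answer or Keycloak): direct naked impersonation
// via the token exchange grant, from outside Keycloak.
// Assumptions: Keycloak 15 with token_exchange + admin_fine_grained_authz
// enabled; a confidential client that holds the impersonation permission.

const TOKEN_EXCHANGE_GRANT = 'urn:ietf:params:oauth:grant-type:token-exchange';

// Form body for direct naked impersonation: the client authenticates with its
// own credentials and names the target user in requested_subject. No
// subject_token is sent in this variant, which is why the permission matters.
function buildImpersonationForm({ clientId, clientSecret, requestedSubject, audience }) {
  const form = new URLSearchParams();
  form.set('grant_type', TOKEN_EXCHANGE_GRANT);
  form.set('client_id', clientId);
  form.set('client_secret', clientSecret);
  form.set('requested_subject', requestedSubject); // username or user id
  if (audience) form.set('audience', audience);   // client the token is minted for
  return form;
}

// Decode a JWT payload WITHOUT verifying it. This is only for inspecting the
// response locally; a resource server must verify the signature against the
// realm's JWKS before trusting any of these claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// The exchanged token must come from the realm we asked and carry the user we
// asked for; anything else means the exchange was misconfigured.
function checkImpersonatedToken(accessToken, { issuer, requestedSubject }) {
  const claims = decodeJwtPayload(accessToken);
  if (claims.iss !== issuer) throw new Error(`unexpected issuer ${claims.iss}`);
  if (claims.preferred_username !== requestedSubject && claims.sub !== requestedSubject) {
    throw new Error(`token is for ${claims.preferred_username}, not ${requestedSubject}`);
  }
  return claims;
}

// Performs the exchange. Returns the token response (access_token,
// refresh_token, expires_in, ...) after the sanity check above.
async function impersonate(baseUrl, realm, opts) {
  const issuer = `${baseUrl}/auth/realms/${realm}`;
  const res = await fetch(`${issuer}/protocol/openid-connect/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildImpersonationForm(opts).toString(),
  });
  if (!res.ok) throw new Error(`token exchange failed: ${res.status} ${await res.text()}`);
  const body = await res.json();
  checkImpersonatedToken(body.access_token, { issuer, requestedSubject: opts.requestedSubject });
  return body;
}

// Usage (placeholders):
// impersonate('http://localhost:8080', 'demo', {
//   clientId: 'impersonator', clientSecret: process.env.KC_CLIENT_SECRET,
//   requestedSubject: 'alice', audience: 'my-api',
// }).then(t => console.log(t.access_token));
```

The client secret here is as powerful as an admin credential for the users it may impersonate, so keep the client confidential, scope the impersonation permission to the users it actually needs, and log every exchange.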
You get the problem reading the title. Is there any way I can sign up customers using commercejs? The documentation only shows login/logout methods but not sign up. Is there any way I can do it through commercejs? Or should I use another authentication service like Firebase Auth?
There is no specific way to register a user, as Commercejs does not store any kind of password.
The only way of registering a user is to use https://commercejs.com/docs/api/#create-customer as per the API reference docs. However, if you want to integrate some kind of custom auth you should definitely use this reference:
https://commercejs.com/docs/api/#issue-jwt-for-customer
This allows you to issue a JSON web token for a customer directly using your secret Chec API key. This may be a desirable option if you are integrating your own customer authentication, and simply need a token to authorize API requests as your customer.
I have personally used this method along with Firebase auth.
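The server-side half of that setup, as an added example that is not part of the answer and not the Commerce.js SDK: a Node.js handler that turns an already-authenticated user into a Chec customer JWT, keeping the secret key on the server. It assumes the issue-token call is POST /v1/customers/{customer_id}/issue-token with the key in the X-Authorization header and a JSON body containing "jwt", which is how I read the linked API reference (check it against the reference before relying on it), and that the mapping from your own user id (a Firebase uid here) to a Chec customer id is a hypothetical store filled at sign-up via the Create Customer endpoint.

```javascript
// Added example (not from the answer or Commerce.js): issue a customer JWT from
// the server with the secret key; the browser only ever sees the JWT.
// Assumptions: endpoint path/response shape as read from the API reference;
// customerIdFor is a hypothetical store; fetch is the Node 18+ global.

const CHEC_API = 'https://api.chec.io/v1';

function secretHeaders(secretKey) {
  if (!/^sk_/.test(secretKey)) {
    // A public key (pk_...) cannot issue customer tokens; refuse before calling out.
    throw new Error('issuing a customer JWT requires the secret Chec API key');
  }
  return { 'X-Authorization': secretKey, 'Content-Type': 'application/json' };
}

// fetchImpl is injectable so the flow can be exercised without network access.
async function issueCustomerJwt(secretKey, customerId, fetchImpl = fetch) {
  const url = `${CHEC_API}/customers/${encodeURIComponent(customerId)}/issue-token`;
  const res = await fetchImpl(url, { method: 'POST', headers: secretHeaders(secretKey) });
  if (!res.ok) throw new Error(`issue-token failed: ${res.status}`);
  const body = await res.json();
  if (!body.jwt) throw new Error('issue-token response did not contain a jwt');
  return body.jwt;
}

// Hypothetical lookup: verified auth-provider uid -> Chec customer id.
const customerIdFor = new Map([['firebase-uid-123', 'cstmr_example']]);

// Handler for e.g. POST /api/chec-token. `verifiedUid` must come from your own
// server-side check of the user's session/ID token, never from the request body,
// otherwise anyone could mint a JWT for any customer.
async function handleTokenRequest(verifiedUid, secretKey, fetchImpl = fetch) {
  const customerId = customerIdFor.get(verifiedUid);
  if (!customerId) return { status: 404, body: { error: 'no Chec customer for this user' } };
  const jwt = await issueCustomerJwt(secretKey, customerId, fetchImpl);
  return { status: 200, body: { jwt } };
}
```

The JWT the client receives is scoped to that one customer, which is the whole point: the secret key never leaves the server, and the browser-side Commerce.js client only holds a customer-scoped token.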
I would like to limit access to my Cognito service.
My scope is to filter all the calls to Cognito, adding a server layer that allows me to do specific actions when the user uses the service.
I know that triggering events is the right way to do this, but the events in Cognito are very limited and a lot of stuff cannot be done. For example, if the authentication fails for some reason the postAuthentication event is not triggered.
Another use case can be the validation of attributes, or limiting the reading of some attributes.
The only idea I have is to hide the IdentityPoolId or the UserPoolClientId, but that seems pretty unsafe.
There are two approaches to using AWS Cognito User Pools.
Using the Hosted UI.
Using the SDKs/REST API and implementing your own API and UI interface.
Using Hosted UI
If you go with the first option, pretty much everything is handled by AWS and the control you have is limited. However, you can do certain configuration using triggers. On the other hand, you have fewer risks on your side since you are maintaining limited code.
Using the SDKs/RESTAPI
If you go with the second option, you can limit Cognito User Pools as required by putting the logic inside your own code. This allows limiting access as you desire. However, you have to write custom code to authenticate and sign up users.
Mix of Both
It is also possible to use a mix of these approaches. For example, you can write custom code for sign-up but use the Hosted UI for sign-in.
Custom Attributes and Claims
Also, if you plan to return attributes based on your custom rules, use the Pre Token Generation trigger. Amazon Cognito invokes this trigger before token generation, allowing you to customize identity token claims.
Note: A similar approach can be done for the Cognito Identity Pools.
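The Pre Token Generation trigger the answer points to, as an added example that is not part of the answer and not AWS sample code: a Node.js Lambda that applies per-user rules to the ID token, exposing a custom attribute as a claim, keeping another attribute out of the token, and trimming group claims. It assumes the pool defines hypothetical custom:tenant_id and custom:plan attributes and uses the version-1 trigger event shape (request.userAttributes, request.groupConfiguration, response.claimsOverrideDetails).

```javascript
// Added example (not from the answer or AWS): Pre Token Generation trigger.
// Assumptions: custom:tenant_id / custom:plan are hypothetical pool attributes;
// v1 event shape; a "legacy" group that should not appear in tokens.

const SUPPRESSED_CLAIMS = ['custom:plan', 'phone_number'];

// Pure function so the rules can be unit-tested without Lambda.
function buildClaimsOverride(userAttributes, groups) {
  const add = {};
  if (userAttributes['custom:tenant_id']) {
    add.tenant = userAttributes['custom:tenant_id'];
  }
  // Derived claim: the consumer only needs a coarse role, so the raw plan
  // attribute is mapped here and suppressed below.
  add.role = userAttributes['custom:plan'] === 'enterprise' ? 'admin' : 'member';

  return {
    claimsToAddOrOverride: add,
    // Only list claims the user actually has; suppressing absent ones is harmless
    // but keeps the override readable in logs.
    claimsToSuppress: SUPPRESSED_CLAIMS.filter((c) => c in userAttributes),
    groupOverrideDetails: {
      groupsToOverride: groups.filter((g) => g !== 'legacy'),
    },
  };
}

// Lambda entry point. The trigger cannot deny the sign-in or alter reserved
// claims (sub, iss, exp, ...); it can only shape what the ID token carries.
const handler = async (event) => {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groupCfg = (event.request && event.request.groupConfiguration) || {};
  const groups = groupCfg.groupsToOverride || [];
  event.response = event.response || {};
  event.response.claimsOverrideDetails = buildClaimsOverride(attrs, groups);
  return event;
};

if (typeof module !== 'undefined') module.exports = { handler, buildClaimsOverride };
```

Because this trigger runs on every successful authentication, keep it fast and free of network calls where possible; a slow or failing Lambda here turns into a failed sign-in.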
I have a web application where people can upload files and I want a login for this so some functions can only be accessed by people who are logged in. I want to have one fixed pair of username and password, so there should be no option for users to create their own account (only the people who have the right information can access). I have a login page where I check with JavaScript whether the fields are filled, and if they are, a Lambda function should be invoked to set the user to auth in Cognito to log in. I created a fixed user in Cognito with username and password and I now want to check whether the entries of the fields are the same as the created user, so that the user is logged in and can use the functions on the web app.
I read a lot of tutorials on how to set up authentication with Cognito and Lambda, but they are totally different from what I want to do. So I really have no idea how I can write the Lambda function to do what I want.
Does anyone have an idea how I can build up my plan, or is it a bad idea like that?
Thank you for your help
You don't need the user/pass. In API Gateway, on the Lambda method, set the auth type to AWS_IAM, so only authenticated users will be able to call the Lambda method... and then only that specific user will be able to call your Lambda method.
Inside the Lambda method you can access
event.requestContext.identity.cognitoAuthenticationProvider
and
event.requestContext.identity.cognitoIdentityId
to get the user that was authenticated by AWS.
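What the Lambda behind that AWS_IAM method would do with those two fields, as an added example that is not part of the answer and not AWS sample code: parse cognitoAuthenticationProvider, pin the request to the one fixed user, and reject everything else. It assumes the pool id and the fixed user's sub are placeholders to be replaced with your own, and that the method is called with Identity Pool credentials (unauthenticated identity-pool roles can also sign requests, so the absence of a user-pool identity is handled explicitly).

```javascript
// Added example (not from the answer or AWS): Lambda behind an API Gateway
// method with authorization type AWS_IAM. API Gateway fills
// requestContext.identity from the credentials that signed the request.
// Assumptions: ALLOWED holds placeholder pool id / sub to be replaced.

// API Gateway sets cognitoAuthenticationProvider to
// "cognito-idp.<region>.amazonaws.com/<poolId>,cognito-idp.<region>.amazonaws.com/<poolId>:CognitoSignIn:<sub>"
// for a user-pool login through an identity pool. Guests and plain IAM callers
// have no such value.
function parseCognitoAuthenticationProvider(value) {
  if (typeof value !== 'string' || value === '') return null;
  const last = value.split(',').pop();
  const m = /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([A-Za-z0-9_-]+):CognitoSignIn:([0-9a-f-]+)$/.exec(last);
  if (!m) return null;
  return { region: m[1], userPoolId: m[2], sub: m[3] };
}

// The single permitted user: pin on pool id + sub, not on a username, since the
// sub is the immutable user-pool identifier.
const ALLOWED = {
  userPoolId: 'eu-central-1_EXAMPLE',
  sub: '11111111-2222-3333-4444-555555555555',
};

function authorize(identity) {
  const who = parseCognitoAuthenticationProvider(identity && identity.cognitoAuthenticationProvider);
  if (!who) return { ok: false, reason: 'no Cognito user pool identity (guest or IAM caller)' };
  if (who.userPoolId !== ALLOWED.userPoolId) return { ok: false, reason: 'wrong user pool' };
  if (who.sub !== ALLOWED.sub) return { ok: false, reason: 'not the fixed user' };
  return { ok: true, sub: who.sub, identityId: identity.cognitoIdentityId };
}

const handler = async (event) => {
  const decision = authorize(event.requestContext && event.requestContext.identity);
  if (!decision.ok) {
    return { statusCode: 403, body: JSON.stringify({ error: decision.reason }) };
  }
  return {
    statusCode: 200,
    body: JSON.stringify({ message: `hello ${decision.sub}`, identityId: decision.identityId }),
  };
};

if (typeof module !== 'undefined') module.exports = { handler, authorize, parseCognitoAuthenticationProvider };
```

The check inside the function is the second line of defence; the first is the identity pool's authenticated role policy, which should grant execute-api:Invoke only on this method, and the unauthenticated role, which should grant nothing.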
I'm looking for a way to create an API token after registration without a session.
And I also have a question:
A regular site has a session to identify the current user.
But in an API, how can I identify the current user if we do not create a session for him?
I'm having trouble with these questions
The main concept is that in the login request you send e-mail and password and you get the token.
In all subsequent requests you always send this token (so you know which user makes the request), and with it you also send the other data (if necessary).
Of course you need to make sure this token is somehow unique so you know exactly which user is making the request.
You can implement it on your own or you can take advantage of some ready-made components.
In fact, in Laravel 5.2 you have TokenGuard built in, so you can create simple token authentication out of the box. You can watch this video on Laracasts for further details.
You can also use some other packages, for example JWT Auth.