I am new to Cognito, so I'm sure the answer to this will be very obvious to most readers.
I want to restrict access to my app so that certain Google accounts can access it.
I have configured Google as an external identity provider in Cognito, and the sign-in works insofar as anyone with a Google account can sign in with Cognito and access the app.
How would I go about having Cognito check the email address associated with the Google account of the person trying to sign in and only letting them access the app if their Google account is authorized, and denying them if they don't have permissions?
I think this is a quick answer, I am just at a loss when it comes what words to search in order to find help.
You can use a pre-sign up lambda. Pre sign up lambda is triggered just before AWS Cognito signs up a new user, so you can add custom verification methods in pre-sign up lambda and accept the registration if you verified the user and deny registration if the verification is failed.
You can read more about pre-sign up lambda here : Pre-sign up lambda
You could use the Cognito Lambda triggers to check the user attributes of the google user when signing in like email and then authenticate or fail authentication depending on the email of the user. You will have to mess around with which trigger to use but that could work.
Related
is it possible to use AWS Cognito that has a custom authentication flow enabled, while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge-trigger was not hit.
I contacted AWS Support and they pointed me to the Cognito documentation here where a note says that
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of login.
My idea is that you can probably do this by defining a custom challenge, that asks, which identity provider you want to use, as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP-stuff or username and password, if that is enabled. If Facebook is chosen for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be gotten, if the client shows the website with the Facebook login. The challenge response to the server would then be the gotten auth token from Facebook or code or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and is registered as an external identity provider
This is my idea of how I would go about to do this, but I haven't actually implemented this. I hope this helps someone trying to do this though.
I need to login users via Instagram for my mobile application so I can make calls to Instagram API and get some information from the Instagram. Simply, my application will ask user to authorize Instagram access and able to get access token for API calls. Application should not ask user to login again once the user is authorized. I already setup my Instagram client-app to implement server-side authentication flow.
My challenge is I want to do this on by using AWS mobile services. I already setup custom authentication from MobileHub and came to point where I need to define my custom authentication flow (in this case it is Instagram authentication flow). Under AWS Cognito app when I go to Triggers tab, I see different options for defining lambda functions associated with my authentication (such as pre/post auth or define / create / verify auth challenge). I am not sure how to align Instagram Authentication flow with these functions. Or should I use something else. Also I am not clear how does AWS Cognito manages authentication flow: I don't want my users to go through authorization process every time they start my application. I believe AWS Cognito link users from my custom flow to some Cognito identity and able to authenticate when they use my application. I really appreciate any suggestions, or even code sample (if available).
Check this Document for Cognito Identity. Instagram is not there by default. So you have to use External Identity Provider, most probably using Open ID Connect Providers.
BACKGROUND: Obviously I don't know too much about cognito because I spent the last two hours attempting to authenticate my users with cognito and realized that they weren't authentication providers but rather organizers of credentials.Then I thought of an easier workaround instead of creating a entirely new backend for authenticating users and wanted to verify its viability.
PLAN: I was thinking that I would have users come onto my app and automatically be authenticated with Cognito as an unauthenticated user. Then I would use calls to AWS Lambda and Dynamodb (where my data is stored) and use either a facebookID, which would be obtained from a logged in Facebook user, or a username/password combo to do a basic check and authenticate a user.
Please let me know if any part of my PLAN isn't clear and I will elaborate.
Question: Please let me know if my PLAN is a safe way for me to authenticate users without making an intense backend solely dedicated to creating and storing accounts.
If you want to use Cognito Credentials to access Lambda and DynamoDB, that's exactly the use case Amazon Cognito is meant for.
If you want unauthenticated identities to later on migrate to authenticated with Facebook, note than once you link an identity with Facebook the user will always need to be authenticated to get credentials for that identity: you can't access it as unauthenticated again.
I have a API in AWS API gateway.
I wants to give Limited access to the user how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.
I am writing my own reporting software in Java and planning to use RDS for data storage. I want to do the A.A. with AWS IAM. Is there any example(s) of authenticating and authorizing with AWS Identity and Access Management that you might be aware and share with me?
I am not looking on how to set up the user from Amazon's console or how to issue console commands. Instead I would like to see some Java code how to identify if user is authenticated with his/her credentials (user id, password combination) and whether that person authorized to get access to specific report.
AWS IAM is not designed to authenticate users with your own app. AWS IAM is designed to authenticate users with AWS services.
The only way to see if a user is a real user(authentication) and if that user is authorized is to actually make an AWS API call.
For example, you can create a policy that looks like this and attach it to a user/group:
{
"Statement":[{
"Effect":"Allow",
"Action":["rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:DescribeDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress"],
"Resource":"*"
}
]
}
And the user or group who has this policy can only make these API calls and not others.
See here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Amazon has something called Cognito which is designed to sync application profiles across mobile devices. What applies to your question, though, is that it also allows users to authenticate with Google, Facebook, or Amazon (it uses OAuth).
http://aws.amazon.com/cognito/