AWS Cognito use custom auth flow with external identity provider - amazon-cognito

Is it possible to use AWS Cognito with a custom authentication flow enabled while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge trigger was not hit.

I contacted AWS Support and they pointed me to the Cognito documentation, where a note says:
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use the custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of logging in.
My idea is that you can probably do this by defining a custom challenge that asks which identity provider you want to use as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP values or username and password, if that is enabled. If Facebook is chosen, for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be obtained if the client shows the website with the Facebook login. The challenge response to the server would then be the obtained Facebook auth token or code, or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and registered as an external identity provider.
This is my idea of how I would go about to do this, but I haven't actually implemented this. I hope this helps someone trying to do this though.
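The flow sketched above, as an added example that is not part of the original post: the three custom-auth Lambda triggers (DefineAuthChallenge, CreateAuthChallenge, VerifyAuthChallengeResponse) plus a small driver that replays the loop Cognito runs between InitiateAuth and token issuance. The provider names, the assumption that the client repeats its provider choice in ClientMetadata on the second round, and the Facebook token check (a stand-in for a call to Facebook's debug_token endpoint) are all assumptions of this example.

```javascript
'use strict';

// Added example (not code from the original post). Round 1 asks the client which
// identity provider it wants; round 2 asks for that provider's credential and
// verifies it server-side. Provider names and the Facebook check are assumptions.
const PROVIDERS = ['COGNITO', 'FACEBOOK'];

// Stand-in for a real Facebook check (assumption). A deployment would call
// https://graph.facebook.com/debug_token with the pool's app access token and
// require is_valid === true and app_id equal to the Facebook app registered in
// the user pool. A native Cognito password cannot be checked inside a custom
// challenge; for that branch start the flow with SRP_A so DefineAuthChallenge
// can issue PASSWORD_VERIFIER first (not shown here).
function makeFacebookVerifier(acceptedTokens) {
  return (token) => acceptedTokens.has(token);
}

// DefineAuthChallenge: decides the next step from the session history only.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const res = event.response;
  res.issueTokens = false;
  res.failAuthentication = false;
  if (session.length === 0) {
    res.challengeName = 'CUSTOM_CHALLENGE';             // round 1: pick a provider
  } else if (!last.challengeResult) {
    res.failAuthentication = true;                       // any wrong answer ends the flow
  } else if (last.challengeMetadata === 'PROVIDER_SELECT') {
    res.challengeName = 'CUSTOM_CHALLENGE';             // round 2: present a credential
  } else if (last.challengeMetadata === 'PROVIDER_CREDENTIAL') {
    res.issueTokens = true;                              // credential verified
  } else {
    res.failAuthentication = true;
  }
  return event;
}

// CreateAuthChallenge: builds the challenge. privateChallengeParameters is the
// only state that reaches VerifyAuthChallengeResponse, so the chosen provider is
// pinned there after being re-checked against the allow-list.
function createAuthChallenge(event) {
  const session = event.request.session || [];
  const res = event.response;
  if (session.length === 0) {
    res.challengeMetadata = 'PROVIDER_SELECT';
    res.publicChallengeParameters = { providers: PROVIDERS.join(',') };
    res.privateChallengeParameters = { step: 'PROVIDER_SELECT' };
  } else {
    const provider = (event.request.clientMetadata || {}).provider;   // client repeats its choice (assumption)
    if (!PROVIDERS.includes(provider)) {
      throw new Error('unknown provider');   // Cognito surfaces a trigger error as a failed auth
    }
    res.challengeMetadata = 'PROVIDER_CREDENTIAL';
    res.publicChallengeParameters = {
      provider,
      expects: provider === 'FACEBOOK' ? 'facebook_access_token' : 'cognito_credential',
    };
    res.privateChallengeParameters = { step: 'PROVIDER_CREDENTIAL', provider };
  }
  return event;
}

// VerifyAuthChallengeResponse: checks the answer against the private parameters.
// `verifiers` maps a provider name to a function (credential) => boolean.
function verifyAuthChallengeResponse(event, verifiers) {
  const priv = event.request.privateChallengeParameters || {};
  const answer = event.request.challengeAnswer;
  let ok = false;
  if (priv.step === 'PROVIDER_SELECT') {
    ok = PROVIDERS.includes(answer);
  } else if (priv.step === 'PROVIDER_CREDENTIAL') {
    const check = verifiers[priv.provider];
    ok = typeof answer === 'string' && typeof check === 'function' && check(answer) === true;
  }
  event.response.answerCorrect = ok;
  return event;
}

// Replays the loop Cognito drives; answers[i] is the client's reply to round i.
function runCustomAuthFlow(answers, clientMetadata, verifiers) {
  const session = [];
  for (;;) {
    const def = defineAuthChallenge({ request: { session: session.slice() }, response: {} });
    if (def.response.issueTokens) return { outcome: 'TOKENS', rounds: session.length };
    if (def.response.failAuthentication) return { outcome: 'FAILED', rounds: session.length };
    let created;
    try {
      created = createAuthChallenge({ request: { session: session.slice(), clientMetadata }, response: {} });
    } catch (e) {
      return { outcome: 'FAILED', rounds: session.length, error: e.message };
    }
    const verified = verifyAuthChallengeResponse({
      request: {
        privateChallengeParameters: created.response.privateChallengeParameters,
        challengeAnswer: answers[session.length],
      },
      response: {},
    }, verifiers);
    session.push({
      challengeName: 'CUSTOM_CHALLENGE',
      challengeResult: verified.response.answerCorrect,
      challengeMetadata: created.response.challengeMetadata,
    });
  }
}
```

The point to take from the driver is that the Facebook token is verified by your Lambda, not by Cognito's federation: Cognito only sees a passed or failed custom challenge, so the identity it issues tokens for is whatever user the flow was started for, and the server side has to check that the Facebook identity behind the token actually belongs to that user.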

Related

How to get custom attributes back from AWS Cognito & OIDC when using AWS Amplify?

We're developing a website with AWS Amplify that uses Cognito to handle the authentication. I've configured the user pool in Cognito to use Keycloak as the OIDC IdP. The basics of logging in and out are all working as desired.
I now want to get more information back from Keycloak into the Amplify app. If I use https://openidconnect.net/ as a test point for authenticating to Keycloak as if it were Cognito, I can decode the JWT at https://jwt.io and see the additional information I'm after.
In Cognito, in General Settings > Attributes, I've added a custom attribute "groups":
In General settings > App clients, I've marked that attribute as readable:
Under Federation > Attribute mapping, I've mapped the OIDC attribute to the User pool attribute:
but when I authenticate in the web application and dump the payloads of the ID and access tokens, I cannot see the "custom:groups" attribute.
What am I missing or misunderstanding here?
Thanks.

Custom Authentication flow with aws amplify cognito

I want to create a custom sign-up authentication flow with the AWS Amplify Cognito service.
What I have:
1. Enter username
2. Enter password
3. Verify user with OTP (phone number) / confirmation code (email)
What I want:
1. Enter username
2. Enter OTP / confirmation code
3. Enter password
How can I achieve this sign-up flow using the AWS Amplify Cognito service? Otherwise, what is the best service or approach?
The scenario you want is possible to do with a custom auth flow, but this has some caveats:
You can't use Cognito's MFA with a custom auth flow. It's just not possible. I have an enterprise account with AWS and have raised this with our rep, and it was not even in their backlog. This means you need to implement your own SMS OTP or use Twilio's API for it ($).
The Cognito Hosted UI does not support custom auth, so you will need to redo ALL the UI yourself (think reset-password links etc., not just login).
Since you will be making API calls, not using the Hosted UI, you will lose all OAuth benefits: no code grant or OAuth scopes. This means you need to do a heap of extra work to get it working securely in a mobile auth session; essentially you will need to reimplement code grant with PKCE somehow.
If you want to do this you can use the custom auth flow, it's pretty complex but here is an article that helped me out when I was doing it: https://dev.to/duarten/passwordless-authentication-with-cognito-13c
My advice would be to stick with the Hosted UI if possible, or don't use Cognito. The feature set of Cognito is a lot less than other auth providers (but it's cheaper).

How to use Firebase Authentication with Okta?

I am currently using Firebase Authentication in my app using the built-in OIDC providers (Google, Facebook, etc.). Is it possible to use Okta as an additional OIDC provider with minimal modifications to my app, meaning Okta should behave just like any other built-in provider? Firebase Auth APIs such as firebase.auth().currentUser and firebase.auth().onAuthStateChanged() should still work.
The doc page for Custom Authentication talks about getting a custom token from an auth server, but does not clarify if that's an OAuth access token. Is there an example of Okta integration or a generic OIDC integration that works seamlessly with Firebase auth?
There's no built-in Okta provider for Firebase Authentication, but if you have an existing authentication flow for it, it's fairly easy to integrate it into Firebase as a custom provider.
It's a six-step process:
You gather the user credentials on the client.
You pass those credentials to a trusted environment, either a server you control, or Cloud Functions.
On the server you verify that the credentials are correct according to Okta, typically by calling a server-side API they provide with a key you provide.
You then use the results of that call to mint a new ID token for the user. This is a JWT, not an OAuth access token.
You pass back that ID token from the server to the client.
The client then calls firebase.auth().signInWithCustomToken(token) with the ID token, to sign in to Firebase Authentication.

Storing and using facebook's refresh token in Identity as a service (IDaaS)

We're planning to use IDaaS for better identity management. We are comparing functionalities between Okta, Auth0, and AWS Cognito.
However, Facebook provides a way to refresh a user token. They also have an option for extending a page token. My question is, if I use any IDaaS or identity management system, can I use those functionalities?
I know I can get a refresh token from Okta or Auth0 and use it to get an access token, but I could not find any way to retrieve or use the refresh token from Facebook. Am I missing anything?
I have added Facebook as a social identity provider. I can log in via a Facebook account. My applications do not know about Facebook's app ID and secret. Is it possible to use Facebook's refresh token functionality via IDaaS?
You can use Okta's Identity Provider API to get the Facebook access token issued for a user during authentication.
https://developer.okta.com/docs/api/resources/idps#identity-provider-social-authentication-token-model
You can then use it to call Facebook APIs to get a refresh token that you can then store within Okta as a custom attribute on the (idp)user profile.
I'm assuming that you want to use the FB refresh/access token to get additional data from Facebook. Is that your use case, or is it primarily about keeping the user logged in to facebook? More detail on the use case can help me provide more relevant information.
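The three calls behind the answer above, as an added example that is not the answer's code: list the social tokens Okta captured for the user, exchange the Facebook token, and write the result back to the Okta user profile. The requests are built as plain objects so they can be inspected offline and then driven through an injected `http(req)` function (a fetch wrapper in practice). The Okta and Facebook paths are the documented ones; the org URL, IDs, app secret, Graph API version and the custom profile attribute name are assumptions. One correction of terminology that the code reflects: Facebook does not issue refresh tokens, so what you store is the long-lived user token you get from the fb_exchange_token grant, which expires on its own schedule.

```javascript
'use strict';

// Added example (not the answer's code): Okta social token -> Facebook long-lived
// token -> Okta custom profile attribute. All identifiers below are assumptions.
const CFG = {
  oktaOrg: 'https://example.okta.com',
  oktaApiToken: 'EXAMPLE-SSWS-TOKEN',
  idpId: '0oaexampleidp',                 // Okta IdP id of the Facebook provider
  fbAppId: '1234567890',
  fbAppSecret: 'EXAMPLE-APP-SECRET',
  graphVersion: 'v19.0',
  profileAttribute: 'fbLongLivedToken',   // must first be added to the Okta user schema
};

// 1. Okta: GET /api/v1/idps/{idpId}/users/{userId}/credentials/tokens
function oktaSocialTokensRequest(cfg, userId) {
  return {
    method: 'GET',
    url: `${cfg.oktaOrg}/api/v1/idps/${cfg.idpId}/users/${encodeURIComponent(userId)}/credentials/tokens`,
    headers: { Authorization: `SSWS ${cfg.oktaApiToken}`, Accept: 'application/json' },
  };
}

// The body is an array of token objects; `token` carries the provider's access token.
function pickProviderAccessToken(body) {
  if (!Array.isArray(body)) return null;
  const entry = body.find((t) => typeof t.token === 'string' && t.token.length > 0);
  return entry ? entry.token : null;
}

// 2. Facebook: exchange the short-lived user token for a long-lived one.
// The app secret travels in the query string, as Facebook's docs specify, so keep
// this URL out of access logs and never build it in the client.
function facebookExchangeRequest(cfg, shortLivedToken) {
  const q = new URLSearchParams({
    grant_type: 'fb_exchange_token',
    client_id: cfg.fbAppId,
    client_secret: cfg.fbAppSecret,
    fb_exchange_token: shortLivedToken,
  });
  return { method: 'GET', url: `https://graph.facebook.com/${cfg.graphVersion}/oauth/access_token?${q}` };
}

// expires_in is in seconds; long-lived user tokens last roughly 60 days.
function parseFacebookExchange(body, now = Date.now()) {
  if (!body || typeof body.access_token !== 'string') throw new Error('facebook exchange: no access_token');
  return { token: body.access_token, expiresAt: now + Number(body.expires_in || 0) * 1000 };
}

// 3. Okta: POST /api/v1/users/{userId} is a partial profile update.
function oktaStoreTokenRequest(cfg, userId, longLived) {
  return {
    method: 'POST',
    url: `${cfg.oktaOrg}/api/v1/users/${encodeURIComponent(userId)}`,
    headers: { Authorization: `SSWS ${cfg.oktaApiToken}`, 'Content-Type': 'application/json', Accept: 'application/json' },
    body: { profile: { [cfg.profileAttribute]: longLived.token } },
  };
}

// Orchestration. http(req) resolves to { status, body }.
async function refreshFacebookTokenForUser(http, cfg, userId) {
  const listed = await http(oktaSocialTokensRequest(cfg, userId));
  if (listed.status !== 200) throw new Error(`okta tokens: HTTP ${listed.status}`);
  const shortLived = pickProviderAccessToken(listed.body);
  if (!shortLived) throw new Error('no Facebook token on record; user must sign in via Facebook first');
  const exchanged = await http(facebookExchangeRequest(cfg, shortLived));
  if (exchanged.status !== 200) throw new Error(`facebook exchange: HTTP ${exchanged.status}`);
  const longLived = parseFacebookExchange(exchanged.body);
  const stored = await http(oktaStoreTokenRequest(cfg, userId, longLived));
  if (stored.status !== 200) throw new Error(`okta update: HTTP ${stored.status}`);
  return longLived;
}
```

Storing the long-lived token on the Okta profile makes it readable by anyone with user-read rights on the Okta API, so treat that attribute as a secret (or store only a reference to it in your own encrypted store) and repeat the exchange before it expires.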

AWS Cognito Mobile Hub

I need to log in users via Instagram for my mobile application so I can make calls to the Instagram API and get some information from Instagram. Simply put, my application will ask the user to authorize Instagram access and be able to get an access token for API calls. The application should not ask the user to log in again once the user is authorized. I have already set up my Instagram client app to implement the server-side authentication flow.
My challenge is that I want to do this by using AWS mobile services. I have already set up custom authentication from Mobile Hub and came to the point where I need to define my custom authentication flow (in this case the Instagram authentication flow). In the AWS Cognito console, when I go to the Triggers tab, I see different options for defining Lambda functions associated with my authentication (such as pre/post auth or define/create/verify auth challenge). I am not sure how to align the Instagram authentication flow with these functions, or whether I should use something else. I am also not clear on how AWS Cognito manages the authentication flow: I don't want my users to go through the authorization process every time they start my application. I believe AWS Cognito links users from my custom flow to some Cognito identity and is able to authenticate them when they use my application. I really appreciate any suggestions, or even a code sample (if available).
Check this document for Cognito Identity. Instagram is not there by default, so you have to use an external identity provider, most probably an OpenID Connect provider.