Auth0 as front end to log in Cognito users - amazon-cognito

I have an Android app and an API secured with Auth0.
I'm developing an app for a new client, who has a large Cognito user pool.
Is it possible to use my current Auth0 setup to log in Cognito users via email/password and receive an Auth0 JWT?
I don't want to create a new Auth0 user for each Cognito user. At least not explicitly.
Thanks

If I understand you correctly, you want to use Auth0 as a service provider and AWS Cognito as an identity provider. In theory, you can use the SAML protocol to achieve that. Try the following:
Configure Auth0 as a SAML service provider: https://auth0.com/docs/protocols/saml/saml-sp-generic
Configure AWS Cognito as an identity provider: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Then, once you initiate the login flow in Auth0, users will be redirected to AWS Cognito for user authentication. After successful user authentication, AWS should redirect the user to Auth0 with a SAML assertion. At that stage, Auth0 will validate the assertion and issue a JWT token. The user will be redirected to your application with the JWT. Note that if this is the first login, Auth0 will create a user profile.
https://auth0.com/docs/protocols/saml
The following AWS documentation explains how to configure Auth0 as an IdP.
https://aws.amazon.com/premiumsupport/knowledge-center/auth0-saml-cognito-user-pool/

Related

Integration AWS Cognito with Okta

I am using AWS Cognito User Pools to sign up users. However, my client applications are Okta based. Once the users have signed up and confirmed their email address on Cognito, I would like to be able to log in with their credentials directly in the Okta apps, so that would require creating a user/password on the Okta app as well. But that would require some development to take the Cognito credentials and create the Okta user with these credentials.
How can I integrate it directly, so that once the user has confirmed the email, they can automatically log into the Okta app? Also, if I invalidate a user on Cognito, they should no longer have access to Okta apps.
It's not possible. You would need to do it all by hand: creating/modifying users in Okta after you do the same in Cognito.
All Okta - Cognito integrations assume that you have your applications integrated with Cognito, which is integrated with Okta. Okta is your identity store and all creations/modifications are done there. Cognito only trusts information from Okta and allows users to sign in to applications integrated with it.

AWS Cognito Userpool - Cognito does not perform MFA challenge for Federated users

I have set up a user pool with two login methods. One uses the hosted UI with the user pool to sign up/sign in users, and the other uses a federated identity provider (IdP). For both login methods (app clients) I have enabled and used Code Auth Flow + PKCE (so the code <-> token exchange could be completely handled by the client, a React web frontend).
I have also set up an identity pool for users to get temporary credentials to complete the MFA (TOTP) setup from the React web frontend.
Now, I could complete the MFA setup: showing the QR code (AssociateSoftwareToken), performing VerifySoftwareToken (after the user gets the one-time token using a code generator app, Google Authenticator in my case) and updating the user pool with the user's preference via SoftwareTokenMfa settings.
When users log in using the hosted UI (with user accounts created through Cognito), Cognito performs the MFA challenge before redirecting with the (OAuth) code.
But when users log in using federated login, Cognito redirects the user back to the application with the OAuth code without an MFA challenge.
Is there any way I could make Cognito perform MFA for users logging in using federated login?

Get custom parameters from aws cognito when it redirects to web application (PingOne as SAML identity provider)

I am validating the user using AWS Cognito (SAML identity provider). I want the email id of the user from AWS Cognito when it redirects to my web application using the callback feature of Cognito.
Currently, I am using the IdP-initiated flow to log in to my application. When Cognito calls back to my web application URL, I am not getting the email address.
How can I get the email id in the request?

REST API oauth2 type authentication using AWS Cognito

I have a REST API in Node.js. My mobile app will consume my REST API. Can I implement OAuth2-type authentication using AWS Cognito for my mobile app? I need the resource owner password grant if I implement OAuth2.
Amazon Cognito's Federated Identity feature is not an authentication provider. It vends AWS credentials for well-known providers like Facebook, Google, Cognito User Pools, etc. or for custom developer providers. These custom developer providers can use any authentication protocol as long as they talk to our services from the back end and use the OpenId tokens vended in the back end from their mobile apps. You can read more about this here.
Cognito User Pools however is an authentication provider and vends OpenId tokens once the user is authenticated. These tokens can also be exchanged for AWS credentials using the federated identity flow.

Amazon Cognito Authenticated User with Auth0

I've been trying to use the authenticated code provided from Auth0 and AWS Cognito to authenticate a user but when I go to the AWS Cognito Console dashboard I see no identities have been created.
Logic flow should be this: I get my JWT from Auth0 when a user logs in and I use that to get my AWS Cognito Credentials - I use the following code:
using Amazon;                  // RegionEndpoint
using Amazon.CognitoIdentity;  // CognitoAWSCredentials

CognitoAWSCredentials credentials = new CognitoAWSCredentials(
    "us-east-1:11047a24-xxxx-xxxx-xxxx-111111111", // Identity Pool ID
    Amazon.RegionEndpoint.USEast1);                // Region
// Key is the OIDC provider name configured in the identity pool; id_token1 is the ID token from Auth0
credentials.AddLogin("stef.auth0.com", id_token1);
I did input the JWT (id_token1) into jwt.io to check its validity and it comes back VALID SIGNATURE when I add the Auth0 client secret. I am not able to see any errors when I run the code. I am using Xamarin C#. I did all the necessary setup: configuring the provider, setting up the default IAM roles for Cognito Auth/Unauth, putting the correct Auth0 client ID into AWS, etc. I can, however, add an unauthenticated user but not an authenticated user.
Am I using the wrong code here? Can someone point me in the right direction please?
Thank you for looking!