If our user has MFA enabled in Cognito and they file a support case where we as the admin would have to 'impersonate' their account to see what is going on, how would that work? There doesn't seem to be a temporary disable of MFA in Cognito, right? Would we have to request that the user disable MFA on their end before we can use our endpoints to impersonate the login?
There is no way to "impersonate" the user with or without MFA unless the user is willing to give you their credentials! Then you can theoretically also convince them to give you their MFA code as soon as they receive it. But all of this would be really bad practice. You should look for alternatives, like creating a dummy account and trying to recreate the issue that a user is facing. If you could give details about what you are trying to achieve by impersonating the user, maybe we could figure out some alternatives.
can GMAIL API be used for sending out account verification when registering to a site?
I plan to use it for email registration , verification, forgot password for transactional use
Yes it can but you may not want to unless you are using Google workspace.
To send an email using a standard Google Gmail account you will need to use OAuth2 and authorize the user who owns this account. Using Gmail scopes with OAuth2 will require your application to go through a security audit. This audit is expensive and time consuming. It's up to you to decide if this is worth it or not.
You could go through the SMTP server and use something called an App password to authorize it. This solution would work, but Google is shutting down unsafe apps now and I fear that App passwords will be next. If it is your only option, then it would be to use XOAUTH2 with SMTP, which again may require that you verify the app.
If you do have a google workspace account then you could set up domain wide delegation to a service account allowing it to impersonate a user on your workspace domain. This solution would work without any issues. It would be optimal in my opinion.
I'm using AuthFlow='ADMIN_NO_SRP_AUTH' to set up Cognito MFA authentication.
I wonder if there is any way that I can ignore the MFA authentication?
Which AdminInitiateAuth request should I use?
For example:
I create a user, then register that user to my UserPool, enable MFA for that user, and now MFA is working fine.
But what if on a bad day, I don't want to use MFA Authentication anymore, but I also don't want to disable MFA for my user because I want to use it on another beautiful day.
May not be the answer you are hoping for but... You can't do it. And it wouldn't even make sense.
MFA is either enabled or disabled. If it's enabled, you need to authenticate with it. Think about it. You set it up to protect the user's account. But the user is able to say - oh, I actually don't want to use it just this time.
The thing is - a bad actor could do exactly the same. Just send a request saying not to use MFA. That would defeat the purpose of MFA entirely.
That's why this decision is left to either an administrator of the pool or the user, who can disable it, but only as long as he/she is signed in (depending on the pool's configuration).
That's why you can only either have it enabled or disabled. And you cannot disable it ad hoc per request.
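To illustrate the point made in this answer (and in the support-case question at the top of the page), here is an added example, not code from either poster, of the ADMIN_NO_SRP_AUTH flow as it looks from a boto3 cognito-idp client: when Cognito returns an MFA challenge, the only way forward is AdminRespondToAuthChallenge with the code from the user's device. The pool id, client id, user, session value and token strings are constructed, and FakeCognito is an offline stand-in so the code runs without AWS.

```python
"""Added example: Cognito ADMIN_NO_SRP_AUTH login that answers an MFA challenge.
There is no request parameter that skips the challenge; the code is supplied or
the login fails. A real boto3 'cognito-idp' client can be passed as `client`."""

# Challenge name -> key Cognito expects in ChallengeResponses for the code.
MFA_CODE_KEYS = {"SMS_MFA": "SMS_MFA_CODE", "SOFTWARE_TOKEN_MFA": "SOFTWARE_TOKEN_MFA_CODE"}


def admin_login(client, user_pool_id, client_id, username, password, get_mfa_code):
    """AdminInitiateAuth, then AdminRespondToAuthChallenge if the user has MFA on.
    `get_mfa_code` is a callback that obtains the code from the user's device."""
    resp = client.admin_initiate_auth(
        UserPoolId=user_pool_id, ClientId=client_id,
        AuthFlow="ADMIN_NO_SRP_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    challenge = resp.get("ChallengeName")
    if challenge is None:                  # MFA disabled for this user: tokens come back directly
        return resp["AuthenticationResult"]
    if challenge not in MFA_CODE_KEYS:
        raise RuntimeError(f"unhandled challenge: {challenge}")
    resp = client.admin_respond_to_auth_challenge(
        UserPoolId=user_pool_id, ClientId=client_id,
        ChallengeName=challenge, Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, MFA_CODE_KEYS[challenge]: get_mfa_code()},
    )
    return resp["AuthenticationResult"]


class FakeCognito:
    """Constructed offline stand-in for the boto3 client (assumption, not the AWS SDK).
    A real client raises a botocore ClientError for CodeMismatchException; this raises
    PermissionError so the failure path is visible without AWS."""

    def __init__(self, mfa_enabled, valid_code="123456"):
        self.mfa_enabled, self.valid_code = mfa_enabled, valid_code

    def admin_initiate_auth(self, **kw):
        assert kw["AuthFlow"] == "ADMIN_NO_SRP_AUTH"
        if not self.mfa_enabled:
            return {"AuthenticationResult": {"AccessToken": "tok-no-mfa"}}
        return {"ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": "sess-1",
                "ChallengeParameters": {"USER_ID_FOR_SRP": kw["AuthParameters"]["USERNAME"]}}

    def admin_respond_to_auth_challenge(self, **kw):
        code = kw["ChallengeResponses"].get(MFA_CODE_KEYS[kw["ChallengeName"]])
        if kw["Session"] != "sess-1" or code != self.valid_code:
            raise PermissionError("CodeMismatchException")
        return {"AuthenticationResult": {"AccessToken": "tok-after-mfa"}}
```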
I'm trying to figure out which OAuth2 grant to use for my application/saas. Or if OAuth2 is even the correct way to go.
The application:
The purpose of the application is for use and integration with e-commerce. So what I want is for the user to go to my site and register an account. After the account has been created the user should be provided with credentials with which he/she can acquire an access- and refresh-token. The access-token should provide access to the user's OWN resources and preferably use scopes to limit access. The user should then be able to get/post/put and delete stuff from his/her account as if working in the provided administration (SPA).
They should not have to go through the OAuth redirect flow, because they will be using the API from their servers.
My thoughts
First I considered going for the Client Credentials grant. But then I found out that it will not provide access to a user and its resources.
I've started leaning towards using the Resource owner credentials grant. But I don't put a lot of faith in my users picking strong passwords. And in almost all documentation I can find, everyone seems to not recommend using this grant.
Maybe OAuth is not suitable for my project? Maybe I should go for some API Key which can be traded for an access token?
Any thoughts and/or input?
I have one link which may be useful for you.
Link: https://github.com/lucadegasperi/oauth2-server-laravel/blob/master/docs/authorization-server/choosing-grant.md
Came to the conclusion that OAuth2 was not correct for my situation.
In the end I chose to go with a custom solution based on JWT.
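As an added example (not the asker's actual implementation), here is a stdlib-only sketch of the design the thread arrives at: a random per-user API key, stored only as a hash, is traded for a short-lived HS256 JWT whose scopes limit what the token can do. SECRET, KEY_STORE, the user id and the scope names are assumptions.

```python
"""Added example: API key exchanged for a scoped, short-lived JWT (HS256, stdlib only)."""
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"   # assumption: server-side secret, never sent to clients
KEY_STORE = {}                             # sha256(api_key) -> {"user": ..., "scopes": [...]}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_api_key(user: str, scopes: list) -> str:
    """Random key instead of a user-chosen password; only its hash is stored,
    so a database leak does not hand out usable keys."""
    key = secrets.token_urlsafe(32)
    KEY_STORE[hashlib.sha256(key.encode()).hexdigest()] = {"user": user, "scopes": scopes}
    return key


def exchange_for_token(api_key: str, ttl: int = 900, now=None) -> str:
    """The 'API key traded for an access token' step: returns a JWT valid for `ttl` seconds."""
    rec = KEY_STORE.get(hashlib.sha256(api_key.encode()).hexdigest())
    if rec is None:
        raise PermissionError("unknown api key")
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": rec["user"], "scope": " ".join(rec["scopes"]), "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def authorize(token: str, needed_scope: str, now=None) -> str:
    """Resource-server side: verify signature and expiry, then the scope; returns the user id."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    if needed_scope not in claims["scope"].split():
        raise PermissionError("scope not granted")
    return claims["sub"]
```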
Is there a line of code that bypasses the second app authentication screen where you select Allow or Deny? I would like our users to automatically be connected to the registered app.
Thanks!
No, it is not possible to bypass that step. If it were possible it would be a security hole.
Yes, it is possible, for paid networks. To be able to do this, your application should use an access token that has been authorized as a verified network admin, so it can impersonate user access tokens; take a look at impersonation in the Yammer documentation for more information about this.
BACKGROUND: Obviously I don't know too much about Cognito because I spent the last two hours attempting to authenticate my users with Cognito and realized that they weren't authentication providers but rather organizers of credentials. Then I thought of an easier workaround instead of creating an entirely new backend for authenticating users and wanted to verify its viability.
PLAN: I was thinking that I would have users come onto my app and automatically be authenticated with Cognito as an unauthenticated user. Then I would use calls to AWS Lambda and Dynamodb (where my data is stored) and use either a facebookID, which would be obtained from a logged in Facebook user, or a username/password combo to do a basic check and authenticate a user.
Please let me know if any part of my PLAN isn't clear and I will elaborate.
Question: Please let me know if my PLAN is a safe way for me to authenticate users without making an intense backend solely dedicated to creating and storing accounts.
If you want to use Cognito Credentials to access Lambda and DynamoDB, that's exactly the use case Amazon Cognito is meant for.
If you want unauthenticated identities to later on migrate to authenticated with Facebook, note that once you link an identity with Facebook the user will always need to be authenticated to get credentials for that identity: you can't access it as unauthenticated again.