I'm working on building a mobile / web app and would like to utilize AWS Cognito for authentication.
I wanted to do a Proof Of concept before implementing it completely. As part of that, I have setup a user pool and used Amplify to Signup, SignIn users.
As part of Sign up I was able to verify the user using verification code to either a phone (or) email.
Also as part of Sign In, I received the MFA tokens in my phone/email and validated the MFA before logging in.
My question is, I would like to differentiate email/phone verification methodology(SignUp) vs MFA Token methodology(SignIn).
Is it possible to verify user email via a verification link (SignUp) and utilize token based MFA for SignIn ?
I tried changing the user pool MFA message from code to link. I m getting a verification link in my email, however I m not getting an MFA - because I have used email as my verification method.
Per the documentation, email verification doesn't trigger MFA as part of SignIn.
In your user pool, if you have selected both email and phone as required,phone is given more priority. At the time of sign up and sign in, you are just given a MFA code via sms but not email.
But if you want to use Email for sign up and phone MFA sms code for signing in, please read this-
You need to call 3 methods(GetUser,GetUserAttributeVerificationCode and VerifyUserAttribute) from the AWS SDK to verify the other attribute.
Referfence Article - AWS Docs
Hope it helps.
Related
I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".
When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").
Is this normal behaviour?
Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for #gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.
If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).
Also see:
Github issue Facebook provider overwritten by Google provider
Mailing list Firebase Social Authentication Issue with fb and gmail flow
Authentication using Facebook at first and then Google causes an error in Firebase for Android
This is how I'm solving it:
https://firebase.google.com/docs/auth/android/account-linking
Just link the "accounts".
Update 2023:
You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex#gmail.com if there already is an account that signs in using the email address ex#gmail.com and a password.
If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.
You can find this under settings within Firebase Authentication.
There are some caveats to using this feature, please read about it here
I'm using okta to sign-in to my react based web application. There is an edit action within the app that requires the user to re-enter his password. I've checked the docs and couldn't find anything similar. The closest I got to was the 're-authenticate' user part. However, that's only based on time. I want to achieve similar functionality based on an event(say, button click). Can I do this using refresh tokens? (I'm not clear about the whole idea of refresh token). Is there a workaround or a specific okta API that allows me to do this?
I have contacted Okta support and they advised me to use the Okta MFA factors(OTP to email/phone, Google Auth etc.) and not to prompt the user to enter a password.
MFA Factors API: https://developer.okta.com/docs/reference/api/factors/
Problem:
I am using Aws Cognito using google as external federated identity for auth of my application:
problem is it logs me in with the last user when having only one signed in google account. Basically it seem its simply not able to logout the user completely.
Heres what is happening :
I am logged into google with e.g user a#gmail.com
I login into cognito via the external federated identity use the above email and login. All iz well.
I now logout and want to login into cognito using 'b#gmail.com', now say I created the account using another browser and never used the current browser, so browser does not know about this.(In short I am logged into just one gmail account in this browser.)
When I try to signin I am shown the option to 'Signin with Google' but it never presents me the account selection screen and directly logs me in.
I am using the screen cognito shows at https://mydomain.auth.auth.us-east-1.amazoncognito.com/login
Using Prompt:
I see that google itself has a way to force the user to select an account using the 'prompt' : select_account option. But I see no way to specify this anywhere in cognito.
Question :
- Anyone have any fix / workaround to above problem? I need a way to 'always' show the account selection so that he can choose or use a different account.
Did you try the logout endpoint from cognito ?
- Yes, This is happening even after I send the user to the logout endpoint of cognito, which is probably supposed to logout the user.
I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.
I have an iOS 7 iPad app that uses Auth0 to authenticate users. Auth0 sends a verification message to each new user's email address to verify the email address. I would like my app to be informed when the email address has been verified. I have not found a way to do this without repeatedly querying Auth0 for the user's profile until the profile indicates the email address is verified.
Has anyone found a more efficient way to do this? I am very new to process communication over the internet, but I see that I may be able to use an Auth0 Rule to send a URL get request. I also see that I have added URL schemes to my app to enable it to respond to URLs. But I don't know if these two features can be used to provide a notification from Auth0 to a device that the event I want has occurred.
Has anyone a solution to this?