I'm trying to map a Cognito user pool ID to a cognato federated identity ID and I can't figure out how to do this.
Here's what I'm trying to do :
- a user login to a user pool
- he drops a file on s3 with the path ${cognito-identity.amazonaws.com:sub}
- then I need to do processing on that file, for which I need to retrieve the user's pool ID
I've searched extensively and I can't find a way to access the user pool Id which is different than the identity ID.
Any help appreciated !
There is no way to direct way map a Cognito User Pool ID with a Cognito Identity ID(for an Identity in the Identity Pool).
However, as a workaround, you could store the mapping in a Cognito User Pool Custom Attribute, or any RDBMS/NoSQL Database.
I tried to figure this out as well, looks like the folks serverless-stack.com have this figured out!
https://serverless-stack.com/chapters/mapping-cognito-identity-id-and-user-pool-id.html
Sample lambda code for a lambda that's authorized through IAM that extracts the user pool user id.
export async function main(event, context, callback) {
const authProvider = event.requestContext.identity.cognitoAuthenticationProvider;
// Cognito authentication provider looks like:
// cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr
// Where us-east-1_aaaaaaaaa is the User Pool id
// And qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr is the User Pool User Id
const parts = authProvider.split(':');
const userPoolIdParts = parts[parts.length - 3].split('/');
const userPoolId = userPoolIdParts[userPoolIdParts.length - 1];
const userPoolUserId = parts[parts.length - 1];
...
}
Related
I am currently working on multi-tenancy using admin auth as per the documentation: https://cloud.google.com/identity-platform/docs/multi-tenancy
I initialized a Tenant Auth with a registered tenantId:
const tenantManager = admin.auth().tenantManager();
const tenantAuth = tenantManager.authForTenant(tenantId);
let tenantData = await tenantManger.getTenant(tenantId)
When I perform any operations using this tenantAuth or get the tenant data, I get the following error
An internal error has occurred. Raw server response: "{"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}"
I can understand it is an IAM role required for the service account key I used for initializing the admin SDK. Can anyone tell what's the valid role to be added?
I am trying to create an Express API with JWT authentication.
However, I was wondering how to best allow users to only access their own resources.
For example if there is a user with id 1 and each user has a list of books in the database:
The id is already part of the JWT Token but commonly there would be a request to something like /users/1/books to get all of the books belonging to user 1.
Would my routes typically still look like this and I would just check the id in the token is the same the request is made for, or is there any other/simpler way?
Thank you for your help!
You can define, some access rights permissions base on the user role or id.
Example: roles : {root, admin, staff}
Then, in your routes you can have some checking whether this user have the permission to access the functions or you can do in the controller level to check the access rights.
You need to define model relations between User, UserModel. In your case as I understand you need to have the relations between UserModel and BooksModels.
UserModel hasMany BooksModel
When you call findOne() to retrieve specific user's data, you can just define include: 'aliasModelName', to retrieve the users related book data.
With this way, you can only have 1endpoint users/:id to retrieve users data and book data. It depends on what you really want, you can also have an endpoint users/:id/books to get all books that belongs to this user.
Your model definition will then become
BooksModel belongsTo UserModel
If you use hasMany you can get all the results that you need in just one query.
Hope this helps!
When user sends the login credentials, you check database if the email exists, if yes then you check if the password matches. If user successfully signins you create the token.
const token = jwt.sign({ _id: user._id, email: user.email }, "this-is-secret", {
expiresIn: "1h",
});
this token is sent to the browser, whenever user make requests, it manually attachs this token to the req, and sends the request to your server. You check if the token is valid, by using the secret key (in this case "this-is-secret").
const decodedToken = jwt.verify(token, "this-is-secret")
req.userId = decodedToken.userId;
now "userId" is attached to the req object. Now when you fetch the data from database, the items that you are fetching, you write a query that (implementation depends on which database you are using)
book.userId=req.userId
I am using AWS cognito API to create User in pool. User is being created successfully in Pool.
Following is the code for that . But this code create user with FORCE_CHANGE_PASSWORD state but I want to create user in UNCONFIRMED state. Can someone help me on this?
AdminCreateUserRequest cognitoRequest =
new AdminCreateUserRequest().withUserPoolId(id)
.withUsername(r.getEmail())
.withTemporaryPassword(r.getPassword().trim())
.withUserAttributes(new AttributeType().withName(Constants.EMAIL).withValue(r.getEmail().trim()))
.withUserAttributes(new AttributeType().withName(Constants.EMAI_VERIFIED).withValue("false"))
.withUserAttributes(new AttributeType().withName(Constants.GIVEN_NAME).withValue(r.getFirstName().trim()))
.withUserAttributes(new AttributeType().withName(Constants.FAMILY_NAME).withValue(r.getLastName().trim()));
You can use SignUpRequest to create user with unconfirmed status
SignUpRequest request = new SignUpRequest().withClientId(clientId)
.withUsername(userSignUpRequest.getUsername()).withPassword(userSignUpRequest.getPassword())
.withUserAttributes(emailAttr, groupAttr);
return cognitoClient.signUp(request)
After signup, user will get code on the email mentioned during signup.You can confirm user signup using different request taking code from user as input.
I am using a nodejs lamdas to get authentication tokens from AWS Cognito and in the front end code I am using the "aws-sdk": "^2.74.0" javascript / typescript sdk :
var creds = new AWS.CognitoIdentityCredentials({
IdentityPoolId: environment.identityPoolId
})
AWS.config.update({
region: environment.region,
credentials: creds
});
var lambda = new AWS.Lambda();
when I sign the token and identity id to my AWS.CognitoIdentityCredentials.params the following way :
creds.params['IdentityId'] = output.identityId;
creds.params['Logins'] = {};
creds.params['Logins']['cognito-identity.amazonaws.com'] = output.token;
creds.expired = true;
I am able to get the following lamda.invoke calls to use authenticated role arn configured for my federated identity pool.
The issue I am having is when I try to sign the user out. I read many forums posts but nobody seem to have a clear explanation on this. I tried using the following in my front end logout function which didn't help:
creds.clearCachedId();
creds.refreshPromise();
any examples showing how the javascript aws-sdk would clear the session/authentication information and switch back to unauthenticated user role arn or logout user and update the config so that next call a AWS service ( lambda.invoke in my case ) would use the unauthenticated role arn instead of trying to use the authenticated role. So it seems Cognito is not aware of the sigout, or I am missing the call to make it aware. I was hoping creds.clearCachedId() would do it but apparently not.
Well it turns out I needed to clear the creds.params manually :
creds.params['IdentityId'] = null;
creds.params['Logins'] = null;
I would think the below would do it, but apparently not.
creds.clearCachedId();
creds.refreshPromise();
I follow the steps described in the link: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html to integrate my user pool with cognito identity. But every time I am trying to access amazone S3 using the Authentication providers I get the following error:
E/CognitoCachingCredentialsProvider: Failure to get credentials
com.amazonaws.services.cognitoidentity.model.NotAuthorizedException:
Logins don't match. Please include at least one valid login for this
identity or identity pool. (Service: AmazonCognitoIdentity; Status
Code: 400; Error Code: NotAuthorizedException; Request ID:
ff4da8ad-9a96-11e6-9c64-67a5c841c727)
at
com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:712)
at
com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:388)
at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:199)
at
com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.invoke(AmazonCognitoIdentityClient.java:558)
at
com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient.getId(AmazonCognitoIdentityClient.java:444)
at
com.amazonaws.auth.AWSAbstractCognitoIdentityProvider.getIdentityId(AWSAbstractCognitoIdentityProvider.java:172)
at
com.amazonaws.auth.AWSEnhancedCognitoIdentityProvider.refresh(AWSEnhancedCognitoIdentityProvider.java:76)
at
com.amazonaws.auth.CognitoCredentialsProvider.startSession(CognitoCredentialsProvider.java:561)
at
com.amazonaws.auth.CognitoCredentialsProvider.getCredentials(CognitoCredentialsProvider.java:371)
at
com.amazonaws.auth.CognitoCachingCredentialsProvider.getCredentials(CognitoCachingCredentialsProvider.java:441)
at
com.amazonaws.auth.CognitoCachingCredentialsProvider.getCredentials(CognitoCachingCredentialsProvider.java:76)
at
com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4369)
at
com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1704)
at
com.amazonaws.mobileconnectors.s3.transferutility.UploadTask.uploadSinglePartAndWaitForCompletion(UploadTask.java:203)
at
com.amazonaws.mobileconnectors.s3.transferutility.UploadTask.call(UploadTask.java:85)
at
com.amazonaws.mobileconnectors.s3.transferutility.UploadTask.call(UploadTask.java:44)
at java.util.concurrent.FutureTask.run(FutureTask.java:234)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
at java.lang.Thread.run(Thread.java:864).
Here is the code:
public static TransferUtility getTransferUtility(Context context) {
if (sTransferUtility == null) {
sTransferUtility = new TransferUtility(getS3Client(context.getApplicationContext()),
context.getApplicationContext());
}
return sTransferUtility;
}
public static AmazonS3Client getS3Client(Context context) {
if (sS3Client == null) {
sS3Client = new AmazonS3Client(getCredProvider(context.getApplicationContext()));
}
return sS3Client;
}
private static CognitoCachingCredentialsProvider getCredProvider(Context context) {
if (sCredProvider == null) {
sCredProvider = new CognitoCachingCredentialsProvider(
context.getApplicationContext(),
Constants.COGNITO_POOL_ID,
Regions.EU_WEST_1);
Map<String, String> logins = new HashMap<>();
logins.put("cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxxxxx", idToken);
sCredProvider.setLogins(logins);
}
return sCredProvider;
}
Here how I get the token
AuthenticationHandler authenticationHandler = new AuthenticationHandler() {
#Override
public void onSuccess(CognitoUserSession cognitoUserSession, CognitoDevice device) {
Log.e(TAG, "***Auth Success***");
idToken = cognitoUserSession.getIdToken().getJWTToken();
AppHelper.setCurrSession(cognitoUserSession);
AppHelper.newDevice(device);
closeWaitDialog();
launchUser();
}
The transferutility is part of com.amazonaws.mobileconnectors.s3.transferutility package.
Thank you for your help.
felini
The problem may be configuration or the way you have created your token (the provider name part looks right). But most likely you just need to GetIdResult.
"Logins don't match. Please include at least one valid login for this identity or identity pool." is coming from the "AWSCognitoIdentityService.GetCredentialsForIdentity" api request (in java i think it is GetCredentialsForIdentityResult)
This can happen when you have an identityId for one identity, then you provide logins for another. If you change identities you need to do a "AWSCognitoIdentityService.GetId" (in java i think this is GetIdResult)
The error is telling you that either it could not find the identity provider associated with the identity pool, or the pool does not have that identity provider configured (I think this generates a different error but not sure) , or it could not associate the identityId with the logins entry token (if the username claim in the ID token did not match the identity it had for instance).
I think you need to either fix your logins dictionary, or do a GetIdResult call to make sure you have the right identityId for the logins hash you are providing.
Or... if it is configuration, make sure that you have the user pool and client id properly configured in the Authentication Providers list as a Cognito user pool authentication provider. Note that if you also configure it in IAM as an identity provider you must have the audience match that same client id. (which also works).
Note: This problem might happen if you configured "unauthenticated" access, then tried to get credentials with a logins hash, but using the unauthenticated identity. I think you would need to do a getIdResult to switch.
It was a configuration problem. I added to an existing identity pool, Cognito user pool as Authentication Providers. I provided the user pool Id and client Id.
Then I click save changes. It was shown in green on the dashboard that my changes was saved. But in reality it was not! That was the reason of the error.
As solution I created a new identity pool from scratch and added during the creation, cognito user pool as authentication provider. Only then it was properly saved after the pool creation.
In case anyone else has the same warning, it is possible to login to a Cognito Identity Pool with an unverified email, but that same user will not be able to authorise against a Cognito Identity Provider, instead this error will be thrown:
Error: Logins don't match. Please include at least one valid login for
this identity or identity pool.
A user can be set to 'Confirmed' via the Cognito console. This does not equate to 'email verified'. The user CAN login to the pool though.
A fully unconfirmed user cannot login at all.