AWS Cognito Best Practise with Identity Providers - amazon-cognito

I have a half-way running app where the user can sign-up via form or via Facebook.
I am trying to do the following and I was wondering whether this aligns with AWS Cognito best practises or not.
Sign-Up:
Sign-up form ("local user"): User can enter username/password with details (gender, bday etc). The credentials get stored in a AWS Cognito User Pool and all other profile details in a custom database.
Sign-up via Facebook: User can hit the Facebook login button on the page and after he is authenticated, he has to fill out missing information (gender, bday etc) if not provided by FB. The profile info will be stored in the same database as for a user signing-up through the form.
Pools:
The AWS user pool is connected as a identity provider in my AWS identity pool.
Facebook is connected to same identity pool.
Token handling:
"Local user": I get based on the identityId from the user pool the credentials from the identity pool. I use this credentials to access resources on AWS. The credentials will be cached on the client in a secure place.
Facebook user: The same procedure as for "local user".
My questions:
Does the overall approach make sense or are there things that do not align with the design of AWS Cognito?
I save all profile information ("local user" and Facebook user) in my own database because I need more advanced query/search capabilities on the profile info. Cognito does not offer sophisticated search capabilities. Is it a bad practise if I separate from User Pool resp. the User Pool stores only username/password of local users? What are the disadvantages of this approach?
Should I create a user in the user pool for every Facebook identity? If yes, why?

You can do everything your trying to do using the javascript sdk.
Check this link out, it shows how to do pretty much everything you need.
https://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

Related

Delete users registered via social login when they are deleted in Login Provider

We have a system that supports social logins and we have a feature that users can download api access key and secret key to make APIs programatically.
But when a user account is deleted from social login provider the user can't login in the system. But the same user can access APIs programmatically. Is it possible to stop the API login as well ?
Unfortunately this can't be done, unless the social service supports publishing some kinds of events about deleted users (though I highly doubt that anyone would be doing that). Maybe there is another way to verify for you whether a given account exists in the social service (by calling some endpoint, for example). Then you can periodically check with this endpoint which of users exist. Or call this endpoint when you get a request to the API and verify if the user still exists.

How to programmatically log-in to Active-Directory without additional setting on AD?

I need to log-in to Azure Active Directory to display the embedded report on a website using asp.net MVC.
However, the API provided is only valid for only username and password.
For logging-on to the AD, all I need to do is to type-in username (email address) and the log-in portal will redirect me to another log-in page and then type in and username and password.
I wonder is there anyway to do the programmatically log-in without using the application secret?
There are two ways to implement Power BI report embedding using Azure AD authentication:
User Owns Data embedding
App Owns Data embedding
If you don't want user sign-in experience, you can implement App Owns Data authentication in the following ways:
Client secret
Master user credentials (username and password (MFA disabled account))
Please go through this documentation to achieve your goal and also, here is a sample code for it.

How can I authenticate a user from my user pool in Cognito using the Unity SDK?

I can't see how to authenticate a user using the AWS backend instead of a developer as shown here: http://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
I want to login to the user accounts I created in my user pools in the Cognito dashboard. Anyone know how to log into a specific user identity in the Unity SDK?
The link you provided is for developer authenticated identities on Federate Identities which is different than the user accounts you have created in the User Pools.
In User Pools console you can go to the Users tab and see the user data. If you have created the users, you can use the credentials you set at creation to login to the user account.

How can we get all user listing from Userpool & identity both (AWS Cognito)

I'm using AWS Cognito for user authentication.
The users who are logged in through Facebook/ google+ are listed in federated identity pool where as the users who are logged in through custom sign up process are listed in cognito user pool.
So, how can we manage both the list of users? Is there any way to access and manage both the list of users in a single application.
The only way to do this is to have your User Pools pool configured as a provider for your identity pool. Once that's configured, those identities should automatically show up as identities inside the identity pool with user pools as a linked login, and will be included in the ListIdentities results. See the Cognito developer guide for specifics on how to link the two, if you are unsure of how to do so.
I'm unsure from your question if you are integrating them already, but if not, Cognito does not currently support a way to list both sets of users.

AWS Cognito Login Flow Check

BACKGROUND: Obviously I don't know too much about cognito because I spent the last two hours attempting to authenticate my users with cognito and realized that they weren't authentication providers but rather organizers of credentials.Then I thought of an easier workaround instead of creating a entirely new backend for authenticating users and wanted to verify its viability.
PLAN: I was thinking that I would have users come onto my app and automatically be authenticated with Cognito as an unauthenticated user. Then I would use calls to AWS Lambda and Dynamodb (where my data is stored) and use either a facebookID, which would be obtained from a logged in Facebook user, or a username/password combo to do a basic check and authenticate a user.
Please let me know if any part of my PLAN isn't clear and I will elaborate.
Question: Please let me know if my PLAN is a safe way for me to authenticate users without making an intense backend solely dedicated to creating and storing accounts.
If you want to use Cognito Credentials to access Lambda and DynamoDB, that's exactly the use case Amazon Cognito is meant for.
If you want unauthenticated identities to later on migrate to authenticated with Facebook, note than once you link an identity with Facebook the user will always need to be authenticated to get credentials for that identity: you can't access it as unauthenticated again.