Adding google to IAM's Identity Providers OpenID Connect - google-plus

This was hard to find so I'll add it here in case anyone needs it.
When adding google sign in as a cognito authentication provider for both Android and iOS I need to use the OpenID rather than Google+, but when adding in google as an OpenID I couldn't find the provider URL in google's documentation

The provider URL is hardcoded accounts.google.com for any credential you create, and add all the clientIDs under Audience.
To add google sign in to Cognito for both iOS and Android:
Go to IAM -> Identity providers
Create a provider
Choose OpenID Connect
In the provider url write https://accounts.google.com
In Audience write one of the app's client_id that you can get from the credentials console
Go back to Cognito:
Under authentication providers go to OpenID
Select accounts.google.com

Related

Is it possible to authenticate a user using google identity without provider's sign in page

Background
I have a web application "APP1" (front-end: Vue.js & Back end:Azure function) deployed in azure app service. I have implemented client directed sign in (easy auth using this), after that I can authenticate user using provider's sign in page [both AAD & google].
Target
I have another web application "APP2" deployed in on-primes server. I want to redirect to APP1 from "APP2" and automatically sign in without provider's sign in page. I will read credentials from environment variable.
Tried solutions
I have found a similar issue here, however I am unable to use the solution because the DB between AAP1 and AAP2 can't be shared
I have also checked the google identity providers documentation, however I am unable to find how to programmatically sign in without provider's sign in page
Question
Is it possible to programmatically sign in to google identity to get token without provider's sign in page
The whole point of google identity is to prove the identity of the person behind the machine.
OpenID Connect is an open standard that companies use to authenticate (signin) users. IdPs use this so that users can sign in to the IdP, and then access other websites and apps without having to log in or share their sign-in information. (id_token)
OAuth 2.0. This standard provides secure delegated access. This means an application created by a developer, can take actions or access resources from a server on behalf of the user, without them having to share their credentials (login and password). It does this by allowing the identity provider (IdP) to issue tokens to third-party applications with the user’s approval. (access_token, refresh_token)

How to login into Google workspace using OIDC with my own identity provider

I am building an SSO system for android where I am the identity provider. And I want users to sign in from my app that will automatically log them in to google workspace (or any other enterprise application e.g salesforce). I cannot figure out what and how to send identity values from my Idp to Google workspace.
This can't be done this way round. When a user signs in to your app she can't be automatically signed in to any other application. The options that you have are:
When a user signs in to your application you can ask Google for an access token. As part of your sign-in process, you can run an OAuth flow against Google Authorization Servers and ask for proper permissions. This will allow the user to additionally log in to their Google account, consent to release information to your app and you will then get an access token that will enable you to call Google's APIs. This way your users will have to log in twice (both to your app and to Google).
You can rely on Google to log users into your app. So, Google will be the OIDC Provider and your app will only be the client. People will log in to their Google account, and you will get an ID token in return. You can use the data from the ID token to create user accounts and sessions in your app.
In the first case, you will want to have a look at OAuth flows, like the code flow. In the latter, you will need OIDC flow, e.g. the OIDC code flow.

Google OpenID Connect User Authorization

We have a SPA web application that supports OpenID Connect login from external Identity providers. Our application supports different user types (roles). We want to support Sign in with Google using Google Identity service (https://developers.google.com/identity/protocols/oauth2/openid-connect) but the Access Token seems to be for Google APIs only (we want to protect our own APIs). The ID Token is a JWT we can validate, but there is nothing in the claims we can use for Authorization.
Is it possible to add custom claims to the Google ID token that we can use for Authorization?
From the link above...
This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification, and is OpenID Certified
I guess this means they ONLY support Authentication and not Authorization? Is this true? Or is there some other Google service we need to use to get user roles (Google Cloud IAM, etc.)?
How does Google expect us to Authorize users they Authenticate?
To get control over what the tokens contains, then my recommendation is to add a separate identity provider in-between your applications and Google. In this way, your applications only need to trust your local provider and it can provide the tokens that you need and you can add additional user information/claims to the tokens.
Just like this picture tries to show:

AWS Cognito use custom auth flow with external identity provider

is it possible to use AWS Cognito that has a custom authentication flow enabled, while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge-trigger was not hit.
I contacted AWS Support and they pointed me to the Cognito documentation here where a note says that
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of login.
My idea is that you can probably do this by defining a custom challenge, that asks, which identity provider you want to use, as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP-stuff or username and password, if that is enabled. If Facebook is chosen for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be gotten, if the client shows the website with the Facebook login. The challenge response to the server would then be the gotten auth token from Facebook or code or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and is registered as an external identity provider
This is my idea of how I would go about to do this, but I haven't actually implemented this. I hope this helps someone trying to do this though.

Inconsistencies between SAML and OIDC in Firebase Auth Signin

Base Scenario
There is a user in Firebase Auth with userID 1234 and email user#email.com with an additional facebook provider linked.
Signing in with an OpenID Connect Provider
Create an OpenIDConnect Provider within Google Cloud Platform's Identity Platform
Use the newly created provider to sign in with the email user#email.com
Result: You'll get an auth/account-exists-with-different-credential error with the credentials sent back. This is the expected behavior.
However:
Signing in with an SAML Provider
Create an SAML Provider within Google Cloud Platform's Identity Platform
Use the newly created provider to sign in with the email user#email.com
Result: The SAML provider is automatically linked to the original firebase user with the userID still 1234. However, it also replaces the previously set Facebook Provider.
Is this a known issue? Am I doing something wrong? The real issue is the replacing of the providerID, but the inconsistencies seem troubling.
-- UPDATE --
Authentication is performed for both OIDC and SAML similar to these docs:
https://cloud.google.com/identity-platform/docs/how-to-enable-application-for-oidc
Specifically:
let provider = new firebase.auth.OAuthProvider(providerID);
this.firebaseApp.auth().
signInWithPopup(provider)
where providerID is either saml.someprovider or oidc.someprovider