I am looking into using AWS-Cognito as a means to manage and authenticate users. I do not want to use aws api-gateway or any of their other services really. It seems though you can only create roles or policies if they are related to some other aws service. I'd like to have these custom roles or policies on the user's id token returned from Cognito. Is it possible to create these custom roles or policies or am I restricted to only roles and policies related to amazon services? I have found tried the Create your own policy, but it throws an error if it doesn't match a specific action or resource known to aws services. Thanks.
You can use Cognito User Pools to authenticate your users. Then you can call STS to issue temporary credentials based upon your own rules (policies). Look into examples using assumeRole().
If you want an integrated / managed service then use Cognito Federated Identities for authorization and Cognito Users Pools or Google, etc. for authentication.
Sort of confusing, but think of Cognito User Pools (or Facebook, etc.) as the Identity Provider and Cognito Federated Users as the Permissions broker.
Related
We have a multi tenant application with supporting role based access by getting users' attributes like tenantId, role etc. from a datastore in AWS Custom Authorizer Lambda and injecting tenant and user specific information into request context. However, we are not using OAuth 2.0 flows for users authentication and authorization. It is a classic username/password registration in AWS Cognito to get a valid JWT access token which is validated again in our Custom Authorizer. I was wondering if this is a good practice or should we introduce an OAuth 2.0 flow like Authorization Code Grant? AWS Cognito doesn't have the same capabilities as AuthO has which means we can't figured out a way to limit user's accesses to specific APIs which are protected with specific scopes. For example; userA has weather-api:write and userB has weather-api:write and weather-api:read scopes who are from the same tenant. There is no way configuring this approach with one Cognito AppClient.
I appreciate for any comments. Thanks!
I want to restrict access to an AWS S3 bucket so that new objects can only be created by users who have authenticated through a specific Cognito User Pool. Looking through the AWS documentation I can't work out how to specify the user pool as a principal in the policy. Can anyone help me with this?
If this isn't possible then I'd appreciate some pointers/guidance which might help me achieve the desired result using some other technique. Thanks.
I think a User Pool will not allow you to do this, seen as you only get an access token for an authenticated entity. You'll probably need to create an identity pool, which allows users in your user pool to retrieve temporary IAM credentials. In the identity pool, you can also configure the role these logged in users get with their temporary credentials. You can use these roles to restrict access to the S3 bucket to only those authenticated users.
In the example below, you can see the settings of an identity pool configured with a Cognito user pool as authentication provider. It will either use the default roles configured on top (big red rectangle) or you can choose a custom role for the Cognito authentication provider (small rectangle). All roles can be managed using IAM.
We are planning to setup three applications, two of them are based on WordPress, and third one is based on Magento. We will deploy these three apps on AWS. We are looking for a tool to centralize the management of all the users for these three apps. We could grant different privilege and allow the different users have different right to these three apps. So, we should choose AWS Cognito or SSO?
You can use both if you go with cognito route. Cognito User pools handles your user management (registration, login, granting tokens) while Cognito Identity Pool lets you use any of the identity providers including user pool to exchange tokens for temporary aws credentials based on what role you have attached to the group of users.
Identity pools also accept SSO with 3rd part authentication providers (federated identity). You can sign in users on your user pool using social identity providers (facebook, google, amazon) or create one using Auth0.
AWS Cognito is the right fit for your application. AWS SSO is essentially a layer between active directories and services like Cognito or Firebase. AWS SSO helps in delegating access to AWS services and provides SAML/Oauth gateways connected to the active directories.
AWS Cognito on the other hand, allows you to easily integrate your login systems with any auth providers like AWS SSO, Okta, Auth0 and social media channels too. Hence, definitely considering your requirements, AWS Cognito user pool is the best fit.
I want to know the difference between AWS-Cognito and Shibboleth. I am unable to find the difference.
From what I can see shibboleth is a general SSO solution. It is comparable with cognito user pool which too provides user management services. The main difference between user pool and shibboleth would be that since user pools are a service offered by AWS they can be used by other AWS services directly like api gateway. IAM can be used to restrict access to signed admin API calls in userpool (eg: adminInitiateAuth)
Then we have cognito identity pool. This is used to grant access to aws resources. You can use various federated identities like facebook, amazon, openid etc as well as cognito user pool to authenticate and request for resources. You can also allow unauthenticated users to access resources.
I'm using AWS Cognito for user authentication.
The users who are logged in through Facebook/ google+ are listed in federated identity pool where as the users who are logged in through custom sign up process are listed in cognito user pool.
So, how can we manage both the list of users? Is there any way to access and manage both the list of users in a single application.
The only way to do this is to have your User Pools pool configured as a provider for your identity pool. Once that's configured, those identities should automatically show up as identities inside the identity pool with user pools as a linked login, and will be included in the ListIdentities results. See the Cognito developer guide for specifics on how to link the two, if you are unsure of how to do so.
I'm unsure from your question if you are integrating them already, but if not, Cognito does not currently support a way to list both sets of users.