aws cognito user pool domain - Invalid_Request - amazon-cognito

I have created a user pool and setup domain with app client settings () to host sign up and sign in pages in the cognito itself. When I tried using the url similar to -
https://myDomain.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=fkjfkasjfkasjfdweinfskfsfsfnk&redirect_uri=https://google.com
in the browser I am redirected to
https://myDomain.auth.us-east-1.amazoncognito.com/error?error=invalid_request#
Note: I tried using Cognito User Pool and Facebook identity providers without OAuth2 enabled.
Am I missing something?

It works for me with following User Pool settings.
App integration
App client settings
Enabled Identity Providers
☑ Facebook ☑ Cognito User Pool
Callback URL(s)
https://google.com
OAuth 2.0
Allowed OAuth Flows
☑ Authorization code grant ☐ Implicit grant ☐ Client credentials
Allowed OAuth Scopes
☐ phone ☐ email ☑ openid ☐ aws.cognito.signin.user.admin ☐ profile

You're doing everything correct from what you've describe, but you should check the following,
Have you added https://google.com in App Client Setting as Callback URL?
Have you checked your Identity Provider in Enabled Identity Providers?
In Allowed OAuth Flows, you must have checked "Authorization Code Grant".

In my case it was a required attribute (Name) that was set to Mutable: False.
After login user was prompted to reset their temporary password and set the name.
On form submission, An error was encountered with the requested page error appeared.
Making the Name attribute editable fixed the issue.

Enable Authorization code grant under Allowed OAuth Flows in the AppClientSettngs tab
Change the redirect_uri like
https://myDomain.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=fkjfkasjfkasjfdweinfskfsfsfnk&redirect_uri=https://myDomain.auth.us-east-1.amazoncognito.com
This worked for me

Related

Is possibile SAML authentication with login form in service provider page?

I think this scenario :
Authentication with IDP Provider by rest api passing username, password and a saml request , Is it possibile?
I would like to have my web application which have the page with login and password, on submit we invoke IDP rest api (send username, password, saml request)
s possible to have login form in our page and "invoke" an IDP via rest api and receive saml response by IDP endpoint?
Will Single Sing on work in this way?
Thanks :-)
Image authentication Flow
Is this https://docs.axway.com/en-US/bundle/SecureTransport_55_DeveloperGuide_allOS_en_HTML5/page/Content/DevelopersGuide/restAPI/SSO_REST_API.htm my solution?
Thanks
[07/02/2023] Solved:
No Sso with The resource owner password credentials (ROPC) flow
The OAuth 2 resource owner password credentials (ROPC) grant allows an application to sign in the user by directly handling their password. In your desktop application, you can use the username/password flow to acquire a token silently.
Constraints for ROPC
The following constraints apply to the applications using the ROPC flow:
Single sign-on is unsupported.
Multi-factor authentication (MFA) is unsupported.
Check with your tenant admin before using this flow - MFA is a commonly used feature.
Conditional Access is unsupported.

oAuth2 SSO without Cookie

We're having a native iOS and Android app that has a custom login form to authenticate a user directly via an authentication endpoint of an oAuth2 enabled indentity provider (the app sends the user credentials via HTTP request to the identity provider and gets a JWT as response).
The app does not have the possibility to open a browser with callback url or an in-app-browser to open the login form of the identity provider directly - so there is no possibility to set a cookie for SSO.
The app does sometimes redirect the user to other services (in the web browser) that are using the same identitiy provider. Until now, the user is forced to enter his credentials again to signin.
We're now looking for a (secure) way to implement SSO with the app, without the need of using a cookie enabled (in-app-)browser for the app login.
A solution we thought about:
sending a valid access_token to the identity provider together with the target url of the service
the identity provider validates the token and the target url
the identity provider authenticates the user after successfull validation and redirects the user to the service
Can this be considered as a secure solution? Is there a standardized way we don't know about to do something like that?

Silent authentification with oauth2 (prompt=none)

Hi I have SPA(Single page application) where I use oauth2 implicit grant for authorization. As Identity server I have Wso2 identity server 5.4.1.
I am able to authorize the app and everything works as desired - also I configured to skip the consent.
Here goes the problem:
I am trying to silently reauthenticate logged user with following link with help of .../oauth2/authorize service and attribute prompt=none:
https://xxx:9447/oauth2/authorize?response_type=id_token token&nonce=123&prompt=none&client_id=xxxx&scope=openid&redirect_uri=http://localhost:63342/myapp/www/index.html&id_token_hint=previous_user_token
With promp=none as written here:
http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
I should be able to authenticate user when he is logged and the consent is configured to be skipped or always approve.
But I always get the same error back in URI:
http://localhost:63342/myapp/www/index.html#error_description=Authentication+required&error=login_required&session_state=state124124125125.1251512
This error login_required means that your user is not logged in on the IP. You must first ask him to connect by redirecting it to the authorization endpoint without the prompt parameter set to none.
See : http://openid.net/specs/openid-connect-core-1_0.html#AuthError
login_required
The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication.
According to the documentation, it seems that the user must choose the option on the consent page: Approve Always. Have you tested with this option?
Docs: https://docs.wso2.com/display/IS530/Basic+Client+Profile+with+Playground
Click Approve to provide consent to this action. The screen mentions
the service provider by name and requests for user consent to provide
user information to that particular service provider. The user can
either Deny to provide information to the service provider. Approve
to provide user profile information to this service provider only for
this time.
Approve Always to provide approval to share user profile
information with the service provider even in the future without
prompting for consent again.

IdentityServer4 Password Grant

I've stood up an instance of identityserver4, an API project, and a UI.
The workflow is as follows:
User visits the UI.
User provides user name and password to UI.
UI sends credentials to back of web app, which uses a password grant to authenticate the user with IdentityServer4.
IdentityServer4 returns a token.
Token is used to identify who the user is to the UI and that the user has access to certain sections of the site.
When the user needs to do something within the site, the token is passed to the API via bearer auth.
The password grant isn't negotiable, as this is a first party app and it makes no sense to redirect the user away from the main site.
What's the proper set of middleware to use for this? Should I just use a CookieAuthenticationMiddleware and attach the token as a claim? I'll need to access the claims from HttpContext.User claims. Do I need to use IdentityMiddleware?
You can request identity scopes using the password grant type and use the userinfo endpoint to resolve them to claims - like in this sample:
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Clients/src/ConsoleResourceOwnerFlowUserInfo
And yes - you can use the cookie middleware to persist those claims and the access token for later usage.

OAuth2 but require Multi-Factor Authentication (MFA)

I have an app with confidential PII (social security number, payroll information). I'd like to enable users to login with OAuth IDs (Google, Linked In) for convenience but require those accounts have multi-factor authentication enabled in the identity provider, i.e. fail the login through OAuth2 if the user hasn't enabled MFA in their underlying identity provider account. This allows me to avoid exposing my confidential information to a weak GMail password.
Is there any way to do this?
Unfortunately, no.
In the case of Google and Linkedin, the authentication level is not linked to a specific scope. The Oauth response doesn't specify either if the user used an OTP token or not..
Even if the user is enrolled in MFA, the user can register the computer he's using as a trusted one and in this case, Google will never prompt him for an OTP. This behaviour may prevent many users to access your application.
Actually, I believe you could check on your own session / token to see if it was done through Google, Twitter, Facebook, etc and then require MFA / 2FA / OTP on the first use of that token. Does that make sense?
You could run your own TOTP microservice using Browser Authenticator which has the components you need to generate and verify a key and token in the browser and Node Authenticator which has the complementary server-side code.
Just add your own storage mechanism and an https call to microservice, update the session / token, and viola, you've added two-factor / multi-factor / one-time password authentication right on top of them.