I have a web application where people can upload files and I want a login for this so some functions can only be accessed by people who are logged in. I want to have one fixed pair of username and password, so there should be no option for users to create their own account (only the people who have the right information can access). I have a login paige where I proof with JavaScript if the fields are filled and if they are there should be invoked a lambda function to set the user to auth in Cognito to login. I created a fixed user in Cognito with username and password and I now want to proof if the entries of the fields are the same like the created user so that the user is logged in and can use the functions on the web app.
I read a lot of tutorials how to set up an authentication with cognito and lambda, but totally different to what I want to do. So I really have no idea how I can write the lambda function to do what I want.
Has anyone an idea how I can build up my plan or is it a bad idea like that?
Thank you for your help
you don't need the user/pass, in api gateway in the lambda method set the auth type to AWS_IAM, so only auth users will be able to call the lambda method... and then only that specific user will be able to call your lambda method.
inside the lambda method you can access
event.requestContext.identity.cognitoAuthenticationProvider
and
event.requestContext.identity.cognitoIdentityId
to get the user that was auth by AWS
Related
i'm using Cognito for user authentication on a site I'm working on for a client, and I need to add (if possible) a way for an admin (of the site) to login as a user. It's mainly used to see issues that the user is experiencing.
Do you know if there's a way to do that with Cognito, basically signing in as someone else if you have a specific code or belong to a specific group, or any other way?
Thanks
Not easily.
Effectively Cognito doesn't want you to be able to do this, as it opens no end of security issues within your application.
However, you can take control of the authorisation process by using Custom Authentication. By writing your own custom authentication, you can effectively allow user impersonation so long as the authenticating user can pass your authentication "tests".
I'd invite you to think hard about this method, however, as it does mean that you are now responsible for making sure no one else can use this backdoor.
In AWS Cognito, I want to allow the user to login only after confirming both phone number and email. Is there any way similar to GetUserAttributeVerificationCode API call where I can get the code without requiring the AccessToken from the user ?
I am on similar situation where I want to send verification code through lambda. I tried post authentication lambda trigger to check if we get accesstoken but no luck(which is a good thing from security point of view)
So, unfortunately, there is no AdminGetUserAttributeVerificationCode or any other method that lets you send verification code to a user without access token. The idea behind that seems to be that only the logged in user should be able to send verification code to himself and not to anyone else.
May be this restriction is to prevent anyone(including AWS) to send mass verification codes to public without their consent (spamming).
I'm operting a website, which enables users to login via facebook or/and google+ to access their user profile. If a user logs in with facebook, I want to show if the user also granted permissions to log in via Google+.
I have an G+ access- and refresh token in a database. I've tried to use the G+ client's "setAccessToken()" function and afterwards "isAccessTokenExpired()" to do a check. The problem is that "setAccessToken()" expects the accessToken param as a JSON string (the same you receive as you log in with google+). So I think that's not the way to go...
Does anyone has an idea how to check if the user granted permissions to log in (without logging in)?
Best regards
ninsky
Maybe it's not the best solution, but I've used a refresh token to check if I can get a new access token. If that fails, the user revoked access.
You're not specifying the library you're using (if any), but most of the Google-provided libraries require that the access_token object that was returned (which contains both the access_token and the refresh_token, along with other values) be the one that is passed to the API for authentication. In general, best practice is to store the entire JSON object and not the individual values in it.
I want my user to get authenticated just once and then I will save the required detials for the user, as I want to use the API for the mentions, hot tweets, popular tweets,etc.
Is their any way I can directly access the API functions without using the authentication process of login to twitter again when I want to use this functions.
Any kind of help will be appreciated.
It is already like that. You ask for authentication only for once then store access token of that user. Whenever you send requests to Twitter on behalf of that user, you will pass that token. This is how it is done unless the user revokes your access..
Has anyone successfully implemented the Google Identity Toolkit, an implementation of an Account Chooser. I followed the initial steps here, but I still have a few questions, as I don't quite know how to handle the entire data flow. I'm using Clojure / Compojure in the back-end:
http://havethunk.wordpress.com/2011/08/10/google-identity-toolkit-asp-net-mvc3/
http://code.google.com/apis/identitytoolkit/v1/acguide.html
A) don't quite understand how ID Provider authentication, fits into my data model
when implementing the callbackURL, what data should I expect, and
how's that session state managed by GITkit (and all Account Choosers)
B) Is there a way to set this up the 'callbackURL' for development.
the identity provider would need a URL that it can redirect back to
C) How can the GITkit / Account Chooser workflow let my users register an account that's native to my app?
Thanks in advance
The questions aren't entirely clear, but I've done an implementation of GITkit in ruby and can give you some pointers.
A) The callback URL is what handles the assertion from the identity providers. Rightnow GITKit only does OpenID, so the URL will contain an OpenID response either in the query parameters or as the POST body. You'll need to do a few things:
1) Call verifyAssertion in the gitkit API and pass the params/post body. This will return a JSON response that contains the user details (assuming assertion is valid). There are some other checks you should do as well
2) Decide what to do with the assertion. If it is an existing user, most likely you'll just establish a session and save the user ID. If it's a new user, you can either create a new account and start a session immediately, or defer that and redirect them to a signup page.
3) Render HTML/JS to notify the widget. There are different status codes and data you can return that changes the flow.
GITKit itself doesn't really manage session state, that's up to your app. Some of the reference implementations have code to help, but it's not part of the API. The widget does have some state that you can control with JS (add account, show as logged in, etc) and uses local storage in the browser.
The docs give some details and example code for how this should be implemented.
B) Of course. The URL is just configured in the javascript widget when you call setConfig() It can be set to localhost or any staging server for development. So long as your browser can reach it you're OK.
C) By "native", I assume you mean where they're signing up with just a username/password instead of using an IDP. If so, the user just has to enter their email address when logging in. If that email address matches a known IDP it'll attempt to authenticate with OpenID, otherwise if it's a new user it'll redirect to whatever signup page you configured in the widget. That signup page would just ask the user to create a password like you normally would. You should also return whether or not accounts are 'legacy' (password) accounts in the userStatus checks.
Hope that helps.
For anyone's future reference. I was able to resolve the issue. You can follow this thread of how's it's done in Clojure.
I got it working with Ring/Compojure, and another fellow showed me his solution in Webnoir.
HTH