
I'm practicing with the CognitoUserPoolsSample iOS Obj-C app and trying to add integration with Cognito Identity. I've set up a user pool and an identity pool with the user pool set up as an authentication provider for the identity pool. The user pool is working fine, but the users are not showing up in the identity pool. Here's what I have in applicationDidFinishLaunchingWithOptions:

```objc
// Set up service config
AWSServiceConfiguration *serviceConfiguration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:nil];

// Configure user pool
AWSCognitoIdentityUserPoolConfiguration *userPoolConfiguration = [[AWSCognitoIdentityUserPoolConfiguration alloc] initWithClientId:@"CLIENT_ID" clientSecret:@"CLIENT_SECRET" poolId:@"POOL_ID"];
[AWSCognitoIdentityUserPool registerCognitoIdentityUserPoolWithConfiguration:serviceConfiguration userPoolConfiguration:userPoolConfiguration forKey:@"UserPool"];
AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:@"UserPool"];

// Configure identity pool
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                      initWithRegionType:AWSRegionUSEast1
                                                      identityPoolId:@"IDENTITY_POOL_ID"
                                                      identityProviderManager:pool];
AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
```

Is this correct so far? What is the next step from here? How come when I sign up a new user it doesn't show up in the identity pool? The identity pool console shows zero identities created.

MaxB

2 Answers


You need to supply the token from Cognito user pools to the Cognito federated identity service. This is exactly how you would integrate Facebook or Google or any other provider with the Federated Identity service.

This dev guide page and blog post go over this process in detail.

Chetan Mehta

  • Thanks for responding @ChetanMehta. The code I've listed above is what those guides recommend. The one part that I haven't figured out is where the guide says: "After the user is authenticated, add that user's identity token to the logins map in the credentials provider." How do I do that? Thanks! – MaxB Aug 03 '16 at 16:31
  • There was a [similar question](http://stackoverflow.com/questions/37137278/aws-cognito-credentialsprovider-login-always-shows-nil-swift/3715113) a while back which I answered. Hopefully it will help. – Chetan Mehta Aug 03 '16 at 21:19
  • Hi @ChetanMehta, I'm back to working on this. I'm now getting the error: "Invalid login token. Issuer doesn't match providerName, __type=NotAuthorizedException" when I call getIdentityId on the credentials provider. Do you have a recommendation for debugging this? – MaxB Sep 19 '16 at 18:15
  • The invalid login token error disappeared when I upgraded the AWS SDK from 2.4.6 to 2.4.9. – MaxB Sep 27 '16 at 18:29
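
For the "Issuer doesn't match providerName" error discussed in the comments above, one way to inspect the ID token before it goes into the logins map. This is an added example, not code from the posts or from the AWS SDK: `JWTClaims` and `CheckIdToken` are hypothetical helper names, and the token and pool id `us-east-1_EXAMPLE` are constructed sample values.

```objc
#import <Foundation/Foundation.h>

// Decode the payload segment of a JWT without verifying the signature (debugging only).
static NSDictionary *JWTClaims(NSString *jwt) {
    NSArray<NSString *> *parts = [jwt componentsSeparatedByString:@"."];
    if (parts.count != 3) return nil;
    // base64url -> base64, then restore the stripped padding
    NSString *b64 = [[parts[1] stringByReplacingOccurrencesOfString:@"-" withString:@"+"]
                     stringByReplacingOccurrencesOfString:@"_" withString:@"/"];
    while (b64.length % 4 != 0) b64 = [b64 stringByAppendingString:@"="];
    NSData *data = [[NSData alloc] initWithBase64EncodedString:b64 options:0];
    if (!data) return nil;
    id json = [NSJSONSerialization JSONObjectWithData:data options:0 error:NULL];
    return [json isKindOfClass:[NSDictionary class]] ? json : nil;
}

// Hypothetical helper: returns nil if the token fits the provider, else what is wrong.
static NSString *CheckIdToken(NSString *jwt, NSString *region, NSString *poolId) {
    NSDictionary *claims = JWTClaims(jwt);
    if (!claims) return @"not a decodable JWT";
    // Logins-map key for a user pool; the token's issuer is this name behind https://
    NSString *provider = [NSString stringWithFormat:@"cognito-idp.%@.amazonaws.com/%@", region, poolId];
    NSString *expectedIss = [@"https://" stringByAppendingString:provider];
    if (![claims[@"iss"] isEqual:expectedIss])
        return [NSString stringWithFormat:@"iss is %@, expected %@", claims[@"iss"], expectedIss];
    if (![claims[@"token_use"] isEqual:@"id"])  // the logins map takes the ID token, not the access token
        return [NSString stringWithFormat:@"token_use is %@, expected id", claims[@"token_use"]];
    if ([(NSNumber *)claims[@"exp"] doubleValue] < [NSDate date].timeIntervalSince1970) return @"token expired";
    return nil;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample: an unsigned token for the made-up pool us-east-1_EXAMPLE
        NSDictionary *payload = @{@"iss": @"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
                                  @"token_use": @"id", @"exp": @4102444800};
        NSData *json = [NSJSONSerialization dataWithJSONObject:payload options:0 error:NULL];
        NSString *seg = [[[[json base64EncodedStringWithOptions:0]
                           stringByReplacingOccurrencesOfString:@"+" withString:@"-"]
                          stringByReplacingOccurrencesOfString:@"/" withString:@"_"]
                         stringByReplacingOccurrencesOfString:@"=" withString:@""];
        NSString *token = [NSString stringWithFormat:@"e30.%@.sig", seg];
        NSLog(@"same pool:  %@", CheckIdToken(token, @"us-east-1", @"us-east-1_EXAMPLE") ?: @"OK");
        NSLog(@"other pool: %@", CheckIdToken(token, @"us-east-1", @"us-east-1_OTHER"));
    }
    return 0;
}
```

The check only reads claims for diagnosis; the Cognito service still validates the token's signature when the credentials provider presents it.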

Hi. The key thing here to understand is that when you call:

```objc
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                      initWithRegionType:AWSRegionUSEast1
                                                      identityPoolId:@"IDENTITY_POOL_ID"
                                                      identityProviderManager:pool];
```

The AWS framework will set everything up for you, and the Cognito User Pool and integration with federated identity will work seamlessly.

A key note which I initially overlooked is here: http://docs.aws.amazon.com/cognito/latest/developerguide/getting-credentials.html

```objc
[[credentialsProvider getIdentityId] continueWithBlock:^id(AWSTask *task) {
    if (task.error) {
        NSLog(@"Error: %@", task.error);
    } else {
        // the task result will contain the identity id
        NSString *cognitoId = task.result;
    }
    return nil;
}];
```

Which forces a refresh of your credentials from the server. Objects contained on the user and also the session can be used to confirm the login and associated Cognito ID, and session tokens.

Be careful not to also use MobileHubHelper with the above code. As the mobile HUB Helper will destroy all of that.

MagicFlow

  • Could you elaborate on your statement: "Be careful not to also use MobileHubHelper with the above code. As the mobile HUB Helper will destroy all of that."? – cyanware Oct 17 '16 at 15:48
  • Are you saying that if I included Amazon's AWSMobileHubHelper.framework from their Mobile SDK 2.4.x, then it would be incompatible with Cognito User Pools? Currently, I am not able to link my User Pool logins with my Federated Identities after authentication, and I am at a loss as to why. It's supposed to be "automatic" and "seamless", but it's not working for me. – cyanware Oct 17 '16 at 15:55