9

I want to integrate a pretty standard piece of functionality: give users (mobile and web) the option to either log in with email/password or with a Facebook (Google) account, with RBAC (different users may have different roles, like users, moderators, admins, creators, etc.). Here is basically what I want from sign-in:


I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.

Here is my current understanding (please correct me where I'm wrong).

1) For the email/password signup/signin I use a User Pool. When a user signs in, I call authenticateUser (I'm using the JS SDK):

cognitoUser.authenticateUser(authenticationDetails, {
  // result carries the id, access and refresh tokens (handled below)
  onSuccess: function (result) { /* ... */ },
  onFailure: function (err) { console.error(err); }
});

where, in onSuccess:

  • I store the identity, access and refresh tokens, so the user doesn't have to enter their credentials every time
  • Because users will be accessing AWS services (e.g. S3), I exchange the idToken for AWS credentials
  • I store the AWS creds in LocalStorage for further use when accessing resources

2) For the Facebook sign-in I use Federated Identities:

  • get a Facebook access token
  • with the fb token, get a Cognito identity
  • exchange the Cognito identity for AWS creds and store those in LocalStorage

Questions:

Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?

Q2. How should I store Facebook users? Can I do it in User Pools? I have the impression that it's not possible, but that means I have 2 different user directories: one in the User Pool and another one somewhere else (let's say in DynamoDB).

Q3. If I have to store users in different places (User Pool and DynamoDB), that means I have 2 users for essentially one person, who first registered with email/password and then decided to use Facebook. This is an inconvenience both for me as app admin and for the user. How do I deal with this situation?

Q4. How do I manage groups for users who signed in with a Facebook token (like users, moderators, admins, creators, etc.)?

Q5. How should I restrict access to resources other than AWS for Facebook signed-in users?

Q6. Any working example for this?

Thanks!

Victor Kim
  • 1,647
  • 2
  • 16
  • 33
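As an added example (not code from the question or from either answer), here are the client-side helpers the two flows above need once the tokens are in hand: reading the id token's claims for UI purposes, refusing to reuse an expired token cached in LocalStorage, pulling the user pool groups out of the `cognito:groups` claim (the roles in Q4), and building the Logins map that `CognitoIdentityCredentials` takes, where the user pool is just one more provider beside Facebook. It uses only Node.js built-ins so it runs offline; the region, pool id, tokens and the `makeFakeIdToken` helper are constructed placeholders, and the Logins-map key formats are the ones Cognito Federated Identities uses for a user pool and for Facebook.

```javascript
// Added example, not code from the question or the answers. Pure Node.js, no
// AWS SDK, so it runs offline. Region, pool id and tokens are constructed
// placeholders.

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the claims of a JWT WITHOUT verifying its signature. Good enough for
// client-side UI decisions (which menu to show); never for authorization, since
// anyone can forge a payload. Authorization stays with the identity pool's role
// mapping and with your own API, which must verify the signature against the
// user pool's JWKS.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Tokens cached in LocalStorage outlive their validity; check before reuse and
// use the refresh token instead of sending a stale id token to the identity pool.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp !== 'number' || payload.exp <= nowSeconds;
}

// User pool groups (users, moderators, admins, ...) show up in the id token's
// cognito:groups claim; a Facebook-only identity carries no such claim.
function groupsFromIdToken(idToken) {
  const groups = decodeJwtPayload(idToken)['cognito:groups'];
  return Array.isArray(groups) ? groups : [];
}

// Build the Logins map handed to CognitoIdentityCredentials. The user pool is
// keyed by cognito-idp.<region>.amazonaws.com/<userPoolId>, Facebook by
// graph.facebook.com; either or both may be present.
function buildLogins({ region, userPoolId, idToken, facebookToken }) {
  const logins = {};
  if (idToken) {
    const payload = decodeJwtPayload(idToken);
    if (payload.token_use !== 'id') throw new Error('use the id token, not the access token');
    if (isExpired(payload)) throw new Error('id token expired; refresh before exchanging');
    logins[`cognito-idp.${region}.amazonaws.com/${userPoolId}`] = idToken;
  }
  if (facebookToken) logins['graph.facebook.com'] = facebookToken;
  if (Object.keys(logins).length === 0) throw new Error('no login token supplied');
  return logins;
}

// Constructed, unsigned stand-in for a Cognito id token (real ones are RS256
// signed by the user pool). Only for exercising the helpers above offline.
function makeFakeIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'constructed' }));
  const body = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${body}.${base64UrlEncode('not-a-real-signature')}`;
}
```

In the real app the object returned by `buildLogins` goes into `new AWS.CognitoIdentityCredentials({ IdentityPoolId, Logins })`; the groups list is only a hint for the UI, the actual permissions come from whatever IAM role the identity pool hands back.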

2 Answers

7

We added support for Federation through Facebook, Google and LoginWithAmazon for User Pools. This will create a user in user pool when a user logs in with federation. You can also capture the attributes from the identity provider using the attribute mapping feature.

Also, if you use the app integration feature, Amazon Cognito User Pools will generate a sign-in page like this for you.

Steps to SignIn/SignUp with a social provider through Amazon Cognito Console:

  1. Configure a domain for your user pool like .auth..amazoncognito.com
  2. Add any social provider and configure attribute mapping.
  3. Enable the provider on the App Client.
  4. Configure the callback URI, OAuth response type and allowed scopes.
  5. Access your hosted UI at https://.auth..amazoncognito.com/login?client_id=&response_type=&redirect_uri=
  6. Click on the button to SignUp/SignIn with Facebook (or your provider).
  7. Authenticate with the provider, you will be redirected to the callback URI with tokens/code.
  8. Check the newly created user in Amazon Cognito console.
Rachit Dhall
  • 1,601
  • 11
  • 12
  • Thanks, Rachit. That's awesome! A few weeks/months back I saw that just SAML support was added to User Pools Federation, but no social. And I didn't expect fb/google logins to appear any time soon (actually I was about to implement my own user directory as discussed above). Will definitely play with it. Keep up the quick features/fixes delivery. – Victor Kim Aug 11 '17 at 04:48
  • 3
    The doc says it's possible. And I am trying to implement it to my app. But I am having some difficult time to do it. Is there any official sample or tutorial for this? – supergentle Aug 31 '17 at 14:40
  • Any luck @Supergentle? I'm also stuck trying to use FB with user pools. – juankuquintana Sep 22 '17 at 02:21
  • 2
    The documentation shows using the cognitoidentitycredentials object. How does this create a user in the user pool with attribute mapping? I can see the identity in the federated identity pool but I can't see any users in my user pool? I have the federated identities set up in the user pool also. How does this create Facebook users?? – Tim Glenn Sep 24 '17 at 16:59
  • For using federation through user pools you do not need any code with the CognitoIdentityCredentials object; you can achieve user creation by just configuring from the Amazon Cognito Console. Updated the answer to reflect detailed steps, do let us know if you face any more issues. – Rachit Dhall Sep 25 '17 at 18:38
  • 1
    Thanks for the details @RachitDhall but can I do this without the custom auth ui? I’m trying to build a signup flow in react-native and would like to just call Facebook then cognito to auth new users into the pool – Tim Glenn Oct 03 '17 at 15:13
  • I've been searching for this answer myself. The steps above don't really help when trying to integrate into your own application. I get to the point where I have a CognitoIdentityCredentials object in my app with all the AWS credentials I need after performing a facebook login, but I don't see any of the mapped attributes that I setup in Cognito. I also have never seen my facebook users show up in my user pools. Has anyone actually ever gotten this flow to work? I've been searching for a sample for days with no success. – JasonPerr Oct 12 '17 at 16:05
  • Seems like you have integrated Facebook with Cognito Federated Identities and not Cognito User Pools. Have you tried running this sample (https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo) after the configuration above? – Rachit Dhall Oct 13 '17 at 18:28
  • Tried this [but failed](https://imgur.com/a/PKIUY). Note that in step 5, I did not know what to put for `response_type`, and for `redirect_uri`, I just put whatever I have in "Callback URL(s)" in the console. – Daniel Birowsky Popeski Dec 07 '17 at 16:42
  • @RachitDhall I tried this but I'm getting issues because Facebook is not returning an email, which is required for my app (and probably 99% of apps) . See my question here https://stackoverflow.com/questions/48135017/login-with-facebook-using-cognito-is-redirecting-to-url-with-an-error – CodyBugstein Jan 07 '18 at 07:23
  • @CodyBugstein I just answered your question, please let me know if it works or not. – Rachit Dhall Jan 08 '18 at 19:10
6
  1. I'm human and may have missed something, but that sounds pretty good to me.

  2. You can't store a federated identities login in user pools. Think of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.

  3. If a user logged in with both, linking those logins, you might want to consider avoiding user pools attributes entirely and only using Dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools requires its login token to see/update attributes. The user would have to log in with the user pool to touch those attributes; it'd get messy.

  4. I don't know that this is supported out of the box, like it is with user pools. You might have to do this using your hypothetical user database described above.
  5. You can also link your user pool to Cognito as a provider, much like you do for Facebook. That's how you exchange an id token for credentials.
  6. No official example from the service, though I can't speak for others.
Jeff Bailey
  • 5,655
  • 1
  • 22
  • 30
  • Thanks for the answer! Follow-up questions for #3: 3.1) What did you mean by avoiding user pools attributes? And what kind of attributes? 3.2) Did you mean to use a hypothetical DB (e.g. DynamoDB) even if authenticating with user pools, to store user profile info, like email, username, identifiers (from the Cognito user pools identity, from the Facebook federated identity, etc.)? Another question regards the LocalStorage mentioned: I read that it's not secure to store tokens there. What are the best practices for that (in mobile and web)? – Victor Kim May 16 '17 at 23:15
  • 3.1: User pools stores various attributes against a user (e.g. name, address, phone number, or a custom attribute). My answer is assuming you'd want to populate some form of those. 3.2: Yes, exactly. Specifics are up to your app needs, you could do something like encrypting it without too much trouble. – Jeff Bailey May 17 '17 at 05:43
  • Thanks a lot, Jeff! – Victor Kim May 22 '17 at 03:14