7

I have a mobile app with signup/signin options. Mobile app makes calls to Rest APIs and the APIs use Python boto3 CognitoIdentityProvider client to create users in AWS Cognito user pools. SignIn using email/password works fine.

For social sign-in, mobile app is updated with google sign-in and fetch idToken,accessToken. How do I use google returned signIn token to signin/create user in Cognito user pool from the backend python environment? Is this feasible?

For username/password options, I use signup and admin_initiate_auth methods. But not sure what to use to allow users to sign or create users in UserPool when using google/facebook signin option.

Essentially is there a way in Boto3 or other AWS libraries to create users in UserPool using google/facebook returned idToken>

suman j
  • 6,710
  • 11
  • 58
  • 109

1 Answers1

5

get_id method from boto3 CongnitoIdentity service addresses the concern.

Using the google returned ID token, call get_id to create federated identity.

    client = boto3.client('cognito-identity',
                        aws_access_key_id=ACCESS_KEY,
                        aws_secret_access_key=ACCESS_SECRET_KEY)
    response = client.get_id(
        AccountId='YOUR AWS ACCOUNT ID',
        IdentityPoolId='us-east-1:xxxdexxx-xxdx-xxxx-ac13-xxxxf645dxxx',
        Logins={
            'accounts.google.com': 'google returned IdToken'
        },
    )

Response includes the Cognito IdentityId:

{
"ResponseMetadata": {
  "RetryAttempts": 0,
  "HTTPStatusCode": 200,
  "RequestId": "xxxfb049b-1f77-xxxx-a67c-xxxfb049b",
  "HTTPHeaders": {
    "date": "Sun, 04 Mar 2018 06:43:13 GMT",
    "x-amzn-requestid": "xxxfb049b-1f77-xxx-a67c-xxxfb049b",
    "content-length": "63",
    "content-type": "application/x-amz-json-1.1",
    "connection": "keep-alive"
  }
},
"IdentityId": "us-east-1:xxx-2xx1-1234-9xx2-xxxx"
}
suman j
  • 6,710
  • 11
  • 58
  • 109
  • 3
    I don't understand why this answer is accepted and getting upvotes... The question is about authenticating a user with a user pool and the answer it about authenticating a user with an identity pool.. Am I missing something? – abumalick Jul 14 '21 at 12:02
  • 2
    IMO these names AWS have chosen are confusing as hell. In brief, the User Pool is what has the list of users and manages things like registration, login, lost PW, etc. for normal login. The Identity Pool is the layer that gives permissions to use AWS services. A User Pool has an ID Pool, "sits on top of it" in a sense. Now, obv federated manages its own users and AWS links that to an ID Pool to give perms to services. But where it gets really confusing is that a you can associate a User Pool with fed logins and it will create a passwordless user in the User Pool to represent them...I think...! – Hari Honor Jan 19 '22 at 16:31
  • @HariHonor, your comment makes sense, however, it is still unclear to me which value should be used for IdentityPoolId in this case to use the solution proposed? – João A. Veiga Jun 21 '23 at 19:10