How to authenticate user using identity providers in User Pool #508
Comments
I have a similar use case, I haven't found any sample code or docs. Is there anyone that can help us? EDIT: Are you looking for Federated Identities on Identity Pools or Federation on User Pool? These are two different scenarios. I want to provide the ability to authenticate via Facebook or Google and then authenticate the user on my User Pool to obtain a Token ( so in my case would be Federation on User Pool ). What about you? |
I have a very similar problem. However I think in such case the approach should be oposite (as previously I used Auth0 and that was very similar):
Would be great to have this flow covered with the lib API (this feature was added not that long ago to User Pools - federated authenticators, so I guess libs are not yet updated). |
@danilotorrisi I'm looking for Federation on User Pool too |
+1 |
2 similar comments
+1 |
+1 |
I've explained the process here: You would have to use the Auth sdk to interact with the authorize/token endpoints. https://github.com/aws/amazon-cognito-auth-js/ That would have you login with Facebook if Facebook is an identity provider for your user pool. A corresponding user is created in your user pool and the auth SDK saves that username and tokens in a local storage location (same location where this SDK retrieves it from). By using use case 16 in this SDK you can retrieve that user and the session containing the tokens. |
@itrestian Thank you for the answer. Is it posible NOT to use built-in AWS UI for signing up and signing in users? I want to use my own UI. Is it possible to authenticate user in User Pool by Facebook access token? |
@itrestian This is not the answer, as stated above we want to authenticate just with FB access token, not to trigger the external UI flow. @ildar-icoosoft Please see my answer - by specifying |
Would also like to see fed integrated in user pools. Any update on how this might be achieved / when the libs are being updated? Where might I find aws docs and examples? |
@rafalwrzeszcz, we do not accept Facebook token directly as of now. But if you hit /authorize endpoint with identity_provider=Facebook and the end user is already logged in, it will not show the Facebook UI to the end user (except the first time, when they need to grant the permissions to the Facebook App). Isn't this simpler as you do not have to deal with Facebook tokens? Any feedback is welcome on this. |
@rachitdhall: Totally, this is even the flow I proposed in my first post here. The only issue is that the lib doesn't provide possibility to do that. By specifying provider option I don't mean to add handling of Facebook token, but just URL |
@rachitdhall I use the cognito authentication within a native application and it makes things easier to just take the facebook sdk to get the Access Token and use this to register / authenticate on cognito (which can validate the access token at facebook in the background) . because on native applications, redirections don't work so well.. |
@rafalwrzeszcz Thank you! It works for me. I have a function googleLogin, that opens Here is my code: googleLogin() function. Pay attention to lines:
without them the session disappears after the page is refreshed
<redirect_page> - Page in popup window:
|
@davideickhoff you can try cordova in-app-browser plugin for Facebook. But it will not work with Google. Google denied access from web view |
I get an error on - CognitoUser does not exist on CognitoIdentityServiceProvider. If I get CognitoUser from amazon-cognito-identity-js it gives an error about no method cacheTokens() on cognitoUser .
|
@ajaxon it looks like you didn't included amazon-cognito-identity.js script.
|
Hmm yeah my imports are:
|
So this is related to the typescript types file. I'll take a look at fixing that. |
@ajaxon try to replace import "amazon-cognito-identity-js"; to import "amazon-cognito-identity-js/dist/amazon-cognito-identity.js"; It should help |
I just edited the index.d.ts file to include the methods I needed. Everything is working now , however when I make a social login request I only get back the idToken and accessToken without the refreshToken. How are you keeping the social user token refreshed? |
@ildar-icoosoft thanks for the code but is there a way not to use aws-sdk ? |
@ajaxon I was wondering the same and after some digging, I learned that in order to get a When With the authorization code grant flow, we get an authorization code sent back as a query string parameter in the redirect url, which we'd then pass with a request to their /oauth2/token endpoint and get a json response back with the refreshToken included. I got up to this point but get a |
I also struggled with this and managed to make it work for me, at least in minimal level. Finally, I created a simple app with setup instructions (see repo link below). Hope it is helpful for someone. |
I just made it using firebase in ~30 mins 😕 For now it's required using the hosted UI in AWS, but what about those that want to have their own UI? not using redirects on external services, seriously why? hope you adapt this in futures release.... About the jwt token from cognito for authenticate to AWS API Gateway? I just made my own authorizer for jwt using the firebase implementation and gets all working in my way... |
Can someone from AWS confirm whether it is possible or not to use the new "Federation" approach without the need to use the hosted UI? |
@djar I have figured out that if an app client only has a single identity provider then it will default to that provider and skip the hosted UI. So what I have done is made a Facebook client and a Google Client. Then the Facebook and Google login buttons on my site run use case 1 with the respective client ids. It seems like a work around, but gets the job done. |
Hi sam @sam-jg, I tried the same you say, however it still shows the hosted UI but only showing |
It would be good of AWS to provide a response or information on this rather than letting the community guess and flounder. |
@sebelga are you using hosted-UI ? |
No, I am opening my own modal with a url like: let authUrl = `${authHost}/oauth2/authorize?identity_provider=${identityProvider}&redirect_uri=${redirectUri}&response_type=${responseType}&client_id=${clientId}&state=${state}&scope=${scope}` |
AWS Amplify is trying to help solving the problem. Please take a look here, help us improve. AWS Amplify is a library, leverages Amazon Cognito service in authentication. So limitation to Cognito also applies, for example no OAuth only OpenID.
|
@richardzcode thanks but it also uses the hosted UI ? |
@flieks you can build your own UI. Just use Google button:
Facebook button:
Both:
|
Thanks @richardzcode so this uses the federation approach which doesn't need the redirect to the hosted UI ? |
For logging in users through Cognito and other Identity Providers with Federated User Pools, the code posted by @ildar-icoosoft is a valid starting point. Using that snippet, with minor adjustments, you should be able to log in users without having to use the hosted UI at all, and without depending on Contrary to what @cl2205 mentions you can keep using the regular implicit flow, but you do need to add |
@yuntuowang @hilkeheremans Is there sample app/ documentation to save the facebook user into userpool with custom UI? |
@joe455 Currently, we don't have doc/sample for this specific use case. But I will bring this up in our meeting and discuss with team. Thanks. |
Hi @yuntuowang , I am able to save the facebook user into userpool.Now how can retrive the current user logged in? getCurrentUser() returning me null always. |
getCurrentUser() returns null when it is not authenticated. I was able to check the result of getCurrentUser() after using authenticateUser! not sure how cognito works... especially tokens.. Does refresh token help users not to log in again?? for like.. if I set the expiry time 10years? I saw the maximum is 3650days... |
Hi @joe455 and @Kmiso, since we pushed the bug fix last week, now the SDK works well. Refresh token is used for refreshing id token and access token when they are expiring, therefore you don't need to log in again. @Kmiso is correct, the upper limit of refresh token is 3650 days. About tokens: |
@yuntuowang If I call the token endpoint and retrieve the tokens (access, id & refresh) for the user, is there a way to store this information as I would if I had used the SDK to handle everything? At the moment I seem to have to manage the information in the tokens, and refreshing them, manually however I want to be able to call cognito user pool and get the user from that. |
Hi @louisfoster, actually the auth SDK will cache tokens(store these info) after you sign in. When the current user's id token and access token are expiring, the SDK will check if refresh token is valid and refresh session as needed(when refresh token is valid). To get the user, do you mean get the current signed in user? |
I have more than 1 SAML identity providers in my user pool. When the user enters the username is there a way to know based on the username which identity provider i should send the authorize request to? |
Basically, when you sign up from a Identity Provider, e.g. Google, then the username saved on Cognito User Pool is like "Google_100338449557987692243". You can see this username under Cognito User Pool console "Users and groups" tab. |
thank you for your response, so when user with account "myAccount@IDP123" signed in using his identity provider "IDP123" on the hosted UI, that user got added to my UserPool and shows up as "IDP123_1000121342133211134" as you mentioned above. But i dont want to display all the identity providers under my user pool on the login screen, I need the user to be able to just enter "myAccount@IDP123" in the username textbox of my login screen and want to be able to determine behind the scenes his identity provider to get his access token. When I enter "myAccount@IDP123" in the username text box of the hosted UI I get the error "User does not exist" |
Hi @hetalmadhani, I understand your situation. Currently, we don't support that you can sign in directly using "myAccount@IDP123" in the username text box of the hosted UI. You need to click the identity provider button to sign in. So basically, you need to display all the identity providers under your user pool on the login screen. |
Hello @yuntuowang and others in my same situation... I'm attempting to implement my own authentication flow and UI/UX in an iOS mobile app, using a Cognito User Pool (not Federated Identities), and I use the Facebook SDK to allow the user to authenticate, meaning they don't have to provide a password. Upon the user successfully authenticating via the Facebook SDK, I receive back from Facebook an accessToken. As I understand from the documentation specified here: Thanks for your help. |
Hi @timricker, I cannot open this link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social.html But I think I understand your situation. So if you authenticate using Facebook, then the answer is YES. It will automatically create a user with your Cognito User Pool. What do you mean by accessing the newly created user? You can check this user on Cognito User Pool console under "Users and groups" tab. The username should be similar with "Facebook_100338449557987692243". |
@timricker I share your situation in Android. Unfortunately doing so won't get your user info saved into user pool, it has to go through the hosted UI which I don't want to use as it breaks my application UI/UX. I still desperately wait for AWS to support a native way. You can reference to the issue I posted here |
@yuntuowang, I'm not sure why you can't access that url (it works fine for me) but thank you for clarifying that a user is automatically created in the user pool after configuring the OAuth redirect url within my Facebook app settings. What I meant by asking how to access the newly created user is:
The user will not have specified a password (nor should they have to as this is the benefit of using facebook connect). It seems that @daole has raised the exact same issue above here and cognito does not support this functionality at this time. If this is indeed the case I would strongly suggest prioritizing this feature request as it makes cognito completely unusable for any serious mobile app that wants full control over its experience and not have to use the hosted UI. |
I have implemented 'Login with Google' in android hybrid app with the federated identities which is working fine and I am receiving accessKeyId, secretAccessKey, sessionToken. AWS.config.region = region; I haven't seen any document which clearly states the process. |
@yuntuowang - we need a cheat sheet. a google doc slide said another way - I get the app from mobile hub - when I go to user pool > users + groups - |
I need to authenticate users using federated identity providers in User Pool (docs). I can get access token from google or facebook but I don't know what should I do with this token to authenticate user in User Pool. Can you please give me an example how to do it using js sdk or link to API Reference method?
AWS Console User Pool screenshot
The text was updated successfully, but these errors were encountered: