Developer authenticated federated logins #577

Closed
andymartinwork opened this issue Nov 16, 2018 · 7 comments
Labels
feature-request Request a new feature mobile client Issues with AWS Mobile's client-side Cognito wrapper pending-release Code has been merged but pending release

@andymartinwork
Amplify Auth for Cognito Identity logins using Developer Authentication

With AWS Mobile you used to be able to login to AWS using developer authenticated credentials.
I looked up the enum for federated login and found this:

package com.amazonaws.mobile.client;

public enum IdentityProvider {
    AMAZON("www.amazon.com"),
    FACEBOOK("graph.facebook.com"),
    GOOGLE("accounts.google.com"),
    TWITTER("api.twitter.com");

    // Provider key used in the Cognito Identity "logins" map
    private final String key;

    IdentityProvider(final String key) {
        this.key = key;
    }

    @Override
    public String toString() {
        return key;
    }
}

I noticed in the javascript repository, there is support for developer logins:

https://github.com/aws-amplify/amplify-js/pull/425/files

Is there any reason why developer logins were not included in amplify? I need to use it before I can migrate existing users over to Cognito User Pools.

The previous guides to get this done, including the CognitoSyncDemo and the links in other documentation, were deprecated and removed. Why would they be deprecated when there is no replacement feature in the new library?

https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-using-developer-authenticated-identities-an-end-to-end-example/

@minbi minbi self-assigned this Nov 16, 2018
@minbi minbi added mobile client Issues with AWS Mobile's client-side Cognito wrapper feature-request Request a new feature labels Nov 16, 2018
@minbi (Contributor)

minbi commented Nov 16, 2018

Hi @andymartinwork ,

The enum is provided for convenience. The federatedSignIn(String, String) api accepts a String, so you may pass in the required value.

@minbi minbi added the pending-community-response Issue is pending response from the issue requestor label Nov 16, 2018
@andymartinwork (Author)

It turns out federatedSignIn wasn't what I wanted in the end, since that would mean storing the secret in the app.

I managed to dig up the Cognito Sync Sample Demo from an old commit and create a DeveloperAuthenticationProvider.

https://github.com/awslabs/aws-sdk-android-samples/tree/a73f92a5e6a86c711f613ee3cc4cbfe91babe72a/%5BDEPRECATED%5DCognitoSyncDemo/src/com/amazonaws/cognito/sync/demo

In the end, I had to remove any reference to Amplify, since there is no existing way to do this in the amplify framework, and use the lower-level libraries.

@frankmuellr

Hi @andymartinwork,

Can you elaborate why you think that using federatedSignIn requires storing the secret? Also, can you describe your specific use case? Could User Pools work for your use case, and if not why so?

Thanks,
Frank

@andymartinwork (Author)

I want to do this:

[screenshot: screen shot 2018-11-29 at 08 57 12]

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-4-enhanced-flow/

My company has an existing user database which we may move into user pools eventually, but are not doing that right now. I want our app to access amazon services (specifically IoT) using our developer authentication.

To authenticate with our backend login system, our backend needs to authenticate with Cognito and pass back OpenID credentials. I then use these OpenID credentials to authenticate the client app with Amazon, so I can access the services directly.

I tried to pass in the OpenID token and cognito-identity.amazonaws.com as the parameters in the federated login but got the reply:

"com.amazonaws.services.cognitoidentity.model.NotAuthorizedException: Invalid login token. Can’t pass in a Cognito token. (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: NotAuthorizedException;"

The only way I have found to solve the problem is by creating a CognitoCachingCredentialsProvider with the OpenID details to set up an AmazonCognitoIdentityClient and call getCredentialsForIdentity.
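The flow described in this comment (backend calls Cognito and returns an identity id plus OpenID token; the app exchanges that token for temporary AWS credentials via GetCredentialsForIdentity) can be built on the lower-level AWS Android SDK with an AWSAbstractCognitoDeveloperIdentityProvider subclass and a CognitoCachingCredentialsProvider. The following is an added example written for this thread; it is not code from the issue or from the aws-sdk-android project. The developer provider name (login.example.com), the backend endpoint (https://backend.example.com/cognito/token), the JSON field names identityId and token, and the Bearer session token are all assumptions standing in for your own backend. The security point it illustrates is the one raised above: the AWS credentials and the developer-provider authority stay on the backend, and the app only ever receives a short-lived OpenID token over TLS after authenticating with the backend's own login.

```java
import android.content.Context;
import com.amazonaws.auth.AWSAbstractCognitoDeveloperIdentityProvider;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.regions.Regions;
import org.json.JSONObject;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/**
 * Developer-authenticated identity provider for the AWS Android SDK (added example).
 *
 * The app never holds AWS keys: it sends its own backend session token to the
 * company backend, and the backend (which holds the AWS credentials) calls
 * GetOpenIdTokenForDeveloperIdentity and returns only a Cognito identity id
 * plus a short-lived OpenID token for this user.
 */
public class DeveloperAuthenticationProvider extends AWSAbstractCognitoDeveloperIdentityProvider {

    // HYPOTHETICAL values: the developer provider name configured on the identity
    // pool, and the backend endpoint that returns {"identityId": ..., "token": ...}.
    private static final String DEVELOPER_PROVIDER_NAME = "login.example.com";
    private static final String BACKEND_TOKEN_URL = "https://backend.example.com/cognito/token";

    // Session token obtained from the app's own login with the company backend.
    private final String backendSessionToken;

    public DeveloperAuthenticationProvider(String identityPoolId, Regions region, String backendSessionToken) {
        // accountId may be null; the identity pool id identifies the pool.
        super(null, identityPoolId, region);
        this.backendSessionToken = backendSessionToken;
    }

    @Override
    public String getProviderName() {
        return DEVELOPER_PROVIDER_NAME;
    }

    /** Called by the credentials provider whenever it needs a fresh OpenID token. */
    @Override
    public String refresh() {
        setToken(null); // drop any stale token before asking the backend for a new one
        try {
            JSONObject body = fetchFromBackend();
            String newIdentityId = body.getString("identityId");
            String newToken = body.getString("token");
            // Hand both values to the base class so getCredentials() can exchange them.
            update(newIdentityId, newToken);
            return newToken;
        } catch (Exception e) {
            throw new RuntimeException("Could not obtain developer-authenticated token", e);
        }
    }

    /** Reuse the cached identity id when present; otherwise obtain one from the backend. */
    @Override
    public String getIdentityId() {
        if (identityId == null) {
            refresh();
        }
        return identityId;
    }

    // Calls the (hypothetical) backend over TLS, authenticated with the app's session token.
    private JSONObject fetchFromBackend() throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(BACKEND_TOKEN_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", "Bearer " + backendSessionToken);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        conn.getOutputStream().close(); // empty body; the session token carries the identity
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IllegalStateException("Backend returned HTTP " + conn.getResponseCode());
        }
        StringBuilder sb = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line);
            }
        }
        return new JSONObject(sb.toString());
    }

    /** Wires the provider into a caching credentials provider usable by any service client. */
    public static CognitoCachingCredentialsProvider buildCredentialsProvider(
            Context context, String identityPoolId, Regions region, String backendSessionToken) {
        DeveloperAuthenticationProvider developerProvider =
                new DeveloperAuthenticationProvider(identityPoolId, region, backendSessionToken);
        // The caching provider exchanges the OpenID token for scoped, temporary AWS
        // credentials (GetCredentialsForIdentity) and caches the identity id and token.
        return new CognitoCachingCredentialsProvider(context, developerProvider, region);
    }
}
```

Pass the returned CognitoCachingCredentialsProvider to the service client (for example an AWS IoT client) in place of any static credentials; the SDK calls refresh() through the provider when the cached token is missing or expired, so the backend remains the only place that decides whether a user may obtain a token. Limiting what those credentials can do is still done on the identity pool's authenticated role, not in the app.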

@frankmuellr frankmuellr removed the pending-community-response Issue is pending response from the issue requestor label Dec 3, 2018
@minbi minbi added the pending-release Code has been merged but pending release label Feb 12, 2019
@mutablealligator (Contributor)

@andymartinwork Thank you for your detailed response. We are tracking this issue as part of the effort in #634.

@andymartinwork (Author)

One more comment - do you know if this was done on iOS as well?

@minbi (Contributor)

minbi commented Mar 15, 2019

Hi @andymartinwork ,

This feature was also released on the iOS side.

awsmobilesdk pushed a commit to awsmobilesdk/aws-sdk-android that referenced this issue Apr 12, 2020
* Secure information stored in SharedPreferences

* Lower aws-android-sdk-core-test compile and target sdk version to 27

* Add a symlink to android-23.jar for core

* Add a gradle task that creates a symlink to android-23.jar for AWS Core

* Fix the gradle task that creates symbolic link to android-23.jar

* Change config.yml to setup android-23

* Enable core, cognitoidentityprovider and cognitoauth integration tests on CircleCI

* Enable core, cognitoidentityprovider and cognitoauth integration tests on CircleCI

* Fix pom.xml

* Improve exception handling in AWSKeyValueStore

* [2.12.3] Bump the patch version of 2.12.z

* Update 2.12.3 CHANGELOG

* Add the missing bucket prefixes to CleanupBucketIntegrationTests

* Fix a bug where migrating expirationDate in CognitoCachingCredentialsProvider crashes

* [2.12.4] Update changelog and bump version

* Annotate code specific to API Level 23 and above in AWSKeyValueStore

* Added API to accept key-value pairs which are appended to the connection username (aws-amplify#765)

The connection username is used as user metadata by the service for the purpose of metrics calculation.

* build android sdk with android-10 (aws-amplify#782)

* Add sign out options

* [MobileClient] Cleanup javadocs and remove unnecessary try..catch blocks

* [MobileClient] Add developer authenticated identities to federatedSignIn fixes aws-amplify#577

* [MobileClient] Add test for developer authenticated identities federatedSignIn

* [MobileClient] Persist identity id for developer authenticated identities

* [MobileClient] Add AWSMobileClient as client usage tracker in user agent

* [MobileClient] Add device operations; Add error message to ReturningRunnable

* [MobileClient] Add global sign-out functionality

* [MobileClient] Add custom role arn to settings in federated sign-in persistence

* [MobileClient] Add forgot password test; Fix sign out globally test

* [MobileClient] [Userpools] [CognitoAuth] Add HostedUI and OAuth 2.0 code grant flow support

[MobileClient]
Add HostedUI and OAuth 2.0 code grant flow support

[Userpools]
Fix threading issues reported in issue aws-amplify#722

[CognitoAuth]
Added methods to reset AuthHandler and get session without launching UI
Fix erroneous user cancelled when redirecting back to app fixes aws-amplify#328

* [MobileClient] Fix multiple adds of SignInProvider to provider list fixes aws-amplify#766

* [MobileClient] Fix git merge issues

* [MobileClient] Fix integration tests for new configuration

* [CognitoAuth] Fix NPE when ASF feature turned off

* [MobileClient] Finalize APIs before release, add persistence flag to OAuth 2.0 and HostedUI features

* [AuthSDKs] Update maven repositories in pom to maven.google.com

* [Core] Fix NPE when setting persistence in AWSKeyValueStore after initialization

* [MobileClient] Ignore manual tests in automation

* [MobileClient] Ignore drop-in UI test due to timeout; Default OAuth 2.0 client to persist

* Fix the transition between persistence enabled and disabled in AWSKeyValueStore

* Enable core, cognitoidentityprovider and cognitoauth integration tests on CircleCI

* Update changelog for 2.12.5; Add mobile client; Remove IoT metrics

* Skip reserved keynames (aws-amplify#791)

* Skip reserved keynames

* Add log when reserved key names are encountered

* Bump version 2.12.5 (aws-amplify#792)