IOS - AWS MobileHub Joins Authenticated Provider

There are certain terminological problems in your question:

• When you say developer , I'm not sure what you mean by AWS.
  • AWS uses the term “developer” (as in “developer identifiers”) to refer to externally supported pools, not private ones. AWS has its own product (Cognito User Pools) that you can privately support AWS. AWS does not consider user pools as a developer, but in practice it’s just a complete implementation of the renamed version of the developer identity provider).
• Regarding supporting tokens
  • The IOS SDK supports the tokens required to access AWSS. You should use a Mobile Hub (it has a much nicer object and interface design than the SDK). But regardless of whether you use a mobile assistant hub or SDK, you will never have to manage a token (the SDK does this for you). The documentation (almost brutally) hides this fact (yes, it lags behind the SDK).

3 ways to use Cognito

You must understand that there are 3 different APIs.

• COGNITO API and Updated API Documentation (RESTFUL Interoperability)
• ISO SDK and legacy SDK documentation (SDK is not RESTFUL, it has a ton of status).
• Mobile Hub Hub (MHH) SDK - MHH is documented (a little) by the hub and works pretty well in .h files used to create appledoc documentation.

Regarding Identity and SignIn / Authentication (the topic of this question), aws-mobile-hub-helper (hereinafter MHH) has an elegant design and works well. I would recommend anyone using Cognito to start from the Mobile Hub site (or at least with aws-mobile-hub-helper). MHH is primarily a wrapper for the SDK and helps clarify and separate persistent federated identity and credential / authorization issues for AWS from the issues of Identification, Authentication, and Attributes / Claims for this Identity .

• Authentication in MHH has only 1 AWSIdentityManager class.
• Logging into MHH has one protocol, AWSSignInProvider and two implementations of this protocol (plus one I did):
  • AWSGoogleSignInProvider : OpenID-Connect / OAuth implementation AWSSignInProvider for Google +
  • AWSFacebookSignInProvider : OAuth / Native implementation of AWSSignInProvider for Facebook
  • AWSCUPIdPSignInProvider : OpenID-Connect / OAuth AWSSignInProvider implementation for Amazon AWS Cognito Your User Pools (this is available in the forked repository).

The mobile hub assistant is only documented in .h files. They can be handled in the documentation using appledocs, and the comments there are very good if you had an overview of the class structure (which does not exist, but I will try to provide).

Debug Authentication SDK

The authentication protocol documented by AWS is a simplification and does not help to understand how authentication is performed using the SDK and the assistant mobile hub. The following diagrams show how authentication (authorization) and authorization (credentials) work for using AWS (for example, S3 and DynamoDB).

Understanding Cognito

• Understanding Cognito is initially confused for various reasons: authentication, authorization, and identity management in
  distributed system is complex. There are many parties with different roles and develop prescribed interactions with keys, tokens and
  signatures. End User, Relying Party (RP) Identity
  Provider (IdP) Resource Used (RS) and Resource Owner
  (RO). This terminology is used by OpenId Connect and OAuth2.0.
  regulations. For reasons that become clear, this terminology is not always used by AWS. But they are concepts and all objects are present when using Cognito.
  • There are some good reviews of OpenID connections on the Internet (for example: http://nordicapis.com/api-security-oauth-openid-connect-depth/ ) and a review of these will help.
• Cognito allows non-OpenID Connect Identity Providers, this is an advantage (for example: allowing OAuth / Native Facebook authentication) API), but it also means that Cognito plays "federated"
  role. This role goes beyond OpenID Connect standards.
  documents (Update 1: Recently, I began to wonder if the Cognito Credentials Provider is really an RP (Relying Party), which then provides credentials for AWS. But the main thing here is that OpenId Connect does not define the way in which Identities different IdPs can be merged.), Amazon essentially invents the role, while still having some name problems.

Naming Cognito

• Cognito is one name created by AWS to cover many functions and roles.

  • There is a RESTFUL web API in Cognito, but there is also a Cognito SDK. SDK calls and API messages are not called the same, and SDK calls make multiple and conditional API calls.
  • Cognito can combine identity providers. It can be saved and the association between authenticated users from different identifiers
    providers (so that it can remember your Google + and your facebook
    identities and associated with them with a single identifier CognitoId.)
  • Cognito can provide a persistent identifier (which, if anonymous, follow the iOS device using keychain data) for users as well as authenticated users. They are stored in the so-called identifier pool (not to be confused with the user pool). Your application receives the same identifier for the user on different devices for authenticated users. Identifiers without authentication (guest) follow a single device.
  • Cognito can store (known as "Sync") IdentityIds (on AWS server) status data, which works for authenticated and unauthenticated users.
  • Cognito has an AWSCredentialsProvider (source for AWS credentials for using AWS services (Cognito, but also S3, DynamoDB, etc.).
  • Cognito can create an OpenID Connect server called a user pool, which can be used by the Cognito identifier to authenticate users.
  • Cognito is new, but AWS Federated Identities and AWS Identity Management and AWS Credentials do not, so there are many classes with overlapping responsibilities. And naming conventions are confused (note the name AWSCognitoIdentityCognitoIdentityProvider!). Using a cognitive brand name for users is truly a nightmare. The AWSCognitoIdentity object is the CFI Cognito Federated Identity CFI, but AWSCognitoIdentityProvider is a thing similar to the userpools authentication provider, also called the identity provider.

• SDK class names are confusing. But with few exceptions, classes starting with AWSCognitoIdentity (but not AWSCognitoIdentityProvider) refer to credentialsProvider / IdentityProvider, classes starting with AWSCognitoIdentityProvider belong to Oauth / Open Id Connect providers and other distributed identity providers (facebook).

Glossary / Synonyms

These terms are used freely in all AWS documents and materials. This is an attempt to understand terminology by grouping terms that are interchangeable with AWS.

• Identity Provider, Authentication Provider, Input Provider, Federated Identity Provider
• Amazon Cognito, Cognito credential provider, cognito identity (everything seems to belong to the same class / process)
• Cognito user pool, Cognito Your user pools, user pool. CUP - an identity provider as an authentication provider
• Cognito identification pool, pool, cognito pool, identifier pool. It is sometimes called an identity provider (which seems wrong), but it is never called an authentication provider.
• Developer identifier, developer authenticator, developer provider, developer identity provider, all used to refer to private external identity providers.
• Identity is a term that is often used in Cognito documentation. It is important to understand that Cognito governs two different types of identity. identityId (which must be lowercase) is a permanent unique name that Cognito associates with credentials and uses to combine different Identity providers, and Identity (upper case), which is an authenticated identifier from an identity provider.
• identityId identity, identifier (as in get-id), identity, identityId
• Identification
• Federation means a few things.
• Web Authentication Federation - An earlier way to combine identifiers in AWS
• Cognito Federation Identifiers
• BYOI (provide your own identity), where the user can use Google, Facebook or another identity provider (possibly the identifier provided by the developer), usually through OpenId-Connect.

IdentityId Behaviors

• The identifier identifier looks something like this: we-east-1: 982396fs-841e-3cdd-9r43-e7ac41bhbcb28
• The identifier is supported on the iOS device in the key entry. For an unauthenticated IdentityId, it remains unchanged until you clear the keychain (this can be done in the simulator using Simulator → Reset Content and Settings ...). The moment IdentityId is abandoned. It is not disconnected; it is simply never used again.

• When a user authenticates, authentication disables the unverified identifier identifier (identityId will be permanently marked as DISABLED in the Logins array in the identityPool entry. You can see this on the Cognito console.) That is, currently on the device. There is one exception: if this is the first time authentication is performed for this Identity, then an unauthenticated identifier Id is not left, but is associated with the identifier and is used as an authenticated idID in the future.

• Combining multiple identifiers (which means non-IdentityIds user names) from different identity providers refuse (disable) one of the identifier identifiers and associates both identifiers with another identifier. Disabled Identifiers are created whenever this happens. These abandoned identifiers are marked as DISABLED in the Logins array in cognito identityPool.

• In practice, this process creates the wise use of unique identifiers with disabled ones only created when the user authenticates to the new device (this can be annoying when testing, because it creates a barrage of disabled and unused identifiers when the tester logs out and several times with several identifiers). But in practice, a common precedent will not create this obstacle for the disabled. User:

• Connect - get the identifier without authentication - authenticate - and use the same I AM. No abandoned identifier is created.

• Connect to another device - here it will instantly receive a new unauthenticated id - and when it is authenticated and received an identityId for his / her identity, this identifier without authentication will be disconnected and left.
• Each merge of identities from two identity providers will also create a disconnected and abandoned identifier.

AWSIdentityProviderManager

• AWSIdentityProviderManager is a protocol that manages federated AWSIdentityProviders

• In the AWSIdentityManager mobile hub assistant is AWSIdentityProviderManager

  • All you need to do is return the login credentials to the credential provider with the vendor name and ID. AWSIdentityManager returns only the provider name and token for a single provider identifier. It just gets the name and token from AWSSignInProvider and returns. (There is a plug with a modification that adds the ability to return all current registered providers in the login dictionary.)

  • As modified AWSIdentityManager supports an NSDictionary called cachedLogins. Each new login adds a login (identifier provider name and id identifier) ​​to the cache. Then logins always return all loginCache. This is what supports identity merging.

• When the credential provider calls the AWSIdentityProviderManager login method associated with it and finds a list of logins instead of one, it will combine the identifier for these logins in its database and disable the identifier of the identifier of one of them. How to make it know with what identifier the login is sent? The ID contains (insert the token in https://jwt.io to see yourself) a set of requirements, one of which is an identifier (for example: username)

• Note. Despite the fact that you have an identifier with several connected logins, in Mobile Hub Helper you are only ever authenticated with one AWSSignInProvider. Credentials are associated with a federated identifier, but an active AWSSignInProvider (authentication provider) is always used in accessing the mobile helper hub for this identifier, even if you are registered with multiple identity providers. Your application can track all AWSSignInProviders and access them independently of the AWSIdentityManager, but from the perspective of AWSIdentityManagers, you are logged in with one of them. In practice, this has little effect (until you try to get "claims", for example, imageURL from different providers).

About Merging Identifiers

• AWSIdentityManager does not currently support identity merging. I have a forked repository https://github.com/BruceBuckland/aws-mobilehub-helper-ios from the github repository, which adds this feature and adds the Cognito user ID provider AWSSignInProvider user (AWSCUPIdPSignInProvider.swift),

• You can probably think of all kinds of gotchas when merging identities.

• What if I try to combine two identifiers from the same provider (will the dictionary keys be the same?)

• What should I do if I try to combine two identifiers, each of which has a different identity of the same provider associated with it (and again they will create two objects with the same keys).

• Cognito does a great job of this and rejects merge attempts that cannot be combined. Failure occurs during login (when you try to get credentials, the credential provider will reject the login dictionary, which contains an un-mergeable identityId)

Where Cognito digs its data

• Cognito stores the keychain on the device, which contains the last identifier that was used. This is used by the credentialsProvider / identityProvider object when calling credentialsProvider.credentials (the name of the IOS SDK) to reuse an existing identifier (for example, an unauthenticated one) and to prevent the creation of unused identifiers unless the user logs in or resumes.

• Mobile-Hub-Helpers AWSSignInProviders and AWSIdentityManager store state indication of an open session in NSUserDefaults. They are used to restart the session if the application is completed and restarted.

• AWSSignInProviders also store NSUserDefaults, and sometimes in Keychain IOS, for their own internal purposes (for example, maintaining constant permanent access to a username or imageURL or token)