AWS Cognito: login with username / password OR Facebook

I want to integrate fairly standard functionality: to allow the user (mobile and website) to log in using email / password or with a Facebook (Google) account, with RBAC (different users can have different roles, such as users, moderators, administrators, creators, etc.). Here is basically what I want from the input:


I looked at a number of AWS training materials and other materials. I figured out how to implement it, but I still don't have the full picture. Hope someone can help me here.

Here is my real understanding (please correct me where I am wrong).

1) I use the user pool to register / enter email / password. When the user signs up, I call authenticateUser (I use the JS SDK):

cognitoUser.authenticateUser(authenticationDetails, { .. }) 

where onSuccess

  • I store the id, access and refresh tokens, so the user does not have to enter their credentials every time
  • Since the user needs access to AWS resources (e.g. S3), I exchange the idToken with AWS
  • Store the AWS creds in LocalStore for future use when accessing resources

2) I use Federated Identities to log in with Facebook

  • get a Facebook access token
  • with the FB token, get a Cognito identity ID
  • exchange the Cognito ID for AWS creds and store them in LocalStore

Questions:

Q1. Is this valid and sufficiently complete logic for registration / login? Did I miss something?

Q2. How should I store Facebook users? Can I do this in user pools? I got the impression that this is not possible, but that means that I have 2 different user directories: one in the UserPool and the other in another place (say, in DynamoDB).

Q3. If I need to store users in different places (UserPool and DynamoDB), it means that I have 2 users for what is essentially one user, who first registered by email / password and then decided to use Facebook. This is an inconvenience for me as the application administrator and for the user. How do I deal with this situation?

Q4. How do I manage groups for users who are logged in with a Facebook token (for example, users, moderators, administrators, creators, etc.)?

Q5. How do I restrict access to non-AWS resources to Facebook members?

Q6. Any working example for this?

Thanks!

+8
amazon-web-services facebook-login amazon-cognito aws-cognito amazon-cognito-facebook
2 answers
  • I am human and may have missed something, but that sounds very good to me.

  • You cannot store a login with federated identities in user pools. Think of user pools as another identity provider, like Facebook. Dynamo (or something else) would be the way to go.

  • If a user is logged in with both of these logins, you may need to completely exclude user pool attributes and use only Dynamo. When linking two logins for Cognito federated identities, only one login is required, but user pools require their own login token to view / update attributes. The user would have to log in with the user pool in order to touch these attributes, and it gets messy.

  • I do not know that this is supported out of the box, as it is with user pools. You may need to do this using your hypothetical user database described above.
  • You can also associate your user pool with Cognito as a provider, just as for Facebook. This is how you exchange the identity token for credentials.
  • There is no official example from the service, although I cannot speak for others.
+4

We have added federation support through Facebook, Google and LoginWithAmazon for user pools. This will create the user in the user pool when the user logs in through federation. You can also capture the attributes from the identity provider using the attribute mapping feature.

In addition, if you use the application integration feature, Amazon Cognito User Pools will create a login page for you.

Steps to sign in / sign up with a social provider through the Amazon Cognito Console:

  • Configure the domain for your user pool, for example .auth..amazoncognito.com
  • Add any social provider and configure attribute mapping.
  • Enable the provider in the app client.
  • Configure the callback URI, OAuth response type, and allowed scopes.
  • Access the hosted UI at https://.auth..amazoncognito.com/login?client_id=&response_type=&redirect_uri=
  • Click on the SignUp / SignIn button with Facebook (or your provider).
  • After authenticating with the provider, you will be redirected to the callback URI with tokens / a code.
  • Verify the created user in the Amazon Cognito console.
+3
