I am able to sign in using auth.federatedSignin()
I would like to add the user thus signed in to a group (eg: Admin) on an already existing Identity Pool(eg: sales-app) and then treat this user as any other user that signs in using email and password.
I need this to allow federated users to be able to access my graphql endpoint.
I've looked up the documentation but couldn't find anything.
@aaayushsingh
Thanks for reaching out!
Here is some documentation you might find helpful:
Accessing AWS Services Using an Identity Pool After Sign-in
Getting Started with Amazon Cognito Identity Pools (Federated Identities)
If this isn't what you're looking for, please let us know what the gap is.
@haverchuck
I can sign in already and also access the graphQL endpoint, so authentication is working fine.
The problem is that the users signed in using Facebook are not showing up in any group or pool in the Cognito console. A separate 'group for Facebook users' is created in the identity pool, but even after multiple federated logins, it still says no user.
So I want to know how to add a federated sign-in user to a pool/group. I've already gone through the documentation you provided.
I think it's possible, because I think I accidentally did it following one random blog: but I don't know which one!
In my initial Cognito test I set up a web app with a signup page with text fields for user/password. A new user would then correctly appear in the Cognito user pool as "STATUS: UNCONFIRMED". Next I tested adding a "signup via google" - the button would redirect to google, the user logged in, and returned to the web app. This would add a new user in the user pool as "STATUS: EXTERNAL_PROVIDER" and with a magically generated user name like "Google_104673016547134647127". However, no entry is generated in the Identity Pool - but I decided to figure that out later...
With the successful test I went on to set up my React Native project - but that uses a whole bunch of other tech, so now using AWS Amplify and Expo (And maybe AWS App Sync? Or is it Mobile Hub? I've lost track of all the frameworks, wrappers, and dependencies at this point!) I can click a button and authenticate with google (via Expo.Google.loginAsync).
This returns the idToken that I can use with Auth.federatedSignIn. Calling this results in an entry in the Cognito Federated Identities tab with a field "linked login: accounts.google.com". But nothing appears in the User Pool tab, and my "user count" is unchanged.
The main difference I see between the two projects is that for the React Native app, in the cognito Identity Pool, I had to add "Google+" to the Authentication providers with a Google Client ID that I generated in Google Developer console (/apis/credentials).
In the web app, I did not have to add this, but instead in the User Pools section I had to add Google as an Identity Provider (under the "Federation") heading - with a Google App ID and Client Secret. I've forgotten where these come from now.
(Note: there is also a bunch of stuff about "Enabled Identity Providers" in the "App Client Settings" in the User Pool section - including checkboxes to enable Google and Cognito User Pools... but these were blank for both of my projects and I'm not sure how they relate to anything.)
So, in conclusion: I sort of got it half working in one situation - but I have no idea what any of this is doing and so now it's time to sleep and have nightmares about tokens, frameworks, and outdated documentation and internet tutorials!
To have a federated user sign in DIRECTLY to an Amazon Cognito User Pool, you have to use Amazon Cognito's Hosted UI, which we have documented here (this bypasses Cognito Federated Identities):
https://aws-amplify.github.io/amplify-js/media/authentication_guide#using-amazon-cognito-hosted-ui
More Cognito info about using this 'Social Sign-in' exists here:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-federation-with-social-idp.html
auth.federatedSignin() will not use user pools but instead federate against identity pools and provide AWS credentials. Documentation for this exists here:
https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html
Note: a Cognito User Pool CAN be an IDP on the federated identities pool
Let me know if you require more information. We can reach out to the Cognito team to understand how to better solve your use case.
I too have a question about this.
I currently have Amplify setup with Cognito Federated Identity signup / signin using React Native & the React Native Facebook SDK.
I'm currently able to sign in via the Auth.federatedSignIn method, but after sign in I'm unable to access resources in the corresponding AWS AppSync API that was configured in the same project using Cognito User Pools.
I'm guessing this is the case because Cognito does not know anything about the new identity created.
My question is this: Is there no way to use the React Native Facebook SDK to authenticate & then send authorized requests to AppSync using the Amplify API category?
I am able to sign in using auth.federatedSignin()
I would like to add the user thus signed in to a group (eg: Admin)
If I understand correctly, user groups only exist in the User Pool, not in the Identity Pool.
Adding federated users into groups can be done via User Pool Lambda triggers.
E.g. the post-authentication Lambda trigger or the pre-token-generation Lambda trigger.
There is no better Lambda trigger than these two right now, and they have to be fired every time any user signs in, though I know adding to groups only needs to happen once.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
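A pre-token-generation trigger of the kind described above, written as an added example for this thread (not Amplify's or Cognito's own code). It assumes the social IdP is federated through the User Pool, so the signed-in user carries the `identities` attribute Cognito sets on EXTERNAL_PROVIDER users, and it maps that provider to a group claim on every sign-in; the sample event and the group names are constructed.

```javascript
// Pre Token Generation trigger (V1 event) that adds a federated user to a group
// claim derived from the identity provider they signed in with. Constructed
// example for this thread, not Amplify's or Cognito's code. Assumes the IdP is
// federated through the User Pool (Hosted UI), so the user carries the
// "identities" attribute Cognito sets on EXTERNAL_PROVIDER users.

// Provider -> group. Keep privileged groups (e.g. Admin) out of this map:
// every account at that IdP would otherwise receive those claims.
const PROVIDER_GROUPS = { Google: "GoogleUsers", Facebook: "FacebookUsers" };

// "identities" is a JSON array string; each entry carries a providerName.
function federatedProviders(userAttributes) {
  const raw = userAttributes && userAttributes.identities;
  if (!raw) return [];
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return []; }
  if (!Array.isArray(parsed)) return [];
  return parsed.map((id) => id.providerName).filter(Boolean);
}

// Groups for this sign-in's tokens: the groups the user already holds in the
// pool (groupsToOverride replaces the cognito:groups claim, so they must be
// carried over) plus any provider-derived group, de-duplicated.
function groupsForEvent(event) {
  const cfg = event.request.groupConfiguration || {};
  const existing = cfg.groupsToOverride || [];
  const derived = federatedProviders(event.request.userAttributes)
    .map((p) => PROVIDER_GROUPS[p])
    .filter(Boolean);
  return Array.from(new Set([...existing, ...derived]));
}

// Lambda entry point: Cognito expects the same event back with response set.
// Runs on every sign-in and changes only the token claims, not the group
// membership shown in the console.
async function preTokenHandler(event) {
  event.response = {
    claimsOverrideDetails: {
      groupOverrideDetails: { groupsToOverride: groupsForEvent(event) },
    },
  };
  return event;
}

// Constructed sample: a Google-federated user who already holds "Readers".
const SAMPLE_EVENT = { response: {}, request: {
  userAttributes: { identities: JSON.stringify([{ userId: "104673016547134647127",
    providerName: "Google", providerType: "Google", primary: true }]) },
  groupConfiguration: { groupsToOverride: ["Readers"] } } };
```

Because the override only affects the issued tokens, the AppSync or API Gateway authorizer sees the group claim, but the console still shows no group membership for the user.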
I too have a question about this.
I currently have Amplify setup with Cognito Federated Identity signup / signin using React Native & the React Native Facebook SDK.
If you use the native Facebook SDK instead of the OAuth URL directly, you will have to use the cognito-identity-js SDK instead of the OAuth UI.
https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js/src
You need to use the custom auth flow and implement Facebook access token validation within the custom auth flow's Lambda functions. It would be similar to the description in the following blog. Instead of using an email code, you can use the FB access token for custom challenge validation.
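The validation step of that custom auth flow, as an added example for this thread (not Amplify's, Cognito's or the blog's code): a VerifyAuthChallengeResponse Lambda that treats the challenge answer as the Facebook access token and checks it against Facebook's debug_token endpoint. The FB_APP_ID and FB_APP_TOKEN variables, the `Facebook_<id>` username convention and the injectable `fetchDebugToken` helper are assumptions.

```javascript
// VerifyAuthChallengeResponse Lambda for the custom auth flow described above:
// the challenge answer is the Facebook access token the native SDK returned,
// and it is checked against Facebook's debug_token endpoint. Constructed
// example for this thread, not Amplify's or Cognito's code. Assumed names:
// FB_APP_ID / FB_APP_TOKEN environment variables and fetchDebugToken().

// GET graph.facebook.com/debug_token?input_token=<user token>&access_token=<app token>
// Uses the global fetch of Node 18+ (available on the Node 18 Lambda runtime).
async function fetchDebugToken(inputToken, appToken) {
  const url = "https://graph.facebook.com/debug_token?input_token=" +
    encodeURIComponent(inputToken) + "&access_token=" + encodeURIComponent(appToken);
  const res = await fetch(url);
  return res.json();
}

// The token must be valid, issued for THIS app, belong to the Facebook user the
// Cognito username names, and be unexpired. Accepting a valid token that was
// issued for another app or another user is the classic mistake here.
function isValidFacebookToken(debugData, expectedAppId, expectedFbUserId) {
  const d = debugData && debugData.data;
  if (!d || d.is_valid !== true) return false;
  if (String(d.app_id) !== String(expectedAppId)) return false;
  if (String(d.user_id) !== String(expectedFbUserId)) return false;
  if (typeof d.expires_at === "number" && d.expires_at * 1000 < Date.now()) return false;
  return true;
}

// Lambda entry point. The Cognito username is assumed to be "Facebook_<fb id>",
// mirroring the provider-prefixed names the thread saw for Google users. The
// fetcher is injectable so the handler can be exercised without network access.
async function verifyChallengeHandler(event, fetcher = fetchDebugToken) {
  const answer = event.request.challengeAnswer;
  const fbUserId = String(event.userName || "").replace(/^Facebook_/, "");
  let ok = false;
  if (answer && fbUserId) {
    const data = await fetcher(answer, process.env.FB_APP_TOKEN);
    ok = isValidFacebookToken(data, process.env.FB_APP_ID, fbUserId);
  }
  event.response = { answerCorrect: ok };
  return event;
}
```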
@aaayushsingh @dabit3 Do the above answers help with your use case questions?