Aws-sdk-android: RFC - Auth workflows: improvements and additions

What does the timeline look like for enabling using SAML based authorization?

Sorry, to fulfill my part of the bargain since you're soliciting feedback.

I've utilized Amplify within several web applications, and am now attempting to do so with Android.

Our application flow will be signing in immediately to one of the SSO providers, then making API calls with the assumed IAM role against API GW.

1. In our application we'll be using both a user pool and an identity pool in order to sign our users in and allow them to interact with our API GW endpoints.
2. In this case, we won't be using the drop-in UI because we'll be using SAML connections.
3. I don't have enough experience with the drop-in UI to answer this question
4. See 3
5. In this application, we will not
6. 0
7. If I were utilizing social sign-ins I'd rather utilize their SDKs than the hosted UI.
8. Not at all
9. Not in this case.
10. Yes, we will have SAML federation in our applications. If the timeline of the aforementioned RFC is within reason I will not have to write my own implementation of SAML federation.
11. Device remembrance is not a high priority for our application.

My main need at the moment is SAML from the AWSMobileClient.

As a developer, I don't want to do any of the listed things (sorry about that).
I know I was the one that asked for developer authenticated federation, but after it wasn't around we decided to put everything through user pools. Unfortunately, this is leading to other issues, like #646

Here is my other feedback

1. Are you using Cognito UserPools(authentication) and Cognito IdentityPools(authorization) both in your app?

Cognito User Pools.

1. Are you using drop-in UI in your app?

No, as the minimum version would mean we lose 5% of our users (also, it doesn't seem to support Open ID Connect federation)

1. Do you want more functionality in drop-in UI or more/ easy-to-use APIs in AWSMobileClient to better provide functionality in your app UI?

No.

1. Do you want to use drop-in UI as an onboarding mechanism and then move to your own UI before production or use available customizations to match drop-in UI to your app theme?

No.

1. Do you have social providers authentication in your app?

Yes, Open ID Connect through Cognito User Pools, and eventually Facebook and Google

1. How many social providers (and which) are part of your app?

1 (at the moment)

1. Do you prefer native social providers' SDK(e.g. FBLoginSDK) or hosted solutions(CognitoAuth)?

I would like to use native providers, but that would not work in combination with Cognito User Pools.

1. How important is framework size?

Relatively important. <10MB would be nice.

1. Do you have more than 1 configuration for same resources in your app? (e.g. 2 UserPools for the same app based on region)

Our app is on a "whitelabel" basis, so we will most likely have 5+ pools.

1. Do you have SAML federation in your app?

No.

1. Do you have features to remember user device in your app?

Kind of. We don't want a user to login with more than one device on the same account.

@andymartinwork,

Would you want to use the drop-in UI if it supported lower API versions? or are you saying you would rather write your own UI?

most likely have 5+ pools

Is this in the same app in when released? or do you have 5 versions of the app that may have 5 configurations?

Would you want to use the drop-in UI if it supported lower API versions? or are you saying you would rather write your own UI?

We would probably rather write our own UI anyway, as we need it to be very customised. But even if we did want to, 5% of our users are currently lower than 6.0. Our users are a bit more techy than usual, as the android dashboard says 25% of the global users are below 6.0

https://developer.android.com/about/dashboards/

Is this in the same app in when released? or do you have 5 versions of the app that may have 5 configurations?

We will have 5 versions of the app with 5 different configs, so it's easy for us to swap out the awsconfiguration.json file in our build step.

2.i
2.v
2.vi
Disable email/password completely and only rely on Google

Are you using Cognito UserPools(authentication) and Cognito IdentityPools(authorization) both in your app?
Yes
Are you using drop-in UI in your app?
Yes
Do you want more functionality in drop-in UI or more/ easy-to-use APIs in AWSMobileClient to better provide functionality in your app UI?
Both
Do you want to use drop-in UI as an onboarding mechanism and then move to your own UI before production or use available customizations to match drop-in UI to your app theme?
drop in
Do you have social providers authentication in your app? Yes
How many social providers (and which) are part of your app? Google
Do you prefer native social providers' SDK(e.g. FBLoginSDK) or hosted solutions(CognitoAuth)?
Native
How important is framework size? 3/10
Do you have more than 1 configuration for same resources in your app? (e.g. 2 UserPools for the same app based on region) No
Do you have SAML federation in your app? No
Do you have features to remember user device in your app? No

Our initial use case was to use phone number registration (With OTP) and setup a password to recover or login to that account on another device. (As we do not want to recover with SMS OTP because the phone number might have been recycled to someone else)
Since this is simply not possible without custom sign in & recover server side code we decided to use social sign in using NATIVE SDK for Google, Facebook, Twitter but this prove to be very tricky to setup using AWS sdk (I haven't finished it yet, still trying to figure out how to do the federate login using the token from the third party)

We never need drop-in UI as we want a fully integrated UI which match our app style. (No webview's either)

Btw aws-android-sdk-auth-google should support lower than API 23+ (It should be 19 or 21) (We are min 21) but no matter the min sdk it is using deprecated code which requires the user to approve runtime permissions. The latest google sign-in doesn't do this anymore.

https://github.com/aws-amplify/aws-sdk-android/issues/685
Google auth works with user pools but not facebook.....

Edit: Add 2.xii Lower the API level requirement to 15.

Edit: SDK version 2.12.5 release; updated question list

Hi team,

Is support for Cognito User Pool custom auth in AWSMobileClient on the roadmap?

Thanks.

Adding Manual Refresh of tokens to the list as requested in https://github.com/aws-amplify/aws-sdk-android/issues/696.

I would like to see Federated login implemented in the drop-in UI using the social SDKs. This would support rapid prototyping of apps to show clients. The clients all want social logins and they are used to seeing the social SDK login flows. You don't want to have to develop a custom authentication solution before the client is sold on the project. Start with a functioning drop-in supporting social SDKs and then you can start customizing things.

Some of the above comments are from people who are in the custom auth flow stage of development. I would not expect those developers to switch back to the drop-in UI.

I also find the documentation to be quite confusing.
This page tells you how to build a social UI...
https://docs.aws.amazon.com/en_pv/aws-mobile/latest/developerguide/mobile-hub-add-aws-mobile-user-sign-in.html
But those instruction don't reconcile with this page...
https://aws-amplify.github.io/docs/android/authentication

To figure things out I had to read the source code in the android SDK which led me to this issue. Now I see the SDK lets me build a social UI, but there is no simple way to get it functioning. There needs to a way for someone to get a social auth page running without a month's worth of work.

Thanks everyone for your comments! We're going to close this RFC for now.