Reputation: 578
I'm creating a back-end service and I'm using AWS Cognito. Right now, I'm using my Developer Authenticated Identities. So, my user can login using my own system. This part is done.
However, I'm having problems authenticating the user after the login. Let's say that the user sends me a request to access some private function of my API. How can I identify and authenticate this user?
If I use Facebook as the login provider, I can fill the HTTP header with his Cognito ID and his Facebook access token. Then, I can authenticate him by trying to get a Cognito Token using the function GetOpenIdTokenRequest.
I will have something like
Map<String, String> providerTokens = new HashMap<>();
providerTokens.put("graph.facebook.com", "xxxxxxxxxxxx"); // the Facebook access token sent by the client
GetOpenIdTokenRequest tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId(identityId); // the user's Cognito Identity ID sent by the client
tokenRequest.setLogins(providerTokens);
AmazonCognitoIdentityClient identityClient = new AmazonCognitoIdentityClient();
identityClient.setRegion(RegionUtils.getRegion(Configuration.REGION));
GetOpenIdTokenResult tokenResp = identityClient.getOpenIdToken(tokenRequest);
However, I'm not using Facebook.
So, I tried something like this
Map<String, String> providerTokens = new HashMap<>();
providerTokens.put("customdeveloper.authentication.com", "xxxxxxxxxxxx"); // my developer provider name
GetOpenIdTokenRequest tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setLogins(providerTokens);
Getting an error that my developer authentication is not a public provider.
I'm quite confused about whether I'm going in the right direction. I basically want to authenticate my user. Something similar to OAuth2, where I receive a token and can check the user's identity.
What is the right way of doing it using Cognito?
Upvotes: 4
Views: 3466
Reputation: 993
Yes, using the identity ID and Cognito Token, you can call getCredentialsForIdentity and determine that the token is valid and belongs to that identity.
You can then use these credentials to call different services as that user.
Another option is to put your backend server logic behind API Gateway: http://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html
Then your users would get credentials client side, and make calls using those credentials to API Gateway which fronts your server-side logic.
Upvotes: 2
Reputation: 578
The Cognito documentation is pretty vague on the server side, however I figured out a way of doing it.
So basically, you need to pass the Identity ID and the Cognito Token to the server. Then, on the server you do something like this:
// Build the logins map: the key is the Cognito provider name, the value is the
// Cognito Token that the client obtained and sent along with the request
Map<String, String> providerTokens = new HashMap<>();
providerTokens.put("cognito-identity.amazonaws.com", "auidhashaisdhals"); // placeholder token value
AmazonCognitoIdentityClient identityClient = new AmazonCognitoIdentityClient();
identityClient.setRegion(RegionUtils.getRegion(Configuration.REGION));
// Ask Cognito for credentials for this identity; the call fails if the token
// is invalid, expired, or was not issued for this Identity ID
GetCredentialsForIdentityRequest request = new GetCredentialsForIdentityRequest();
request.withLogins(providerTokens);
request.setIdentityId("us-east-1:XXXXX-9ac6-YYYY-ac07-ZZZZZZZZZZZZ"); // placeholder Identity ID
GetCredentialsForIdentityResult tokenResp = identityClient.getCredentialsForIdentity(request);
If you have the right Cognito Token, then you should be able to get the identity and authenticate. If the token is invalid, then you don't authenticate your user.
Amazon throws an exception if the token is invalid, so you can catch it and return a 404 error.
Upvotes: 1
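Putting the two answers together, here is an added example (not code from the question or either answer, and not an AWS-provided helper) of a server-side check that reads the Identity ID and Cognito Token from request headers, verifies them with getCredentialsForIdentity, and rejects the request on any failure, including a token that resolves to a different identity than the one claimed. The header names X-Cognito-Identity-Id and X-Cognito-Token are assumptions; which HTTP status to return on rejection is left to the caller.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.RegionUtils;
import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient;
import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityRequest;
import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityResult;
import com.amazonaws.services.cognitoidentity.model.NotAuthorizedException;

public class CognitoRequestAuthenticator {
    // Assumed header names; the client sends both values after logging in
    // through the developer-authenticated identity flow.
    static final String IDENTITY_HEADER = "X-Cognito-Identity-Id";
    static final String TOKEN_HEADER = "X-Cognito-Token";

    private final AmazonCognitoIdentityClient identityClient;

    public CognitoRequestAuthenticator(String region) {
        identityClient = new AmazonCognitoIdentityClient();
        identityClient.setRegion(RegionUtils.getRegion(region));
    }

    // Returns the verified Cognito Identity ID for this request, or null if
    // the caller could not be authenticated. Treat null as "reject".
    public String authenticate(HttpServletRequest req) {
        String identityId = req.getHeader(IDENTITY_HEADER);
        String cognitoToken = req.getHeader(TOKEN_HEADER);
        if (identityId == null || identityId.isEmpty()
                || cognitoToken == null || cognitoToken.isEmpty()) {
            return null; // missing credentials: do not call AWS at all
        }
        Map<String, String> logins = new HashMap<>();
        logins.put("cognito-identity.amazonaws.com", cognitoToken);
        GetCredentialsForIdentityRequest request = new GetCredentialsForIdentityRequest()
                .withIdentityId(identityId)
                .withLogins(logins);
        try {
            GetCredentialsForIdentityResult result = identityClient.getCredentialsForIdentity(request);
            // Bind the token to the claimed identity: reject if Cognito resolved another one.
            if (!identityId.equals(result.getIdentityId())) {
                return null;
            }
            return result.getIdentityId();
        } catch (NotAuthorizedException e) {
            return null; // token invalid, expired, or not issued for this identity
        } catch (AmazonServiceException e) {
            return null; // any other AWS-side failure: fail closed, not open
        }
    }
}
```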