Migrating users from cognito userpool to identity pool - javascript

AWS SDK (JavaScript)
I ported all of my users from a MSSQL DB to an AWS Cognito UserPool.
Now I need to have each one of my Cognito users in my Identity pool.
This needs to happen so I can move my user data into Cognito Sync's datasets.
Problem:
I cannot move each cognito user in my userpool to my identity pool.
I have searched the docs and I cannot seem to find out how to go about this.
I cannot log each user in because each user will need to reset their own password. (This is due to the way things are when porting users from a .csv file.)
SOLVED
I loop through users in a batch.
Each user is converted to a Cognito User in a User Pool.
Once the Cognito User is successfully added, I then log that user in manually.
Then I have to set the user's password with a temp password.
Next I get the successful method called.
Inside the success method, I now have the user in the Identity pool because I logged the user in manually.
Now I get the user's Identity ID.
Now I can set DataSets.
NEXT IMPORTANT: I have to set the user back to "RESET REQUIRED".
Then the loop continues and I process the next user in the batch.
NOTE: Make sure you do not have anything checked in your MFA portion in the Userpool or emails will be sent. Also, emails are still sent in special circumstances. To get around this, I performed this task:
Change the user's email to fake#fake.com
All emails are sent to fake#fake.com
When you are done with the user and all is well, change the user's email back to the correct email.

First, Identity Pool does not have users - just identities. Each identity corresponds to a User (A Userpool user or a Google/FB user) in case of authenticated identities and has an IdentityId (for all identities - authenticated & unauthenticated). This is generated when a GetId API call is made with an IdToken from the appropriate IdP (Userpool in your case).
Also, I don't see why you need to generate identities for all the users in your userpool. These identities are supposed to be generated on-the-fly. Design & deploy your app and when a user uses your app for the first time, your app will make a GetId call, thus generating an IdentityId.

Related

Firebase user signup with email and send them password via email

I'm trying to allow users to sign up to a Firebase website using only their email and phone number. At a later time, I would like to send them their auto-generated password via email. Is this possible to do with Firebase Auth or Realtime Database?
Sure thing. You'll have to create the account through the Admin SDK, so in a trusted environment like your dev machine, a server you control, or Cloud Functions. There you call createUser(...) with the email the user entered and a temporary password that you made up.
You could do the same client-side, but in that case the password would be determined from the client too, which wouldn't be secure.

AWS Cognito Identity Pool: AWS Credentials Expiration / Renewal

I'm building an AWS-backed site which, broadly speaking, does the following:
Authenticates a user against a Cognito User Pool (the pool is backed by a third-party SAML provider), giving them tokens.
Uses a Cognito Identity Pool to grant the user credentials for use with other services.
Lets the user perform a series of long-running S3 uploads, directly from the front-end S3 client, using the credentials from above.
I'm trying to get clarity on the interactions I will have to have with tokens and credentials. I'm pretty clear on what I have to do with the tokens I get from the user pool:
I can use them to call the Identity Pool, and get AWS credentials I can use for S3.
I can use the refresh token to refresh the other tokens if they expire before I'm done.
The expiration details for these tokens are in the link above. The documentation is pretty clear on all of the above, but I'm confused about the Identity Pool credential functionality, and haven't been able to find explanations in the docs on the following questions:
When I get AWS credentials from my Identity Pool, how long will they last before expiring? How can I configure this value, so that my CognitoIdentityCredentials gives me credentials with my desired expiration?
If my AWS credentials expire before I'm done with my work, what's the right logic for attempting to 1. refresh the credentials and 2. if that fails, refresh the user pool tokens, so as to be able to complete the operation cleanly without making the user restart it?
The user pool is only for user management. Any interaction that the user has with AWS services and resources is done via Identity Pool. You assign the roles via Identity pool.
To answer your 2 specific questions:
Tokens last for 1 hour. This duration is fixed and cannot be changed.
If your tokens expire you can use the refresh token to generate new identity and access tokens. However, most of the front end sdks (even javascript) do this automatically for you. You don't have to worry about tokens expiring. In fact you will have to forcefully invalidate them if you have that requirement.
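The two-level retry the question asks about (refresh the identity-pool credentials; if that fails, refresh the user-pool tokens and try again), as an added example that is not part of the question or answer. `creds` is assumed to look like `AWS.CognitoIdentityCredentials` from the v2 SDK: an `expired` flag, an `expireTime` Date, a `refresh(callback)` method, and a `params.Logins` map. `refreshTokens` is an assumed async function wrapping the user-pool refresh-token exchange that resolves to a new ID token; `loginKey` is the Logins map key for the user pool. Credentials that expire within one minute are treated as expired so a long upload is not started on credentials about to lapse.

```javascript
// Added example, not code from the original post. `creds`, `refreshTokens`
// and `loginKey` are assumptions described in the lead-in.

// True when the STS credentials are expired or will expire within skewMs.
function credentialsExpired(creds, now = Date.now(), skewMs = 60000) {
  if (creds.expired || !creds.expireTime) return true;
  return creds.expireTime.getTime() - now < skewMs;
}

// Promise wrapper around the callback-style refresh().
function refreshCredentials(creds) {
  return new Promise((resolve, reject) =>
    creds.refresh((err) => (err ? reject(err) : resolve())));
}

// Returns 'fresh', 'refreshed' or 'reauthenticated' describing what was done.
// Throws if even the user-pool refresh fails (the user must sign in again).
async function ensureFreshCredentials(creds, refreshTokens, loginKey, now = Date.now()) {
  if (!credentialsExpired(creds, now)) return 'fresh';
  try {
    await refreshCredentials(creds);           // identity pool: same IdToken
    return 'refreshed';
  } catch (err) {
    const idToken = await refreshTokens();     // user pool: refresh token -> new IdToken
    creds.params.Logins[loginKey] = idToken;   // refresh() now exchanges the new token
    await refreshCredentials(creds);
    return 'reauthenticated';
  }
}

// Run `operation` (e.g. one S3 upload part) with fresh credentials, retrying
// once if AWS rejects the call with an expired-token error.
async function withFreshCredentials(creds, refreshTokens, loginKey, operation, attempts = 2) {
  let lastErr;
  for (let i = 0; i < attempts; i++) {
    await ensureFreshCredentials(creds, refreshTokens, loginKey);
    try {
      return await operation();
    } catch (err) {
      if (err.code !== 'ExpiredToken' && err.code !== 'ExpiredTokenException') throw err;
      lastErr = err;
      creds.expired = true;                    // force a refresh on the next pass
    }
  }
  throw lastErr;
}
```

Only credential-expiry errors are retried; any other failure propagates, so a real authorization denial is not masked by a refresh loop.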

How does AWS method level authorization know whether a user is a normal user or an administrator?

This tutorial explains how to set up two different IAM user types (user and administrator), in order to obtain a different set of gateway authorization credentials.
How is this set up within Cognito (how do we assign the IAM user to the person logging in?) such that the access credentials can be assigned for method level authorization?

JS AWS Cognito Sign up and link social provider

I need to be able to have a Cognito User Pool user, with the ability to link several different social providers to that user so they can either login using a email/password (basic cognito auth) or via their social account ('email' being the common data field/username).
The flow I currently have:
1) User clicks sign in with Facebook, my app handles the OAuth handshake and eventually gets the accessToken and email address
2) At this point I couldn't find a way to detect if the user was already registered in the User Pool, so I attempt a Login call with a random password and infer from the error response if the user doesn't exist at all.
3) If the user isn't registered, I redirect the user to registration page so they can provide a Password. Once confirmed, I call SignUp to create a regular cognito user (unverified).
From this point I am stuck.. How do I then associate the Facebook account to this newly created cognito user?
Note: As I'm using custom UI flow for this so using the HoC from aws-amplify-react-native library isn't possible.
After trying every possible method mentioned in Amplify documentation, it seems social signin with federatedSignin cannot be used with userpool.

Best way to implement no-password sign-in with Firebase

I'd like to simplify the authentication workflow in my Firebase app, and let users connect without password:
With third party OAuth providers: Facebook, Google, etc.
or
With email
If the later, the user would just fill in their address, receive a URL, and instantly get logged in without having to type/remember a password.
Whenever they logout, or, their session times out, they would enter their email again, and receive a new link to start a new session.
How to do that with Firebase?
I feel like it's not possible on the client, so what would be the best server side routine to achieve that workflow?
Finally, after taking some time to figure this out, I quickly realised that the email verification process cannot be used to solve this: the function to get this email sent can only be called by already logged-in users (which makes perfect sense). Hence it cannot be used to sign-in.
I ended up using this workflow with Firebase custom authentication :
CLIENT User asks to login, he's asked his email address, and told he will receive a link to complete log in upon form submission.
SERVER Receives the email address. Finds or creates user id belonging to that user, creates a custom token with this uid and sends an authenticated link by email (for example: http://myapp.com/?token=XYZ)
CLIENT User comes back in the app by clicking on that link, and the app can use the token parameter to immediately log-in the user using firebase.auth().signInWithCustomToken(token).
Look, ma, no passwud!
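The server half of that workflow (find or create the user, mint a custom token, build the link) plus the client-side token extraction, as an added example that is not the answer's own code. `auth` is assumed to be the Firebase Admin SDK Auth instance (`admin.auth()`); only `getUserByEmail`, `createUser` and `createCustomToken` are used, and it is injected so the code runs against a stub. It goes one step beyond the answer: a custom token is a bearer credential valid for about an hour, so the link carries it in the URL fragment rather than the `?token=` query string, which keeps it out of server and proxy logs. The client then calls `firebase.auth().signInWithCustomToken(token)` with the extracted value.

```javascript
// Added example, not code from the original answer. `auth` is assumed to be
// admin.auth() from firebase-admin and is injected rather than imported.

// Look the user up by email; create a password-less account if absent.
async function findOrCreateUid(auth, email) {
  try {
    const user = await auth.getUserByEmail(email);
    return user.uid;
  } catch (err) {
    if (err.code !== 'auth/user-not-found') throw err;
    const created = await auth.createUser({ email, emailVerified: false });
    return created.uid;
  }
}

// Build the link to email. The token sits in the fragment, which browsers
// never send to the server, so it does not end up in access logs.
async function buildLoginLink(auth, email, appUrl) {
  const uid = await findOrCreateUid(auth, email);
  const token = await auth.createCustomToken(uid, { via: 'email-link' });
  return `${appUrl}#token=${encodeURIComponent(token)}`;
}

// Client side: read the token out of window.location.hash before calling
// firebase.auth().signInWithCustomToken(token). Returns null if absent.
function tokenFromHash(hash) {
  const m = /(?:^#|&)token=([^&]+)/.exec(hash || '');
  return m ? decodeURIComponent(m[1]) : null;
}
```

Because the link is equivalent to a one-hour session, the mail should go only to the address entered and the app should clear the fragment (`history.replaceState`) once it has signed in.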
For the email part you can:
Use custom passwords from the front end, e.g. timestamps or some random words + timestamp, and store that timestamp in the user's database for future reference for session expiration.
For sending a link for starting a session you can use the verification email to send a link inside and modulate the contents of the mail as per your needs.
For knowing when your session expires:
Just retrieve the timestamp; let's say that is timeKeyRetrieved.
Check how much time has passed since the timestamp.
PS: For checking whether the user session has expired while the user is online, you will have to use a timer. And whenever your user gets online, just retrieve the timestamp in AppDelegate methods or viewWillAppear.