How to integrate Cognito identity pool with another AWS account for API Gateway access
IMO the approach is valid; make sure that the API's resource policy allows only the assumed identity role to perform actions (assuming this is your use case).
You can also change the authorization type to Cognito and use the Cognito user access token and scopes to authorize access. Then you do not need to manage policies, see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-cross-account-cognito-authorizer.html.
How to integrate Cognito User Pools with Cognito Federated Identity Pools
The merging of identities is supported by the credentials provider but is not supported by the AWSIdentityManager (a part of the mobile-hub-helper). I have a modified version of the mobile-hub-helper (it is a fork of the mobile-hub-helper GitHub repository at https://github.com/BruceBuckland/aws-mobilehub-helper-ios). That fork modifies AWSIdentityManager to support several things: 1) It supports writing new AWSSignInProviders (a mobile-hub-helper protocol) and using them to resume sessions. 2) It supports "Allow Merged Identities" and the merging of identities. 3) It has a couple of helper methods to find which provider is currently doing the authenticating and the friendly name of a provider, which is useful for showing the user what is linked, and for showing which provider denied a login, for example.
There is also a sample app that includes an implementation in Swift of an AWSSignInProvider for Cognito User Pools. It demonstrates sign-in, sign-out and account linking for the three providers (User Pools, Facebook and Google). It implements several capabilities of User Pools including sign-up, sign-in, forgot password, update attributes, and the confirmation of those. It is at https://github.com/BruceBuckland/SignIn-awsmhh.
Finally, I recommend that you take a look at the PDF of notes in the example app. They may help you understand the interactions of the components better. It took me a long time to understand Cognito and I pulled my notes together to try to clarify the system for others. They are here: Cognito Notes and Diagram
How do I integrate Cognito user pool with identity pool?
Hi, the key thing here to understand is that when you call:
// pool is your AWSCognitoIdentityUserPool; it acts as the identity provider manager
// IDENTITY_POOL_ID is a placeholder for your own identity pool id
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
    initWithRegionType:AWSRegionUSEast1
        identityPoolId:@"IDENTITY_POOL_ID"
    identityProviderManager:pool];
The AWS framework will set everything up for you, and the Cognito User Pool and integration with federated identity will work seamlessly.
A key note which I initially overlooked is here: http://docs.aws.amazon.com/cognito/latest/developerguide/getting-credentials.html
// getIdentityId returns an AWSTask; the block runs once the identity id is resolved
[[credentialsProvider getIdentityId] continueWithBlock:^id(AWSTask *task) {
    if (task.error) {
        NSLog(@"Error: %@", task.error);
    } else {
        // the task result will contain the identity id
        NSString *cognitoId = task.result;
        NSLog(@"Cognito identity id: %@", cognitoId);
    }
    return nil;
}];
This forces a refresh of your credentials from the server. Objects contained on the user and also the session can be used to confirm the login and associated Cognito id, and session tokens.
Be careful not to also use MobileHubHelper with the above code, as the Mobile Hub Helper will destroy all of that.
AWS Cognito user pools on multi-tenant web app
I had to solve a similar problem this week. Apparently .NET Core doesn't support this out of the box, as it can raise some tricky questions about auth challenges when dealing with a GUI based website: https://github.com/aspnet/Security/issues/1847
I was solving this problem in the context of an API server however, and it was easy to make a few underlying assumptions.
I eventually solved it by implementing my own JwtBearerHandler class that's mostly the same as the .NET Core one, but reconfigures the JwtBearerOptions on the fly based on information in the HTTP request. The most relevant changes can be found here: https://github.com/tgittos/AmazonCognitoPrototype/blob/master/AmazonCognitoSpike/Auth/CognitoUserPoolResolver.cs
Basically the gist of the solution is to pull an identifier off of the request in the JwtBearerHandler and use that to reconfigure the Audience and Authority on the JwtBearerOptions based on what's been stored in a database as the request is coming in. It doesn't add a whole lot of overhead to the request and seems to work well enough.
The whole repo I linked is a proof-of-concept I worked on to get Cognito auth working with multiple user pools, so it might be worth taking some time to read the lot. It's pretty messy and includes classes that I didn't need to replace. The core changes are in CognitoUserPoolResolver, DSJwtBearerHandler and DSJwtBearerOptions.
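The per-request Authority/Audience resolution described in the answer above, as an added Python example that is not part of the answer or the linked repository. It assumes a constructed tenant registry (placeholder pool ids and client ids) standing in for the database, and a tenant identifier arriving in a request header; the token is decoded without signature verification only to confirm its iss/aud match the tenant the request claims, and full signature verification against that Authority's JWKS must still follow.

```python
import base64
import json

# Constructed registry standing in for the database: tenant -> Cognito user pool settings.
# Pool ids and client ids are placeholders, not real values.
TENANT_POOLS = {
    "acme": {"region": "us-east-1", "pool_id": "us-east-1_EXAMPLE1", "client_id": "acmeclientid123"},
    "globex": {"region": "eu-west-1", "pool_id": "eu-west-1_EXAMPLE2", "client_id": "globexclientid456"},
}


def cognito_authority(region, pool_id):
    """Issuer (Authority) URL that Cognito puts in the iss claim of its tokens."""
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"


def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def resolve_validation_options(tenant_header, bearer_token):
    """Return the Authority/Audience to validate this request's token against.
    Claims are read WITHOUT checking the signature; they only select the tenant config
    and are cross-checked against it. Signature verification must happen afterwards."""
    tenant = TENANT_POOLS.get(tenant_header)
    if tenant is None:
        raise ValueError("unknown tenant")
    authority = cognito_authority(tenant["region"], tenant["pool_id"])
    audience = tenant["client_id"]
    parts = bearer_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    claims = _b64url_json(parts[1])
    if claims.get("iss") != authority:
        raise ValueError("issuer does not belong to the requested tenant")
    # Cognito id tokens carry aud; access tokens carry client_id instead.
    if claims.get("aud", claims.get("client_id")) != audience:
        raise ValueError("audience mismatch")
    return {"Authority": authority, "Audience": audience,
            "MetadataAddress": authority + "/.well-known/openid-configuration"}


def rejects(tenant_header, bearer_token):
    """True when the resolver refuses to pair this token with this tenant."""
    try:
        resolve_validation_options(tenant_header, bearer_token)
        return False
    except ValueError:
        return True


def make_unsigned_token(claims):
    """Constructed sample token with a dummy signature, for exercising the resolver offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "kid": "constructed"}) + "." + enc(claims) + ".sig"
```

A token minted by one tenant's pool presented under another tenant's header is refused before any key lookup happens, which is the cross-pool confusion the per-request reconfiguration has to guard against.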