Questions tagged with Amazon Cognito Federated Identities

Should I use Cognito Identity Pool OIDC JWT Connect Tokens in the AWS API Gateway?

I noticed this question from 4 years ago: https://repost.aws/questions/QUjjIB-M4VT4WfOnqwik0l0w/verify-open-id-connect-token-generated-by-cognito-identity-pool

So I was curious and I looked at the JWT token being returned from the Cognito Identity Pool. Its `aud` field was my identity pool id and its `iss` field was "https://cognito-identity.amazonaws.com", and it turns out that you can see the OIDC config at "https://cognito-identity.amazonaws.com/.well-known/openid-configuration" and grab the public keys at "https://cognito-identity.amazonaws.com/.well-known/jwks_uri". Since I have access to the keys, that means I can freely validate OIDC tokens produced by the Cognito Identity Pool. Moreover, I should also be able to pass them into an API Gateway with a JWT authorizer. This would allow me to effectively gate my API Gateway behind a Cognito Identity Pool without any extra Lambda authorizers or needing IAM authentication.

Use case: I want to create a serverless Lambda app that's blocked behind some SAML authentication using Okta. Okta does not allow you to use their JWT authorizer without purchasing extra add-ons for some reason. I could use IAM authentication on the gateway instead, but I'm afraid of losing information such as the user's id, group, name, email, etc. Using the JWT directly preserves this information and passes it to the Lambda.

Is this a valid approach? Is there something I'm missing? Or is there a better way? Does the IAM method preserve user attributes...?
0 answers, 0 votes, 2 views, asked 24 days ago
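Added example, not from the question above or from any re:Post answer: the validation the poster describes, done offline in Python against a JWKS document, with only the standard library. The key pair, the JWKS, the identity pool id and the token are all constructed locally (a real check would fetch the JWKS from the jwks_uri advertised by the openid-configuration document and cache it by `kid`); the RSA key generation is only there so the block runs with no network and no crypto dependency. The verifier pins `alg` to RS256, looks the key up by `kid`, checks the PKCS#1 v1.5 signature before reading any claim, and then checks `iss`, `aud` (the identity pool id) and `exp`, the same set of checks an API Gateway JWT authorizer performs.

```python
import base64, hashlib, json, secrets, time

ISSUER = "https://cognito-identity.amazonaws.com"
# Constructed identity pool id for the demo; real ones look like "<region>:<uuid>".
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin on an odd candidate; fine for a throwaway demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024):
    """Return (n, e, d). 1024 bits keeps the demo quick; real keys are 2048+."""
    def prime(b):
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) as a k-byte integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def make_jwks(n: int, e: int, kid: str) -> dict:
    """Public half, in the shape a .well-known/jwks_uri document uses."""
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": enc(n), "e": enc(e)}]}

def sign_token(claims: dict, n: int, d: int, kid: str) -> str:
    """Mint an RS256 JWT; stands in for what GetOpenIdToken would hand back."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    k = (n.bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), d, n)
    return signing_input + "." + b64url_encode(sig.to_bytes(k, "big"))

def verify_identity_pool_token(token: str, jwks: dict, identity_pool_id: str, now=None) -> dict:
    """Check the signature first, then iss/aud/exp; ValueError on any failure."""
    h64, p64, s64 = token.split(".")  # ValueError if not exactly three segments
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # refuse 'none' and HMAC algs outright
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no RSA key for kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(s64)
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15(
            (h64 + "." + p64).encode(), k):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != identity_pool_id:  # aud is the pool id, not an app client id
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    return claims

if __name__ == "__main__":
    n, e, d = generate_rsa_key()
    jwks, now = make_jwks(n, e, "demo-key-1"), int(time.time())
    claims = {"sub": "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed
              "aud": IDENTITY_POOL_ID, "iss": ISSUER, "iat": now, "exp": now + 600}
    print(verify_identity_pool_token(sign_token(claims, n, d, "demo-key-1"), jwks, IDENTITY_POOL_ID))
```

Whether API Gateway will accept https://cognito-identity.amazonaws.com as a JWT authorizer issuer is the poster's open question; the block only shows what any verifier has to do with the published keys. One check worth adding on top: if the identity pool allows unauthenticated identities, a token from one passes all of the checks above, and the `amr` claim is what tells an authenticated identity from an unauthenticated one.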

How to dynamically update the policy of user(Cognito identity) from backend/lambda?

I am building an IoT solution using IoT Core. The end-user will be using a Mobile App and will be authenticated and authorized using Cognito. I want to authorize users to allow the iot:Publish and iot:Subscribe actions only on the devices that the user owns. The IAM Role attached to the Cognito Identity pool has only the iot:Connect permission when the user is created. The User won't have any additional permission at this point.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}"
    }
  ]
}
```

Now, when the user finishes the device provisioning, I want to attach the inline Policy to the Cognito identity of that user to authorize him to publish and subscribe to the shadow of that device. Let's assume the ThingName is Thing1, so the policy should be as below:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe"
      ],
      "Resource": "arn:aws:iot:region:account-id:topic/$aws/things/Thing1/shadow/*"
    }
  ]
}
```

The user may keep adding new devices and I want to scale this policy to include the resource ARNs of those devices. This is an example for IoT Core, but my question is very generic to IAM policies (e.g. the same can be applied to dynamically allow access to S3 bucket folders). So, here is my question:

1. What is the best approach for dynamically adding or removing the inline policy granted to the Cognito identity?
2. Can I use the STS service for updating/attaching the policy on my backend/Lambda when new Things are added or removed?

Note:

1. I can use the Customer Managed Policy, but it is not the right approach for granting policies to federated users as per my knowledge.
2. I know I can use the intelligent naming of the device as mentioned in this approach, but I have a very basic requirement. https://aws.amazon.com/blogs/iot/scaling-authorization-policies-with-aws-iot-core/
0 answers, 0 votes, 2 views, asked 2 months ago
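Added example, not from the question or from any answer on this page, showing one way to do what question 2 asks: rather than editing the identity pool's role, the backend (the Lambda that completes device provisioning) calls sts:AssumeRole with an inline session policy that lists only that identity's things, and hands the resulting short-lived credentials to the app. Assumptions: the account id, region, identity id, thing names and role ARN are constructed; the role's trust policy lets the backend assume it; boto3 is imported lazily so the policy builder runs offline. Two things differ from the policy in the question on purpose. The identity id is substituted literally, because credentials from AssumeRole are not Cognito-federated and `${cognito-identity.amazonaws.com:sub}` would be empty in that session. And `iot:Subscribe` is granted on a `topicfilter/` ARN, which is what AWS IoT evaluates for subscriptions, with `iot:Receive` added so the broker actually delivers messages on the subscribed topics.

```python
import json
import re

# Constructed values for the example; the question uses us-east-1 / 1234567890.
REGION, ACCOUNT_ID = "us-east-1", "123456789012"
THING_NAME_RE = re.compile(r"^[a-zA-Z0-9:_-]{1,128}$")  # AWS IoT thing-name character set
IDENTITY_ID_RE = re.compile(r"^[a-z0-9-]+:[0-9a-f-]{36}$")  # "<region>:<uuid>", loosely
MAX_SESSION_POLICY_CHARS = 2048  # STS cap on inline session policy plaintext


def build_session_policy(identity_id: str, thing_names, region=REGION, account_id=ACCOUNT_ID) -> str:
    """Least-privilege session policy for one identity and the things it owns.

    Both inputs are interpolated into ARNs, so they are validated first: a thing
    name containing '*' or '?' would silently widen the grant."""
    if not IDENTITY_ID_RE.match(identity_id):
        raise ValueError("invalid identity id: %r" % identity_id)
    bad = [t for t in thing_names if not THING_NAME_RE.match(t)]
    if bad:
        raise ValueError("invalid thing names: %r" % bad)
    iot = "arn:aws:iot:%s:%s:" % (region, account_id)
    # Identity id spelled out: an AssumeRole session is not a Cognito principal,
    # so ${cognito-identity.amazonaws.com:sub} would not resolve here.
    statements = [{"Effect": "Allow", "Action": "iot:Connect",
                   "Resource": iot + "client/" + identity_id}]
    if thing_names:
        shadow = ["%stopic/$aws/things/%s/shadow/*" % (iot, t) for t in thing_names]
        statements += [
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"], "Resource": shadow},
            # Subscribe is evaluated against topicfilter ARNs, not topic ARNs.
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": [s.replace(":topic/", ":topicfilter/", 1) for s in shadow]},
        ]
    doc = json.dumps({"Version": "2012-10-17", "Statement": statements}, separators=(",", ":"))
    if len(doc) > MAX_SESSION_POLICY_CHARS:
        raise ValueError("policy is %d chars; STS session policies are capped at %d"
                         % (len(doc), MAX_SESSION_POLICY_CHARS))
    return doc


def issue_scoped_credentials(role_arn: str, identity_id: str, thing_names, duration=3600) -> dict:
    """Backend side: AssumeRole with the policy above as the inline session policy.
    Needs boto3 and AWS credentials, so it is not exercised offline."""
    import boto3  # lazy: build_session_policy must work without it
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn,
        RoleSessionName=("dev-" + identity_id.replace(":", "-"))[:64],  # ':' is not allowed here
        Policy=build_session_policy(identity_id, thing_names),
        DurationSeconds=duration,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration
```

The 2048-character cap on session policy plaintext is why a per-device list stops scaling once a user owns more than a few dozen things; past that point the naming convention from the linked blog post, which keeps the policy a fixed size regardless of device count, is the better design, and the builder above fails closed rather than truncating the list.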

Amplify Storage.put succeeds on iOS, throws axios 403 forbidden error on android (React Native)

We have a react-native app that allows users to import images from a network camera and upload them to an S3 bucket. We recently migrated from Expo Kit (SDK37) to Expo Bare (SDK43), RN version 0.64.2. On iOS, both the release build and local debug builds work as expected and images are successfully uploaded to our S3 bucket. However, on Android, we get an error saying that the signature doesn't match, and a 403 error from axios. Here's what my setup looks like:

```
System:
  OS: macOS 12.2
  CPU: (8) arm64 Apple M1
  Memory: 85.48 MB / 16.00 GB
  Shell: 5.8 - /bin/zsh
Binaries:
  Node: 16.13.1 - /usr/local/bin/node
  Yarn: 1.22.17 - /opt/homebrew/bin/yarn
  npm: 8.1.4 - /opt/homebrew/bin/npm
  Watchman: 2021.11.29.00 - /opt/homebrew/bin/watchman
Browsers:
  Chrome: 98.0.4758.102
  Firefox: 97.0.1
  Safari: 15.3
npmPackages:
  @BeeCorp/react-native-volume-control: 1.0.1
  @apollo/client: ^3.4.16 => 3.5.9
  @babel/core: ^7.12.9 => 7.17.5
  @babel/plugin-proposal-class-properties: ^7.14.5 => 7.16.7
  @fortawesome/fontawesome-svg-core: ^1.2.36 => 1.3.0
  @fortawesome/free-solid-svg-icons: ^5.15.4 => 5.15.4
  @fortawesome/react-native-fontawesome: ^0.2.7 => 0.2.7
  @react-native-async-storage/async-storage: ~1.15.0 => 1.15.17
  @react-native-community/datetimepicker: 3.5.2 => 3.5.2
  @react-native-community/masked-view: ^0.1.11 => 0.1.11
  @react-native-community/netinfo: ^8.0.0 => 8.0.0
  @react-native-community/slider: 4.1.12 => 4.1.12
  @react-native-firebase/app: ^14.1.0 => 14.5.0
  @react-native-firebase/crashlytics: ^14.1.0 => 14.5.0
  @react-native-picker/picker: ^2.2.1 => 2.2.1
  @unimodules/core: ~7.2.0 => 7.2.0
  amazon-cognito-identity-js: ^5.2.6 => 5.2.6
  aws-amplify: ^4.3.14 => 4.3.14
  aws-amplify-react-native: ^6.0.2 => 6.0.2
  aws-appsync: ^4.1.4 => 4.1.4
  aws-sdk: ^2.1013.0 => 2.1077.0
  axios: ^0.23.0 => 0.23.0
  babel-preset-react-native: ^4.0.1 => 4.0.1
  buffer: ^6.0.3 => 6.0.3
  expo: ^43.0.0 => 43.0.5
  expo-asset: ~8.4.3 => 8.4.6
  expo-av: ~10.1.3 => 10.1.3
  expo-background-fetch: ~10.0.3 => 10.0.3
  expo-barcode-scanner: ~11.1.2 => 11.1.2
  expo-constants: ~12.1.3 => 12.1.3
  expo-location: ~13.0.4 => 13.0.4
  expo-secure-store: ~11.0.3 => 11.0.3
  expo-sensors: ~11.0.3 => 11.0.3
  expo-splash-screen: ~0.13.5 => 0.13.5
  expo-status-bar: ~1.1.0 => 1.1.0
  expo-task-manager: ~10.0.3 => 10.0.3
  expo-updates: ~0.10.5 => 0.10.15
  graphql-tag: ^2.12.5 => 2.12.6
  jest-fetch-mock: ^3.0.3 => 3.0.3
  jest-mock-axios: ^4.4.1 => 4.5.0
  jetifier: ^2.0.0 => 2.0.0
  jsdom: ^18.0.0 => 18.1.1
  lodash: ^4.17.21 => 4.17.21
  moment: ^2.29.1 => 2.29.1
  react: 17.0.1 => 17.0.1
  react-apollo: ^3.1.5 => 3.1.5
  react-dom: 17.0.1 => 17.0.1
  react-native: ^0.64.2 => 0.64.3
  react-native-animatable: ^1.3.3 => 1.3.3
  react-native-background-timer: ^2.4.1 => 2.4.1
  react-native-battery: ^0.1.18 => 0.1.18
  react-native-collapsible: ^1.6.0 => 1.6.0
  react-native-config: ^1.4.5 => 1.4.5
  react-native-copilot: ^2.5.1 => 2.5.1
  react-native-doc-viewer: https://github.com/mikemeyer30/react-native-doc-viewer => 2.7.8
  react-native-flash-message: ^0.2.0 => 0.2.1
  react-native-geolocation-service: ^5.3.0-beta.3 => 5.3.0-beta.4
  react-native-gesture-handler: ~1.10.2 => 1.10.3
  react-native-get-random-values: ^1.7.0 => 1.7.2
  react-native-image-picker: ^4.1.2 => 4.7.3
  react-native-keyboard-aware-scroll-view: ^0.9.4 => 0.9.5
  react-native-keyboard-spacer: git+https://github.com/datso/react-native-keyboard-spacer.git => 0.4.1
  react-native-material-design: ^0.3.7 => 0.3.7
  react-native-material-dropdown-v2: ^0.11.1 => 0.11.1
  react-native-paper: ^4.10.0 => 4.11.2
  react-native-queue: https://github.com/mikemeyer30/react-native-queue-asyncstorage => 1.2.1
  react-native-reanimated: ~2.2.0 => 2.2.4
  react-native-safe-area-context: 3.3.2 => 3.3.2
  react-native-screens: ~3.8.0 => 3.8.0
  react-native-svg: 12.1.1 => 12.1.1
  react-native-torch: ^1.2.0 => 1.2.0
  react-native-vector-icons: ^9.0.0 => 9.1.0
  react-native-web: 0.17.1 => 0.17.1
  rn-swipe-button: ^1.3.6 => 1.3.6
  tree-util: ^1.0.6 => 1.0.6
  uuid: ^8.3.2 => 8.3.2
npmGlobalPackages:
  @aws-amplify/cli: 7.6.20
  expo-cli: 5.1.1
  n: 8.0.1
  npm: 8.1.4
  react-native-cli: 2.0.1
  yarn: 1.22.17
```

We've been troubleshooting for a little over a week now with no success, so any pointers are greatly appreciated. If there's any additional information I can provide, I'd be happy to do so. Thanks in advance.
1 answer, 0 votes, 9 views, asked 3 months ago