Authenticating a Cognito User in Browser JS using tokens from Cognito itself as an Identity provider

1

Hi,

We have a multiplatform app consisting of an Android app and a website that share a User Pool for the login procedure. In the browser, for the login, we use without any problem the flow described in case 4 at https://www.npmjs.com/package/amazon-cognito-identity-js :

var authenticationData = {
	Username: 'username',
	Password: 'password',
};
var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails(
	authenticationData
);
var poolData = {
	UserPoolId: '...', // Your user pool id here
	ClientId: '...', // Your client id here
};
var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);
var userData = {
	Username: 'username',
	Pool: userPool,
};
var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
	onSuccess: function(result) {
  (...)

We also have an android application where users can also login using the Amplify framework, the login works as described in https://docs.amplify.aws/lib/auth/signin/q/platform/android/#sign-in-a-user

Amplify.Auth.signIn("username", "password",
    { result ->
        if (result.isSignInComplete) {
            Log.i("AuthQuickstart", "Sign in succeeded")
        } else {
            Log.i("AuthQuickstart", "Sign in not complete")
        }
    },
    { Log.e("AuthQuickstart", "Failed to sign in", it) }
)

But now we need to authenticate the users in another browser scenario (a webview inside the Android application) without asking for a username or password (as they are using the app, they have already logged in), I guess using the tokens generated in the Android login. I don't see any way to do such an authentication using the methods described in: https://www.npmjs.com/package/amazon-cognito-identity-js

I'm tempted to use in the browser webView, as described in https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html,

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: '<the pool that is shared by android and browser app>',
  Logins: { 
    'cognito-idp.<region>.amazonaws.com/<the_POOL_ID>': <the_jwt_token_derived_from_the_android_login?>,
  }
});

But this is not working at all. AWS.config.credentials shows an expired token, no login has been made, and I cannot retrieve a Cognito session. Does anyone know how to handle this situation?

Thanks in advance for your time

  • Hello. My question is, if the user is already authenticated, why do you need to send a token to Cognito again? Just have an "if" statement in your code to see if the user is logged in, and if not, make another call to Cognito. Unless I'm missing something here...

1 Answer
0

Hi,

No, your example:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: '<the pool that is shared by android and browser app>',
  Logins: { 
    'cognito-idp.<region>.amazonaws.com/<the_POOL_ID>': <the_jwt_token_derived_from_the_android_login?>,
  }
});

is in order to use a Cognito Identity Pool to exchange an OAuth2 identity token for temporary AWS credentials. It does not allow you to solve the challenge you have.

There are two options for you:

  1. Loading the URL in the webview with an Authorization header set to the value Bearer <Base64 encoded Access Token>, expecting this to load the content in the webview from an API endpoint authenticated by the provided Access Token
  2. Accessing the Hosted UI again in the webview; if you logged in less than 1 hour ago through the Hosted UI, an SSO mechanism will kick in

Neither of those is provided by the Cognito JS library, and both require your own implementation.

Jeff

AWS
answered 1 year ago
