Facebook/Google-only logins (no username/pwd) with AWS Cognito and React

I'd like to build a react.js web app (and eventually a React Native iOS app too) that relies on Facebook (and later Google) for authentication without a username/password option. I'm planning to host my server-side API (for both web and mobile versions of the app) in AWS API Gateway.

Now I'm trying to understand how AWS Cognito should fit into this app.

First, I'm assuming that I don't need a Cognito User Pool, because I only need federated social logins, not username/password logins. Is this assumption correct?

Second, I'm assuming that I do need a Cognito Identity Pool to easily authenticate my app's calls against the AWS API Gateway. Is this assumption correct? And is it still correct if all of my app's access to AWS services will be via calls to AWS API Gateway endpoints?

Third, is there a public code sample somewhere of a social-only login use-case like this? All the samples I could find in the AWS docs seem to assume that there's a Cognito User Pool being used. The closest I could find is one archived GitHub issue which seems close to my use-case, but it has no responses. ;-(

Justin Grant Avatar asked Aug 05 '18 05:08



1 Answer

First, I'm assuming that I don't need a Cognito User Pool, because I only need federated social logins, not username/password logins. Is this assumption correct?

Federated identities are used to "Provide temporary AWS credentials for users ..." - So if you only want to provide temporary access through Federated Logins, then this assumption is correct.

If you want to manage the user groups and profiles as well as other user services you will need the user pool. However, based on your question, this is not a need.

Second, I'm assuming that I do need a Cognito Identity Pool to easily authenticate my app's calls against the AWS API Gateway. Is this assumption correct? And is it still correct if all of my app's access to AWS services will be via calls to AWS API Gateway endpoints?

Your assumption is correct, however, I want to add information about authenticating with API Gateway so you understand what other methods exist.

Cognito Identity Pools are one way to authenticate against API Gateway. There are three ways to authenticate with API Gateway:

  1. Cognito Identity Pool Authenticated Role
  2. API Gateway Identity Pool Authorizer
  3. API Gateway Lambda Authorizer

The primary difference between Method 1 and Methods 2 & 3 is the authentication pattern. The Cognito Identity Pool Authenticated Role exchanges a JWT for AWS IAM credentials that are used in API calls. In the other two methods the JWT is used as the authenticator. In this answer I explain the difference in more detail.

Because the Cognito Identity Pool returns AWS IAM credentials, its uses are also broader. If your app will eventually require access to other AWS services (S3 for example) then Cognito Identity Pools would be the preferred method.

Third, is there a public code sample somewhere of a social-only login use-case like this?

Yes! I will try and provide some information on how to do this.

First, I would strongly suggest using the AWS-Amplify library for login. This library provides methods to:

  1. Authenticate with the Cognito User Pool
  2. Make a Sig v4 Request to API Gateway using the AWS IAM credentials received from Authentication

For example, once you have Google (or Facebook) configured as an Identity Provider in your Identity Pool, AWS Amplify can easily allow you to perform the sign-in (AWS Amplify Federated Identities)

However, this can also be done without AWS Amplify using the AWS JavaScript SDK. Example:

// AWS SDK for JavaScript v2 (in a browser build the global AWS object is used instead)
const AWS = require('aws-sdk');
AWS.config.region = 'us-east-1'; // region of the identity pool

// The Logins map carries the token(s) obtained from the identity provider(s);
// the SDK exchanges them for temporary IAM credentials scoped by the pool's authenticated role.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:1699ebc0-7900-4099-b910-2df94f52a030',
  Logins: { // optional tokens, used for authenticated login
    'graph.facebook.com': 'FBTOKEN',
    'www.amazon.com': 'AMAZONTOKEN',
    'accounts.google.com': 'GOOGLETOKEN'
  }
});

Recognize that in both solutions (with AWS Amplify and without) the authentication is a two-step process. First, your app must authenticate with Google or Facebook to receive a JWT. Second, this JWT is exchanged for IAM credentials that will be used for API calls.

Authentication Flow:

  1. App authenticates with the identity provider (such as Facebook) using the SDK for that identity provider. In response, the identity provider sends a JWT that will be cached by the app.
  2. App uses cached JWT to authenticate with AWS. If the Identity provider is configured in AWS, in response, AWS sends IAM credentials with the permissions granted to that identity provider.
  3. IAM credentials are used to make Sig v4 request to API Gateway

This documentation goes into more detail for these steps regarding Facebook.

In my own experience, I used Okta as an identity provider for my AWS Identity Pool using OpenID. Similar to you, I did not use a User Pool, as these services were managed by Okta.

This is another great resource in understanding "serverless" Authentication.

KiteCoder Avatar answered Nov 15 '22 05:11
