I'm using federated identity pools with aws-amplify (https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities) and I'd like to restrict the scope of domains to just my Google domain organization (e.g. [email protected]).
There doesn't seem to be a way to lock it down in either the Google API console or the AWS Cognito identity pool settings, just a hint that an hd parameter can be appended to the Google request to restrict it by domain (which would still require modifying the aws-amplify core package), and it still wouldn't be secure since anyone could just make the same request without the hd and gain access to Cognito.
My question is this: is there a way to restrict a Google OAuth key to only allow @foobar.com email addresses, or to implement the same restriction with AWS Cognito?
Q: Which public identity providers can I use with Amazon Cognito Identity? You can use Amazon, Facebook, Twitter, Google and any other OpenID Connect compatible identity provider.
You can use federation to integrate Amazon Cognito user pools with social identity providers such as Facebook, Google, and Login with Amazon. To add a social identity provider, you first create a developer account with the identity provider.
Amazon Cognito supports authentication with identity providers (IdPs) through Security Assertion Markup Language 2.0 (SAML 2.0). You can use an IdP that supports SAML with Amazon Cognito to provide a simple onboarding flow for your users. Your SAML-supporting IdP specifies the IAM roles that your users can assume.
By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Active Directory. Setting up federation between Active Directory and Cloud Identity or Google Workspace entails two pieces:
Limit authentication by creating new Cloud Identity or Google Workspace user accounts only for users that need them and are known to not have an existing consumer account.
The federated user clicks the Google Apps SSO link to AWS in their browser. If the user has not already logged in, he will go to the Google Apps account login portal.
To federate with Google Workspace domains, use SAML/WS-Fed identity provider federation.
I believe I found a solution (from several quick tests it seems to be working fine).
Don't try to control the hosted domain part via the Trust Relationship in the Role.
1. Go to: Cognito / Edit Identity Pool / Authentication Providers
2. Select Google+
3. In "Authenticated role selection" select "Choose role with Rules"
4. Now require claim "hd" to be "equals" to <your-domain>
5. Set "Role resolution" to "DENY"
Source: https://forums.aws.amazon.com/thread.jspa?messageID=527303
Here's a CloudFormation stack to set everything (identity pool, roles, etc.) up in one go. YOU NEED TO MAKE THE NECESSARY ADJUSTMENTS at all places marked with an "EDIT HERE:" comment.
AWSTemplateFormatVersion: "2010-09-09"
Description: "An Identity Pool stack which uses Google for sign-in"
Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: identity_pool_a
      AllowUnauthenticatedIdentities: false
      SupportedLoginProviders:
        # EDIT HERE:
        "accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"
  IdentityForbiddenRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: None
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: "*"
                Resource: "*"
  IdentityAllowedRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: UserPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # EDIT HERE:
                Action: "s3:GetObject"
                # EDIT HERE:
                Resource: "arn:aws:s3:::my-bucket/*"
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      # Both defaults point at the deny-all role; Google users only receive
      # IdentityAllowedRole through the hd rule mapping below.
      Roles:
        unauthenticated: !GetAtt IdentityForbiddenRole.Arn
        authenticated: !GetAtt IdentityForbiddenRole.Arn
      RoleMappings:
        accounts.google.com:
          AmbiguousRoleResolution: Deny
          Type: Rules
          RulesConfiguration:
            Rules:
              - Claim: hd
                MatchType: Equals
                # EDIT HERE:
                Value: mydomain.com
                RoleARN: !GetAtt IdentityAllowedRole.Arn
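As an added illustration (not part of the original answer), here is the rule evaluation that the console steps and the RoleMappings block above configure, modelled in Python and run against constructed Google ID-token claim sets; the role ARN and account id are placeholders, and it also covers the other Cognito match types so the difference between Equals and Contains is visible.

```python
# Model of Cognito identity-pool rule-based role resolution (added example).
# Rules are tried in order; the first match wins. With AmbiguousRoleResolution
# "Deny", a token matching no rule gets no credentials at all, which is what
# closes the gap left by the optional "hd" request parameter: a consumer
# Google account carries no "hd" claim and therefore can never match.

# MatchType values as named in the Cognito RulesConfiguration API.
MATCHERS = {
    "Equals": lambda claim, value: claim == value,
    "NotEqual": lambda claim, value: claim != value,
    "Contains": lambda claim, value: value in claim,
    "StartsWith": lambda claim, value: claim.startswith(value),
}

# Same rule as the template above; the role ARN is a placeholder.
RULES = [
    {"Claim": "hd", "MatchType": "Equals", "Value": "mydomain.com",
     "RoleARN": "arn:aws:iam::123456789012:role/IdentityAllowedRole"},
]


def resolve_role(claims, rules=RULES, ambiguous_resolution="Deny",
                 default_role=None):
    """Return the role ARN for an already-verified token's claims, or None.

    None means the identity pool refuses to hand out credentials.
    """
    for rule in rules:
        claim_value = claims.get(rule["Claim"])
        if claim_value is None:          # absent claim can never match
            continue
        if MATCHERS[rule["MatchType"]](str(claim_value), rule["Value"]):
            return rule["RoleARN"]
    # No rule matched: "Deny" refuses, "AuthenticatedRole" falls back to the
    # pool's default authenticated role.
    return default_role if ambiguous_resolution == "AuthenticatedRole" else None


# Constructed claim sets, trimmed to the fields the rule looks at.
WORKSPACE_USER = {"iss": "accounts.google.com", "hd": "mydomain.com",
                  "email": "alice@mydomain.com"}
CONSUMER_USER = {"iss": "accounts.google.com", "email": "bob@gmail.com"}
OTHER_ORG_USER = {"iss": "accounts.google.com", "hd": "notmydomain.com",
                  "email": "eve@notmydomain.com"}

if __name__ == "__main__":
    for who, claims in (("workspace", WORKSPACE_USER), ("consumer", CONSUMER_USER),
                        ("other org", OTHER_ORG_USER)):
        print(f"{who:10s} -> {resolve_role(claims) or 'DENIED'}")
```

Note that a "Contains" rule with value "mydomain.com" would also admit "notmydomain.com", which is why the answer's Equals match is the one to use.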