
I'm looking for documentation on how to extend our existing Cognito Authentication process to include additional "Enabled Identity Providers".

Currently we do the following

    using Amazon.CognitoIdentityProvider;
    using Amazon.Extensions.CognitoAuthentication;

    // SRP sign-in against the user pool; 'provider' is an IAmazonCognitoIdentityProvider client
    var userPool = new CognitoUserPool(poolId, clientId, provider);
    var user = new CognitoUser(username, clientId, userPool, provider);
    var context = await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest
    {
        Password = string.IsNullOrEmpty(temppassword) ? password : temppassword
    });

If the resulting context.AuthenticationResult is not null then we're away to the races, and I can use the context.AuthenticationResult.IdToken as the OAuthBearerToken in subsequent calls to AWS API Gateway endpoints that are protected by the same Cognito user pool.

All that works great but now we're trying to Enable other Identity Providers (starting first with Auth0) and I'm now at a loss on how to get an IdToken that the API gateway will recognize from Cognito, for a user that is in one of the enabled Identity Providers.

Ralph Shillington
  • Wondering if you ended up finding resources for this (I know this was a few years ago now) as I'm in the same situation and can't figure out how to go about it. – Steven Evers Aug 04 '21 at 18:33

1 Answer


I haven't worked on AWS user pools, but I have gone through a few documents which I believe give the answer to your problem.

Q : All that works great but now we're trying to Enable other Identity Providers (starting first with Auth0)

A :

First of all, Common Amazon Cognito Scenarios highlights different scenarios for how AWS Cognito can be used. I'd prefer you go through it and understand them.

There you can find Authenticate with a User Pool.

Your app users can sign in either directly through a user pool, or federate through a third-party identity provider (IdP).

Also if you visit Amazon Cognito User Pools you can see they highlight the same,

Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.

What you need now is to configure your OpenID Connect provider (Auth0 as you said) for federation.

According to the docs, a user pool can be configured for a variety of third-party sign-ins. This is highlighted in Adding User Pool Sign-in Through a Third Party.

For OpenID Connect related configuration, documentation can be found in the Adding OIDC Identity Providers to a User Pool section. Finally, the flow and what goes on behind the scenes can be found at OIDC User Pool IdP Authentication Flow.

Q: I'm now at a loss on how to get an IdToken that the API gateway will recognize from Cognito

A:

About tokens: well, in this flow the AWS user pool acts as the relying party, so the OpenID Connect provider (e.g. Auth0) issues tokens to AWS. Once those tokens are obtained and validated, your app will receive tokens from AWS which are the standard ones, as if you had obtained them through SRP authentication. This is highlighted as below:

With the built-in hosted web UI, Amazon Cognito provides token handling and management for all authenticated users, so your backend systems can standardize on one set of user pool tokens.

Unfortunately I'm not sure about code samples.

Hope this helped.

Kavindu Dodanduwa
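As an added example (not code from the question or the answer above), this is how a .NET app typically gets Cognito-issued tokens for a federated user through the hosted UI's authorization-code flow with PKCE: the browser is sent to /oauth2/authorize with identity_provider set to the IdP's name as configured in the user pool, and the returned code is exchanged at /oauth2/token. The domain, client id, redirect URI and the IdP name "Auth0" are assumed placeholders, and the state value is assumed to be generated and checked by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class CognitoHostedUiAuth
{
    // Assumed placeholders; take the real values from the user pool's "App integration" settings.
    const string Domain = "https://YOUR-DOMAIN.auth.YOUR-REGION.amazoncognito.com";
    const string ClientId = "YOUR_APP_CLIENT_ID";
    const string RedirectUri = "https://YOUR-APP.example/callback";

    // PKCE: the verifier never leaves the app; only its SHA-256 hash goes into the authorize request,
    // so an intercepted authorization code cannot be redeemed without the verifier.
    public static (string Verifier, string Challenge) CreatePkcePair()
    {
        var verifier = Base64Url(RandomNumberGenerator.GetBytes(32));
        var challenge = Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        return (verifier, challenge);
    }

    // Step 1: navigate the browser here. identity_provider=Auth0 (the IdP name in the pool) skips the
    // hosted UI chooser and goes straight to the OIDC IdP; state ties the callback to this attempt.
    public static string BuildAuthorizeUrl(string idpName, string state, string codeChallenge) =>
        $"{Domain}/oauth2/authorize?response_type=code&client_id={Uri.EscapeDataString(ClientId)}" +
        $"&redirect_uri={Uri.EscapeDataString(RedirectUri)}&scope=openid%20email" +
        $"&identity_provider={Uri.EscapeDataString(idpName)}&state={Uri.EscapeDataString(state)}" +
        $"&code_challenge_method=S256&code_challenge={codeChallenge}";

    // Step 2: Cognito redirects back with ?code=...&state=...; after checking state, swap the code for
    // Cognito-issued tokens. The id_token is the same kind of user pool JWT SRP sign-in returns.
    public static async Task<string> ExchangeCodeForIdTokenAsync(HttpClient http, string code, string verifier)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = ClientId,
            ["code"] = code,
            ["redirect_uri"] = RedirectUri,
            ["code_verifier"] = verifier,
        });
        using var response = await http.PostAsync($"{Domain}/oauth2/token", form);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("id_token").GetString();
    }

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

The id_token returned here can be sent as the bearer token to the same API Gateway authorizer the SRP-issued token already works with; API Gateway only cares that the JWT was issued by the user pool, not which IdP the user came through.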