Authenticate social identity federation user to AWS Userpool? - Android

Question

We have used com.amazonaws:aws-android-sdk-cognitoidentityprovider:2.6.8 SDK for username and password based login and register flow. Following the approach mentioned here https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-integrating-user-pools-android.html. Sign up and Login Process is working as required.

For Facebook and Google authenticate through federation, We do not want to use the hosted UI for this purpose and are not using federated identities. We had followed this link https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html.

1. We have setup user pool with an application client and a user pool domain.
2. Setup Facebook as a social identity provider.
3. Added android call back URL to mobile.

First Approach

We look into CognitoSyncDemo Sample application, It was using federated identity so we had to discard it. We are just using federation in userpool.

Second Approach

We have used the webview and load the below URL. The URL takes me directly to Facebook, after authentication, it returns me back to redirect URL with access_token, auth_type, expires in and id_token. But no refresh token. URL https://yourdomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=redirect_app_path&response_type=code&client_id="client_id"&identity_provider=Facebook

But there is a problem using this approach. I couldn't find a way to push the access token to cognitoUserSession in SDK which is managing a user session. So every time I sign up with Facebook (using webview), there is no session maintain in SDK. Hence I am redirected to login view again. How to ensure the Facebook user is authenticated and signed in by cognitoidentityprovider? How to create user session in SDK when getting access_token and id_token?

Third Approach

We tried to use the Cognito Auth Demo https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo. For this, we have to add another library com.amazonaws:aws-android-sdk-cognitoauth. After clicking on sign in, it used to take us to hosted-ui. After looking into similar IOS project, we made tweaks in android library project (com.amazonaws:aws-android-sdk-cognitoauth for android). We added identity_provider in URI for sign in. It then takes us directly to Facebook on chrome tab. After authentication, it set the session in our application. But it has own authentication object which is AuthSession but previously we were using CogintoUserSession for normal sign up. AuthSession is do not have User Attributes and nor offer any get user details or authentication handlers. If we use this approach, then how to link AuthSession with CognitoUserSession and manage user session in the application?

Summary

In short, We had tired AWS samples, it is taking us to web-based hosted UI. We need to authenticate a user via Facebook to userpool using only federation identity provider. We need to maintain session in Cognito SDK without affecting our username and password based login flow. We want to open Facebook directly or on webview in our application on button click, authenticate the user and maintain session in the application using only Cognito SDK.

Answer 1

To connect to user pool i had included aws-android-sdk-cognitoidentityprovider. But if you need to add social sign up, you need to add cognitoauth as well.

1. Ensure cognito sdk version are same otherwise you might run into complication error.

2. As per the need of project, i need identity provider to pass into sdk so it could directly navigate directly to my social identity provider page. But current sdk version '2.6.24' didn't provided me with this provision. I had downloaded the android-sdk-cognitoauth sdk from awslab github and included in my project. I alter Auth.java class added identity provider variable in it.

3. Next step, i alter AuthClient.java method launchCognitoAuth. I place additional condition to check if identity provider present or not. Then i set it in sign in uri.

   if (pool.getIdentityProvider() != null) { builder.appendQueryParameter(ClientConstants.DOMAIN_QUERY_PARAM_IDENTITY_PROVIDER, pool.getIdentityProvider().toString()); }

4. After making above alteration, i can configure identity provider through my app in auth.builder(). The hack worked, i directly navigated to my provider page. After authentication, sdk set session it self.

To sum up, I found difference between android and ios project implementation. In iOS project, aws has given provision to add identity provider directly. I followed the flow of ios project and made tweak to android congitio-auth project. The difference has been reported as well to aws-sdk-android-sample issues.