Using Cognito User Pools, without Cognito Federated Identities (identity pools)

Submitted by 喜夏-厌秋 on 2019-12-19 11:35:07

Question


I would like to use only Cognito User Pool, and therefore I want to use identity federation with Cognito User Pools, without Cognito Federated Identities (identity pools).

I have followed the documentation, but I couldn't succeed.

http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social.html

Here is my User Pool configuration.

How can I combine Google and Cognito in a User Pool without using an identity pool (Federated Identities)? Or is that possible?


Answer 1:


Based on your comment to Summer Guo, here's what it seems like you're having an issue with...

A lot of details are missing here, but if you're using a Cognito Authorizer in your API Gateway, then it doesn't know about any 3rd party IdP -- it just knows about your Cognito User Pool. So sending the CUP JWT will work, while sending anything else won't. If you want to use a Google auth token, then you need to implement a Custom Authorizer that verifies this token with Google.

I presented on this topic during re:Invent. Here's the video that goes into the details: https://www.youtube.com/watch?v=VZqG7HjT2AQ




Answer 2:


It is possible to have a user pool with Google configured as an identity provider without using Cognito Federated Identities. Cognito has SDKs available for Android, iOS, and JavaScript; you can find them on GitHub (https://github.com/aws/). Can you be more specific about the problem you are running into when trying to do this?




Answer 3:


Looks like they only allow User Pool Federation with their own UI/SDK. What I ended up doing for react-native was:

  • get Facebook token

  • sign up the user into the user pool with a custom attribute to track Facebook ID and a generic password

  • use the temporary credentials (need to set up IAM for the Cognito user pool; adminMovetoGroup to move the user into the auto-created user pool federated group)

  • create a Lambda function to auto-confirm the end user.

This way the user can log in and get credentials using federated identities, but then they also have an account in the event they stop using Facebook. They would also need to reset their password.




Answer 4:


If you are using your own Custom UI, you will need to create a button/anchor to redirect the user.

This is what I use to create a URL (JS code):

// Pieces of the hosted-UI authorize URL, joined into one string
const url = [
  `https://${domain}/oauth2/authorize`,
  `?redirect_uri=${redirectSignIn}`,
  `&response_type=${responseType}`,
  `&client_id=${userPoolWebClientId}`,
  `&identity_provider=${providerName.toString()}`,
].join('');

  • providerName is either Facebook/Google

  • responseType is either token/code

  • domain: your domain in the Cognito User Pool config

  • redirectSignIn: your redirect sign-in URL in the Cognito User Pool config

You will need to call window.location.assign({the url generated above}). When the user clicks the button, it will redirect to either the Facebook/Google page asking for Account/Permission.

As far as I know, the Facebook/Google dialog for custom UI is not yet supported.

Example code from AWS Amplify:

import { Auth } from 'aws-amplify';

const config = Auth.configure();
const {
    domain,
    redirectSignIn,
    redirectSignOut,
    responseType } = config.oauth;

const clientId = config.userPoolWebClientId;
// The url of the Cognito Hosted UI
const url = 'https://' + domain + '/login?redirect_uri=' + redirectSignIn + '&response_type=' + responseType + '&client_id=' + clientId;

// Launch hosted UI
window.location.assign(url);

Link: https://aws-amplify.github.io/docs/js/authentication

Another thing, you can link federated identity to a user pool account. https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminLinkProviderForUser-property
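As an added example (not code from the answer above, nor from Amplify), here is the same authorize URL built with URLSearchParams so that redirect_uri is encoded instead of string-concatenated, carrying an opaque `state` that the callback handler checks before accepting the returned code or tokens. The domain, client id, redirect URL and the function names buildAuthorizeUrl/parseCallback are this example's own placeholders.

```javascript
// Build the Cognito hosted-UI /oauth2/authorize URL. URLSearchParams encodes
// every value, so a redirect_uri containing '?' or '&' cannot break the query.
// `state` must be an unguessable per-session value (e.g. crypto.randomUUID())
// stored by the caller and compared again in parseCallback.
function buildAuthorizeUrl({ domain, clientId, redirectSignIn, responseType,
                             providerName, state, scope = 'openid' }) {
  if (!['code', 'token'].includes(responseType)) {
    throw new Error(`unsupported response_type: ${responseType}`);
  }
  const url = new URL(`https://${domain}/oauth2/authorize`);
  url.searchParams.set('redirect_uri', redirectSignIn);
  url.searchParams.set('response_type', responseType);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('identity_provider', providerName); // 'Google' or 'Facebook'
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  return url.toString();
}

// Parse the redirect back from Cognito. The code flow returns
// ?code=...&state=... in the query; the implicit token flow returns
// #id_token=...&access_token=...&state=... in the fragment.
// The state check comes first: a callback that was not started by this
// session (or whose state was dropped) is rejected before anything is used.
function parseCallback(callbackHref, expectedState) {
  const url = new URL(callbackHref);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const params = query.has('state') ? query : fragment;
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: callback was not started by this session');
  }
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  if (params.has('code')) {
    return { flow: 'code', code: params.get('code') };
  }
  if (params.has('id_token')) {
    return { flow: 'token', idToken: params.get('id_token'),
             accessToken: params.get('access_token') };
  }
  throw new Error('callback carries neither code nor tokens');
}
```

In the browser you would call window.location.assign(buildAuthorizeUrl({...})) on the button click and parseCallback(window.location.href, savedState) on the redirect page.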



Source: https://stackoverflow.com/questions/46023143/using-cognito-user-pools-without-cognito-federated-identitiesidentity-pools
