Creating a user authentication system for iOS (previously with Parse hopefully AWS) [closed]

Answer 1

Yes, I use AWS Custom Authentication all the time.

Check this out and another answer I posted for custom authentication here

So the steps are:

1. Set up Cognito to authenticate UNanthenticated users
   • You have to do this otherwise they won't be able to access anything before logging in.

AND your authentic user Developer Name <- important part

2. Set up DynamoDB (or whatever) to store your Username-Password information

3. Go to IAM and make an AUTHENTICATED role and an UNAUTHENTICATED role.

4. You give the UNAUTHENTICATED role, assign:

   AmazonCognitoDeveloperAuthenticatedIdentities AmazonDynamoDBFullAccess (if you want a Login & Register system) AmazonDynamoDBReadOnlyAccess (if you only want login)

5. Also go in and do:

Edit Trust Relationship

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": ""
            },
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "unauthenticated"
            }
        }
    }]
}

6. Now make your AUTHENTICATED role, and assign:

   AmazonCognitoPowerUser AmazonDynamoDBFullAccess AmazonSNSFullAccess - for example, and whatever else you'd like

7. Also go in and do:

Edit Trust Relationship

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": ""
            },
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"
            }
        }
    }]
}

PLEASE NOTICE THE ONE CHANGE MADE - "authenticated" and "unauthenticated"

8. Now this should be mobile hubs responsibility, but since they came out with that, everyone thinks they're relieved of responsibility! Not the case! You need to know what sts:AssumeRoleWithWebIdentity

9. Now that you have everything set up, start your xcode project form Mobile Hub

10. Fill in all the data (if its not there, which it should be because Mobile-Hub is nice to us) for your AUTHENTICATED ARN and your UNATHENTICATED ARN

11. Set up your login page

12. When the user goes to login, (encrypt their password) and send that and the username to DynamoDB.

12B. I really like using Lambda PARTICULARLY for mobile because you can really do a lot more AND you are less prone to errors AND you have more control, etc.

So with that said, go back to to step 4 & 6 IF you want to use Lambda and add and Inline Policy to the Roles. IAM -> Roles -> Your Role -> Create Role Policy And pop in:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "Service": "lambda.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
    }]
}

Now that you have the base set up, go back to Xcode.

13. IF you are using Lambda, send in your username and password, let lambda pull the row from DynamoDB AND do the check on does the user exist, if so do the passwords match

Should look something like this in Lambda:

const
    AWS = require('aws-sdk'),
    ddb = new AWS.DynamoDB()

exports.handler = function(event, context) {
    var params = {
        TableName : '',
        KeyConditionExpression : 'userType = :v_type AND username = :v_user',
        FilterExpression : 'password = :v_pass',
        ExpressionAttributeValues : {
            ':v_type' : { S : '' },
            ':v_user' : { S : event.username },
            ':v_pass' : { S : event.password }
        }
        //ProjectionExpression: 'email, joinDate, phone' (OPTIONAL)
    }
    ddb.query (params, function(err, data) {
        if (err) {
            context.fail (JSON.stringify(err, null, 2));
        } else {
            if (data.Count !== 0)
                context.succeed (data.Items);
            else
                context.succeed ('Wrong Info');
        }
    });
};

Once you get your data.Items back in Xcode, call this Lambda function, send in your variables, and when they say "good", call:

credentialsProvider.setLogins({developerAuthenticationProvider.getProviderName(), developerUserIdentifier});

Followed by credentialsProvider.refresh();

That part above should be in your Xcode project from MobileHub.

Now, this is were things get weird. There are a ton o` ways to do this. TVM, Cognito Assume Auth, server side, etc.

I always reassume authentication from Unauthenticated to Authenticated, but you have to do a lot of back end stuff if you want to get real analytics from both web side and mobile side if you're making this for both. But once you have your authenticated user, you now have a well authenticated user, ready to access whatever you listed in Step 6 as authenticated!

Hope this helps.

Update --- This is a dirty, unsafe, but fast way to do this. NOT FOR PRODUCTION.

In cognito, don't even make an Authenticated user role. Give your Unauthenticated user role all the permissions to do everything (DynamoDBFullAccess, S3FullAccess, EC2FullAccess, etc)

Then handle your authentication in the phone - Check the username and password against DynamoDB and then if it returns the information, set a variable to TRUE. This is not safe because the user now has access to all your stuff but it would look like this:

BOOL loggedIn = FALSE;
if (loggedIn) {
    [self loadView];
} else {
    [self loadLoginView];
}

- (void) loadLoginView {
    DynamoDBCall (username, password) withCompletion () {
        if (allGood) {
            _loggedIn = TRUE;
        }
    }
}