I have a Cognito User Pool and need to prompt users select their country from a dropdown list during registration. As far as I can tell, Cognito doesn't provide the ability to customize the registration page with a dropdown. Is there a way to redirect the "Sign Up" link in the Cognito sign-in page to point to a specific URL so I can provide my own registration page (and use the Cognito APIs to create the user)?
Or, if someone knows of a different way to solve this problem, I'm all ears.
My OIDC clients are websites (i.e., not a mobile apps) and I'm using the authorization code flow.
You can create your own registration page and use AWS cognito SDK or amplify to make calls to cognito. For example, if you are using javascript you can use the following code for your signup calls: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#signUp-property
Related
I would like to hide Keycloak's interface from my Customers.
Is it possible to login to Keycloak through an API (specially for Authorization Code grant type), so I can build a React component for example for my customers to login?
Is it possible to build my own Account app, that will interact with Keycloak through an API?
Only my staff should use Keycloak's interface to manage security.
You can redirect your application to the Keycloak login page, and change that login page to have the looks and feel that you desire using Keycloak Custom Themes. To communicate from your Account app to Keycloak Api you can use the Keycloak Admin API.
Yeah, almost every SPA (Angular, React, Vue, ...) developer dreams about replacing of IdP (Keycloak in your case) login screen (because default IdP login is ugly/it doesn't match app style/... and he can build cool login screen on the SPA level :-)).
Sure, it's possible. Switch to Direct Access Grants (Resource Owner Password Credentials Grant) and you can use that. But you will sacrifice security. Let's say you have Google IDP identity brokering, so users will be able to use also own Google account. Will you put your Google credentials to some custom login form, which claims that those credentials will be used only to login and they won't be stolen. I would say no, because app will see your credentials. That is purpose of IdP (OIDC or SAML protocol). It provides user identity to any app (especially for 3rd party apps) without exposing user credentials - that is perfect case for Authorization Code grant type.
So I would say it's possible to use own SPA login form, but it is wrong idea. I would use local app auth in you case.
Second question: you can build own Account based on Account REST API. It is pretty new, so there is no good doc for that and it's only available as an preview feature. New account console should use it - https://www.keycloak.org/2020/09/new-account-console.adoc.html, so you can watch network browser console to see API requests.
I'm trying to develop a React application that will allow users to login with their Azure AD accounts and their Facebook accounts.
The first thing is that I didn't understand about the 2 tabs "User
Pools and Federation Identities". Do I need both to get it done or
just the User Pools is enough?
My goal is just the authentications. I don't want to allow users to access any AWS service. I just want the authentication token.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth. Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Do I need both to get it done or just the User Pools is enough?
No. Userpool is more than enough if you just need authentication and do not need to use AWS services.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth.
What user data do you need to save. If you want User's profile data to be saved in Cognito, you need to use Cognito Userpool & not Federated Identities. Add Facebook directly to Userpool. Upon using Facebook login, a user is auto-created in the userpool based on all user data available in the token. See this doc on how to add Facebook to a userpool directly.
Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Depends on your use-case. If you just want to add authentication to an app, the best way would be to Add Facebook to a Userpool directly, create an app client in the userpool for your application; enable Facebook for that app client & use Cognito Userpool's built-in UI to login using Facebook. This feature (built-in UI) is called App Integration. After successful Facebook login, a valid token will be sent to your app. Do note that the token sent to your app would be from Cognito.
Client--> Userpool built-in UI --> Redirect to Facebook --> Login using username +password --> Facebook sends its token to Cognito ( https://your-user-pool-domain/oauth2/idpresponse)-->Userpool vends its own token & redirects to the URL mentioned in the redirect_uri.
I am using keycloak as security layer and working towards enabling social login.
Social login was working and I was able to integrate Facebook with just configurations using the doicuments.
However I have a requirement where in I need to provide an API end points for the same.
Our mobile devices will be communicating to facebook via the app and will have the token from the facebook (Implicit Flow).
I will then be exchanging the token with keycloak for the keycloak access token.
I have two questions:
Is this approach correct? If not why?
How can I achieve this?
I was thinking of writing a custom authenticator (Am not sure if thats the right approoach as I have to register user are well if FB Access token user is not available with us (We can afford to login user and with jsut emailID as we can onbaord new users later)
I am blocked because authenticator is not working with any build from 2.4.0 onwards
Let me know if my approach is correct and if so how to proceed about it.
I have a REST service that my mobile app uses to authenticate when the users click on the Facebook or Google icons.
The service accepts the user's id from the provider and checks if it exists on the database and then issues the access_token to be used for the other methods.
The problem is that I just thought that it could be pretty easy for someone to intercept the calls and discover which service authenticates and what the user id is and then call it with to get a token.
How can I avoid this?
I think you just need to separate the authentication and authorization functions. You can let Google (Google Sign-In) handle authentication. If you follow the API they will securely authenticate the user and send you the token which you can validate.
Once you know who they are for sure, your site can safely authorize that user approriately. For example, they might be an existing user, need to make an account, be an administrator. You can make those authorizations on your site based on the user authenticated by Google (in my example).
Twitter, Facebook and others do the same. Also see OpenID Connect.
I'm trying to implement facebook login with django-rest-auth (a rest wrapper for Allauth).
I have followed their tutorial (showing how to log in, http://django-rest-auth.readthedocs.org/en/latest/installation.html), but I am bit puzzled concerning the registration part.
The login view expects only a token but there is no Social Register view. Does this mean that django-rest-auth does not handle the registration of new users? Or that it is handled in a separate view?
Thank you very much
The Django rest auth has the RegisterView, it will handles the user registration part and return the Auth Token. The LoginView will takes the user credentials and validate the user and authentication.