Using manually created Cognito User Pool with an amplify project - aws-cloudformation

I'm trying to use my existing Cognito User Pool when adding AWS Amplify to a react project.
In result, I want to use Amplify Datastore functionality for existing users in my manually created Cognito User Pool. Also, I like the Amplify CLI functionality for managing GraphQL schema for API, so, this means that I need to initialize amplify project inside my react project.
I started by this chapter https://docs.amplify.aws/lib/datastore/getting-started/q/platform/js. But this chapter uses API Key authentication.
I know, that I can add Authentication to the amplify project by amplify auth add, but it has no option for using existing User Pool.
I can use my User Pool without initializing amplify project by amplify init - by using manually composed aws-exports.json. But as I pointed, I need also add amplify project for API.
I would combine configs, something like Amplify.configure({...aws_config_by_amplify, ...my_aws_config}), but it still unclear how to manage amplify api authentication with my user pool then.
Ideally, it would be great to use some command for amplify project configuration with an existing user pool, but I have not found one.
Also, I suppose that it's possible to make some manual changes in amplify project's cloudformation template/params, and to update the stack with that, but, unfortunately, I am not so good in CloudFormation usage.
How to solve this?

The solution was found here: https://github.com/aws-amplify/amplify-cli/issues/779
Init amplify project amplify init
Add API amplify add api with choosing of GraphQL
Update ampilfy/backend/api/backend-config.json, changing defaultAuthentication to
"defaultAuthentication": {
"authenticationType": "AMAZON_COGNITO_USER_POOLS"
}
Update ampilfy/backend/api/amplifyDatasource/parameters.json:
{
"AppSyncApiName": "amplifyDatasource",
"DynamoDBBillingMode": "PAY_PER_REQUEST",
"DynamoDBEnableServerSideEncryption": "false",
"authRoleName": {
"Ref": "AuthRoleName"
},
"unauthRoleName": {
"Ref": "UnauthRoleName"
},
"AuthCognitoUserPoolId": "<USERPOOL ID>"
}
(I am unsure that authRoleName and unauthRoleName are needed)
amplify push, and voila, the Appsync will have the user pool as the default authentication.

One solution, assuming you want to use the Amplify UI Authenticator component in your React project:
(Note this does not require any Amplify add/pull/push, config file generation, or any of that. It's 100% client side, you just drop in a component, configure it, and use it).
npm install #aws-amplify/ui-react aws-amplify
In your top-level style file, import the theme:
import '#aws-amplify/ui-react/styles.css';
Note: if you are in a Next.js project or get some complaints about pure selectors, import this in your top level app file, like _app.tsx
Add your config object to _app.tsx:
Amplify.configure({
Auth: {
region: 'us-west-2', << whatever region
userPoolId: 'your-userpool-id',
userPoolWebClientId: 'you-web-client-id', << found in App Integrations
},
});
Note that you can get your region from the userPoolId (at least, at this time), it's the part to the left of the underscore.
Add the Authenticator to your markup:
<div className="authenticator">
<Authenticator>
{({ signOut, user }) => (
// Next.js
<Component {...pageProps} signOut={signOut} user={user} />
// react-router-dom
<Routes>[Your Routes]</Routes>
)}
</Authenticator>
</div>
Import note: to use this component, make sure in your user pool Advanced app client settings -> Authentication Flows, "ALLOW_USER_SRP_AUTH" is in the list. The Authenticator component sends data a certain way and needs this protocol.
That's pretty much it. It assumes the userpool has things like verification and an app integration configured correctly, but as for the client side the above is all there is to it, I've used it a number of times recently.

Related

What is the workflow for a basic Auth OIDC with Keycloak

I have keycloak on docker (v20.0.2) and as you know some versions change some or good part of the UI, so is hard to follow tutorials around the web...
I am trying to follow this particular tuto
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the more updated. My keycloak is actually behind traeffic and thomseddon/traeffic-fordward-auth with a docker-compose file (but the connection through traeffic is good and I have acces to admin UI)
So on step 10 of the tutorial things change for me, I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper" don't understand this bit
then just follow the tuto
With that series of steps I get an error when retriving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
enter image description here
(this are fake local data from the realm I created for testing)
that responds with a or something similar I have also tried to change the grant_type to password, and the same happens can not query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with an scope/role as in the tuto suggest then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who can not
Any step that I'm missing from this update, do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer Json instead of XML) that connect to this keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block user so if user Student try to access an url from another Student he get blocked that url. So is based on the role or scope or I don't know which is prefered or easer to accomplish, the mission is to block users or not based on a factor that could be used for this in keycloak.

How can I resolve 400 bad request in Google Picker dialog in test application?

I'm running into trouble with test users and the Picker component in my web applicaton.
A subset of my test users are receiving a 400: The server cannot process the request because it is malformed when attempting to access the picker. Some of them experience a looping sign-in beforehand.
The picker is constructed in the following way inside of a useEffect in a React component:
// if there's a non-config related bug, I would imagine it must be related to getting the access token here.
const accessToken = gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().access_token;
const view = new picker.DocsView(picker.ViewId.DOCUMENTS);
view.setIncludeFolders(true);
const pickerDisplay = new picker.PickerBuilder()
.enableFeature(picker.Feature.MULTISELECT_ENABLED)
.setAppId(appId)
.addView(view)
.addView(new picker.DocsUploadView())
.setOAuthToken(accessToken)
.setDeveloperKey(apiKey)
.setCallback(pickerCallback)
.build();
setPicker(pickerDisplay); // sets picker state
Because I am not receiving the error message and the application has not been verified, I believe this likely has something to do with the IAM.
I believe I've been able to eliminate managed browsers settings,
cookie settings, and extensions as possible sources of error.
I've also added the users to the GCP project with the Browser role, though
they did not receive invites. What do I need to try next to resolve
this issue?
I cannot provide a minimum reproducible example because this only seems to be confined to a subset of my users' browsers.
I reached out to Google support, but unfortunately this is not covered.
I need to get this application into production relatively soon, so I'm very seriously considering just writing my own Drive microservice and recreating the Picker. I would love to avoid this though.

Hello.js Demo Twitter Error

hellojs twitter error
When i run the twitter demo from demo folder and clicked on twitter button it give me following error
url is undefind in hello.js file on this line if(url.indexOf(x)>-1){
how to fix this error
thanks
When running the demo page in question
http://adodson.com/hello.js/demos/twitter.html
You'll see...
hello.init({
'twitter' : TWITTER_CLIENT_ID
},
{
redirect_uri:'../redirect.html',
oauth_proxy: OAUTH_PROXY_URL
});
The setup includes an OAUTH_PROXY_URL variable. This tells HelloJS the location of the server-side shim in order for this to work with OAuth1 authorisation providers like Twitter (unlike OAuth2 providers which can share authentication tokens purely client-side)
If running this from a local domain like //localhost this will have been an undefined value.
You'll need to do two things to get the demo working.
Define the oauth_proxy option in the demo code. See http://auth-server.herokuapps.com for setting one up. OR remove it entirely and by default it will use the above service - you'll need to register third party apps there (recommended).
Change your development environment in your host file to something other than //localhost, that way you can register OAuth2 providers which are domain sensitive and often wont let you use localhost when registering your apps callback URI. If you change your development environment to be local.knarly.com with hello.js project as a subfolder - then you can skip step 1 as the oauth_proxy will be defined correctly.

App with no DB: You must call the "WebSecurity.InitializeDatabaseConnection" method before you call any other method of the "WebSecurity" class

First things first. I'm a complete OAuth newbie. This will be my first stab at it, and things are getting hairy...
I'm writing a single page application using Durandal & Web API.
The user needs to be able to login using any social network.
I don't have access to a database whatsoever, I have to call an unprotected 3rd party web service which I consume server-side, and need to protect using OAuth.
So I've managed to add the files to my solution which generates the login using facebook contol/button (created a new MVC4 web application, and did a manual copy and paste of all the auth related files, updated bootstrappers etc..), and the code seems to work for the most part.
When facebook redirects back to
[AllowAnonymous]
public ActionResult ExternalLoginCallback(string returnUrl)
{
AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(this.Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
if (!result.IsSuccessful)
{
return this.RedirectToAction("ExternalLoginFailure");
}
if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
{
return this.RedirectToLocal(returnUrl);
}
//code removed for brevity ....
}
I get the error specified once the following line tries to execute.
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false)
I've removed the [InitializeSimpleMembership] attribute from the controller, as I don't have a database.
Please forgive me if this is the dumbest question ever, but...
Why does the login fail? I mean at that point, isn't the app trying to log into facebook, why does it need a databse? Or am I correct in saying I can remove/replace that code section, with a login/authorise call on the web-service I'm using?
Not the dumbest question ever. Not by a long shot. But you are getting the error because your membership provider is still set to use the SimpleMembershipProvider and OAuthWebSecurity will use the default membership provider. If you don't want to use a database you will have to create or find a different membership provider to use.
EDIT:
I know you said you don't have access to a DB but if you can use SQL Compact you can just stick with the default SimpleMembershipProvider(check out Hanselman's blog) or DevArt has a SQLLite provider. Also the MemFlex Project has a RavenDb provider. If none of those work I think you might just have to write your own.

Salesforce IOS error requested scope is not available

I have started a new project from salesforce template o XCODE, then I created a fresh remote acces application on Salesforce web.
Then I replaced the RemoteAccessConsumerKey and the OAuthRedirectURI on the AppDelegate.
When I run the application it says, invalid_scope -> requested scope is not available.
my scope params are:
[NSSet setWithObjects:#"visualforce",#"api",nil] ;
What is the callback URL from your Remote Access object?
One guess is that your callback URL begins with something like "https" rather than a custom scheme like "testsfdc" (which is what the template app provides). Try using a custom scheme instead ie "myapp:///mobilesdk/detect/oauth/done"
Just had this on a legacy hybrid app I had to update for iOS10. I noticed that the Salesforce SDK persists its initial oAuth endpoint data. So switching from sandbox to production will return the above error.
Solved by deleting the app completely and compiling with production config.
Hope this helps.