I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.
But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.
Is this possible?
Thanks in advance!
Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.
Splitting your query into 2 parts:
1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.
2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to login using a username password, a new account will have to be created using SignUp API or AdminCreateUser API. Also, this account can not be linked to the previous Facebook account using AdminLinkProviderForUser because a pre-requisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.
So, in short, you would have to - create a new user using SignUp or AdminCreateUser API, delete the auto-created Facebook user & Finally link the Facebook account as mentioned in case 1.
Related
I am building a GitHub app that requires user-to-server access tokens. I am following the Web application flow so a user can sign in and my app gets the access token.
My question is about the login parameter in the href when requesting the user's identity:
When your GitHub App specifies a login parameter, it prompts users with a specific account they can use for signing in and authorizing your app.
What does specific account mean? Does it mean the currently logged in
GitHub's user account?
What is the point of this parameter?
What is the difference between supplying the parameter and not
supplying the parameter?
Thanks!
The login is a suggested github user. When I supplied a valid login, the authorization screen showed the suggestion on top when I was logged in with a different user account.
So a use case would be if you saved the user name already somewhere and want to remind the user to use that account.
I'm trying to develop a React application that will allow users to login with their Azure AD accounts and their Facebook accounts.
The first thing is that I didn't understand about the 2 tabs "User
Pools and Federation Identities". Do I need both to get it done or
just the User Pools is enough?
My goal is just the authentications. I don't want to allow users to access any AWS service. I just want the authentication token.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth. Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Do I need both to get it done or just the User Pools is enough?
No. Userpool is more than enough if you just need authentication and do not need to use AWS services.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth.
What user data do you need to save. If you want User's profile data to be saved in Cognito, you need to use Cognito Userpool & not Federated Identities. Add Facebook directly to Userpool. Upon using Facebook login, a user is auto-created in the userpool based on all user data available in the token. See this doc on how to add Facebook to a userpool directly.
Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Depends on your use-case. If you just want to add authentication to an app, the best way would be to Add Facebook to a Userpool directly, create an app client in the userpool for your application; enable Facebook for that app client & use Cognito Userpool's built-in UI to login using Facebook. This feature (built-in UI) is called App Integration. After successful Facebook login, a valid token will be sent to your app. Do note that the token sent to your app would be from Cognito.
Client--> Userpool built-in UI --> Redirect to Facebook --> Login using username +password --> Facebook sends its token to Cognito ( https://your-user-pool-domain/oauth2/idpresponse)-->Userpool vends its own token & redirects to the URL mentioned in the redirect_uri.
I'd like to offer our users a Facebook login option. But I'm not sure how to identify existing users (without a stored Facebook ID).
From the docs:
https://developers.facebook.com/docs/facebook-login/multiple-providers#addingfacebook
After a successful login using Facebook, you will have the person's
email address, Facebook ID, and access token. Your app should search
for an existing account that has been created with that same email
address. If one exists, you should merge the two accounts and add
the Facebook info to the existing account - as recommended above.
That doesn't sound like a secure approach to me. What would prevent someone from creating a new Facebook account with a fake email address that matches a user account in my app and then use my Facebook login option? (Obviously, this will not work if the user already owns a Facebook account)
Your concern...
That doesn't sound like a secure approach to me. What would prevent someone from creating a new Facebook account with a fake email address that matches a user account in my app and then use my Facebook login option? (Obviously, this will not work if the user already owns a Facebook account)
TL;DR
Facebook Registration process
Go to facebook.com/reg.
Enter the name you go by in everyday life.
Enter your email or mobile phone number.
So...
Facebook needs your email or phone number, that means there's no way someone can use another account's email or phone number to sign up again.
My advice to you is...
You have two or more authentication methods - 1 manual (email & pass) | the rest (social login).
You already have users, so when users login using OAuth and a matching email or phone number is found, you ask permission to link their Facebook account to your app or site account with a matching credential.
At this point you should authenticate the persons identity one last time, by having them enter the password for their account on your app or site.
Now you can safely assume this person is who they say they are and store their info in your DB.
Is it possible to login to facebook directly (facebook.com) using the test user account created using the Facebook Developer app feature (Roles / Create test users)? What password should I use? I understand we can use the "Switch to " option after logging in as myself to facebook, but I want to be able to login directly using the test user accounts, so that I can provide these user details for other testers who do need to use their personal facebook account in any way related to the testing of the application.
Yes, we can login directly facebook(facebook.com) with test user accounts.
Step 1
Create test user by clicking Add button
Step 2
Click Edit button where have all option
Change name
Set Password
Generate access token etc.
You can simply change the password of the Test User by issuing a POST request to this URL
https://graph.facebook.com/TEST_USER_ID?password=NEW_PASSWORD&name=NEW_NAME&method=post&access_token=APP_ACCESS_TOKEN
Then you can give other people the account info of that user with the newly set password and they can log in to Facebook as that user.
I am creating an app in which you can login via Facebook, Twitter, or our own internal mechanism. The issue is the following scenario:
I open the app and login using Facebook
I logout
I open the app and login using Twitter
The above scenario will result in me as a user having two accounts in the system. How do I prevent this from happening so that I have one account and it doesn't matter whether I login using Facebook/Twitter?
Every time a user login using Facebook I am as well creating an internal account, with the Facebook username and Facebook id as password. The same thing when I login using Twitter I am creating an internal account with the Twitter user name and id as password.
An idea came in my mind to solve this:
When a user logs in using Twitter check the name and email if a user with that information already exists in the database. However, the name and email they use in both Facebook and Twitter might not be the same, so this might not work all the time.
You can't make this work with your current flow (when the user logs in then logs out again). Instead you should allow a user to login with either their Facebook or Twitter credentials and then, whilst they're still logged in, get them to associate their account with their other service with that user.
So, the flow would be something like:
New user arrives at site User logs in with Facebooks oauth2
mechanism
Your server receives their FB ID and generates a new user
in your systems. Stores their FB ID against that user.
You prompt
the user to add their twitter auth credentials. User logs in with
Twitter oauth2 mechanism
Your server receives their twitter ID,
checks to see if a user is currently logged in with your
application. Because there is, you save the twitter ID agains the
current user.
Later, the user can log out and then log in with either service.