I'm trying to develop a React application that will allow users to login with their Azure AD accounts and their Facebook accounts.
The first thing is that I didn't understand about the 2 tabs "User
Pools and Federation Identities". Do I need both to get it done or
just the User Pools is enough?
My goal is just the authentications. I don't want to allow users to access any AWS service. I just want the authentication token.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth. Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Do I need both to get it done or just the User Pools is enough?
No. Userpool is more than enough if you just need authentication and do not need to use AWS services.
I already got the user logged in via facebook using the Federation Identities and the Facebook SDK, but I don't know how to keep the user data saved after getting the token from facebook auth.
What user data do you need to save. If you want User's profile data to be saved in Cognito, you need to use Cognito Userpool & not Federated Identities. Add Facebook directly to Userpool. Upon using Facebook login, a user is auto-created in the userpool based on all user data available in the token. See this doc on how to add Facebook to a userpool directly.
Also is it correct to use the facebook SDK or should I use Cognito to take care of all authentication methods for me?
Depends on your use-case. If you just want to add authentication to an app, the best way would be to Add Facebook to a Userpool directly, create an app client in the userpool for your application; enable Facebook for that app client & use Cognito Userpool's built-in UI to login using Facebook. This feature (built-in UI) is called App Integration. After successful Facebook login, a valid token will be sent to your app. Do note that the token sent to your app would be from Cognito.
Client--> Userpool built-in UI --> Redirect to Facebook --> Login using username +password --> Facebook sends its token to Cognito ( https://your-user-pool-domain/oauth2/idpresponse)-->Userpool vends its own token & redirects to the URL mentioned in the redirect_uri.
Related
I have a set of users in a Cognito User Pool. These users, and ONLY these users, are allowed to login to my webapp.
Now I want to allow these users, and ONLY these users, to have the option to login either via Facebook or via their login credentials. In other words, I want to allow a person to login to my app using either Facebook or their Cognito login credentials and get access to the same Cognito User account, regardless of whether they logged in using FB or Cognito. Just to be clear, a FB user without a Cognito user account would not be allowed to login to my app. How do I do this? Is this possible? It seems to me that I have to find a way to map each of the Cognito user's Cognito User Pool account with their corresponding Facebook account.
From the Cognito documentation on AWS, it seems that when I add Facebook as a federated Identity Provider, this means a user can login via EITHER Cognito or Facebook, and all Facebook users who can login to Facebook can now login to my app. This is NOT what I want! Just because a person is authorized to use Facebook does not mean they are authorized to use my app!
So, how do I allow a user in my Cognito User Pool to connect his/her Facebook account so that the user has multiple ways of logging in to the same Cognito user account?
Unfortunately, Cognito's design would not permit such a feature to allow only a set of Facebook accounts to log in. When Facebook is enabled for a Cognito User Pool, all valid Facebook users would be able to log in.
I want to allow users to sign up using either a user-pool identity (email + password) or a Facebook-federated identity.
But I also want them to be able to switch later on: either add Facebook federation if they didn't sign up using Facebook initially, or remove the Facebook link from their account if they initially signed up using Facebook.
Is this possible?
Thanks in advance!
Yes, it is. I'm assuming that Facebook is added directly to the Userpool as an IdP.
Splitting your query into 2 parts:
1. User signs up using username & password. Later, he wants to link his Facebook account
This is pretty easy. Give an option in your UI and use the AdminLinkProviderForUser API to link Facebook/Google account to the user. Now, when the user signs in using this Facebook/Google account next time, Cognito will treat it as the native user & generate token for the same. Of course, the Facebook info will be mentioned in the identities claim. If the user wants to remove this Facebook/Google link later, it is possible using the AdminDisableProviderForUser API call.
2. User signs up using Facebook
This is a bit tricky since Facebook login will automatically create a user in your Userpool with status EXTERNAL_PROVIDER (unlike native users who have CONFIRMED status). As the name suggests, this user can only be logged in using the relevant external provider - Facebook in this case. If the user wants to login using a username password, a new account will have to be created using SignUp API or AdminCreateUser API. Also, this account can not be linked to the previous Facebook account using AdminLinkProviderForUser because a pre-requisite is that no Facebook user with the same details (email etc.) should exist in the Userpool. But at this moment, we have an auto-created Facebook user with EXTERNAL_PROVIDER status.
So, in short, you would have to - create a new user using SignUp or AdminCreateUser API, delete the auto-created Facebook user & Finally link the Facebook account as mentioned in case 1.
I have a REST service that my mobile app uses to authenticate when the users click on the Facebook or Google icons.
The service accepts the user's id from the provider and checks if it exists on the database and then issues the access_token to be used for the other methods.
The problem is that I just thought that it could be pretty easy for someone to intercept the calls and discover which service authenticates and what the user id is and then call it with to get a token.
How can I avoid this?
I think you just need to separate the authentication and authorization functions. You can let Google (Google Sign-In) handle authentication. If you follow the API they will securely authenticate the user and send you the token which you can validate.
Once you know who they are for sure, your site can safely authorize that user approriately. For example, they might be an existing user, need to make an account, be an administrator. You can make those authorizations on your site based on the user authenticated by Google (in my example).
Twitter, Facebook and others do the same. Also see OpenID Connect.
I am using Facebook as advertising platform to promote my application on Apple and Google stores. I would like to make windows service which will download daily report(s) about advertising status of my marketing campaign running one Facebook, preferably using 60 day token, or some permanent solution so that token is retrieved when required. I think that i understand everything to do this except how to generate access token to use it with Facebook Graph API. Which token for which Facebook account do I need and how to obtain it?
You'll need a Facebook app and to grant that app the ads_read permission in order to retrieve reports about your advertising efforts via the API (source).
You'll want a long-lived token so that you don't have to re-authenticate very often. The access token documentation details the steps to exchange a short-lived token for a long-lived one.
You may also want to consider managing the app, ad account, and access tokens (via a business system user) with the FB Business Manager.
Create a facebook app.
Go to the Graph API Explorer in Facebook's Tools & Support section.
Pick your app from the drop down.
Hit Get Token > Get User Access Token.
In Select Permissions choose required permissions or select them from extended permissions.
Use the user access token that will be presented to you in the access token form input field.
I need to setup communication between my iOS/Android app and my PHP backend. I want to use facebook account only for logging in, there is no further communication with facebook. I have User accounts in my system and facebook_id is only a parameter to identify user.
Is it ok to verify the user by checking the token on the graph api from my backend just at the beginning and then only use my own tokens for communication or do I need to recheck if the user is still logged in on facebook from time to time (which is actually irrelewant for me as there are no fb interactions).
What else is there to consider?
Do I need a separate token for my server? Or do I use my App Secret
You should be able to use your application token.
The only scenario it might not work in is if the user deletes your app and decides to login again. From what I've read the app scoped IDs may change in this scenario.