I am building an app using Angular and NodeJS.
I've heard about AWS Cognito and would like to use it in my app. However it is very unclear in the documentation how it is supposed to work.
There is an example on how to use Cognito with an Angular SPA, but there is no word on how I can use it to authenticate users on my backened NodeJS server.
How is NodeJS supposed to know if a user is logged in? I can think of several possible answers, but none appear in the documentation and there is surprisingly no code sample. So I decided to ask here before investing a lot of time in trial and error.
You can use AWS Cognito Userpools in your backend NodeJS server to authenticate users. The steps are as follows.
Create a Cognito Userpool and setup an App Client.
Create a Cognito Userpool ( Optionally Cognito Federated Identities if you want your users to directly allow controlled access to AWS services).
Configure Cognito Hosted UI ( Built in Signin page and optionally Signup page).
For User Signin, redirect the User to this Domain URL for Signin.
Setup an App Client with redirect URLs to your App for Oauth2 flow.
After user Signin, you will receive an id_token (e.g In implicit grant flow) in URL which you can forward to your NodeJS server where you can validate it using NodeJS middleware.
You can decide whether to store the id_token in a cookie or in browser storage and implement the storage and validation accordingly for subsequent requests.
Note: Since the id_token is a standard JavaScript Web Token (JWT) you can find a library to validate it. Refer AWS documentation Using Tokens with User Pools for more details.
Related
I've a NodeJS app that serves ReactJS frontend.
I'm using AWS Application Load Balancer authentication with a Cognito user pool.
I've set up a role in my load balancer and as soon as the user enters the url of my app, the authentication is being performed and two AWSELBAuthSessionCookie cookies are set.
This flow works perfectly, but the thing is that I would like to obtain also the current user info from Cognito (name, email, etc..).
As i understood the other parameters like X-amzn-oidc-data are not available in the frontend and only available to the backend.
My questions is, how can i obtain this information assuming that i have only the AWSELBAuthSessionCookie available in my NodeJS backend?
Any help would be appreciated.
You would have to build a back-end API endpoint that exposes that user information. Something like yourdomain.com/api/get_user_info. Then have your front-end ReactJS application call that API endpoint to retrieve it from the back-end.
I am currently developing an API project using ClaudiaJS API Builder to build and deploy it on AWS Lambda with it's endpoints exposed on AWS API Gateway. I am planning to have at least a webapp and a mobile app for this platform, so I'm focusing mostly everything on API's, including the authentication methods(signup, signin, logout, verify account, ect.).
Unfortunately, as I am not using Express in this project, I can't find a good way to build these auth methods since every library I find has some dependency on Express (e.g PassportJS).
My initial thoughts for the login workflow are:
User submits login form containing user/pass stored in PostgreSQL
DB.
Front app calls auth API.
API method compared credentials against the user DB (Using BCrypt).
In case of success, API method generates JWT containing a few user details on it's payload and returns to the consumer app.
Is there any good approach for achieving this goal without using Passport and/or Express? Are there any other libs for this purpose or should I just use a regular db query and generate a JWT in case the evaluation succeeds?
Thanks for everyone in advance.
Best regards,
Enrico Bergamo
I am working on an application in which i need to authenticate user. I am using firebase for database. I have used node.js for getting data from firebase. Now all i want is to create login page and in that i need to authenticate user by their email address and password. And i want to use the same method how i am fetching the data that is using node and i don't want to use angularfire for the authentication. Is it possible to perform? If it is can you please share how can i accomplish that?
Authenticating from a server-side process with the Firebase 3.x SDK requires the use of a service account. From the documentation:
When you authenticate a server, rather than sign in with a user account's credentials as you would in a client app, you authenticate with a service account which identifies your server to Firebase.
If you want to custom handle the authentication of your users, you'd create a custom token for your users on the server and then have them pass that to Firebase.
In general I'd recommend reading this article about common application architectures when using the Firebase Database.
I have read this post and the AWS reply on
How do I use a Cognito token with API?
and this one how to use AWS cognito with custom authentication to create temporary s3 upload security token
I am not yet clear whether there is a simpler solution to securing S3 access.
I have a mobile client and a node.js backend. The client authenticates with the backend and receives a jwt accesstoken for further calls to my backend. In addition to communication with my own backend, users should be able to upload and download files to and from S3. I am looking for the simplest solution to make sure only users who have a valid accesstoken for my backend can upload to S3.
Can I do the following (this is based on this blog post http://blog.backspace.academy/2015/03/using-cognito-with-nodejs-part-2.html):
Client authenticates with my custom node.js backend and receives custom accesstoken from my backend
My node.js backend gets CognitoID AWS temp user credentials. However, the AWS documention says we also need a session token (presumably by calling CognitoSync), so I assume my backened needs to get the session token as well.
My node.js backend passes those temp credentials plus session token to client
Client uses them for calls to S3 with AWS SDK passing in the credentials + session token.
Am I missing something? Is there an easier way to do that? I assume there is no way to simply have the client pass my own custom node.js user accesstoken to AWS/S3/Cognito and have S3/Cognito authenticate the token by calling my own node.js API that could authenticate this token.
You've pretty much got it. You can get credentials from your backend and deliver the AWS credentials to the client. You will need the session key when using temporary credentials that will expire - and you definitely should use temporary credentials with mobile app clients.
If you want to authenticate the user with your own backend (using username/password with your backend) you can use Amazon Cognito's Developer Authenticated Identities feature. If your users will be authenticating with Facebook, you can just pass the Facebook access token to Amazon Cognito as described in the Facebook Integration topic.
Either way, the "standard" flow you'll see in AWS documentation is that you let Amazon Cognito deliver the AWS session credentials directly to the mobile app (rather than via your backend). When using Developer Authenticated Identities, the mobile app exchanges the OpenID Connect Token (retrieved from Cognito's GetOpenIdTokenForDeveloperIdentity call by your backend and delivered to the mobile app in the response to the authentication request) to call Cognito's GetCredentialsForIdentity. When using Facebook, you can just pass in the Facebook access token instead of the OpenID Token. Either way, by using this flow, you'll be able to use the "standard" Cognito to get AWS credentials to the app as shown for iOS, Android, JavaScript, Unity, and Xamarin in the Getting Credentials topic.
With that said, you can indeed get the AWS Credentials on behalf of the user from your backend and push them down to the client, but just keep in mind that all of the AWS Mobile SDK examples will assume you're using Cognito as shown in the Getting Credentials topic above, so you'll have to take that into account. If you want to see an example of routing credentials through your own backend, see the API Gateway Secure Pet Store sample (backend code, client code)
I wrote the NodeJS and Cordova Cognito tutorials from BackSpace Academy you are referencing. The tutorials were designed at the time to give much needed guidance on implementing Cognito. Notwithstanding this, Cognito is not always the most suitable solution (KISS principle).
I think you may be over complicating your solution:
You don't need Cognito to securely access S3 from Browser or Server.
A federated user (oauth/Facebook) can access S3 directly from
browser or through your NodeJS app.
If you don't need the Cognito key value data store then just use
a federated user on the browser side. Is a NodeJS server actually required?
If you can do everything from the client you don't need a NodeJs
server.
I would suggest you consider doing everything on the client side with a federated user. This is detailed in the AWS browser SDK docs under "Configuring Web Identity Federation in the Browser".
CAUTION! NEVER PUT YOUR AWS CREDENTIALS IN YOUR CODE, INCLUDING SERVER SIDE. Always use a federated user (oauth) on the browser side and on server side create an IAM role for your EC2 instance to connect to an S3 endpoint at your VPC. For some stupid reason the AWS S3 browser example hard codes credentials.
I am developing REST API Server in Node.js and it is almost Ready. Now I am trying to implement Authentication to API server. I decided to use OAuth2 for this. I think I will be Using grant type password, as most of the Apps that will use my service will be under my control.
There are some modules available https://github.com/jaredhanson/oauth2orize, I am confused on storing access token for the authorised users and mantaining sessions. As this is REST server do i need to mantain the Session, Or should i just store active tokens and related users to db and check for each request if they are valid or not?