Cognito Developer Authenticated Identities with Node - node.js

I'm trying to create a login system with Node as the backend/web service for the app, also with an iOS app. I'm trying to use Amazon Cognito to do this, but I can't figure out how to register/authenticate users from either end. The only tutorials I've been able to find use Facebook login, which don't help me.
Edit: I have unauthenticated identities working somewhat, but I'm still clueless as to the authenticated developer identities.

While I understand you are looking specifically for a Node sample, we do have a full end-to-end sample with a Java backend and iOS and Android clients.
The clients also handle transition from unauthenticated to authenticated, linking multiple logins with your developer identity and more. Hopefully this will help fill the gaps you have. If not, please let us know what we can do to improve.

Related

DialogFlow Authenticating with external application/API

We are prototyping in dialogflow which is going well but I have what is more of a strategic question. Our app will interact with APIs in a third party system that requires user/password credentials, I am wondering if anyone can recommend an appropriate approach.
For example when I start the app in Google Assistant it knows who I am from my google account, this account however has no authorization for the target system - it needs an ID / password. I can prompt the user for these and they can type/say the values with which we can connect but this prompts more questions:
Is this secure? Clearly speaking my password isn't a great plan.
If this approach is reasonable is there a way to save my credentials within the app so that I don't have to enter them next time?
Are there other approaches to remote authentication you'd recommend? I have searched around but so far without any success.
Any tips would be much appreciated.
Chris.
Google provides build in authentication options for Google Assistant. Have a look at the documentation. If you wish to connect your Google Assistant app to your own login you want to have a look at the 0Auth or Google Sign-in + OAuth options. Depending on your requirements, one might be a better fit.
Accountlinking is a build in solution, if you implement this you will have done it in a secure way and it is integrated with the users Google Account, so when they come back into your app they won't have to enter any credentials again.

Ability for Admin to Link Social Media to a User's Account

I'm faced with the current dilemma. My application flow is as follows:
Admin logs in
Has to select a list of clients
The selected Client data is then loaded in
Admin should now be able to Link Facebook, for example, to that
client's account with their credentials on a click of a button. Same
would apply for other social media accounts that the user has. The
reason that's important is the app then goes and fetches data from
their social media, such as Facebook Insights.
Is there a way I could achieve is ? I was thinking maybe Auth0 but I had a look on their documentation and it seems I could do it but only if Admin was the one linking his own social media account to his account. Can't really see a way where he could link other accounts to the Client's account currently selected.
I'm working with a React-Redux, Express and MongoDB app.
Even a push in the direct direction would be greatly appreciated.
This is certainly achievable using Auth0 - take a look at the Link Accounts API (User) - you want to use the second option using an API v2 token
See sample here that illustrates how this might work using Node.js.
You could possibly rework this to your technology stack pretty easily. Since you are using a Management Token you'd want that to remain server side (Express) and the react/redux app could make ajax calls via the Express Server side component - which in turn calls out to the Auth0 endpoint to perform the user search / linking actions.

User Auth - oAuth questions

I have in the past done a hand rolled app that stores a user token on client side $window.sessionStorage.
I have since then realized this is not safe. I am now looking for the most safe, standard way to secure an app that uses a node/express backend api that I will make, and also uses a front end that makes requests to this api such as angular for web or a native mobile app. Plus, whenever I would close the browser, I would have to re-log in because the $window's session storage was wiped out.
From what I've researched thus far, one of the safest ways to date if you're going to handroll it is to store a jwt in an http only secure cookie.
However, I'd kind of like to use a service that already exists, such as oAuth. Couple questions:
1) How safe is oAuth in terms of keeping ownershp of your userbase? What if 3 years from now oAuth just suddenly or slowly dies out? Aren't all my users technically stored on their server? How would I keep my users native to my app?
2) If I'm going to be creating a startup app in the same realm as snapchat, twitter, tumblr, etc... would it be generally recommended to use a service like oAuth to handle my authentication? Of course the future is unknown, but assuming the best, that my app would reach millions of users, would using a service like oAuth still be a smart choice? It seems like once you start using oAuth, there's never any going back to storing your users in your own database a year or two down the road.
Thanks
OAuth is an open standard for authorization.
Maybe you're thinking about Auth0. There are a lot of services that can handle user authorization for you, including Auth0, Stormpath, Apigee, UserApp, AuthRocket or Amazon Cognito. Whichever you choose, make sure that you can get the database from them in case you want to stop using their service. Not everyone explicitly offers an easy way to leave them but if that's important for you then make sure who suits your needs and who doesn't, and base your decision on that.
As for OAuth, see the https://en.wikipedia.org/wiki/OAuth article.
There's a huge list of OAuth providers on Wikipedia but those are services like Twitter, Google or Facebook. In a way you can use one of those services to manage all your logins but as soon as they see you as their competition, you're in trouble. I've heard stories like that.
Some interesting read on the subject:
The dangers of OAuth/Social Login
Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
OpenID Vulnerability report: Data confusion
Social Login Setups – The Good, the Bad and the Ugly

using OAuth in node application

I am developing an application which is only going to be required to be used by a few people within the organisation. It is being developed using Yeoman and expressJS.
What i need to do is only authenticate a few users to use their google accounts as they require access to google calendars etc which they currently share within their organisation. The only difference is that it will be used within the application.
The users will need to login but trying to find out how i can use their google accounts to login and colloborate?
I only want to limit it to certain users.
Hope someone can assist.
Regards
Passport.js is a popular choice of authentication/authorisation library. You can easily integrate it with express. It has a strategy for google account using OAuth as passport-google-oauth.
I have never used it, but it seems very straightforward.
If you have ever used the google API the examples seem easy to understand.
https://github.com/google/google-api-nodejs-client/

What's the right way for mobile app to authenticate google credentials?

3rd party mobile app wants my google credentials, bad. but do they have an alternative?
I know about OAuth and I know that on the web, apps/websites are already ask users to login to their facebook/google/twitter/OID account and just get a token for authentication.
My question is:
1. Can mobile apps do the same (Android, WP7 specifically)
2. If the app is a RSS reader that wants to be the Google reader app (since three is no google app for WP7, a 3rd party made such an app). Can that app function as my google reader on the phone without me giving it my usrname/pswd?
It just seems way to risky to give away my google credentials to a random 3rd party app...
There are some attempts to use OAuth. Twitter has XAuth (I forget how broken it is, and it might still be in beta). There's also Facebook Connect. They're all broken.
There are two main problems:
There's no trusted UI except the web browser (and it's not hard to write a similar-looking "fake browser"). Involving the web browser is clunky, and I'm not sure the browser can launch apps on Android.
There's no accountability, because any app can pretend to be any other app. Any secrets you embed in the app aren't going to be that secret. (I personally think this is more of a UI issue.)
I can think of one half-decent solution: Have an official Google Account app. On Android, you launch it as an activity and it gives you an auth token when it finishes. On iOS, you'd do the same thing with URLs. I'm not sure how it'd works on WP7 or BB.
This solves the first problem because the user is expected to be already logged in, and the second problem because you're generally provided with some identifier of the app that started you. (Well, it solves the problem for users who don't enter their password into random apps.)

Resources