
Hello, I'm currently authenticating users through a Cognito user pool. However, I now need to add support for federated authentication through Google as well.

I'm using the AWSCognitoIdentityInteractiveAuthenticationDelegate / AWSCognitoIdentityPasswordAuthentication protocols for authentication, and this works well with our user pool authentication. However, I can't see how I can implement Google in this flow, since the completion expects an AWSCognitoIdentityPasswordAuthenticationDetails(username: **, password: **) object to finish auth.

I did a Google sign-in PoC using AWSGoogleSignIn and AWSSignInDelegate/onLogin to avoid using AWSAuthUI, since I need a local custom UI for at least the username/password UI. But I don't really see how I can retrofit this into the current sign-in.

Does anyone have any tips on how to best support both of these features, and which AWS framework to use instead? I'd rather not rewrite our current implementation if I don't have to, but it seems like I need a more generic authentication implementation.

  • Hey, did you figure something out? – Daniel Birowsky Popeski Nov 26 '18 at 12:07
  • Yes, but only by writing quite a lot of custom solutions, such as writing my own custom AWSIdentityProviderManager and using Google's own API for the Google sign-in. – Daniel Wennberg Nov 27 '18 at 10:43
  • Did you somehow end up creating a Cognito user account with a status of EXTERNAL_PROVIDER? I'm asking this because in order to link accounts with the same email by calling [adminLinkProviderForUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html), I would need to have the social account be of status EXTERNAL_PROVIDER. – Daniel Birowsky Popeski Nov 27 '18 at 10:49
  • Are you talking about linking an external provider to the user pool? I'm not creating any users in the user pool from a Google sign-in. I only use the user pool/Google sign-in to get authentication through Cognito by exchanging the token I get from one of the two (idToken/tokenString) and returning it as the logins map of my AWSIdentityProviderManager class. Any metadata such as name, email, image etc. I get from the original provider (either the pool or Google). – Daniel Wennberg Nov 27 '18 at 12:30
  • If you don't create a Cognito user from the Google Sign-In, how do you create a session for that user (accessToken, idToken, refreshToken)? I don't see AWSIdentityProviderManager as part of the backend API, that's why I wonder. – Daniel Birowsky Popeski Nov 27 '18 at 12:38
  • The Amazon naming for Cognito is terrible. There is the **Cognito user pool** and the **Cognito identity pool**. The identity pool is what actually authenticates you to AWS services. You can use a user pool identity or a federated identity (such as Google) to provide the necessary tokens. – Daniel Wennberg Nov 27 '18 at 15:44
  • AWSIdentityProviderManager has a **logins() -> AWSTask** that is called when auth is needed. I have some custom classes that work as a **CredentialsProviderManager** with all I need to sign in/out, get metadata etc. There I also have the "provider" that was used, which is what supplies the correct token to logins(), e.g. `case .google(let user): guard let token = user.authentication?.idToken else { return nil }; return ["accounts.google.com": token]` – Daniel Wennberg Nov 27 '18 at 15:48
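The approach sketched in the comments above, written out as an added example (not the poster's code): one AWSIdentityProviderManager that hands the identity pool either the user pool ID token or the Google ID token, depending on which provider the user signed in with. The enum, class names and the `<REGION>` / `<USER_POOL_ID>` / `<IDENTITY_POOL_ID>` values are placeholders and assumptions.

```swift
import AWSCore
import AWSCognitoIdentityProvider
import GoogleSignIn

/// Which provider produced the current session (assumed design, not the poster's code).
enum SignedInProvider {
    case userPool(AWSCognitoIdentityUserSession)
    case google(GIDGoogleUser)
}

/// Supplies the logins map the identity pool verifies before issuing AWS credentials.
final class FederatedProviderManager: NSObject, AWSIdentityProviderManager {
    // Placeholder: the identity pool expects the user pool key in this exact form.
    private let userPoolKey = "cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>"
    var current: SignedInProvider?

    private func failure(_ message: String) -> AWSTask<NSDictionary> {
        return AWSTask(error: NSError(domain: "FederatedProviderManager", code: 1,
                                      userInfo: [NSLocalizedDescriptionKey: message]))
    }

    func logins() -> AWSTask<NSDictionary> {
        guard let current = current else { return failure("no signed-in user") }
        switch current {
        case .userPool(let session):
            // The identity pool validates the user pool *ID* token, not the access token.
            guard let token = session.idToken?.tokenString else {
                return failure("user pool session has no id token")
            }
            return AWSTask(result: [userPoolKey: token] as NSDictionary)
        case .google(let user):
            // Google's ID token is what Cognito verifies against accounts.google.com.
            guard let token = user.authentication?.idToken else {
                return failure("google user has no id token")
            }
            return AWSTask(result: ["accounts.google.com": token] as NSDictionary)
        }
    }
}

// Wire the manager into the credentials provider once, at startup.
let providerManager = FederatedProviderManager()
let credentialsProvider = AWSCognitoCredentialsProvider(
    regionType: .USEast1,                  // assumption: adjust to your region
    identityPoolId: "<IDENTITY_POOL_ID>",
    identityProviderManager: providerManager)
AWSServiceManager.default().defaultServiceConfiguration =
    AWSServiceConfiguration(region: .USEast1, credentialsProvider: credentialsProvider)

// On sign-out, or when switching providers, drop the cached identity and credentials
// so the next logins() call is not served from a previous user's cache.
func signOut() {
    providerManager.current = nil
    credentialsProvider.invalidateCachedTemporaryCredentials()
    credentialsProvider.clearKeychain()
}
```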
