AWS Cognito

Two types of pools #

  • User pool - a user directory (sign-up, sign-in, MFA) that issues ID, access and refresh JWTs. User pools can have a hosted UI.
  • Identity pool - exchanges tokens from an identity provider (a user pool, or Google, SAML, OIDC, etc.) for temporary AWS credentials via STS, so Cognito-authenticated users can call AWS resources (like S3, SQS etc.) directly.

Identity provider roles #

https://bobbyhadz.com/blog/aws-cdk-cognito-identity-pool-example

To enable user pool groups with different IAM permissions per user group #

Each user pool group can carry an IAM role (the group's RoleArn). That role's trust policy must allow the federated principal cognito-identity.amazonaws.com to assume it with sts:AssumeRoleWithWebIdentity, and it should be conditioned on the identity pool ID (cognito-identity.amazonaws.com:aud) and on authenticated identities (cognito-identity.amazonaws.com:amr); a trust policy without the aud condition can be assumed through any identity pool in any AWS account. The identity pool's role resolution must also be set to "Choose role from token", so it honours the cognito:preferred_role claim of the ID token (the role of the user's group with the lowest precedence value); with the default "Use default authenticated role" setting the group's role is ignored.

import { aws_iam } from 'aws-cdk-lib';

// identityPool is an aws_cognito.CfnIdentityPool defined elsewhere in the stack.
// The aud/amr conditions limit who may assume the role to authenticated identities
// of this pool; without them any identity pool in any account could assume it.
const s3ListRole = new aws_iam.Role(this, 'Role', {
    assumedBy: new aws_iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPool.ref },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
    }, 'sts:AssumeRoleWithWebIdentity'),
    description: 'Role for testing iam groups',
});
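The trust policy the role above ends up with, and a check for the two conditions that are easy to forget, as an added example (not code from the page or from AWS). The identity pool ID is constructed; a real one has the form `<region>:<uuid>`. The audit function reads the JSON that CloudFormation or `aws iam get-role` returns for the role.

```javascript
// Added example (not from the page or AWS): the trust policy a Cognito
// identity-pool role should carry, and an audit of the conditions whose
// absence lets any identity pool, in any account, assume the role.

// Constructed identity pool ID; a real one is "<region>:<uuid>".
const IDENTITY_POOL_ID = 'eu-west-1:00000000-0000-0000-0000-000000000000';

function cognitoTrustPolicy(identityPoolId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        // Only credentials issued for this identity pool...
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPoolId },
        // ...and only for authenticated (not guest) identities.
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
      },
    }],
  };
}

// A trust policy with no Condition block, as FederatedPrincipal produces when given none.
const UNSCOPED_TRUST_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: 'cognito-identity.amazonaws.com' },
    Action: 'sts:AssumeRoleWithWebIdentity',
  }],
};

// Returns one finding per missing condition; an empty array means every Allow
// statement that trusts cognito-identity.amazonaws.com is scoped.
function auditCognitoTrust(policy) {
  const findings = [];
  [].concat(policy.Statement).forEach((st, i) => {
    const federated = [].concat(st.Principal?.Federated ?? []);
    if (st.Effect !== 'Allow' || !federated.includes('cognito-identity.amazonaws.com')) return;
    // IAM condition keys are case-insensitive; flatten them across all operators.
    const keys = Object.values(st.Condition ?? {})
      .flatMap((m) => Object.keys(m).map((k) => k.toLowerCase()));
    if (!keys.includes('cognito-identity.amazonaws.com:aud')) {
      findings.push(`statement ${i}: no aud condition, any identity pool can assume this role`);
    }
    if (!keys.includes('cognito-identity.amazonaws.com:amr')) {
      findings.push(`statement ${i}: no amr condition, guest and authenticated identities are not distinguished`);
    }
  });
  return findings;
}
```

Run `auditCognitoTrust` over every role whose trust policy names cognito-identity.amazonaws.com; a role that passes can still be over-privileged, so its permissions policy needs its own review.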

To reset a new user’s password that is in “Force change password” state #

aws cognito-idp admin-set-user-password --user-pool-id <> --username <> --password <> --permanent --region <>

Without --permanent the password is treated as temporary and the user stays in FORCE_CHANGE_PASSWORD.

OAuth 2.0 grant types #

from https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html

  • Authorization code grant: use it when there is a back-end (or a PKCE-capable public client) to exchange the authorization code for user pool tokens at the token endpoint; only the short-lived code travels through the browser, and a refresh token is issued.
  • Implicit grant: Cognito returns the user pool JSON web tokens (JWT) directly in the redirect URL fragment. You can use this flow when there is no backend to exchange an authorization code, and it is helpful for debugging tokens, but the tokens land in browser history and no refresh token is issued, so prefer authorization code with PKCE for production single-page apps.

Understanding Amazon Cognito user pool OAuth 2.0 grants #

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

OAuth scopes #

OAuth scopes are sets of attributes that the OAuth client requests at the authorize endpoint. openid is required to receive an ID token at all; the email scope asks the IdP to return the email and email_verified claims; profile returns the remaining standard attributes. A scope that is not enabled on the app client is rejected.

Token claims #

Claims are the attributes the IdP returns to the client inside the JWT. In Cognito the ID token carries the user attributes (email, email_verified, ...) plus cognito:username, cognito:groups, cognito:roles and cognito:preferred_role; the access token carries scope, client_id, username and cognito:groups but not the user attributes. A backend must verify the signature (JWKS at {iss}/.well-known/jwks.json), iss, aud (ID token) or client_id (access token), token_use and exp before trusting any claim.

S3 bucket calls through Cognito clients #

When the browser calls the S3 API with credentials obtained through an identity pool, the bucket needs a CORS configuration that allows the app's origin, the methods used, and the headers the SDK signs (Authorization, x-amz-date, x-amz-security-token, ...); otherwise the preflight fails before the request is ever authorized. CORS only governs what the browser lets the page do; access control still comes from the IAM policy on the identity pool role (for example, scoping object keys to ${cognito-identity.amazonaws.com:sub}).
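The CORS rule such a bucket needs, beside one that looks open but rejects the SDK's preflight, with the matching S3 applies reproduced so it can be tried offline. This is an added example (not code from the page or from AWS); the origin is constructed, and the preflight header list is the typical one the AWS SDK for JavaScript sends for a signed PutObject with temporary credentials.

```javascript
// Added example (not from the page or AWS): the S3 CORS rule a browser client
// signing requests with identity-pool credentials needs, a rule that looks
// permissive but fails the SDK's preflight, and the matching S3 applies.

// Constructed origin; use your app's exact scheme and host.
const S3_CORS = {
  CORSRules: [{
    AllowedOrigins: ['https://app.example.com'],
    AllowedMethods: ['GET', 'PUT', 'HEAD'],
    // Signed SDK requests carry these; preflight fails unless each one matches.
    AllowedHeaders: ['authorization', 'content-type', 'x-amz-*', 'amz-sdk-*'],
    ExposeHeaders: ['ETag', 'x-amz-request-id'], // otherwise the SDK cannot read them in the browser
    MaxAgeSeconds: 3000,
  }],
};

// Any origin, yet the SDK's preflight is refused: x-amz-date etc. match no AllowedHeader.
const TOO_NARROW_CORS = {
  CORSRules: [{ AllowedOrigins: ['*'], AllowedMethods: ['GET', 'PUT'], AllowedHeaders: ['content-type'] }],
};

// Headers the AWS SDK for JavaScript typically lists in Access-Control-Request-Headers
// for a signed PutObject with temporary (identity pool) credentials.
const SDK_PUT_PREFLIGHT = {
  origin: 'https://app.example.com',
  method: 'PUT',
  requestHeaders: ['authorization', 'content-type', 'x-amz-content-sha256', 'x-amz-date',
    'x-amz-security-token', 'x-amz-user-agent', 'amz-sdk-invocation-id', 'amz-sdk-request'],
};

// S3 allows at most one '*' in an AllowedOrigin or AllowedHeader value.
function matchesPattern(value, pattern) {
  const star = pattern.indexOf('*');
  if (star < 0) return value === pattern;
  const head = pattern.slice(0, star);
  const tail = pattern.slice(star + 1);
  return value.length >= head.length + tail.length && value.startsWith(head) && value.endsWith(tail);
}

// The three checks S3 documents for a CORS preflight: Origin matches an AllowedOrigin,
// the requested method is an AllowedMethod, and every Access-Control-Request-Headers
// entry matches an AllowedHeader (header names compared case-insensitively).
function preflightAllowed(config, { origin, method, requestHeaders = [] }) {
  return config.CORSRules.some((rule) =>
    rule.AllowedOrigins.some((o) => matchesPattern(origin, o)) &&
    rule.AllowedMethods.includes(method) &&
    requestHeaders.every((h) =>
      (rule.AllowedHeaders ?? []).some((p) => matchesPattern(h.toLowerCase(), p.toLowerCase()))));
}
```

Apply `S3_CORS` with `aws s3api put-bucket-cors` or the CDK bucket `cors` property. Exact origins rather than `*` keep other sites from driving the bucket through a victim's browser session, but the authorization decision still rests on the identity pool role's IAM policy.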