Is there any way using the SDK to enable the Cognito User Pool as an identity provider for an app client? We'd like to automate this process with the JS SDK but it doesn't look like an option in the reference docs. We've only been able to do this so far in the AWS console.
Yeah you can use the following key
SupportedIdentityProviders
it takes an array, for example.
await cognito.updateUserPoolClient({
ClientId: webclientId,
SupportedIdentityProviders: [
'COGNITO'
],
AllowedOAuthFlows: ['code'],
AllowedOAuthFlowsUserPoolClient: true,
AllowedOAuthScopes: ['email', 'openid', 'profile'],
CallbackURLs: ['http://localhost:3000/signout'],
LogoutURLs: ['http://localhost:3000/auth'],
RefreshTokenValidity: 1
}).promise();
Related
I have an node application deployed in GCP.
The application includes code to access ressources in AWS-cloud.
For this purpose it uses the aws-SDK with ChainableTemporaryCredentials.
The relevant code lines are...
const credentials = new ChainableTemporaryCredentials({
params: {
RoleArn: `arn:aws:iam::${this.accountId}:role/${this.targetRoleName}`,
RoleSessionName: this.targetRoleName,
},
masterCredentials: new WebIdentityCredentials({
RoleArn: `arn:aws:iam::${this.proxyAccountId}:role/${this.proxyRoleName}`,
RoleSessionName: this.proxyRoleName,
WebIdentityToken: token,
}),
})
await credentials.getPromise()
The WebIdentityToken was received from google and looks good.
At AWS-side I created an proxy-role (the line from masterCredentials RoleArn).
However at runtime I get the error:
Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
I do not understand this error. Because my application runs in GCP and I use temporary credentials I do not understand why I should use aws-credentials in form of an credentials file or environment variables like AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY. I thought the idea to use ChainableTemporaryCredentials is NOT to have direct aws-credentials. Right?
You can see the public code at:
https://github.com/cloud-carbon-footprint/cloud-carbon-footprint/blob/trunk/packages/aws/src/application/GCPCredentials.ts
and documentation regarding env-variables at:
https://www.cloudcarbonfootprint.org/docs/configurations-glossary/
Any help which leads to understanding of this error message is welcome.
Thomas
Solved it. "Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1 was totally misleading." In reality it was a problem with the field-names in the GCP-JWT-token und the policy in aws. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_aud
I have AWS Cognito based auth implementation on a Node App (Server-side, not using Amplify.
I have been using adminInitiateAuth with AuthFlow ADMIN_NO_SRP_AUTH and it gives SOFTWARE_TOKEN_MFA in ChallengeName for MFA which is working well.
Now I need remember/trust this device functionality.
For that, once I send DEVICE_KEY in adminInitiateAuth, I get DEVICE_SRP_AUTH as challenge.
I have tried using adminRespondToAuthChallenge
adminRespondToAuthChallenge({
ClientId: clientId,
UserPoolId: UserPoolId,
ChallengeName: 'DEVICE_SRP_AUTH',
ChallengeResponses: {
PASSWORD_VERIFIER: "PasswordVerifier-used-when-doing-confirmDevice",
USERNAME: "user-id-for-srp",
DEVICE_KEY: "device-key"
}
})
I get SRP_A is required error message. I am not quite sure how to get SRP_A in there and now I am not sure it it is even right way to do remember this device functionality
I was hoping if I get through this, it will skip MFA and give me auth tokens that I need.
Can anyone guide me through this.
I am trying to setup S3QL with Object Storage GE and there seems to be only one piece of information missing.
I successfully installed S3QL thanks to this pretty good tutorial: https://dmsimard.com/2014/09/29/s3ql-a-filesystem-over-http-with-swift/
Now I am stuck when trying to mount an object-container 'test' that I created in region 'Lannion2'.
The URL-syntax requires a 'region' to be defined (swiftks://<hostname>[:<port>]/<region>:<container>) but I have no clue how this maps to the fiware-stack. When trying the following command, s3ql seems to succeed in connecting and authenticating with Keystone but cannot find the region.
mkfs.s3ql swiftks://cloud.lab.fiware.org:4730/Lannion2:test --backend-options no-ssl
Enter backend login:
Enter backend passphrase:
Results in:
No accessible object storage service found in region Lannion2 (available regions: )
Unfortunately no available regions are listed in the response. Authentication works correctly as mistyping login or passphrase results in an authentication-error.
Is there any documentation about the naming of regions in keystone/fiware cloud?
Authenticate to keystone via:
Post http://cloud.lab.fi-ware.org:4730/v2.0/tokens with Content-type application/json and Body: {"auth": {"passwordCredentials":
{"username": "", "password": ""}, "tenantId":"***"}}
In the response, you should receive a list of endpoints, including a swift endpoint. There should be an entry there that looks like:
{"adminURL": "", "region": "Lannion2", "internalURL": ":8080/v1/AUTH_", "id": "", "publicURL": "/v1/AUTH_"}
The question pertains to the level of integration of Wirecloud into IDM and Object Storage, when it comes to getting access to shared Containers. Specifically, from a private WC instance running on FI-LAB and having integrated with FI-LAB IDM using the url http://cloud.lab.fi-ware.org/keystone/v2.0 as a keystone endpoint, I seem to be unable to retrieve all the available tenants from IDM (i just get a single one, being the user logged into from WC - say TENANT-B):
{"tenants":[{"enabled":true,"id":"0000000000000000000000000000EFGH","name":"TENANT-B"}]}
Of course, i can see that when logging into FI-LAB from the portal, the answer i get when calling http://cloud.lab.fi-ware.org/keystone/v2.0/tenants is correct:
{"tenants":[{"enabled":true,"id":"0000000000000000000000000000ABCD","name":"TENANT-A"},{"enabled":true,"id":"0000000000000000000000000000EFGH","name":"TENANT-B"}]}
I am trying to get the tenants using the keystone.getTenant({... options ...}) call:
keystone = new KeystoneAPI(keystone_url, {
use_user_fiware_token : true
});
keystone.getTenants({
onSuccess : onGetTenants,
onFailure : function() {
alert("Could not get a valid tenant list");
}
});
Is multitenancy not supported natively on WC or am I missing something?
Seems to be working now, take into account that the IdM and the Open Stack integration has changed.
I need to get the currently opened tabs of a Google Chrome user in my Java application (not on the same machine). Chrome sync is enabled so the current tabs are synced with Google servers.
According to the documentation of Chrome sync it is done via XMPP. So I guess it should be possible to connect to the Google XMPP server (xmpp.google.com), e.g. via Smack (Java library for XMPP), authenticate and listen for protobuf messages that indicate a tab session change.
Of course the login credentials of the user or the "client_id" Chrome uses to identify clients are available.
But I'm having a hard time getting behind the authentication method that is used to connect to the XMPP server – I can't figure out how it's done in the Chromium source code and there's no documentation available besides the very low-level comments in the code.
The libjingle library Google uses for it's XMPP based services is only available for C++ and not well maintained/documented.
So is there anyone who has done something like that before and who can give any advice/hints on how the authentication process works?
I'm not sure chrome sync uses xmpp, at least on the level when it has to exchange info with client. It uses 'protocol buffers' Google technology. The protocol is given by using .proto protocol description files and you can convert it to your language's objects by using special compiler.
The sync server seems to rest at https://clients4.google.com/chrome-sync and client sends POST requests with the binary body where typed ClientToServerMessage message is placed.
Here's the output from when first connecting to sync server.
The first output Python object is a pprint of 'environ' WSGI variable where HTTP headers are placed too. The second object (after '====' ) is actual protocol message.
{'CONTENT_LENGTH': '54',
'CONTENT_TYPE': 'application/octet-stream',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT_CHARSET': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
'HTTP_ACCEPT_ENCODING': 'gzip,deflate,sdch',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8',
'HTTP_AUTHORIZATION': 'GoogleLogin auth=MKhiqZsdz2RV4WrUJzPltxc2smTMcRnlfPALTOpf-Xdy9vsp6yUpS5cGuND0awqrYVUK4lhOJlh6OMsg093eBRghGGIgvWUTzU8PUvquy_c8Xn4sRiz_3tVJcke5eXi3q4qFDa6iVuEbT_0QhyPOjIQyeDOKRpZzMR3rpHsAs0ptFiTtUeTHsoIeUFT9nZPYzkET4-yHbDAp45_dxWdb-U6DPg24',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_HOST': 'localhost:8080',
'HTTP_USER_AGENT': 'Chrome MAC 0.4.21.6 (130497)-devel',
'PATH_INFO': '/chrome-sync/dev/command/',
'QUERY_STRING': 'client_id=SOME_SPECIAL_STRING',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_PORT': '59031',
'REQUEST_METHOD': 'POST',
'SCRIPT_NAME': '',
'SERVER_NAME': 'vian-bizon.local',
'SERVER_PORT': '8080',
'SERVER_PROTOCOL': 'HTTP/1.0',
'SERVER_SOFTWARE': 'gevent/1.0 Python/2.6',
'wsgi.errors': <open file '<stderr>', mode 'w' at 0x100416140>,
'wsgi.input': <gevent.pywsgi.Input object at 0x102a04250>,
'wsgi.multiprocess': False,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'https',
'wsgi.version': (1, 0)}
'==================================='
share: "MY_EMAIL_WAS_HERE#gmail.com"
protocol_version: 30
message_contents: GET_UPDATES
get_updates {
caller_info {
source: NEW_CLIENT
notifications_enabled: false
}
fetch_folders: true
from_progress_marker {
data_type_id: 47745
token: ""
notification_hint: ""
}
}
debug_info {
events {
type: INITIALIZATION_COMPLETE
}
events_dropped: false
}
This happens for OAuth based authentication. You can see the OAuth token in HTTP_AUTHORIZATION field. The OAuth token is given to you when you interact with HTML dialog 'Google Account Login'. I'm not sure but seems like the API to get an access token for Google services is available publicly.
If you are looking for XMPP auth instead, please see the description of X-GOOGLE-TOKEN auth mechanism here:
Authenticate to Google Talk (XMPP, Smack) using an authToken
For the X-OAUTH2 authorization, you can access the info here: https://developers.google.com/talk/jep_extensions/oauth
And a sample here: http://pits.googlecode.com/svn/trunk/xmpp.c
Note that you can add XMPP stream flow to the Chrome log files populated on each run of the browser - chrome_debug.log. To enable this, run Chrome with following options: --enable-logging --v=2