Serverless + cognito hosted page


#1

Hi,
I’m developing a serverless web app and I would like to use the cognito hosted page for signup/login but I cannot understand how to integrate the auth flow.

anyone have experience with the cognito hosted page?


#2

anyone?
I’m currently using auth0 for the auth flow (and hosted page), but I would like to switch to cognito because auth0 is too limited


#3

Hmm, what specific part of the authentication flow are you having trouble with? I believe that giving more details might result in better response :slight_smile:


#4

I’m having issues with starting the auth flow, for example how can I redirect the user to the hosted page with all the required params? I’ve tried to use the auth0 approach but I get an error about invalid params on the hosted page


#5

You want aws-amplify


#6

thank you for the link, but it seems that amplify doesn’t allow cognito hosted page, only client side auth via js


#7

Yes, AWS does not host the auth pages for you, you have to host them yourself. Auth0 is definitely easier, but it is more money.


#8

Cognito provides a hosted page too, here is an example: https://wla.auth.ap-southeast-2.amazoncognito.com/login?response_type=code&client_id=1t80si9ch1voi0bdusm5c9svn&state=00a4715e-13b3-4da3-8553-dcc757d1d544&redirect_uri=wla://signin&scope=openid&code_challenge=CHdOC4yZEQWOg3jZNCTm8b8v8jPnKjizRipIF0ltvr8&code_challenge_method=S256


#9

I forgot about that, User Pools support OAuth, that page is part of the OAuth flow. OAuth is another way to get to your User Pool. Something like Auth0 would use an OAuth flow to access your Cognito User Pool.

I have been using the amazon-cognito-identity-js SDK which is also used in aws-amplify


The SDK uses direct API calls and does not follow the OAuth protocol.

The SDK manages things like exchanging the token for credentials and refreshing the credentials when they expire. If you go the OAuth route you have to implement that yourself.


#10

xzx got me to check this out, there is new support for social logins on Cognito user pools.

I was able to add this, https://www.npmjs.com/package/redux-implicit-oauth2, into a demo react/redux app and get Cognito/Google/Facebook logins going in about an hour. AWS is handling all of the Google/Facebook stuff for you. Downside, only Cognito/Google/Facebook/Amazon.

It automagically made this page for me:

https://digispeaker.auth.us-east-1.amazoncognito.com/login?client_id=71hfsop6tn8sr85kqg088emdkr&redirect_uri=https%3A%2F%2Flocalhost%3A3000%2Fredirect.html&response_type=token&scope=openid%20profile%20email&state=cjanc9fdf0000325kmnz959zq

I’m going to chuck my aws-amplify stuff and switch to this.


#11

this is what I was looking for… but I don’t use redux, do you think this is possible to do the same with aws-amplify ?


#12

Look for packages that support OAuth2. That screen is from an OAuth2 login flow. But… there are only four providers available - User Pool, Google, Facebook, Amazon - and you can’t add anything else.

aws-amplify uses the Cognito javascript SDK and has a different set of APIs, it is not using these pre-built pages. Instead it expects you to write your own pages. For example if you needed to integrate a corporate login you can’t use the pre-built page from the User Pool.

Note - it is possible to combine lots of OAuth2 sources, that is what Auth0 does. But it is a fair amount of work.


#13

so with aws-amplify you cannot do something like auth.login() and the user is redirected to the cognito hosted page? i.e. https://xxxx.auth.us-east-1.amazoncognito.com/login?client_id=&redirect_uri=&response_type=token&scope=openid%20profile%20email&state=


#14

I don’t think so. aws-amplify is building its own UI in react.

I have discovered a problem with that OAuth page generated by the User Pool. With federated logins it is storing the federated ID in the user pool, then when it accesses the federated pool it uses the ID from the user pool. This is in conflict with the mobile app code generated by Mobile Hub. The code from Mobile Hub directly inserts the federated users into the federated pool and does not give them an alias in the user pool. I.e. if you sign on with Google from a browser, and then sign on with Google from a mobile app, they don’t end up as the same user in the federated pool. Of course this is only a problem if your users can switch between app and browser like mine can.

To fix this I can’t use the federated support provided by the user pool. I can still use OAuth with the user pool, I just have to turn off the federation support. Then I have to go back to writing code that directly hits the three different OAuth providers – User Pool, Google, Facebook. Now when I present the token to the federated pool it will be a true Facebook or Google token and not an aliased one from the user pool. These true tokens will match the tokens from the mobile apps.

There is a great deal of the left hand not being coordinated with the right hand going on at Amazon. Often one group doesn’t even know of the existence of another option somewhere else in AWS. User authorization is definitely not handled in a coordinated manner.

Edit: The problem with user pool Social OAuth is that when it gets a token from Google/Facebook it remaps that token into a User Pool token instead of just handing me back the Google/Facebook token. It’s that remapping that breaks the mobile/web portability. Since the token has been remapped, it doesn’t match the unaltered tokens from mobile so the federation pool considers them two different users.


#15

Thanks, @jonsmirl & @xzx

You both saved me a lot of time setting up Cognito.

@jonsmirl

Did you finally work it out with OAuth2 + Cognito? Any code to share with me?


#16

Thanks @jonsmirl! I had configured cognito but for the life of me I couldn’t find out what the autogenerated URL was… but I was able to figure it out from looking at your link. Did the aws console / cognito dashboard provide you with that URL?

Fortunately in my case I only have a web client so this flow should work for me. I had implemented it in JS but I don’t want to handle every use case - renewing passwords or forgotten passwords for example.

There is a great deal of the left hand not being coordinated with the right hand going on at Amazon. Often one group doesn’t even know of the existence of another option somewhere else in AWS. User authorization is definitely not handled in a coordinated manner.

That’s exactly how I feel as well. For example whilst setting up my identity pool, I get to choose that only administrators can create users, which is great. However, if I add social logins / federation, then I can login with Google as a user that was not created by an admin and still get a token back and a successful login… I also can’t seem to set the hosted_domain param in the autogenerated cognito login page, so I might have to just revert to what I had before. Unfortunate, because I was looking to care less about authentication, and have someone else handle it for me! :slight_smile:


#17

AWS docs are assuming you know a decent amount about how OAuth works. You would need to know about endpoints, then if you search on endpoints you can find the doc.

http://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html