Tagged: Cloud

Getting Cognito Running

THIS POST IS CRAP. WAIT TILL IT IS DONE OR GIVE FEEDBACK TO IMPROVE

Cognito is a collection of pieces useful for authentication. Depending on how you intend to use them, they can be relatively confusing to piece together. In this article I will go through building up an authentication mechanism which provides social logins. Later we will add a Cognito User Pool for local user accounts.

Setting up Google

We are going to create a project in the Google API Developer Console, select the APIs we want to use and grab the credentials.

Create Project

Once the project is created you can go to the API Manager and add all the APIs that you intend to use. We wanted to use the Calendar, Drive and Gmail APIs.

Create Project

The next step is to create credentials. This requires creating an OAuth consent screen with sane information, then creating an OAuth Client ID.

Create OAuth Client ID

Take a copy of the client ID, as it will be used in AWS (Cognito checks that the aud claim of each Google ID token matches it).

Setting up AWS Cognito

In this step we will configure Google as a valid OpenID identity provider and set up the Cognito Identity Pool to accept Google OpenID authentication.

Adding Google to IAM identity providers

If you haven’t done it before, you need to go to IAM and register Google as a valid identity provider using the Identity Providers tab in the dashboard. You then have a “Create Provider” button which gets you to the following:

Create OAuth Client ID

Once this step has been completed, the provider will be visible in the Cognito Identity Pool configuration screen.

Creating a Cognito Identity Pool

This step will configure a Cognito Identity Pool, which is responsible for identifying authenticated and unauthenticated users. If you have previously added the identity provider, then when you go to create the Identity Pool and select OpenID as an authentication mechanism, you will see accounts.google.com as a valid provider option.

Create OAuth Client ID

After this the wizard will guide you through setting up roles for authenticated users and specifying the permissions required.

Creating a test client

The following test client assumes you have the AWS SDK for JavaScript and the Google platform library loaded in the page:

<script src="https://sdk.amazonaws.com/js/aws-sdk-2.5.6.min.js"></script>
<script src="https://apis.google.com/js/platform.js" async defer></script>

<div class="g-signin2" data-onsuccess="googleSignIn"></div>

It also assumes that you are going to transpile the source using Babel (the sign-in handler uses async/await).

async function googleSignIn(googleUser) {

  AWS.config.region = 'us-west-2'
  let CI = new AWS.CognitoIdentity()

  // First step: GetId exchanges the Google ID token for a Cognito identity ID.
  // The Logins map is keyed by the provider name registered in the identity pool.
  let Logins = { 'accounts.google.com': googleUser.getAuthResponse().id_token }
  let IdentityPoolId = '[COGNITO_IDENTITY_POOL_ID]'
  let {IdentityId} = await CI.getId({Logins, IdentityPoolId}).promise()

  // Second step: get temporary AWS credentials for that identity
  let cred = await CI.getCredentialsForIdentity({Logins, IdentityId}).promise()

  // Set up credentials. GetCredentialsForIdentity returns AccessKeyId, SecretKey and
  // SessionToken, which AWS.Credentials takes positionally (passing the raw object did
  // not work because the field names differ). These credentials are temporary: check
  // cred.Credentials.Expiration and run this flow again once they expire.
  AWS.config.credentials = new AWS.Credentials(
    cred.Credentials.AccessKeyId,
    cred.Credentials.SecretKey,
    cred.Credentials.SessionToken)

  // Just for logging (log the identity, not the secret key or session token)
  let profile = googleUser.getBasicProfile();
  console.log('IdentityId: ' + cred.IdentityId);
  console.log('Credentials expire: ' + cred.Credentials.Expiration);
  console.log('ID: ' + profile.getId());
  console.log('Name: ' + profile.getName());
  console.log('Image URL: ' + profile.getImageUrl());
  console.log('Email: ' + profile.getEmail());

  return profile
}
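The handler above fetches credentials once and stores them as a static AWS.Credentials object, which never refreshes itself even though GetCredentialsForIdentity only hands out short-lived keys. The following is an added example (not code from the original post) of a small provider that wraps the same two calls, caches the identity ID, and re-runs GetCredentialsForIdentity shortly before Expiration. The Cognito client is injected so the logic runs offline against a constructed fake; in the browser you would pass new AWS.CognitoIdentity(), whose getId and getCredentialsForIdentity return objects with a .promise() method, and the pool ID placeholder is assumed, not a real value.

```javascript
// Added example: a refreshing credential provider around the two Cognito calls
// (GetId, then GetCredentialsForIdentity). Runs offline with a fake client.

const PROVIDER_NAME = 'accounts.google.com';
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before Expiration

// Cached credentials are usable at time `now` if they expire more than the
// margin in the future. Missing or undated credentials are never fresh.
function isFresh(cached, now) {
  if (!cached || !cached.Expiration) return false;
  return new Date(cached.Expiration).getTime() - now > REFRESH_MARGIN_MS;
}

// GetCredentialsForIdentity uses AccessKeyId/SecretKey/SessionToken; the SDK's
// AWS.config.update() and AWS.Credentials expect accessKeyId/secretAccessKey/sessionToken.
function toSdkCredentials(c) {
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretKey, sessionToken: c.SessionToken };
}

// `client` must expose getId() and getCredentialsForIdentity() returning { promise() }.
// `now` is injectable so the refresh logic can be exercised with a fake clock.
function createCognitoCredentialProvider(client, identityPoolId, now = () => Date.now()) {
  let identityId = null;   // stable for a given Google account, so fetch it once
  let cached = null;       // last Credentials object from Cognito
  const calls = { getId: 0, getCredentialsForIdentity: 0 };

  // idToken is the current Google ID token; the caller passes a fresh one each time,
  // because Cognito re-validates it (issuer and aud) on every GetCredentialsForIdentity.
  async function getCredentials(idToken) {
    if (isFresh(cached, now())) return toSdkCredentials(cached);
    const Logins = { [PROVIDER_NAME]: idToken };
    if (identityId === null) {
      calls.getId += 1;
      const r = await client.getId({ IdentityPoolId: identityPoolId, Logins }).promise();
      identityId = r.IdentityId;
    }
    calls.getCredentialsForIdentity += 1;
    const res = await client.getCredentialsForIdentity({ IdentityId: identityId, Logins }).promise();
    cached = res.Credentials;
    return toSdkCredentials(cached);
  }

  return { getCredentials, stats: () => ({ ...calls, identityId }) };
}

// Constructed fake standing in for AWS.CognitoIdentity: issues one-hour credentials
// stamped with the fake clock so a refresh is visible as a new session token.
function makeFakeCognitoClient(clock) {
  return {
    getId: () => ({
      promise: async () => ({ IdentityId: 'us-west-2:00000000-0000-0000-0000-000000000000' }),
    }),
    getCredentialsForIdentity: ({ IdentityId }) => ({
      promise: async () => ({
        IdentityId,
        Credentials: {
          AccessKeyId: 'ASIAEXAMPLE',
          SecretKey: 'constructed-secret',
          SessionToken: 'token-' + clock(),
          Expiration: new Date(clock() + 3600 * 1000),
        },
      }),
    }),
  };
}

// Walk the fake clock past Expiration to show one cached hit and one refresh.
async function demo() {
  let t = Date.parse('2024-01-01T00:00:00Z');
  const clock = () => t;
  const provider = createCognitoCredentialProvider(
    makeFakeCognitoClient(clock), 'us-west-2:[COGNITO_IDENTITY_POOL_ID]', clock);
  const token = 'constructed-google-id-token';
  const first = await provider.getCredentials(token);
  const second = await provider.getCredentials(token); // served from cache
  t += 2 * 3600 * 1000;                                 // two hours later: expired
  const third = await provider.getCredentials(token);   // new GetCredentialsForIdentity
  return {
    ...provider.stats(),
    reusedCache: first.sessionToken === second.sessionToken,
    refreshed: third.sessionToken !== first.sessionToken,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((s) => console.log(JSON.stringify(s)));
}
```

In the page's handler you would replace the AWS.Credentials line with AWS.config.update(await provider.getCredentials(googleUser.getAuthResponse().id_token)) and call getCredentials again before each batch of AWS requests; the provider only talks to Cognito when the cached keys are within the refresh margin of their Expiration.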

Once this is done you can set up a bucket policy that only grants access to requests signed with Cognito credentials from your identity pool (the aud condition is the identity pool ID) and, further, only to the listed identity IDs (the sub condition):

{
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-wicked-awesome-bucket/*",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-abcd-abcd-abcd-123456790ab",
          "cognito-identity.amazonaws.com:sub": [
            "us-east-1:12345678-1234-1234-1234-123456790ab",
            "us-east-1:98765432-1234-1234-1243-123456790ab"
          ]
        }
      }
    }
  ]
}
