Using Cognito User Pools, without Cognito Federated Identities (identity pools)

Backend · Unresolved · 4 · 1522
滥情空心 2021-01-07 09:38

I would like to use only Cognito User Pool, and therefore I want to use identity federation with Cognito User Pools, without Cognito Federated Identities (identity pools).

4 answers
  • 2021-01-07 09:56

    It is possible to have a user pool with Google configured as an identity provider without using Cognito Federated Identities. Cognito has SDKs available for Android, iOS, and JavaScript; you can find them on GitHub (https://github.com/aws/). Can you be more specific about the problem you are running into when trying to do this?

  • 2021-01-07 10:11

    Based on your comment to Summer Guo, here's what it seems like you're having an issue with...

    A lot of details missing here, but if you're using a Cognito Authorizer in your API Gateway, then it doesn't know about any 3rd party IdP -- it just knows about your Cognito User Pool. So sending the CUP JWT will work, while sending anything else won't. If you want to use a Google auth token, then you need to implement a Custom Authorizer that verifies this token with Google.

    I presented on this topic during re:Invent. Here's the video that goes into the details: https://www.youtube.com/watch?v=VZqG7HjT2AQ

  • 2021-01-07 10:15

    If you are using your own Custom UI, you will need to create a button/anchor to redirect to the user.

    This is what I use to create a url (JS Code):

    // Build the Hosted UI authorize URL; the pieces are joined into one string.
    // redirect_uri is URL-encoded so its scheme and path survive as a query value.
    const url = [
      `https://${domain}/oauth2/authorize`,
      `?redirect_uri=${encodeURIComponent(redirectSignIn)}`,
      `&response_type=${responseType}`,
      `&client_id=${userPoolWebClientId}`,
      `&identity_provider=${providerName.toString()}`,
    ].join('');
    

    • providerName is either Facebook/Google
    • responseType is either token/code
    • domain is your domain in the Cognito User Pool config
    • redirectSignIn is your redirect sign-in URL in the Cognito User Pool config

    You will need to call window.location.assign({the url generated above}). When user clicks the button, it will redirect to either Facebook/Google page asking for Account/Permission.

    As far as I know, the Facebook/Google dialog for a custom UI is not yet supported.

    Example code from AWS Amplify

    import { Auth } from 'aws-amplify';
    
    const config = Auth.configure();
    const { 
        domain,  
        redirectSignIn, 
        redirectSignOut,
        responseType } = config.oauth;
    
    const clientId = config.userPoolWebClientId;
    // The url of the Cognito Hosted UI
    const url = 'https://' + domain + '/login?redirect_uri=' + redirectSignIn + '&response_type=' + responseType + '&client_id=' + clientId;
    
    // Launch hosted UI
    window.location.assign(url);
    

    Link: https://aws-amplify.github.io/docs/js/authentication

    Another thing, you can link federated identity to a user pool account. https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminLinkProviderForUser-property

  • 2021-01-07 10:16

    Looks like they only allow User Pool Federation with their own UI/SDK. What I ended up doing for react-native was

    • get facebook token

    • sign up the user into the user pool with a custom attribute to track facebook Id and generic password

    • use the temporary credentials (need to set up IAM for the Cognito user pool; adminMovetoGroup to move the user into the auto-created user pool federated group).

    • create lambda function to auto-confirm the end user.

    This way the user can log in and get credentials using federated identities, but then they also have an account in the event they stop using facebook. They would also need to reset their password.
