amazon web services - Integrating Google Sign-In with AWS Cognito User Pool Without Hosted UI for Multiple Mobile Clients (iOS &

admin管理员组

文章数量:1431435

I'm working on integrating AWS Cognito Auth & Auth in our AWS backend. We have API Gateway where I set up Cognito Authorizer to secure the endpoint using JWT tokens generated from Cognito user pools.

I have the user pool with options for email & phone_number

resource "aws_cognito_user_pool" "sim" {
   ...
   alias_attributes = ["email", "phone_number"]
   ...
   schema, etc..
}

And my cognito authorizer that I use to secure the endpoint

resource "aws_api_gateway_authorizer" "cognito-authorizer" {
  rest_api_id     = data.aws_api_gateway_rest_api.apiGateway.id
  name            = "cognito-authorizer-${terraform.workspace}"
  type            = "COGNITO_USER_POOLS"
  identity_source = "method.request.header.Authorization"
  provider_arns = [
    "${aws_cognito_user_pool.sim.arn}"
  ]

  depends_on = [
    data.aws_api_gateway_rest_api.apiGateway,
    aws_cognito_user_pool.sim
  ]
}

• The cognito provides the authorization for email + pwd, phone + pwd out of the box and it returns the tokens (id_token, access_token, refresh) which I can use to access the endpoint and works well..

Now I struggle with integrating the Google (and later Apple) identity provider.

The clients are mobile apps - both IOS and Android and each have separate client_id.. so I cannot setup the Cognito Google identity provider directly.

Should I then instead use the OpenID connect instead?

I set up the openid connect provider with all the client_ids

resource "aws_iam_openid_connect_provider" "google" {
  url             = ";
  client_id_list  = [
    data.aws_ssm_parameter.google-ios-client-id.value,
    data.aws_ssm_parameter.google-android-client-id.value,
    data.aws_ssm_parameter.google-web-client-id.value
  ]
  thumbprint_list = [data.external.google_thumbprint.result.thumbprint]
}

But I want to treat the users from Google the same way as the users registered using email + pwd . Ideally to have the basic information stored in the user pool - is that possible?

Now I am able to get session token

Sending a request to / with

{
        "IdentityId": "identity-id",
        "Logins": {
            "accounts.google": "google_id_token"
        }
      }

which responds with

{
    "Credentials": {
        "AccessKeyId": "....",
        "Expiration": 1.73194881E9,
        "SecretKey": "....",
        "SessionToken": "..."
    },
    "IdentityId": "identity"
}

But I am really confused how to get id_token and access_token for users coming from google idp which I will be able to use in the authorizer the same way..

The questions are:

• Should I use openID connect for my scenario?
• How do I get access_token and id_token for users coming from google
• I want to store other user related data in a DynamoDB (users table), is that good idea?
• Should I use federated identity for this scenario?

本文标签：