AWS Cognito - invite user from browser application (adminCreateUser) - javascript

In AWS cognito there is an option in admin panel to create a new user by sending him an invitation with temporary password. It works good, but I need to implement exactly the same feature inside my application (react spa).
I am using aws-amplify-js but I can't see there any method which do that. In aws-sdk documentation I see adminCreateUser what is a function I need, but it requires developer credentials so I suppose I shouldn't use it in browser.
Any ideas how to implement this feature in proper way?

You can create a lambda and API endpoint to send the invitation. Of course, you should protect the API endpoint access using custom authorization to prevent non-authorized users to call this endpoint.
Visit the following for more info about the SDK:
https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#adminCreateUser-property

Related

How to authenticate as Google service account without a client library but only with HTTP Post?

I want to trigger my Cloud Function via HTTP but also authenticated with IAM and a service account auth0-hook I created therefore.
I generated a private key like this:
gcloud iam service-accounts keys create ~/.gcp-keys/auth0-hook-sa.key.json --iam-account=auth0-hooks#my-platform.iam.gserviceaccount.com
and applied this service-account to my cloud function.
On the outside - in the Auth0 Hook code - I know need to fetch the credentials first and send the fetched token with the POST request to the Cloud Function endpoint.
My problem here is that I can not use any of the Google Auth client libraries (Node.js in this case) because Auth0 Hooks can not import any fancy libraries as it seems.
I am hereby stuck with only using var request = require('request#2.56.0'); to make this all work.
I'd like to ask how I can manage this? There is some authentication service I can call right? But what is the API for that one? In the docs I could not find the manual way but only the client library documentations.
I am hereby stuck with only using var request =
require('request#2.56.0'); to make this all work. I'd like to ask how
I can manage this? There is some authentication service I can call
right?
Google does not provide a simple HTTP endpoint that you can call. If you think thru the process, you need the authorization to call an endpoint that generates authorization credentials. Chicken and Egg situation.
Google does not yet accept Auth0 credentials at an endpoint to exchange for Google credentials. However, keep reading for more information about Workload Identity Federation, which can/might provide that ability eventually.
There is no simple answer for your goal of creating an Auth0 hook that can generate a Google Access or Identity Token. Below are details to help understand what is possible.
To go from a Google Cloud service account JSON key file to an Access Token requires libraries also. The process is to create a JWT, sign the JWT, exchange the JWT for an access token. I wrote an article that shows how to do this in Python. The process for Node.js is similar. Your issue is that the process is too complicated for an Auth0 hook.
Google Cloud – Creating OAuth Access Tokens for REST API Calls
Google has recently introduced Google Workload Identity Federation which supports exchanging OIDC tokens for a Google OAuth access token via federation and service account impersonation. The process is just a series of HTTP method calls. I am authoring several articles on how to do this, but I am not finished at this time.
Accessing resources from an OIDC identity provider
One possibility is to create another Cloud Function or Cloud Run service that you can call in a single HTTP GET that creates the tokens for you. That way you can use Google Client libraries. Your Function/Run code would receive an HTTP GET request, interface with the client libraries to create the access token and return the token as the HTTP GET response.
However, that creates the Chicken and Egg situation. You need to authorize the request to the Function/Run code to get an access token.
You may want to change strategies and instead disable Cloud Functions authorization and verify the Auth0 Identity Token within your code and skip Google-based authorization.
Auth0: Validate ID Tokens
Auth0: Validate JSON Web Tokens
Pay attention to whatever process you choose as getting authorization correct and secure is not easy.
Note: Your question states "I want to trigger my Cloud Function via HTTP". I am not sure what method you plan to use. If you are using Cloud Functions Authorization, that requires an OAuth Identity Token. That adds more steps to the process. I have not figured out how to do that with Workload Identity Federation, but the Functions/Run code can easily handle that for you.
In summary, Cloud Functions are intended for small, light-weight code in a serverless framework. Once you add authorization, complexity grows. Provided you stick with Google Cloud authorization, everything is easy. Once you try to go from one identity system (Auth0) to another (Google Cloud IAM) the complexity jumps dramatically.

AWS Cognito Health Check

I have an NodeJs application that uses Cognito to manage the users and auth operations (design choice).
I am using 'amazon-cognito-identity-js' to communicate with Cognito but i'm having some trouble in making a simple health check api.
Since Cognito doesn't provide any API for that i thought of making a test user, pass the credentials to my app via env vars and try to login. If the result was a success it means that cognito is up and running.
Before i implement my solution i wanted to ask if there may be a better alternative to check if cognito is working.
You can subscribe to events from the Health Service in CloudWatch Event Rules. You can then either send an email, SMS or even trigger lambda to perform an action if Cognito service is down.
The solution to this was quite simple. I just needed to check if i can reach Cognito's GET /login endpoint.
You can find the documentation about the endpoint here

Gmail JS API - OAuth2 Error invalid_scope

I am new to GMail JS API and I was trying to read gmail emails using Javascript according to the quickstart tutorial given explained on below link
https://developers.google.com/gmail/api/quickstart/js
I have followed all the instructions given on the page but I am getting below
error
did I miss something???
Please help me resolve this error
Thanks in advance!!!
You may refer with this thread. Make sure that you are authenticated to the API properly.
To do this, there are two ways:
use OAuth - the Server redirects the user to google's servers, where they can login, grant permission to your app, and pass a token back to
you
Service Accounts. These are a little bit more complicated:
First, you'll have to setup an app (done)
second, you'll have to setup a service account. This is how your app authenticates to google. you've done that, and the certificate
you've got contains the private key to authenticate
third, the user needs to grant your application access to act on behalf of them. This is the point you haven't done yet.
Also, as stated here, certain scopes simply aren't supported for the oauth2 for devices flow.
Additional references:
Invalid scope error when trying to access gmail api
You may refer with this thread.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
This blog about how to fix this error might be also helpful.
OAuth invalid scope

How to authenticate SharePoint Online(Office 365) from desktop

I am creating a JavaScript app which runs in browser of the desktop user, I need to display some data from SharePoint Online site, how do I authenticate and get display data in the App?
What kind of data did you want to display? As far as I know, we can query the data from SharePoint online using Microsoft Graph API. To use this API, we need to register the app first and in this scenario, we can register a client app(refer to here).
Then we can use the ADAL.JS to authenticate the application. For a sample demonstrating basic usage of ADAL JS please refer to this repo.
And if you were developing an SPA app, we can use the OAuth 2.0 Implicit Grant protocol to obtain an ID token (id_token) from Azure AD. The token is cached and the client attaches it to the request as the bearer token when making calls to its web API back end.
No you can't do this using JavaScript. You should use the Client Object Model (CSOM) to achieve the same.
If you want to achieve the same please refer the url
https://github.com/nickvdheuvel/O365-ADALJS-examples/blob/master/Authenticate-an-Office-365-user-with-ADAL-JS/Authenticate-an-Office-365-user-with-ADAL-JS.html
Hope this information helps you.

OAuth 2.0 Implicit Grant Type with AngularJS frontend

I'm currently building a frontend client for my own Apigility API.
The API uses OAuth 2.0 Authentication which is working fine.
I want to create an AngularJS Landingpage to let the users authenticate by entering their credentials. Because the Client is created with JavaScript,
I shouldn't save the client_secret in the Client, correct?
I have read a lot of posts, but still haven't the right solution.
Is it correct to use the implicit grant type for this scenario?
This procedure is working, I'm being redirected to the authentication server,
after the client authorization and entering credentials, I get back to the client (authenticated).
But I don't want to get redirected to another authentication page.
Is it also possible to authenticate directly and secure on the angularJS frontend?
Thanks,
Simon
You should take a look at this post i made:
https://stackoverflow.com/a/42443878/2963703
It details how to do this using the Spotify API. Your page won't get redirected, instead a popup window will open in which the user authorizes themselves. Once they're authorized the window will close itself and in your main page you will have the access token you need.

Categories

Resources