We have used com.amazonaws:aws-android-sdk-cognitoidentityprovider:2.6.8 SDK for username and password based login and register flow. Following the approach mentioned here https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-integrating-user-pools-android.html. Sign up and Login Process is working as required.
For Facebook and Google authenticate through federation, We do not want to use the hosted UI for this purpose and are not using federated identities. We had followed this link https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html.
We have setup user pool with an application client and a user pool
domain.
Setup Facebook as a social identity provider.
Added android call back URL to mobile.
First Approach
We look into CognitoSyncDemo Sample application, It was using federated identity so we had to discard it. We are just using federation in userpool.
Second Approach
We have used the webview and load the below URL. The URL takes me directly to Facebook, after authentication, it returns me back to redirect URL with access_token, auth_type, expires in and id_token. But no refresh token.
URL https://yourdomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=redirect_app_path&response_type=code&client_id="client_id"&identity_provider=Facebook
But there is a problem using this approach. I couldn't find a way to push the access token to cognitoUserSession in SDK which is managing a user session. So every time I sign up with Facebook (using webview), there is no session maintain in SDK. Hence I am redirected to login view again. How to ensure the Facebook user is authenticated and signed in by cognitoidentityprovider? How to create user session in SDK when getting access_token and id_token?
Third Approach
We tried to use the Cognito Auth Demo https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo. For this, we have to add another library com.amazonaws:aws-android-sdk-cognitoauth. After clicking on sign in, it used to take us to hosted-ui. After looking into similar IOS project, we made tweaks in android library project (com.amazonaws:aws-android-sdk-cognitoauth for android). We added identity_provider in URI for sign in. It then takes us directly to Facebook on chrome tab. After authentication, it set the session in our application. But it has own authentication object which is AuthSession but previously we were using CogintoUserSession for normal sign up. AuthSession is do not have User Attributes and nor offer any get user details or authentication handlers. If we use this approach, then how to link AuthSession with CognitoUserSession and manage user session in the application?
Summary
In short, We had tired AWS samples, it is taking us to web-based hosted UI. We need to authenticate a user via Facebook to userpool using only federation identity provider. We need to maintain session in Cognito SDK without affecting our username and password based login flow. We want to open Facebook directly or on webview in our application on button click, authenticate the user and maintain session in the application using only Cognito SDK.
To connect to user pool i had included aws-android-sdk-cognitoidentityprovider. But if you need to add social sign up, you need to add cognitoauth as well.
Ensure cognito sdk version are same otherwise you might run into complication error.
As per the need of project, i need identity provider to pass into sdk so it could directly navigate directly to my social identity provider page. But current sdk version '2.6.24' didn't provided me with this provision. I had downloaded the android-sdk-cognitoauth sdk from awslab github and included in my project. I alter Auth.java class added identity provider variable in it.
Next step, i alter AuthClient.java method launchCognitoAuth. I place additional condition to check if identity provider present or not. Then i set it in sign in uri.
if (pool.getIdentityProvider() != null) {
builder.appendQueryParameter(ClientConstants.DOMAIN_QUERY_PARAM_IDENTITY_PROVIDER, pool.getIdentityProvider().toString());
}
After making above alteration, i can configure identity provider through my app in auth.builder(). The hack worked, i directly navigated to my provider page. After authentication, sdk set session it self.
To sum up, I found difference between android and ios project implementation. In iOS project, aws has given provision to add identity provider directly. I followed the flow of ios project and made tweak to android congitio-auth project. The difference has been reported as well to aws-sdk-android-sample issues.
Related
Having trouble understanding the authorization flow of FB users and AWS Cognito User Pools. I have followed this guid.
facebook login app has my redirect uri https://<cognitoname>.auth.us-east-1.amazoncognito.com/oauth2/idpresponse
aws cognito has my facebook appid and secret
Two issues:
1) I'm expecting when my android app authenticates with fb (via login button), the fb server sends something to my userpool adding that user. that is not happening. I dont see a method in the CognitoUser object to do this on my end with the loginResult from fb. No user is getting created in the userpool upon fb auth.
2) Assuming a fb user were to be created in my pool, how would I call getSessionInBackground without the password? It does not look like the android Congito Classes have a way to handle this.
Also, i am able to log in a fb user to a federated identity but i dont think that is what i want unless its part of the user pool process.
Based on your description of use case, you may first use Cognito Android Auth SDK to get authenticated and store the tokens. Then you may use Cognito Android CUP SDK to call getSessionInBackground.
Also a quick tip:
CUP Android SDK: The Adv Security, Adaptive Auth, and new MFA support is available from version 2.6.9
Cognito Auth Android SDK: The Adv Security support is available from version 2.6.9. The Adaptive Auth and new MFA support will be available through Springboard on the supported regions.
I'm lost on this one. The problem is simple: what is the correct, recommended way in Android of logging in a Google user, as a page that they own (e.g. they first login and they are presented with what page they wish to authenticate as, to the app)?
The web solution is straightforward - Google's /oauth endpoint automatically redirects to a delegation page into which you choose your main account or the page you wish to continue as. The next page will have a pageId=... extra argument in the URL. As such, your authorization is linked to that specific page, not to the main account.
With Android, I'm completely lost. Every possible official guide out there is either deprecated, un-recommended, or just simply, blantly ignores this simple use-case and only works with getting an OAuth token for the main account, without even a word given to help for the case of users that own pages which can be used as their own identity under the user's account.
What I'm doing now (at the high level), using Google Play Services:
Start an activity intent via AccountPicker.newChooseAccountIntent
User selects an account on device.
Calling GoogleAuthUtil.getToken to get an OAuth token - this triggers the basic OAuth flow which asks the user to authorize the app - NO ACCOUNT SELECTION at this step, like the web flow does!
What I looked at:
Google HTTP Api Client - this one recommends to use Android's AccountManager and never use a "custom" solution to save any refresh tokens, etc. Completely useless for the use-case.
Google Sign-In - this one seems to require a server end-point (wtf?). I tried using it and adding in the OAuth scopes I'm interested in, it didn't even work. I'm not interested in the user's email, and this API seems to be oriented for signing users up rather than authenticating as a Google one.
Other apps I looked at seem to just open a WebView and force the user to login in that, which triggers the normal web flow, with account/page selection after login. I really don't like this since it requires a separate login.
Is there an official stand on this issue and I'm not seeing it?
My android app is designed to fetch calendars and events from Google. I downloaded Google API v3 and followed the example from official tutorial. In the tutorial, it uses Account Manager to do authorisation for android, which means user can directly pickup an account already set on android device to get authorisation done.
startActivityForResult(CalendarHelper.getInstance().credential.newChooseAccountIntent(), REQUEST_ACCOUNT_PICKER);
The code runs good, but I don't want authorisation this way. I prefer the way that start a webview and open an url which lead user to a login page, after he login and accept the permissions, the taken will be returned to access calendar data, just like the Google API in iOS.
I understand the workflow of OAuth 2.0, but I can't find any sample code on android to do authorisation the way I described above.
Can any one help?
You could try adding approval_prompt=force in your HTTP request that you make while looking for access tokens. This parameter ensures that the user has to log in/provide credentials every time the app is run.
Quoting from Google's documentation.
"If the value is force, then the user sees a consent page even if they
have previously given consent to your application for a given set of
scopes."
Hello I am using the facebook sdk for android on my android phone and using single sign on. It works fine when I logged into the facebook application, my application also signed in.
For logout I encountered a confusion.
The way I implemented was restore the access token and expired date from the user preferences of the application and check the validity of the session. If expired the application calls the facebook.authorized function and once authorized the access token and expired date will update again.
There are few things I find a bit confusion when dealing with the logout.
1) When I logged out from facebook application, my application still can get through and request the user details. Although, my saved access token on my application has no relationship with the facebook application, I thought it will at least giving me an error when requesting the data. But it hasn't given me the error.
Does it suppose to be actting like that. Signing out from facebook apps will not affect the access token I have stored on my application.
2) When I logged out from my application and not the facebook application, the facebook application won't automatically logout.
The Facebook access token and your app access token are separate and distinct, so it is entirely possible that one can be valid and allow access while the other is not valid and will require re-authorisation.
If the Facebook app is logged in but your app is not, then the Facebook SDK will use the existing Facebook app login to obtain a new access token for your app without authenticating, but this is still not linked to the Facebook app login token in any way.
If the Facebook app is not installed, or not logged in, then the Facebook SDK will take you to the Facebook website to do the initial authentication, but this does not log the Facebook app in because there is no connection between your access token and the Facebook access token.
So, in summary - your understanding is correct. There's no interaction between the two apps except for when your app tries to authenticate a user, then the Facebook app will act as a proxy, allowing you to gain access without authenticating so long as Facebook is logged in. After that, there is no further interaction and what you've observed is expected and intended behaviour.
I have the same problem. I'm thinking about creating a "isLogged" var and store it so that when someone logout and restart the app it will not even verify if the user is logged bypassing facebook's session verify.
I need help using the facebook test users from android.I am using the facebook android sdk and i need to be able to login as a test user and do actions like publish to the stream. I do not want to use the developer account associated with this application since it is my personal account. I realize that test users can only be created using api calls and such a call returns the login url, i understand how to use this in a browser but how can i use it in my android application. Can i create a dummy account and work with that account or is this against facebook policy.
Test users can also be created with GUI - not only by API calls. GUI is useful if You need to handle just few users. If there is a plenty of them - it is easier to use API and perform it programatically.
How to handle test users by FB GUI:
Go to FB developer site, where You created FB Application
on application tab, click Edit Roles
At the bottom of the page there is 'Test users' section where all test users are listed. This is where test users can be created and edited. Each user has option to log in as this user, change his name and set password next to his profile photo.
You have to set user's password to be able to login as him
Use his profile email address and password to login - it is also possible from Your app
You can create a dummy account but this is against FB policy and FB really does everything to make it harder to You :) This is not an option. Use test users.
If more info is needed on the topic - see my article, regarding test users strategy.
All the detail see on the official FB page
See an open bug in facebook. You can't login as test user with native Android app, but login with m.facebook.com should work
https://graph.facebook.com/me?access_token=ACCESS_TOKEN
where the access_token is the token from when the user approved your app. Found it here.