Comments (16)

coldcam commented on August 26, 2024

Greetings Acrespillo,

I don't pretend to be an expert on this either, but my understanding of this program (albeit somewhat shallow) is that there are 2 distinct groups of pages that are viewed depending on whether you are authenticated or not. All the code under the 'public' directory is for the unauthenticated user. The AWS script that creates resources also generates 2 roles, the first for the unauthenticated user and the second for the authenticated user. Two distinct sets of policies are attached to these roles. The code generating pages for the authenticated user is found under the 'secure' directory.

I probably don't understand your question fully, but I hope to learn a little more through this exchange. Thanks

from aws-cognito-angular-quickstart.

acrespillo commented on August 26, 2024

Hi @coldcam!
As you mention, Cognito can implement 2 different types of roles, authenticated and unauthenticated. There are some public pages in this app, although these pages can't access AWS resources because they don't own any token to make that sort of call.

What I'm looking for is to implement the unauthenticated role and access using a more restrictive setup to my aws resources from the public pages of this project.

vbudilov commented on August 26, 2024

@acrespillo ,

The unauthenticated role governs the interactions between the user on the site and the AWS resources before the user logs in (authenticates). As an example, sending mobile analytics data to AWS for an unauthenticated user would fall under that umbrella.
http://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
"Unauthenticated Access
Amazon Cognito has the ability to allow unauthenticated guest access in your applications. If this feature is enabled in your identity pool, users can request a new identity ID at any time via the GetId API. The application is expected to cache this identity ID to make subsequent calls to Amazon Cognito. The AWS Mobile SDKs as well as the AWS SDK for JavaScript in the Browser have credentials providers that handle this caching for you."

acrespillo commented on August 26, 2024

Thanks guys, I'm testing this and I'll put it together into a pull request.

vbudilov commented on August 26, 2024

@acrespillo before you go through the effort of doing a PR for this, what exactly are you patching or adding?

acrespillo commented on August 26, 2024

I plan to add functionality to allow the direct retrieval of an ID token on identity pools that have unauthenticated login enabled. I can't tell you exactly what I will add at this moment because I'm looking for the best formula reusing the current code for now.

As I said at the beginning, if someone wants to provide some examples for this use case, all help is welcome!

vbudilov commented on August 26, 2024

I'm not quite sure what you're trying to accomplish. What's the business goal or use case that you're trying to achieve? Either way feel free to play around with the code in any way you'd like. When it's time for the PR I can review it then and decide whether there's any value-add to merge or not.

coldcam commented on August 26, 2024

@acrespillo

I'm curious if I understand what you're aiming to do. I have seen some websites or apps that allow a sort of "guest" or demo account which allows some sort of preview/elevated access to the service beyond what public viewers can do, but not the complete functionality allowed to a fully authenticated user.

So would the unauthenticated user code you're looking to implement give the unauthenticated user slightly more access than the public pages, but less access than the fully authorized user?

Thanks!

acrespillo commented on August 26, 2024

Thanks @vbudilov, @coldcam

Imagine you need to access an API (an API Gateway resource in this case) protected by Cognito. In your app you'll allow the authenticated/registered users to access the PUT/POST/DEL methods as well as GET. But for the non-registered users (unauthenticated in this case) I'll provide "lite" access with just GET to access some data. So (maybe) you can convert them to registered/paid/whatever users in the future.

That's a simple example that makes sense at least from the business perspective. What is your opinion about this specific use case?

vbudilov commented on August 26, 2024

This scenario might be overkill. Restricting the GET request to unauth Cognito users is almost the same as leaving it completely public, as far as I see it. One can easily get the unauth cognito id/credentials if need be, without authentication, so you're not really protecting or throttling the API in any way.

acrespillo commented on August 26, 2024

@vbudilov I'm not trying to convince anyone about the convenience of the unauthenticated Cognito features; that has been part of Cognito from the very beginning and it is not for me to say how it must be implemented in each case.

That said, I think this is the perfect repo to implement it in because its purpose is to show the full scope of Cognito and serverless in action, just that. Thanks for sharing your code, very good job indeed.

sissonbs commented on August 26, 2024

@vbudilov @acrespillo A bit late to this issue but I'd also like to see best practice configuration for integration with unauthorised users. Use case is all users need to be able to query a dynamodb table using the aws javascript sdk whether they are logged in or not.

Default: unauthenticated Cognito session created (identity pool is configured to allow unauthenticated access and IAM role is set)

User logs in: Cognito session is updated and authenticated credentials are provided

User logs out: authenticated session ends and a new unauthenticated session begins

Thoughts?

vbudilov commented on August 26, 2024

@brunswickB ,

You can achieve that simply by modifying the unauth cognito IAM policy, by including the same DynamoDB block that the auth policy has.

from aws-cognito-angular-quickstart.
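
Added example, not part of the thread or the quickstart's code: because guest credentials can be obtained without logging in (as noted earlier in the thread), whatever the unauthenticated role allows is effectively public, so copying the authenticated role's DynamoDB block into it deserves a check first. The two policies, the table name and the read-only allowlist below are constructed assumptions; the quickstart's real policies are not shown on this page.

```javascript
// Added example (not the quickstart's code): audit the policy attached to an
// identity pool's unauthenticated role, whose grants are effectively public.
// Assumption: this read-only allowlist is the example's own choice.
const READ_ONLY = new Set(['dynamodb:getitem', 'dynamodb:batchgetitem', 'dynamodb:query']);
const asList = v => (Array.isArray(v) ? v : [v]);

function auditGuestPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return;
    if (stmt.NotAction) findings.push(`Statement ${i}: NotAction allows every action not listed`);
    for (const action of asList(stmt.Action || [])) {
      // IAM action names are case-insensitive, so compare in lower case.
      if (action.includes('*')) {
        findings.push(`Statement ${i}: wildcard action ${action}`);
      } else if (!READ_ONLY.has(action.toLowerCase())) {
        findings.push(`Statement ${i}: ${action} is not on the read-only allowlist`);
      }
    }
    for (const res of asList(stmt.Resource || [])) {
      if (res === '*' || res.endsWith(':table/*')) {
        findings.push(`Statement ${i}: resource ${res} is not scoped to a single table`);
      }
    }
  });
  return findings;
}

// Constructed sample: an authenticated role's DynamoDB block copied unchanged.
const copiedFromAuthRole = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:PutItem', 'dynamodb:DeleteItem'],
    Resource: '*'
  }]
};

// Constructed sample: read-only access to one hypothetical table.
const guestReadOnly = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['dynamodb:GetItem', 'dynamodb:Query'],
    Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/ExampleCatalog'
  }]
};

console.log(auditGuestPolicy(copiedFromAuthRole));
console.log(auditGuestPolicy(guestReadOnly));
```

The first policy yields three findings (two write actions and the unscoped resource); the second yields none.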

sissonbs commented on August 26, 2024

Thanks for the quick response @vbudilov. Yes, I have the IAM policy working fine, but what I'm looking for is how to configure the example app to return unauthorised user Cognito credentials so that a DynamoDB call can take place.

Currently as I understand it the app will only return Cognito credentials if the user logs in. What would be best practice to return credentials when the user is not authenticated/when an authenticated user logs out?

vbudilov commented on August 26, 2024

Here's the call to get the id, even if the current user hasn't authenticated:
http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html

sissonbs commented on August 26, 2024

Thanks again for your help here but where are you suggesting the getId call be placed within the app? It doesn't appear to save the credentials locally?

Reading a support forum post (https://forums.aws.amazon.com/thread.jspa?threadID=170870) I thought you would make a similar call to the CognitoIdentityCredentials service as you do with authenticated users but drop the logins component (as you have in the authenticate function of the UserLoginService).

    // Unauthenticated access
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:1699ebc0-7900-4099-b910-2df94f52a030'
    });

    // Authenticated access
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:1699ebc0-7900-4099-b910-2df94f52a030',
        Logins: {
            'graph.facebook.com': 'FBTOKEN'
        }
    });

    // Switching Access from unauthenticated to authenticated
    function userLoggedIn(providerName, token) {
        AWS.config.credentials.params.Logins = {};
        AWS.config.credentials.params.Logins[providerName] = token;

        // finally, expire the credentials so we refresh on the next request
        AWS.config.credentials.expired = true;
    }
