Please subscribe to this channel for regular updates th-cam.com/channels/EEayyyCrJO94FYlzF0NLTg.html
Thank You for the support.
"Absolutely brilliant! Your explanation is not only clear but also highly impressive. Great work!"😍
Thank you !!
Please like, subscribe & share this video / channel !! Thanks in advance.
In 17:26 when I log in, my jwt site doesn't open with the access token. Is this because of the implicit grant?
If it was implicit grant, you should see the access token in the URL. If it is authorization code grant, you will see a code value in the jwt.io URL.
@@securityinaction1018 It is code grant, but how can I get the real token with this code value?
You need to call token endpoint. Refer this documentation for example : docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
You can also refer my other video th-cam.com/video/lWVmJ1CXzMo/w-d-xo.html which explains the authorization code grant flow with PKCE.
Thanks for your video and information! Can I ask why there are four attributes at 11:50? I think you just use email and openid profile?
And if we want to allow all Microsoft users rather than pre-registering accounts in AD, should we select all accounts at 8:16? Are there more adjustments we have to consider?
Really, thanks.
Please check around 9:45. I added openid+profile+email as the scopes.
On the second question, yes, you can select "Accounts in any organization and personal Microsoft accounts".
@@securityinaction1018 thanks for your reply! I have successfully connected AD to Cognito and can also log in. But I have some questions. 1. If a user is registered by Cognito and then tries to use AD login, even using the same email, Cognito will record them as two different users. 2. If I change the OAuth type at 12:34, the AD login will fail, but I didn't find the support doc; am I missing some detail settings? 3. Is hosted UI required? Hoping it can support calling the boto3 API with AD login. Really, thanks for your reply and answering!
1. You can link the user profiles. Refer docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html
2. Did you change the grant type to authorization code in the Cognito app client? That should not affect AD login. Please try to log in using an incognito window instead of using the existing session.
3. Hosted UI is mandatory for external identity provider login.
Do you have a video explaining the use of Azure AD as an OIDC provider in Cognito for the OAuth client-credentials flow?
You cannot integrate AzureAD with Cognito using the OAuth client credentials flow. Since it is OIDC, it supports only the authorization code grant flow.
Please like, subscribe & share this video / channel !! Thanks in advance.
@@securityinaction1018 I thought so too.. thank you for the confirmation.
Thanks to AWS marketing buzz, wherein the devil lies underneath :-D
:) Welcome. If you can explain your use case, I can try my best to help.
@@securityinaction1018 we want to expose existing APIs and manage them in an API management platform. Unfortunately AWS API GW is suggested 😅. So we want to protect the API endpoints (expose them to internal applications, so REST API is the choice) & security compliance is to use Azure AD to maintain users, groups, app registrations for M2M use cases..
In this context I ended up in the hands of Cognito ..
Ok. If you want to use an AzureAD M2M client_credentials token for securing APIs hosted in AWS API GW, you can use either a custom authorizer or a JWT authorizer. The JWT authorizer supports only HTTP APIs: docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html
And how can I integrate this login into an Angular app? I was thinking of making an oauth2-oidc integration but it sounds like too much trouble.
The Angular app can redirect to Cognito, which in turn will redirect to AzureAD for authentication. Angular app to Cognito will be an OpenID Connect (OIDC) integration.
Please like, subscribe & share this video / channel !! Thanks in advance.
Thank you so much. This is very well explained
Glad it was helpful!
Please like, subscribe & share!! Thanks in advance.
Thanks for the vid! Help me out. Got SSO working. QQ... how can I set a permissible group of users to have access from Entra ID (Azure Active Directory)? In other words, I only want a subset of my directory to have permissions to my SSO-enabled site.
Glad it worked! Please follow these instructions to assign the app to only certain users/groups: learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment
Please note that group assignment is available only for certain plans and not for a free developer account.
Please like, subscribe & share this video / channel !! Thanks in advance.
Thank you for the wonderful video.
Is it possible to include the group name to which the user on the Azure side belongs in the JWT token?
I have not tried it. But it looks like it is possible as per this doc: learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles
Please like, subscribe & share this video / channel !! Thanks in advance.
How can I prevent duplicate account creation during sign-in and sign-up? An issue I identified arises when a user registers with their email and later signs in using social identity providers like Azure AD or Facebook.
When you say duplicate accounts, I assume you are referring to two accounts with the same email address but different user names. Am I correct? In this case, you need to write a custom Lambda function to link the federated user from AzureAD or Facebook with the local user profile which has the same email address. You can check this documentation: docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html
Please like, subscribe & share!! Thanks in advance.
@@securityinaction1018 I got this error: "InvalidParameterException: Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser, only as a DestinationUser"
Here is my sample code:
    const AWS = require("aws-sdk");
    const cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();

    // Pre sign-up trigger: when a federated user (e.g. AzureAD) signs in for the
    // first time, link that identity to the existing native Cognito user with the
    // same email address instead of letting Cognito create a second profile.
    exports.handler = async (event) => {
      console.log("Event: ", JSON.stringify(event));
      const userPoolId = event.userPoolId || process.env.USER_POOL_ID;
      const attrs = event.request.userAttributes;
      const email = attrs.email; // the email is the identifier we match on

      // Only act for users arriving through an external identity provider
      if (attrs["cognito:user_status"] !== "EXTERNAL_PROVIDER") {
        return event;
      }

      // In the trigger event "identities" is a JSON string, not an array
      const identity = JSON.parse(attrs.identities)[0];

      // Look up users with the same email and keep only native (username/password)
      // profiles, so a previously created federated profile is not matched
      const list = await cognitoIdentityServiceProvider
        .listUsers({ UserPoolId: userPoolId, Filter: `email = "${email}"` })
        .promise();
      const nativeUsers = list.Users.filter((u) => u.UserStatus !== "EXTERNAL_PROVIDER");
      console.log("Native users with this email: ", nativeUsers.length);

      if (nativeUsers.length === 1) {
        const linkParams = {
          UserPoolId: userPoolId,
          // DestinationUser must be the existing native Cognito user
          DestinationUser: {
            ProviderName: "Cognito",
            ProviderAttributeValue: nativeUsers[0].Username,
          },
          // SourceUser is the federated identity: the IdP name as configured in
          // Cognito and the user's id at that IdP (not the Cognito sub)
          SourceUser: {
            ProviderName: identity.providerName,
            ProviderAttributeName: "Cognito_Subject",
            ProviderAttributeValue: identity.userId,
          },
        };
        // adminLinkProviderForUser returns an AWS.Request; call .promise() to await it
        await cognitoIdentityServiceProvider.adminLinkProviderForUser(linkParams).promise();
        console.log("Linked", identity.providerName, "user to", nativeUsers[0].Username);
      }
      return event;
    };
I can't seem to figure out the parameters for the AdminLinkProviderForUser API.
what if we are not using hosted UI? how will we get domain name?
Domain cannot be configured without enabling Hosted UI.
Great tutorial! Really, thanks! Just one question please: after login using AzureAD as IdP, I'm getting a string in the user name field. Do you know if we can change that to be an email or name.lastname?
Are you referring to Cognito profile username? Can you share an example so that it will be clear?
Please subscribe and support this channel. Thanks in advance.
Hi, I want to make sure that all users in my Cognito user pool have been authenticated by Azure AD. So, no one should be able to sign up unless they do it through Azure AD. Are there any additional considerations I should have in order to achieve this?
I'd greatly appreciate any information on this! Thank you.
There are a couple of things that you can do.
1. Disable self-registration in the user pool so that no one can register a profile.
2. In the App client configuration, enable only AzureAD as the Identity provider. This will make sure that only AAD users can access this client.
@@securityinaction1018 Thank you. Cognito's hosted UI works well with an identity provider with OIDC. It's then getting it to work with Amplify's login that I can't get right. I'm not even sure I can achieve this with Amplify at this point.
Again, thank you for your great video!
Amplify is not required if you are using Hosted UI. Amplify is mandatory only if you want to build a custom UI with custom authentication.
How to set custom claims?
I have not tried it myself. You can check this doc: learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui
I will try to post a video in future once I find the solution.
Thanks for subscribing!!
Is there any video on adding AWS Cognito as an OIDC identity provider in Microsoft Azure AD?
Not yet. I will look into this.
Please subscribe and support this channel. Thanks in advance.
Thanks for the video. Can I use Hotmail or another Azure tenant account for authentication?
I have not tried that. I think if you enable the option to allow other organization users, it might work.
Is it possible to silently log in via OIDC?
Please share more details on what silent login refers to.
@@securityinaction1018 If I have already logged in with my identity provider in my client app and just want to access an AWS service (chat) via OIDC, without popping up a UI to enter the client credentials, can I directly access chat silently via OIDC?
If both the client apps, i.e. the app that you log in to first and the chat app, use the same OIDC provider, it should perform a single sign-on, i.e. the user doesn't have to enter the credentials again. Can you confirm if both these apps are integrated with the same IdP? Also, are you using Cognito or AzureAD for both the client app and the chat app?
I'm trying to authenticate my mobile app user to Amazon Connect chat. How do I basically authenticate? Via OIDC or SSO? I thought SSO would work only for web apps. Right now I am not using any AWS service and the IDP is 10x. I appreciate your inputs.
Even a mobile app can open an inline browser to initiate the OIDC flow. I have not tried that myself. But, you should be able to find some samples in google.
But email_verified is false, then you can actually trust this email address? Am I missing something?
In general, you cannot trust an email address coming from any IdP because anyone can create random email addresses. The only exception is when Google is the IdP, because Google already does multiple verifications. Also, if it is a trusted customer like top banks, insurance or other organizations who manage the IdP, it is fine.
Very helpful.. But please use another mouse... The "click" of the mouse is annoying ....
Agree. Couldn't find an option to mute that. I will surely keep checking.
@@securityinaction1018 Thanks ! Your video was really helpful and resolved my problem. Thank YOU!
Glad it was helpful!!
I get ?error_description=attributes+required%3A+%5Bfamily_name%2C+email%5D&state=KYTO9Q3NgMaYfcDhpIJelhko4AHUAzRn&error=invalid_request
This error means family_name and email are not set for this user profile. This can be due to AzureAD not being properly configured to send these claims back to Cognito. You need to verify the AzureAD settings.
Please like, subscribe & share!! Thanks in advance.
@@securityinaction1018 Indeed, the account I was trying to log in with did not have an email address, nor a first and last name, but how come? When I create a new user in AzureAD, I would expect it to automatically generate these for me, but it doesn't. I need to manually fill in those fields, as you did.
What if the admin does not want to add those fields? Maybe AD provides some custom attribute mapping which evaluates to those fields?
It is entirely up to the admin to decide whether to collect those details from the user. I don't know how AzureAD handles required fields. I guess there should be some way to make these fields mandatory or optional. In Cognito, you can set these fields as mandatory or optional.