I would only like my "Supervisor" user to be able to create "Employee" users (unable to create their own) through a custom React App rather than go through the Cognito Console. The AWS Cognito Identity SDK's AdminCreateUser action is offered through AWS.CognitoIdentityServiceProvider, which seems more than available through a Node back-end and the AWS Management Console interface. And there is (teasingly) plenty of documentation on authenticating users that have already been created through the AdminCreateUser API. But, try to
import { CognitoIdentityServiceProvider } from 'amazon-cognito-identity-js';
And AFAIK (as far as I know), the action is not provided in React.
I'm considering using a hacky approach of defining 2 particular Cognito User Pool - User Groups Supervisor and Employee. Only users that belong to the Supervisor group will be able to access a registration screen (using protective React Routing) where the I can use the well-documented CognitoUserPool sub-SDK to create Employee users.
Related
We just had a customer, Acme, request that they be able to create their own app registration to represent our SaaS app. So far we've managed the app registration ourselves and had one definition that's then shared with all customers.
They requested this for a couple for reasons:
They want to give the app another name, to match their internal naming conventions.
They want to change the URL of the app from app.product.com to acme.product.com so they can click on the app in the App gallery and be taken to directly to their instance, instead of manually browsing to acme.product.com.
These are reasonable requests, and I get it, but if every customer has their own app registration then our support overhead goes way up, because we have to hold their hand as they set it up and then make sure it's updated whenever we have to make changes (quite rarely, mind you).
Is this a common pattern and we just have to deal with it, or is this all better solved in some other way?
If you want to sync the configurations between your Azure AD app and the customer's, the best way is using multi-tenant app.
Unfortunately customer cannot modify the app name and reply url in this case.
Publish your app to the Azure AD app gallery and customer can install it from their tenant would allow them to modify the name and reply url.
I'm trying to create an admin portal for an already created application. Only owners should be able to authenticate through that particular page. The rest of the accounts in the firebase authentication shouldn't be redirected. I'm using React and Firebase. What are the potential solutions to that?
Firebase Authentication makes no distinction between where the user signs in from. No matter what place they use to sign in, they end up in the same state: as an identified user.
Your application code however can make a distinction based on its knowledge of the user. For example, if you have a list of application administrators somewhere, or have added a custom claim to the profile of application administrators, you can use that information in a so-called auth guard in your application's routing logic.
See some of these search results for more information about this, and questions like this one: How to restrict access to pages in next.js using firebase auth?.
I'm busy building a meal delivery service using firebase. Now the service has multiple apps (customer app, driver app, restaurant app etc). Now I don't want customers to be able to log in to the restaurant panel, or to the driver app. How can I prevent this from happening?
Currently I have a collection in firebase for each type of user. What I tried to do first was allow the user to log in but it will only redirect to the restaurant admin panel if the email used is associated with a restaurant found in the restaurant collection. Otherwise they will be logged back out. But this solution doesn't seem to be working.
The way to do this is to implement role-based user authorization and security rules by adding custom claims to the Firebase Auth ID token.
Here are some resources to get you started:
https://www.youtube.com/watch?v=3hj_r_N0qMs
https://www.youtube.com/watch?v=1PEdd2rtG30
I am trying to create a React app where a user with "admin" role can create a new user in firebase.
The workflow would look like that:
normal login -> check userRole -> if admin: show createUserForm.
As far as I have read from the documentation, I would need an Admin SDK, but the problem is - how to implement it on client-side app? Has anyone gone through this process?
The Firebase Admin SDK should only be used in a trusted environment, i.e. a server you control or Cloud Functions. It should not (and cannot) be used in a client-side React app.
If you want to allow certain users of your React app to create accounts for other users, you'll want to move that part of the flow to a trusted environment where you can use the Admin SDK.
So the flow becomes:
Detect in the client-code whether the user is an admin (likely using a custom claim) and only show the form if they are.
Call a Cloud Function from your client with the input from the form.
Ensure the user calling Cloud Functions is authorized.
Create the user account in the Cloud Function using the Admin SDK.
As you can see this is quite involved. I highly recommend considering alternative use-cases, such as what it actually is that you want the admin to control. Once you enable a provider in Firebase Authentication, any user can create an account with that provider. Trying to control that from within your application code is just a recipe for problems. Often what you're actually trying to control is what a specific user account can do: e.g. only approved users can access certain data. Depending on where you store this data, that is much easier to control. For example: if you store the data in the Firebase Database, is is common to create a whitelist of approved users in such a case (or the inverse: a blacklist of banned users).
I'm building an app using which the users registered(from the IAM page) for the project can access the resources of that project. I need the authentication when the URL is hit. Is there a way to achieve this?
Is it possible to provide IAM roles specific for a user request (assuming that the user will login using his email id) to access the resources based on IAM level permissions?
In the early days of AppEngine it was pretty easy to do some basic auth/access-control, but lately they're moving it to something called IAP.
From your wording I am assuming you are trying to abstract administrative tasks of a GCP project to lesser privileged administrators.
Questions 1 and 2 can be quickly solved by defining privileges in IAM using a pre-built roles or creating a custom role if you need to be more specific. Hereby you can use GSuite, GMail, Google Group accounts and let them sign into console.cloud.google.com. They will consequently only be able to see and act upon what you've assigned to them to in IAM.
If you still want to go through with building it yourself, every product does provide an API including authentication. Best practice for your use case is to instead of assigning an individual user access to a resource, you rather create a service account and then allow the user to call that service account. For this GCP has the Service Account Actor Role described well in the official documentation and also Salmaan Rashid provides a good practical insight on medium.