Problem Statement:
I want to download S3 contents through mobile app from multiple mobile devices.
Solution that I came across.
Solution 1
Create an IAM user in AWS. Create a policy to download S3 contents only for particular bucket and assign that policy to IAM user.
Whenever mobile application wants to download contents from S3, mobile application will call my server API which will return the credentials of IAM user.
Then mobile application will use these credentials to download the S3 contents.
Solution 2
Use AWS Cognito service.
However the problem with first approach is that I will have to manage credentials server side. Also someone can easily back track it and use those credentials outside application to download contents.
The second approach I am not aware of completely. However in the FAQ of AWS COGNITO service I did not found any solution to my requirement although it allows you to read, delete and put the content to any AWS service.
I need a suggestion regarding securely download S3 contents from mobile applications.
Amazon Cognito and the AWS Mobile SDK are designed especially for the use case of downloading content stored in S3 from a mobile app. You can use Cognito to provide temporary, limited-privilege AWS credentials to each user of your app. You can enable your users to start using your app as unauthenticated guests and/or authenticate with social logins or your own registration/login service.
To set up Cognito, use the Cognito console to create an Identity Pool, which is a store of user identity data specific to your AWS account. IAM roles define the permissions for your users to access AWS resources, like S3. Users of your application will assume the roles you create. You can specify different roles for authenticated and unauthenticated users. To learn more about IAM roles in Cognito, see IAM Roles.
When you visit the Cognito Console, a wizard will guide you through creating the Identity Pool and the necessary IAM roles. The integration between Cognito (which issues AWS Credentials to the mobile app user) and the other AWS Services is in the initialization of the SDK. Example code for initializing the SDK with Cognito on iOS, Android, Unity, and JavaScript are in the Getting Credentials topic of the Amazon Cognito Developer Guide].
Updates in October 2020:
AWS has shifted their "Mobile SDK" to AWS Amplify. Amplify still uses Cognito for authentication (login) and authorization (credentials/permissions) so the above is still accurate. You can get specific guidance on using Cognito with Amplify to set up Authentication here. Once you set up auth in Amplify, a specific example of using S3 is here.
Note that Cognito's docs focus on User Pools these days which allow you to implement your own full-fledged directory for storing and logging in users (for a cost). However, you don't have to use Cognito's user directory to store your users. Cognito Identity Pools (which still have no cost AFAICT) allow you to get AWS Credentials for users who are not logged into your app (so-called "Unauthenticated Identities") and/or allow users to login with other user directories (such as social logins or a user directory that you own and manage).
If you want ultimately flexibility, you can also use AWS STS to get credentials for accessing AWS Resources including S3. However, with STS's flexibility comes the need for more understanding of IAM/AWS and arguably more complex setup.
Please comment if there is anything I can do to make this more clear!
Related
For my current ASP.NET Core MVC application I authenticate directly with a web app registered in Azure AD Portal. This provides me with an access token so on the backend of my web application I can use MS Graph with my users specific account (ie add files to their onedrive , email, etc). However, my organization also has Okta which a lot of applications authenticate against. So I was trying to determine to authenticate through Okta (which has a much cleaner sign in process IMO) as well as authenticate against Azure AD and get an access token. Through my research I found something in my web application registration in Azure AD called Workload Identity Federation. This led me to this useful video
https://www.youtube.com/watch?v=wZ0gCJYMUKI
and also microsofts info site:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
This seems to answer what I want which is to use Okta but allow me to still use MS Graph for my users since it will authenticate against Azure AD (correct me if I am wrong and this is for something else). My issue is none of these resources really go into depth regarding how the access token is passed to my application so I can use MS Graph. My research this is called client credential flow since my application only has delegated permissions so it requires the users to log in and it basically allows my web app to act on their behalf when using MS Graph. So I am trying to understand and fill this void of information regarding how client credential flow fits into Workload Identity Federation and is this the solution to my problem.
I have implemented user authentication with cognito and Azure AD (SAML) for static app running on EC2 instance in apache server.
I want to authorize user from AD group to access specific url from static web app.
For example : for users in admin group can only access pages with path /admin/*
For authentication I used ELB authenticate action which is working fine
Now I want to provide group based access to pages for static app running in apache running in ec2 instance.
Is there any with which I can authorize users without making any changes on application side. ?
Thanks in advance !
• I would suggest you create user pools supported by Amazon Cognito and authenticate them using corporate identities of Microsoft Azure AD. Thus, for this purpose, you will have to create user pools first in Amazon Cognito which are in fact nothing but groups containing user identities. For this purpose, kindly refer to the link below for more details on its configuration: -
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-cognito-user-pools.html
• Once you are done with the above, you can configure authentication for users using an application load balancer or elastic load balancing as you have done in case of users from Azure AD using Amazon Cognito. For configuring the user pool authentication in Amazon cognito, you will have to prepare to use an OIDC-compliant IdP, prepare to use for Amazon CloudFront and other things like user claims encoding and signature verification like that for user authentication. For this purpose, to configure the same, kindly refer to the below AWS documentation link given: -
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
We are migrating part of our web app to a native mobile app (iOS and Android). We store all user info in our own database, including authentication info (username & pwd). We have a REST API for use by mobile apps and are trying to implement that in Google Cloud Endpoints.
We use an API key for identifying the app.
We want to also authenticate each user. The app will request the username and pwd and then pass that through the REST API. Our backend will confirm (by looking up the username/pwd in the db) if the user is valid. Ideally, at this point we would return a JWT.
Can this be done? The GCE documentation talks about authenticating Google users, and Facebook users. We don't want that. We don't want to use Firebase (unless a custom mechanism can be set up to authenticate). We will manage accounts. We will check if the username and pwd provided (through the app) identifies a valid user.
In trying to use a backend based on Google App Engine Standard and ESPv2, the documentation states that IAP must be enabled. IAP appears to authenticate users in a way we don't want. We want to authenticate users based on the username and pwd they provide and that we manage. Can this be done?
Any pointers would be greatly appreciated.
Thank you.
I would like to have an app deployed in App Engine to display information which are stored in BigQuery or Cloud Storage, but only if the user is authenticated in the webapp AND its permissions as set in IAM allow it.
So far, I can authenticate a user in App Engine through "Google Sign-In" as seen in https://cloud.google.com/appengine/docs/standard/python/oauth/, but those credentials don't seem to relate to those that are set in Cloud IAM.
I've seen how to set credentials for App Engine as a whole though a service account, but that seems to wide.
What I really want is to authenticate users on the web app, and then let IAM decide if those users are allowed to access data or not.
How would you proceed to do that?
Thanks for any help
The authenticating as an end user GCP documentation explains how to limit access to the project's resources using Cloud IAM. It also has a short example about authenticating an end user to call the BigQuery API.
I'm working on setting up a new SSO application. I would like to use ASP.NET Identity as a database to store the users data. I have a ReactJs application hosted on Node.JS and a .Net Web Api2 application. I want to protect thsi Web Api 2 using Identity Server with users from its database. In further development I'm going to create a mobile application.
I'm able to create an asp.net identity database with some users and use Resource Owner credentials, but I have couple of questions if anyone could help:
Why is Resource Owner Credentials not recommended? My current workflow is to hit the api with client&user&password and obtain a token which I store in web layer and use in Web Api requests. Web Api validates the tokens and identify the user. I read on IS page that's not recommended then what's the recommended scenario to authenticate the user?
How can I create an authenticator for mobile? Should I create my own certificate issue, store it in database as a thumbprint and use access token for that?
Thanks
In short, Resource Owner requires the credentials to be passed through the application itself, also RO doesn't give you SSO. Here's a longer answer. The recommended scenario is to use hybrid flow with PKCE enabled.
Look up TOTP. I believe it is implemented in AspNetCore.Identity with some examples.