
I am trying to use Cognito federated identities to authenticate with Facebook, create a user in a Cognito user pool and map user attributes.

The AWS Cognito service configuration, I believe, is correct, as I have it working perfectly with a web app. However, when trying the same with an iOS app, despite everything working in the code (authenticating with Facebook and assuming an authenticated role), no user is created in the pool.

I am using the code flow detailed below, as per the Cognito "Basic (Classic) Authflow". Is this the correct approach to have a user created in the user pool?

getId, getOpenIdToken, assumeRoleWithWebIdentity.

#import <AWSCore/AWSCore.h>   // AWS Mobile SDK for iOS 2.x: provides AWSCognitoIdentity and AWSSTS

// Basic (Classic) flow: GetId -> GetOpenIdToken -> STS AssumeRoleWithWebIdentity.
// tknStr is the Facebook access token returned by the Facebook SDK login;
// poolId is the identity pool id (region:guid).
AWSCognitoIdentityGetIdInput *input = [[AWSCognitoIdentityGetIdInput alloc] init];
[input setIdentityPoolId:poolId];
[input setAccountId:@"XXXXXXXXXXXX"];
NSDictionary *logins = @{@"graph.facebook.com": tknStr};
[input setLogins:logins];

// Renamed from `id`: a variable called `id` shadows the Objective-C `id` type.
AWSCognitoIdentity *cognitoIdentity = [AWSCognitoIdentity defaultCognitoIdentity];

[cognitoIdentity getId:input completionHandler:^(AWSCognitoIdentityGetIdResponse * _Nullable idResponse, NSError * _Nullable idError) {
    if (idError) {
        NSLog(@"getId error - %@", idError);
        return;
    }

    // Built but never sent: GetCredentialsForIdentity belongs to the Enhanced
    // (simplified) flow, which replaces the GetOpenIdToken + STS steps below.
    AWSCognitoIdentityGetCredentialsForIdentityInput *getCredsInput = [AWSCognitoIdentityGetCredentialsForIdentityInput new];
    [getCredsInput setCustomRoleArn:@"arn:aws:iam::XXXXXXXXX:role/XXXXXXXXXXXXXXX"];
    [getCredsInput setIdentityId:[idResponse identityId]];
    [getCredsInput setLogins:logins];

    // GetOpenIdToken exchanges the identity id plus the provider login for a
    // short-lived Cognito OpenID token that STS accepts as a web identity token.
    AWSCognitoIdentityGetOpenIdTokenInput *openID = [AWSCognitoIdentityGetOpenIdTokenInput new];
    [openID setIdentityId:[idResponse identityId]];
    [openID setLogins:logins];

    [cognitoIdentity getOpenIdToken:openID completionHandler:^(AWSCognitoIdentityGetOpenIdTokenResponse * _Nullable tokenResponse, NSError * _Nullable tokenError) {
        if (tokenError) {
            NSLog(@"getOpenIdToken error - %@", tokenError);
            return;
        }

        AWSSTS *sts = [AWSSTS defaultSTS];
        AWSSTSAssumeRoleWithWebIdentityRequest *request = [[AWSSTSAssumeRoleWithWebIdentityRequest alloc] init];
        [request setRoleArn:@"arn:aws:iam::XXXXXXXXX:role/XXXXXXXXXXXXXXX"];
        [request setRoleSessionName:@"ginger55"];
        [request setWebIdentityToken:[tokenResponse token]];

        [sts assumeRoleWithWebIdentity:request completionHandler:^(AWSSTSAssumeRoleWithWebIdentityResponse * _Nullable stsResponse, NSError * _Nullable stsError) {
            if (stsError) {
                NSLog(@"assumeRoleWithWebIdentity error - %@", stsError);
            } else {
                // stsResponse.credentials holds temporary AWS credentials;
                // this dump is for debugging only and should not ship in a release build.
                NSLog(@"response = %@", stsResponse);
            }
        }];
    }];
}];

Any help appreciated.

surfnow
  • Seems like you are using an Identity Pool, which does not have any users, just IdentityIds. When you say no users are created in the pool, do you mean no new IdentityId? – agent420 Nov 10 '17 at 13:34
  • I get the new identity but no new user in the user pool, the user pool is configured for Facebook authentication. Your comment does make me think the calls somehow need to be against the user pool rather than the identity pool, thank you. – surfnow Nov 10 '17 at 20:47
  • Yes, even if you have Facebook set up in the User Pool, users won't be created unless you sign in using the built-in Cognito UI. Use that, select the login with Facebook option, and only then will users be created. – agent420 Nov 10 '17 at 21:12
  • And if you want to use your own UI, then on clicking the Facebook option redirect to the Cognito Authorization endpoint with the Idp parameter as Facebook – agent420 Nov 10 '17 at 21:14
  • Thanks agent420, I assume by built in Cognito UI, that’s the web page login page. Was hoping to use my own app ui and the Facebook login button but guess that’s not there with Cognito yet. Guess I could read the graph and add a user pool after the Facebook login. – surfnow Nov 11 '17 at 06:20
  • You can build your own UI, I think. Check out my answer here https://stackoverflow.com/questions/47019504/cognito-user-pools-is-it-possible-to-create-a-custom-sign-up-in-form-for-faceb/47035466#47035466 – agent420 Nov 11 '17 at 07:05
  • After testing the built-in UI (web), thanks to the help above from agent420, while that process works, I found the UX to be complicated with switching to Safari and then being prompted on the redirect "Do you want to open in XXX"; this leaves lots of opportunity for a user to abandon the process. I tried wrapping the login endpoint in a WKWebView, but intercepting and processing redirect URLs is fragile. Then I found the AWSCognitoAuth class; this is the best option I can find for handling the Cognito Web UI. It's not as good as a complete native UI, but close. – surfnow Nov 23 '17 at 02:13

0 Answers
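The comments above describe the route that actually creates the user-pool user: send the app to the hosted UI's /oauth2/authorize endpoint with identity_provider=Facebook, then exchange the returned code at /oauth2/token. The following is an added example, not code from the question, from AWS or from the AWS SDK, showing that exchange at the protocol level in Python; an iOS app does the same with NSURLComponents and SecRandomCopyBytes, or lets AWSCognitoAuth drive it. It builds the authorize URL with a random state and a PKCE S256 challenge (both supported by the Cognito authorize endpoint and both important for a native app, which cannot keep a client secret), validates the callback URL before trusting the code, and prepares the token-request body. The user pool domain, app client id and redirect URI are placeholder assumptions; nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions for this example): substitute the user pool
# domain, the app client id and the redirect URI registered on that app client.
COGNITO_DOMAIN = "example-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
REDIRECT_URI = "myapp://signin"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method.

    The verifier stays on the device and is only sent to /oauth2/token; the
    challenge goes in the authorize URL. A stolen authorization code is useless
    without the verifier, which is what PKCE buys a public (native) client.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(identity_provider, state, code_challenge,
                        scopes=("openid", "email", "profile")):
    """Build the hosted-UI /oauth2/authorize URL.

    identity_provider (e.g. "Facebook") skips the Cognito login page and sends
    the user straight to that IdP; Cognito creates or links the user-pool user
    when the flow completes and redirects back with a code.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "identity_provider": identity_provider,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"https://{COGNITO_DOMAIN}/oauth2/authorize?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Extract the authorization code from the callback URL.

    Rejects a callback on the wrong URI, a state that does not match the one
    generated for this login (CSRF / login-mix-up protection), and error
    responses. Returns the code or raises ValueError.
    """
    parsed = urlparse(redirect_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect to unexpected URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def token_request_body(code, code_verifier):
    """Form body for POST https://<domain>/oauth2/token.

    The response carries id_token / access_token / refresh_token for the
    user-pool user; the id_token is what an identity pool login map would
    then take under the cognito-idp.<region>.amazonaws.com/<pool id> key.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    })


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print(build_authorize_url("Facebook", state, challenge))
    # Constructed callback, as the app would receive it via its URL scheme:
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    print(token_request_body(parse_redirect(callback, state), verifier))
```

The state and verifier must be generated fresh per login attempt and kept in memory until the callback arrives; reusing a fixed state defeats the check in parse_redirect, and the verifier must never appear in the authorize URL.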