ios - AWS: How to properly authenticate a user against Cognito Pool and use it for Cognito Federated Identity?


I am working on an app that uses 2 authentication providers:

  • Facebook
  • Cognito User Pool

With the former I have no issues; it works as intended. However, while setting up authentication with Cognito User Pools, I am hitting one wall after another. I am using AWS SDK 2.4.9, Xcode 8, and Swift 3.

I am aware that a lot of questions have been asked, and that there are a lot of "guides" out there. However, a lot of them were answered/made with outdated docs and SDK. The official AWS documentation is out of date.

The authentication steps I am going through are as follows:

1. Configure the initial Cognito pool

    /// Set the default service configuration
    let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
    AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

    /// Create the pool configuration and register it under a specific key to use later
    let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientId, clientSecret: appClientSecret, poolId: poolId)
    AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)

    /// Create the pool from the specific predefined key
    pool = AWSCognitoIdentityUserPool(forKey: poolKey)

2. Authenticate the user against the Cognito User Pool

    user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in
        if let error = task.error as? NSError {
            completionHandler(error)
            return nil
        }

        /// The User Pool session carries the ID token that the Identity Pool expects as a login
        let session = task.result! as AWSCognitoIdentityUserSession
        let token = session.idToken!.tokenString

        /// Logins map: provider name "cognito-idp.<region>.amazonaws.com/<pool id>" -> ID token
        let tokens: [NSString: NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolId!)" as NSString: token as NSString]
        let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)

        let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolId, identityProviderManager: identityProvider)

        /// Set the default service configuration
        let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
        AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

        credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
            completionHandler(task.error as NSError?)
            return nil
        })

        return nil
    })

3. The CognitoPoolIdentityProvider class

    class CognitoPoolIdentityProvider: NSObject, AWSIdentityProviderManager {

        var tokens: NSDictionary = [:]

        init(tokens: [NSString: NSString]) {
            self.tokens = tokens as NSDictionary
        }

        /// Called by AWSCognitoCredentialsProvider to obtain the Logins map
        @objc func logins() -> AWSTask<NSDictionary> {
            return AWSTask(result: tokens)
        }
    }

4. Storing data in Cognito Federated Identity

All of this passes without errors. However, when I want to store the data I have pulled from the Cognito pool into a specific Cognito Federated Identity dataset, by calling userProfile.synchronize().continue, I am getting the following results:

getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.}]

2016-11-10 10:27:16.947365 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSIdentityProvider.m line:304 | __52-[AWSCognitoCredentialsProviderHelper getIdentityId]_block_invoke.255 | GetId failed. Error [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}]

2016-11-10 10:27:16.947726 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}]

2016-11-10 10:27:16.948452 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSCognitoDataset.m line:352 | __30-[AWSCognitoDataset syncPull:]_block_invoke | Unable to list records: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}

[10:27:16]: saveSettings AWS task error: The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)

After changing the log level, I can see the following:

// Request

2016-11-10 10:33:08.095735 xxxxxxxx[19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:543 | -[AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | Request body: {"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

// Response

2016-11-10 10:33:08.714268 xxxxxxxx[19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:553 | -[AWSURLSessionManager printHTTPHeadersForResponse:] | Response headers: {
    Connection = "keep-alive";
    "Content-Length" = 129;
    "Content-Type" = "application/x-amz-json-1.1";
    Date = "Thu, 10 Nov 2016 09:33:08 GMT";
    "x-amzn-ErrorMessage" = "Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.";
    "x-amzn-ErrorType" = "NotAuthorizedException:";
    "x-amzn-RequestId" = "b0ac6fb0-a728-11e6-8413-1fdb846185bb";
}

The above is the request for the GetId API call. Clearly, it does not match the request format in the AWS docs: http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html.

According to the AWSServiceManager class, we have this:

    /**
     The default service configuration object. This property can be set only once, and subsequent setters are ignored.
     */
    @property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;

This means that setting a new service configuration is pointless, but I see no other way to refresh the credentials I have obtained through Cognito User Pool authentication.

That's pretty much it. Any ideas?

Thanks

It seems the error you are getting,

  Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden

means that the credentials obtained in the first part cannot access the identity you have made the synchronize call with, because the identity changed.
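One thing worth checking before blaming the identity cache is the token itself: the Logins map in step 2 must carry the User Pool ID token (not the access token), issued by exactly the pool named in the map key, for the app client the app was configured with, and not expired. The script below is an added example written for this thread; it is not code from the question, the answer or the AWS SDK, and it is in Python rather than Swift so it runs stand-alone. It decodes a JWT's claims without verifying the signature (the Identity Pool service verifies the signature itself when it receives the token), derives the "cognito-idp.<region>.amazonaws.com/<pool id>" key the question builds, and reports anything that would make the Identity Pool reject the login. REGION, USER_POOL_ID and APP_CLIENT_ID are placeholder values, and sample_token() constructs an unsigned token shaped like Cognito's claims purely for the demonstration.

```python
"""Sanity-check a Cognito User Pool ID token before using it as an Identity Pool login.

Added example, not code from the question or the AWS SDK.  Signature verification is
deliberately not done here: the Identity Pool validates the token server-side, and
this client-side check only catches the wrong-token / wrong-pool / expired cases.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed placeholder values (not real identifiers).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
APP_CLIENT_ID = "exampleclientid1234567890"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def logins_key(region: str, user_pool_id: str) -> str:
    """The Logins map key an Identity Pool expects for a User Pool provider."""
    return "cognito-idp.{}.amazonaws.com/{}".format(region, user_pool_id)


def check_id_token(token: str, region: str, user_pool_id: str, app_client_id: str,
                   now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token is usable as a login."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    # The ID token's issuer is the pool's URL, i.e. "https://" + the Logins key.
    expected_iss = "https://" + logins_key(region, user_pool_id)
    if claims.get("iss") != expected_iss:
        problems.append("issuer {!r} is not {!r}".format(claims.get("iss"), expected_iss))
    # Identity Pools accept the ID token only; access tokens have token_use == "access".
    if claims.get("token_use") != "id":
        problems.append("token_use must be 'id' (the access token is not a valid login)")
    # The ID token's audience is the app client id it was issued to.
    if claims.get("aud") != app_client_id:
        problems.append("audience {!r} is not the app client id".format(claims.get("aud")))
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; call getSession again to get a fresh one")
    return problems


def build_logins(token: str, region: str, user_pool_id: str, app_client_id: str) -> Dict[str, str]:
    """Build the Logins map, refusing a token that fails the checks above."""
    problems = check_id_token(token, region, user_pool_id, app_client_id)
    if problems:
        raise ValueError("; ".join(problems))
    return {logins_key(region, user_pool_id): token}


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with an empty signature; a real Cognito token is RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "{}.{}.".format(header, payload)


def sample_token(token_use: str = "id", expires_in: int = 3600) -> str:
    """Constructed claims shaped like a Cognito ID or access token (all values are fake)."""
    issued = int(time.time())
    claims = {
        "sub": "00000000-0000-0000-0000-000000000000",
        "iss": "https://" + logins_key(REGION, USER_POOL_ID),
        "token_use": token_use,
        "iat": issued,
        "exp": issued + expires_in,
    }
    if token_use == "id":
        claims["aud"] = APP_CLIENT_ID          # ID tokens carry "aud"
        claims["cognito:username"] = "alice"
    else:
        claims["client_id"] = APP_CLIENT_ID    # access tokens carry "client_id" instead
    return make_unsigned_token(claims)


if __name__ == "__main__":
    print(build_logins(sample_token(), REGION, USER_POOL_ID, APP_CLIENT_ID))
    for bad in (sample_token("access"), sample_token(expires_in=-10)):
        print(check_id_token(bad, REGION, USER_POOL_ID, APP_CLIENT_ID))
```

If the checks pass and the Identity Pool still answers NotAuthorizedException with "Access to Identity ... is forbidden", the token is not the problem and the answer's explanation applies: the credentials provider is presenting a previously obtained identity ID that the current login is not allowed to use.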
