ios - AWS: How to properly authenticate a user against Cognito Pool and use it for Cognito Federated Identity? -


i working on app use 2 authentication providers:

  • facebook
  • cognito user pool

with former, have no issues, works intended. however, while setting authentication cognito user pools, hitting 1 wall after other. using aws sdk 2.4.9, xcode 8 , swift 3.

i aware there lot of questions have been asked, , lot of "guides" out there. however, lot of them answered/made outdated docs , sdk. official aws documentation out of date.

the authentication steps going through follows:

1. configure initial cognito pool

///  set default service configuration let serviceconfiguration = awsserviceconfiguration(region: awsregiontype.useast1, credentialsprovider: nil) awsservicemanager.default().defaultserviceconfiguration = serviceconfiguration  /// create pool configuration , register specific key use later let poolconfiguration = awscognitoidentityuserpoolconfiguration(clientid: appclientid, clientsecret: appclientsecret, poolid: poolid)   awscognitoidentityuserpool.registercognitoidentityuserpool(with: poolconfiguration, forkey: poolkey)  /// create pool specific predefined key pool = awscognitoidentityuserpool(forkey: poolkey)

2. authenticate user against cognito user pool

  user.getsession(username, password: password, validationdata: nil).continue({ (task) -> anyobject? in          if let error = task.error as? nserror {             completionhandler(error)             return nil         }          let session = task.result! awscognitoidentityusersession         let token = session.idtoken!.tokenstring          let tokens : [nsstring:nsstring] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolid!)" nsstring : token nsstring]         let identityprovider = cognitopoolidentityprovider(tokens: tokens)          let credentialsprovider = awscognitocredentialsprovider(regiontype: .useast1, identitypoolid: self.identitypoolid, identityprovidermanager: identityprovider)          ///  set default service configuration         let serviceconfiguration = awsserviceconfiguration(region: awsregiontype.useast1, credentialsprovider: credentialsprovider)         awsservicemanager.default().defaultserviceconfiguration = serviceconfiguration          credentialsprovider.getidentityid().continue({ (task) -> anyobject? in             completionhandler(task.error nserror?)             return nil         })          return nil     })

3. cognitopoolidentityprovider class

    class cognitopoolidentityprovider : nsobject, awsidentityprovidermanager {        var tokens : nsdictionary = [:]        init(tokens: [nsstring : nsstring]) {            self.tokens = tokens nsdictionary       }        @objc func logins() -> awstask<nsdictionary> {            return awstask(result: tokens)       }      }

4. storing data cognito federated identity

all passes without errors. however, want store data have pulled cognito pool specific cognito federated identity dataset, calling: userprofile.synchronize().continue , getting following results:

getcredentialswithcognito:authenticated:customrolearn:]_block_invoke | getcredentialsforidentity failed. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "(null)" userinfo={__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' forbidden.}]

2016-11-10 10:27:16.947365 xxxxxxxx[19867:5614838] awsiossdk v2.4.11 [error] awsidentityprovider.m line:304 | __52-[awscognitocredentialsproviderhelper getidentityid]_block_invoke.255 | getid failed. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "(null)" userinfo={__type=notauthorizedexception, message=unauthenticated access not supported identity pool.}] 2016-11-10 10:27:16.947726 xxxxxxxx[19867:5614838] awsiossdk v2.4.11 [error]

awscredentialsprovider.m line:577 | __44-[awscognitocredentialsprovider credentials]_block_invoke.352 | unable refresh. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "(null)" userinfo={__type=notauthorizedexception, message=unauthenticated access not supported identity pool.}] 2016-11-10 10:27:16.948452 xxxxxxxx[19867:5614838] awsiossdk v2.4.11 [error]

awscognitodataset.m line:352 | __30-[awscognitodataset syncpull:]_block_invoke | unable list records: error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "(null)" userinfo={__type=notauthorizedexception, message=unauthenticated access not supported identity pool.} [10:27:16]: savesettings aws task error: operation couldn’t completed. (com.amazonaws.awscognitoidentityerrordomain error 8.)

after changing log level, can see following:

//request

2016-11-10 10:33:08.095735 xxxxxxxx[19874:5616142] awsiossdk v2.4.11 [debug] awsurlsessionmanager.m line:543 | -[awsurlsessionmanager printhttpheadersandbodyforrequest:] | request body: {"identityid":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

//response

2016-11-10 10:33:08.714268 xxxxxxxx[19874:5616154] awsiossdk v2.4.11 [debug] awsurlsessionmanager.m line:553 | -[awsurlsessionmanager printhttpheadersforresponse:] | response headers: { connection = "keep-alive"; "content-length" = 129; "content-type" = "application/x-amz-json-1.1"; date = "thu, 10 nov 2016 09:33:08 gmt"; "x-amzn-errormessage" = "access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden."; "x-amzn-errortype" = "notauthorizedexception:"; "x-amzn-requestid" = "b0ac6fb0-a728-11e6-8413-1fdb846185bb"; }

the above request getid api call. clearly, not match request format aws docs: http://docs.aws.amazon.com/cognitoidentity/latest/apireference/api_getid.html.

according awsservicemanager class have this:

/**  default service configuration object. property can set once, , subsequent setters ignored.  */ @property (nonatomic, copy) awsserviceconfiguration *defaultserviceconfiguration;

this means setting new service configuration pointless, see no other way refresh credentials have obtained through cognito user pool authentication.

that's pretty it. ideas?

thanks

it seems error getting 

  access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' forbidden

that credentials obtained in first part cannot access identity have made synchronize call identity changed.


Comments

Post a Comment

Popular posts from this blog

asynchronous - C# WinSCP .NET assembly: How to upload multiple files asynchronously -

i using winscp .net assembly uploading files. want upload multiple files asynchronous way. have created method works single upload. public class uploadingdata { private sessionoptions _sessionoptions; private session _session; //connection etc private void onconnected() { foreach (var fileinfo in localfileslist) { var task = task.factory.startnew(() => uploadfilesasync(fileinfo)); } } private async task uploadfilesasync(string file) { string remotefilepath = _session.translatelocalpathtoremote(file, @"/", "/test_data_upload"); var uploading = _session.putfiles(file, remotefilepath, false); //when done await task.run(() => thread.sleep(1000)); } } please suggest me correct way. thanks you can use backgroundworker class this: string[] images = new string[50]; foreach (var path in images) { backgroundworker
Read more

aws api gateway - SerializationException in posting new Records via Dynamodb Proxy Service in API -

i getting "__type": "com.amazon.coral.service#serializationexception" as reply in postman & in test console in api gateway trying post record directly dynamodb using api proxy services.. referring aws article - https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/ here's mapping { "tablename": "tablenamegoeshere", "item": { "id" : "$context.requestid" "eventname" : "$input.path('$.eventname')", "timestamp" : $input.path('$.timestamp'), "answers": "$util.parsejson($input.path('$.answers'))" } } update: did asked ... , worked if try add array of json objects gives me above same error - here's trying now. please - couldnt find on google well #set($inputroot = $input.path('$')) { "tablename": "answer", "item": {
Read more

asp.net - Problems sending emails from forum -

i have been redesigning site has message board, has been written guy looked after site. it has few problems , written in .asp , uses .mdb files database. you can see whole thing here . feel free post if helps, test thing have set using original files , new database. the basic problem when posts message, supposed email sent them, have posted it. when replies, originator supposed message, replier has been posted. i’d have thought @ point in process there should script/file in postmessage.asp? the postmessage.asp page below. <% option explicit %> <!-- #include virtual="common/adovbs.inc" --> <html> <head> <meta http-equiv="content-type" content="text/html; charset=windows-1252"> <meta name="generator" content="microsoft frontpage 4.0"> <meta name="progid" content="frontpage.editor.document"> <title>new page 2</title> <base target="_self"
Read more