Note that this doesn't mean the user gets arbitrary access to the whole AWS API (as an IAM role might). It means that any Cognito user pool operation whose request syntax includes "AccessToken": "string" (GetUser, UpdateUserAttributes, ChangePassword, DeleteUser and so on) can be called with an access token that carries the aws.cognito.signin.user.admin scope, on behalf of the user the token was issued to.
What is AWS Cognito
After the first round of planning, you have a good idea of the architecture of the application, including which languages and frameworks will be used. Now you need to decide how you're going to integrate Cognito with your app. There is more than one way to do it: there are three official code libraries you can use:
When to use amazon-cognito-identity-js: when you do not need any of the extra features Amplify provides and only want to integrate Cognito into your app's custom UI. As a bonus you will probably get a much smaller bundle. You can also use it on the backend, but you would be limited to the unauthenticated (public) Cognito API calls such as sign-up and sign-in, not the Admin* operations that require AWS credentials.
Remember that user pools are simply a collection of users. But what if we want to leverage this pool of users for a multitude of different applications? This is where User Pool Application Clients come into the picture. We discuss them in the next section.
You can learn more about what triggers are and how to use them here. They are a more advanced feature, but for complicated use cases that require custom business logic (for example, running your own code before a sign-up is accepted) they may be just what you need.
This is the basic flow of Cognito Identity Pools. Let's dive in now to what it looks like to create an Identity Pool and the types of customization you can apply to them. Let's start with creating an Identity Pool.
What did work, though, was setting the AWS Cognito user pool to use email instead of username for the user login. It seems that Salesforce isn't accepting whatever AWS Cognito is returning in the OpenID response when username is used for authentication. Also, email is not an option for us, given that the users are already using usernames to log in to other platforms and applications.
So, from what I can tell based on my browser's network console, I'm able to get the authorization code required for the token request, and then when I get redirected back to Salesforce I encounter that error.
Allowed OAuth Scopes: the scopes an authorization through this app client may request. For example, aws.cognito.signin.user.admin lets the access token call Cognito user pool API operations on the user's behalf, phone gives access to the phone number, and email does the same for the email address. Only the scopes listed here can end up in a token, so leave aws.cognito.signin.user.admin out if your app does not need those self-service calls. These user scopes do not apply to the client credentials flow, which can only request custom scopes defined on a resource server.
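What the two scope paragraphs above come down to on the backend is a set of claim checks on the access token: it must really be an access token (not the ID token that arrives next to it), it must come from your pool and app client, it must not have expired, and its space-separated scope claim must contain the scope the call needs. The following is an added example, not code from the original page; the issuer URL, app client id and the tokens are constructed for the demonstration, the tokens carry a placeholder signature, and the example deliberately stops short of signature verification, which must be done first against the pool's JWKS.

```python
import base64
import json
import time

# Scope that lets an access token call the pool's self-service operations
# (the ones whose request syntax includes "AccessToken": "string").
USER_ADMIN_SCOPE = "aws.cognito.signin.user.admin"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload claims of a compact JWT without verifying the signature.
    Call this only after the signature has been checked against the pool's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token(token, issuer, client_id, required_scope, now=None):
    """Claim checks a backend should make on a Cognito access token.
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    # The ID token from the same sign-in is also a valid JWT from the same issuer,
    # but it carries no scope claim and must not be accepted here.
    if claims.get("token_use") != "access":
        problems.append("token_use is %r, expected 'access'" % claims.get("token_use"))
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    # Access tokens carry client_id; ID tokens carry aud instead.
    if claims.get("client_id") != client_id:
        problems.append("client_id mismatch")
    if float(claims.get("exp", 0)) <= now:
        problems.append("expired")
    # scope is one space-separated string, e.g. "openid email aws.cognito.signin.user.admin"
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        problems.append("missing scope " + required_scope)
    return problems


def make_unsigned_token(claims):
    """Constructed sample token for offline use only: the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample-kid"}).encode())
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()), "sig"])


# Assumed pool, region and app client id; replace with your own.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "1example23456789"
NOW = 1_700_000_000

# Token issued through the hosted UI with openid, email and the user.admin scope allowed.
ADMIN_SCOPED = make_unsigned_token({
    "token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
    "scope": "openid email " + USER_ADMIN_SCOPE, "exp": NOW + 3600, "sub": "u-1",
})
# Same user, but the app client only allows openid and email.
NO_ADMIN_SCOPE = make_unsigned_token({
    "token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
    "scope": "openid email", "exp": NOW + 3600, "sub": "u-1",
})
# The ID token that came with ADMIN_SCOPED: no scope claim, aud instead of client_id.
ID_TOKEN = make_unsigned_token({
    "token_use": "id", "iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 3600, "sub": "u-1",
})

if __name__ == "__main__":
    for name, tok in [("admin-scoped", ADMIN_SCOPED), ("no-admin-scope", NO_ADMIN_SCOPE), ("id-token", ID_TOKEN)]:
        print(name, check_access_token(tok, ISSUER, CLIENT_ID, USER_ADMIN_SCOPE, now=NOW) or "ok")
```

The token_use check is the one most often skipped: an ID token passes issuer and expiry checks and is accepted by naive backends, which then have no scope to reason about at all.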
Create an AD Connector to connect your on-premises Microsoft Active Directory domain, so that users can sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail with their corporate credentials.
The really bad: the way they decided to handle the case where I send 21,000 UTF-8 characters is to ignore my custom message and send their default message, without giving any indication of the cause.
I will now tell you about the darkest parts of AWS Cognito: things so bad you will reconsider using it. You need to know about them, otherwise you may end up in a very dark place. I still recommend using AWS Cognito, but you need to know what you are getting yourself into.
When you want to store a property on a user that isn't one of the default Cognito attributes, you have to use a custom attribute, for example adding a boolean custom:isAdmin to your user. Be careful before you make authorization decisions on such an attribute: a user's own access token can update any attribute in the app client's write list (UpdateUserAttributes), so if custom:isAdmin is writable by the app client, the user can grant it to themselves. Remove it from the client's write attributes and set it only through an Admin* call from your backend.
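The check a practitioner would want before trusting a custom attribute like the one above is an audit of every app client's write attributes. This is an added example, not code from the original page: the client descriptions mirror what describe_user_pool_client returns but are constructed, the pool id and client names are made up, and the offline stand-in class replaces a boto3 cognito-idp client so it runs without AWS; pass a real boto3 client to audit_user_pool to run it against a pool.

```python
# Constructed sample of describe_user_pool_client()["UserPoolClient"] for two app
# clients in the same pool; names and ids are made up.
SAMPLE_CLIENTS = [
    {
        "ClientName": "web-app",
        "ClientId": "1example23456789",
        "ReadAttributes": ["email", "email_verified", "custom:isAdmin"],
        "WriteAttributes": ["email", "name", "custom:isAdmin"],
    },
    {
        "ClientName": "mobile-app",
        "ClientId": "2example23456789",
        "ReadAttributes": ["email", "custom:isAdmin"],
        "WriteAttributes": ["email", "name"],
    },
]

# Attributes your authorization code reads; users must never be able to set these.
PRIVILEGED_ATTRIBUTES = frozenset({"custom:isAdmin", "custom:tenantRole"})


def user_settable_privileged(client, privileged=PRIVILEGED_ATTRIBUTES):
    """Privileged attributes a user of this app client can set on themselves
    with UpdateUserAttributes and their own access token."""
    return sorted(set(client.get("WriteAttributes", [])) & set(privileged))


def hardened_write_attributes(client, privileged=PRIVILEGED_ATTRIBUTES):
    """WriteAttributes list to push back with update_user_pool_client: the same
    list minus anything used for authorization."""
    return [a for a in client.get("WriteAttributes", []) if a not in privileged]


class _OfflineCognito:
    """Stand-in for a boto3 cognito-idp client so the audit runs without AWS."""

    def __init__(self, clients):
        self._clients = {c["ClientId"]: c for c in clients}

    def list_user_pool_clients(self, UserPoolId, MaxResults=60, NextToken=None):
        summaries = [{"ClientId": i, "ClientName": c["ClientName"]} for i, c in self._clients.items()]
        return {"UserPoolClients": summaries}

    def describe_user_pool_client(self, UserPoolId, ClientId):
        return {"UserPoolClient": self._clients[ClientId]}


def audit_user_pool(cognito, user_pool_id, privileged=PRIVILEGED_ATTRIBUTES):
    """Walk every app client of a pool and return (client name, attribute) findings.
    `cognito` is a boto3 cognito-idp client or the offline stand-in above."""
    findings = []
    token = None
    while True:
        kwargs = {"UserPoolId": user_pool_id, "MaxResults": 60}
        if token:
            kwargs["NextToken"] = token
        page = cognito.list_user_pool_clients(**kwargs)
        for summary in page["UserPoolClients"]:
            desc = cognito.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=summary["ClientId"])
            client = desc["UserPoolClient"]
            for attr in user_settable_privileged(client, privileged):
                findings.append((client["ClientName"], attr))
        token = page.get("NextToken")
        if not token:
            return findings


if __name__ == "__main__":
    for name, attr in audit_user_pool(_OfflineCognito(SAMPLE_CLIENTS), "us-east-1_EXAMPLE"):
        print("%s: users can set %s on themselves" % (name, attr))
```

Read permission for the attribute is fine (the client needs it to show an admin menu); it is the write side that turns a flag into a self-granted privilege.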
In my opinion, if the user has access to a Google/Facebook account with the email john-smith@gmail.com, then both accounts, the Cognito native one and the Facebook/Google one, should have email_verified set to true.
So how do you think Cognito handles this by default? Surely you wouldn't want two users in your user pool with the same email. That would be very confusing for the user: they log in with their email and add an item to their cart, then they log in on their phone with Google using the same email, and the item is not in the cart.
As you might have guessed, Cognito doesn't handle this at all: the default behaviour is that you simply get users with the same email that are not related to one another.
In Cognito your email account might have attributes X, Y and Z, while Google or Facebook might not have those attributes on the user object. How would you handle that for users who end up with two separate accounts with the same email in your application?
The only good reason I can think of not to have accounts with the same email linked by default is if you don't trust that the identity provider requires email validation; that's their excuse: security. If the identity provider doesn't require email validation, then I could register with an email I don't own, i.e. bob@gmail.com, come and register in your application, and steal Bob's account because I got linked to it automatically. Well, fortunately for us, both Google and Facebook require email validation, so I'm leaning more towards the Cognito team just not having bothered.
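Cognito does give you a place to do the linking yourself: a pre sign-up trigger (the triggers mentioned earlier on this page) that fires when a federated user signs in for the first time and calls AdminLinkProviderForUser against the native user that owns the same email. The following is an added example, not code from the original post: it refuses to link unless the identity provider asserted email_verified, which is exactly the risk the paragraph above describes, so it assumes the pool's attribute mapping for the provider includes both email and email_verified. The provider name table, pool id, sample user and events are constructed; the recording stand-in replaces the boto3 client so the handler can run offline, and boto3 is only imported when no client is injected.

```python
# Map the username prefix Cognito gives federated users to the identity provider
# name configured in the pool. Assumed names; adjust to your pool's providers.
PROVIDER_NAMES = {"google": "Google", "facebook": "Facebook"}


def _email_filter(email):
    # list_users takes a filter string; refuse characters that would change its meaning.
    if any(ch in email for ch in '"\\'):
        raise ValueError("email contains characters not allowed in a ListUsers filter")
    return 'email = "%s"' % email


def find_native_user(cognito, user_pool_id, email):
    """Return the native (non-federated) user with this email, or None."""
    resp = cognito.list_users(UserPoolId=user_pool_id, Filter=_email_filter(email), Limit=10)
    for user in resp.get("Users", []):
        # Federated users show up as EXTERNAL_PROVIDER; link only to a native account.
        if user.get("UserStatus") != "EXTERNAL_PROVIDER":
            return user
    return None


def handler(event, context=None, cognito=None):
    """Lambda entry point for the pre sign-up trigger."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event  # native sign-ups pass through untouched
    if cognito is None:
        import boto3  # only needed when running inside AWS
        cognito = boto3.client("cognito-idp")

    attrs = event["request"]["userAttributes"]
    email = attrs.get("email")
    # Linking is only safe if the provider vouched for the address. Without this
    # check, anyone who can create an unverified account at the provider with
    # Bob's address would be linked to Bob's native account.
    if not email or str(attrs.get("email_verified", "")).lower() != "true":
        return event

    prefix, _, subject = event["userName"].partition("_")
    provider = PROVIDER_NAMES.get(prefix.lower())
    if provider is None or not subject:
        return event

    native = find_native_user(cognito, event["userPoolId"], email)
    if native is None:
        return event  # nothing to link; Cognito creates a new federated user

    # This must run before the federated user exists in the pool, which is why
    # it lives in the pre sign-up trigger and not in post confirmation.
    cognito.admin_link_provider_for_user(
        UserPoolId=event["userPoolId"],
        DestinationUser={"ProviderName": "Cognito", "ProviderAttributeValue": native["Username"]},
        SourceUser={"ProviderName": provider, "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject},
    )
    return event


class _RecordingCognito:
    """Offline stand-in for the boto3 client: a fixed user list, records link calls."""

    def __init__(self, users):
        self.users = users
        self.links = []

    def list_users(self, UserPoolId, Filter, Limit):
        wanted = Filter.split('"')[1]
        return {"Users": [u for u in self.users if u["email"] == wanted]}

    def admin_link_provider_for_user(self, **kwargs):
        self.links.append(kwargs)


# Constructed sample pool contents and trigger event.
POOL = "us-east-1_EXAMPLE"
NATIVE_USERS = [{"Username": "john-smith", "UserStatus": "CONFIRMED", "email": "john-smith@gmail.com"}]


def google_signup_event(email, verified):
    return {
        "triggerSource": "PreSignUp_ExternalProvider",
        "userPoolId": POOL,
        "userName": "google_10769150350006150715113082367",
        "request": {"userAttributes": {"email": email, "email_verified": verified}},
        "response": {},
    }


def run_demo(verified):
    """Link calls made for a Google sign-in with John's email and the given email_verified value."""
    fake = _RecordingCognito(NATIVE_USERS)
    handler(google_signup_event("john-smith@gmail.com", verified), cognito=fake)
    return fake.links


if __name__ == "__main__":
    print("verified:", run_demo("true"))
    print("unverified:", run_demo("false"))
```

With "true" the handler links Google subject 1076...367 to the native user john-smith; with anything else it leaves Cognito to create a separate federated user, which is the page's default behaviour but not a hijack.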
These are the errors you get and can't reason about, because they make no sense whatsoever. You look at the clock, five hours have passed, you've made zero progress, you're sweating profusely and have had too much coffee; now you won't be able to sleep and you'll have to think about Cognito and Amplify the whole night.
In a previous article we discussed in detail what AWS Cognito is and how it helps applications delegate their authentication module to the AWS cloud, letting AWS do the heavy lifting and providing a secure and scalable solution for modern application needs. We also looked at user pools and how to create a user pool with an app client, which takes care of user management and provides validation via tokens.