使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Why does the Userpool-Client have to be set up as an OAuth-Client itself for Google Login?

0

Hello,

this isnt a blocking problem. But out of curiosity I wanted to ask, if s.o. knows why the Userpool Client has to be set up as an OAuth-Client itself for Google-Login.

Afaik after signing up into Google using the Userpool-Client, the Userpool & Userpool-Client will create its own Cognito-user with the User Info from Google via OAuth protocol.

But why does a Userpool-Client has to specify any OAuth settings at all (such as Callback-Urls & Logout-Urls & Scopes) and by doing so becoming an OAuth-Client of the Userpool itself? Wouldnt it be easier, if one could omit all the OAuth-settings on the Userpool-Client-side because it hasnt anything to do imho with the OAuth process to Google. (For the OAuth process to Google just a Userpool-Domain should be sufficient imo. With this Userpool-Domain Google can redirect back to the Userpool-Domain to send the code. But OAuth-Settings in the Userpool-Client shouldnt be needed here at all)

主題
安全性、身分識別與合規
標籤
Amazon Cognito Federated Identities
語言
English
mampf
已提問 5 個月前檢視次數 523 次
1 個回答
0

You are right that the OAuth settings for the UserPool-client does not have much to do with the OAuth process with Google.

As we discussed in your earlier question, Cognito interacts with Google as needed. Actually whether it is Google (or other social Id providers) or SAML or general OAuth/OIDC providers, Cognito handles that for you so your application has one interface (Cognito) to work with, independent from the different IdPs.

Towards your application, Cognito uses OAuth/OIDC flow to interact with your app when hosted UI is used to authenticate the user (again, independent from whether/which type external IdP . That's why you are defining the corresponding parameters like call back url under "Hosted UI" section of an "App Client" configuration.

AWS
Xuejun Li
已回答 5 個月前
profile picture
專家
Giovanni Lauria
已審閱 1 個月前
  • mampf
    5 個月前

    Thanks for clarifying that those are 2 different things in Cognito:

    • OAuth to Userpool via Hosted UI
    • OAuth to external Identity Providers

    Even though a userpool domain should be good enough for Google-Login, it seems that a Hosted UI is required on top for Google-Login (for whatever reason). Getting this error in the Browser otherwise:

    OAuthNotConfigureException: oauth param not configured.

    (Im just guessing: Maybe Cognito needs the callback url of the Hosted UI. when it has finished fetching user data from Google. Otherwise Cognito maybe could not inform my web app that it has finished with the Google-Login?)

    import { signInWithRedirect } from "@aws-amplify/auth";

const handleLoginWithGoogle = async () => {
    // https://docs.amplify.aws/javascript/build-a-backend/auth/add-social-provider/
    await signInWithRedirect({
      provider: "Google",
      options: {
        preferPrivateSession: true,
      },
    });
  };
  • Xuejun Li
    4 個月前

    The callback url is needed because after Cognito successfully interact with the external IdP, it will deliver the authorization code or tokens (depending on grant type(s) configured and used) to your app by redirecting user to this url. That callback url is part of your app, though configured under "Hosted UI". You can skip the "UI" (login page) itself by telling Cognito to send user directly to IdP, but at the end Cognito needs to deliver the authorization code or tokens to your app.

    Check this video for a sequence diagram of the flow and explanation: (diagram in the video is more elaborated than the one in user doc https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html)

    https://www.youtube.com/watch?v=WgvVxKf2CFc (sequence flow explanation starts at 12:20. The flow is describing the authorization code grant flow).

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容