API to exchange Google-Id-Token to Cognito-OAuth-Bearer-Token


I got lost when I was trying to exchange a Google ID token for an AWS Cognito token.

What I want to achieve: the user logs into his/her Google account on an Android device, the token is sent to my API* (AWS API Gateway if necessary; I was hoping to use one of the Cognito APIs to achieve this), which then exchanges the Google token for a Cognito token and creates the user if required.

Here is my scenario:

  • Created a Google Cloud project
  • My Android app receives a valid token for this project
  • Created a Cognito user pool
  • Created a Cognito user pool client
  • Created a user pool identity provider of type Google

Here is my serverless YAML:

resources:
  Resources:
    ApiUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: my-user-pool
        UsernameAttributes:
          - email
        AutoVerifiedAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 8
            RequireLowercase: false
            RequireNumbers: true
            RequireSymbols: false
            RequireUppercase: true


    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: user-pool-client
        UserPoolId:
          Ref: ApiUserPool
        ExplicitAuthFlows:
          - ALLOW_USER_PASSWORD_AUTH # for email signin
          - ALLOW_REFRESH_TOKEN_AUTH
        GenerateSecret: false
        SupportedIdentityProviders:
          - Google
        CallbackURLs:
          - https://jwt.io # demo purposes
        LogoutURLs:
          - http://localhost/signoff # demo purposes
        AllowedOAuthFlows: # since I have a token I assume implicit would be fine too?!?
          - code
          - implicit
        AllowedOAuthScopes:
          - email
          - openid
          - profile
        AllowedOAuthFlowsUserPoolClient: true

    CognitoUserPoolIdentityProvider:
      Type: AWS::Cognito::UserPoolIdentityProvider
      Properties:
        ProviderName: Google
        AttributeMapping:
          email: email
          email_verified: email_verified
          locale: locale
          picture: picture
        ProviderDetails:
          client_id: <my-client-id>
          client_secret: <my-client-secret>
          authorize_scopes: email openid profile
        ProviderType: Google
        UserPoolId:
          Ref: ApiUserPool

Sidenotes:

  • No website!
  • No amplify!

When I search the documentation I get a lot of examples (here an example) for when I am on the web (providing Google login from a website or something else) and use some hosted UI, where the whole OAuth2 flow gets started, which I don't need, since I already have a valid Google token and just want to exchange it for a Cognito token and maybe create the user in the pool if it doesn't exist.

I am pretty sure I took a wrong turn somewhere. Where?

* This might be the problem already, but if so, what else should I do?
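The app client above is a public client (GenerateSecret: false) on a native device, and the YAML leaves open whether the implicit flow would do. The following Python sketch is an added example, not code from the post or from AWS: it walks through the authorization-code-with-PKCE flow against a user pool's own OAuth 2.0 endpoints (/oauth2/authorize and /oauth2/token on the pool domain), which is the route by which a user pool signs in a Google user; the identity_provider=Google parameter sends the browser straight to Google instead of showing the hosted sign-in page. The pool domain, client id and redirect URI are assumed placeholders, and no network calls are made; the functions produce the request URL and form body and validate the callback, so a client can wire them to whatever HTTP and browser-launch code it uses.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: substitute the real user pool domain, app client id
# (the client was created with GenerateSecret: false) and the redirect URI
# registered under CallbackURLs. None of these are values from the post.
COGNITO_DOMAIN = "https://example-pool.auth.eu-central-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
REDIRECT_URI = "myapp://signin/callback"
SCOPES = "openid email profile"           # matches AllowedOAuthScopes in the YAML


def challenge_for(verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); the verifier never leaves the device."""
    verifier = secrets.token_urlsafe(64)   # 86 URL-safe chars, within the 43..128 limit
    return verifier, challenge_for(verifier)


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Authorization request for the pool's /oauth2/authorize endpoint.

    response_type=code (not token) plus a PKCE challenge: the redirect carries
    only a short-lived code, and only the holder of the verifier can redeem it.
    identity_provider=Google skips the hosted chooser and goes to Google sign-in.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "identity_provider": "Google",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect, rejecting errors or a mismatched state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not originate from this flow")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str, code_verifier: str) -> tuple:
    """URL and form body for POST /oauth2/token (grant_type=authorization_code).

    No client_secret is sent because the app client has GenerateSecret: false;
    the code_verifier is what proves this app instance started the flow.
    """
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    return f"{COGNITO_DOMAIN}/oauth2/token", form


def query_params(url: str) -> dict:
    """Single-valued query parameters of a URL (helper for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    # Constructed walk-through with a made-up callback; nothing is sent anywhere.
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(state, challenge))
    code = parse_callback(f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}", state)
    url, form = build_token_request(code, verifier)
    print(url, form)
```

Two points this makes concrete for the setup in the YAML. First, a user pool's sign-in APIs (the InitiateAuth flows listed under ExplicitAuthFlows) take pool credentials, not a token issued by an external provider, so the Google-to-user-pool step runs through these OAuth endpoints; a Cognito identity pool, by contrast, does accept a Google ID token directly but hands back AWS credentials rather than user pool tokens. Second, on a public client the code flow with PKCE is the safer choice over implicit: implicit returns tokens in the redirect itself, whereas here the redirect carries only a code that is useless without the verifier, and the state check rejects callbacks the app did not initiate. Whatever the API receives afterwards, it should still verify the resulting id_token against the pool's JWKS (signature, iss, aud, exp) before trusting it.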
