
[CognitoAuth] Facebook federation is not working

Open minbi opened this issue 6 years ago • 6 comments

@Shusshu I moved your issue, so we can track it without combining issues.

I managed to get the Google auth working with user pools but not for Facebook, following the steps here: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

  1. oauth/authorize -> we get the state back in the 302 Location redirect
  2. we can ignore the login call as we do the native SDK login with Google
  3. b. oauth2/idresponse -> we send the serverAuth token from Google:

     ```kotlin
     val googleSignInOptions = GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
         .requestServerAuthCode(serverClientId)
         .requestId()
         .requestEmail()
         .build()
     ```

  4. our server can verify this

Only works for Google and not Facebook .... issue with the Facebook access token ... it's not the one AWS needs

=-=-=-=-=-=-=-=-=-=

@minbi Could you help out with facebook?

oauth2/idresponse on AWS needs to be able to work with the access token from facebook (Firebase Auth is doing it) Maybe you can use: https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing#long-via-code

minbi avatar Feb 08 '19 19:02 minbi
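An added example (not code from the issue or from aws-sdk-android) of the code-grant redirect handling walked through in the steps above: it builds the /oauth2/authorize request with a fresh state and checks the 302 Location that comes back, accepting only an authorization code (which is what idresponse takes) and only when the state matches the attempt that was started. The Cognito domain, client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder for the app's Cognito hosted UI domain (assumption, not from the issue).
COGNITO_DOMAIN = "https://YOUR_DOMAIN.auth.REGION.amazoncognito.com"


def build_authorize_url(client_id, redirect_uri, identity_provider="Facebook"):
    """Build the /oauth2/authorize URL for the code grant and return (url, state).
    The caller must keep `state` and compare it when the redirect comes back."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    params = {
        "response_type": "code",  # idresponse consumes a code, not a token
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "identity_provider": identity_provider,
        "scope": "openid email",
        "state": state,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}", state


def check_redirect(location, expected_state):
    """Validate the 302 Location value and return the authorization code.

    Raises ValueError when the provider reported an error, when the response
    carries an access token instead of a code (the implicit grant, which the
    code-exchange endpoints do not accept), or when the state does not match
    the one generated for this login attempt (a CSRF / login-swap attempt).
    """
    parsed = urlparse(location)
    query = parse_qs(parsed.query)
    fragment = parse_qs(parsed.fragment)  # the implicit grant puts tokens here
    if "error" in query:
        raise ValueError(f"provider error: {query['error'][0]}")
    if "access_token" in query or "access_token" in fragment:
        raise ValueError("got an access token, expected an authorization code")
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: not the login attempt we started")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code
```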

Hi @Shusshu,

Can you provide some more detail on how you are getting the Facebook token and what you are passing to Amazon Cognito? Are you exchanging the code for a token before you pass the code to Cognito?

minbi avatar Feb 11 '19 03:02 minbi

Hi @minbi, I'm using the Facebook Login button via their SDK 4.40, thus I receive a long-lived access token from Facebook, which I then pass to Cognito oauth2/idresponse.

I also tried to exchange the long-lived access token for a short-lived access token by calling https://graph.facebook.com/oauth/client_code (see https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing#long-via-code). I was planning to migrate that part server side, as the client secret shouldn't be in the app, but anyway it did not work either.

Shusshu avatar Feb 11 '19 09:02 Shusshu

Hi @Shusshu ,

The oauth2/idresponse path does not accept tokens. It accepts the code that is passed back during the OAuth protocol.

minbi avatar Feb 11 '19 17:02 minbi

Since there is no way to get that code back from the Facebook SDK when will AWS support this feature? Firebase Auth is properly dealing with Facebook's access token... it can be done!

Shusshu avatar Feb 12 '19 08:02 Shusshu

I will take this request to the service team. This is currently not supported by the service.

minbi avatar Feb 12 '19 22:02 minbi

It seems the Google solution I posted earlier isn't working anymore... @minbi did you guys patch something server side to block this workaround?

Shusshu avatar Apr 03 '19 11:04 Shusshu