amazon-cognito-auth-js
Allow/deny access for Google accounts based on hosted domain
Hi. I'm trying to register an auth with the application where only users of a specific Google hosted domain are allowed. Others are supposed to be denied.
So when calling auth.getSession(), it goes to https://xxxx.auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=xxxxxxxxxxx&redirect_uri=localhost:4200, which lists all your Google email accounts. Is there any config or any way to only allow a specific [email protected] Google email to auth and deny the [email protected] Google email?
Thanks
The Google OAuth flow accepts an extra "hd" (hosted domain) parameter to state which domain is allowed to log in. Only accounts from that domain will show up in the account selector, and in the event that no account from that domain is available, the UI will hint which accounts are allowed and will forbid logins from any other domain.
Google Auth: can you guys add the "hd" parameter to the request, @yuntuowang?
Thanks!!!!!!
Hi @lucasgao, based on your use case, I suggest you use our AWS Lambda Triggers to customize User Pool workflows. You can use the Pre sign-up trigger to block sign-up of certain Gmail accounts, and the Pre authentication trigger to block sign-in of certain Gmail accounts.
Depending on your use case, you have many options; details here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
Don't know if it applies, but Google always checks a header named "X-GoogApps-Allowed-Domains", which you can insert with your allowed domain.
Like in this McAfee KB:
https://kc.mcafee.com/corporate/index?page=content&id=KB72538
@yuntuowang, care to share some more details on how to "block" users from registering to the user pool? I have read the documentation link you provided multiple times and there is no mention or clear instruction on how to deny. I have also tested the Pre Sign-up lambda for federated as well as pool users, but there is no clear-cut way to deny registration. Mix that with Amplify and there is simply no way. My use case is simple: I have a User Pool SAML app with OneLogin, and I maintain a list of authorized users in DynamoDB; if the user is in DD they can access the app, otherwise they should be denied registration. This is my Pre Sign-up Lambda:
exports.handler = async (event) => {
  console.log("Event is = ", event);
  if (event.triggerSource === 'PreSignUp_ExternalProvider') {
    // ......code to check if user is in DynamoDB and initialize valid = true | false
    let valid = false; // placeholder; set by the DynamoDB lookup above
    if (!valid) {
      // user is not on the authorized list: deny registration
      var error = new Error("You do not have permission to access this app.");
      return error;
    } else {
      return event;
    }
  }
  return event;
};
This kind of works somewhat, since the user is actually blocked from registering, at least on the User Pool side, but I am not sure if return error is a good idea, and neither is return {}: returning an error or {} throws the Amplify Auth.configure() method into a tailspin on the client side and gives me the error "Invalid version. Version should be 1".
@annjawn you need to throw the error, not return it.
I have the same problem: when I throw the error, I get back in my client
[ERROR] 05:48.627 OAuth - Error handling auth response. Error: PreSignUp+failed+with+error+%5Bobject+Object%5D
and I have no idea how to handle this error.
@arekko are you using promises via the async function modifier? If so, you would throw the error. If not, use the callback approach.
@valeeum I am using this kind of callback inside my lambda function with the pre sign-up trigger:
exports.handler = (event, context, callback) => {
  const error = new Error(ERROR_MESSAGE);
  callback(error, event); // non-async handler: report the failure through the callback
};
It correctly validates registration when I try to register with email and password: I get back the object with the error message. With Cognito Google federated it prevents the user creation, but I get the error exception.
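One way to implement the Pre Sign-up check this thread converges on (gate federated sign-ups by hosted domain or an allowlist, and throw the error rather than return it), as an added example that is not code from the thread or from amazon-cognito-auth-js; the domain, the allowlist and the in-memory lookup standing in for the DynamoDB check are assumptions:

```javascript
// Added example: Cognito Pre Sign-up trigger that rejects federated sign-ups
// unless the email is in an allowed hosted domain or an explicit allowlist.
// Assumed values below stand in for the DynamoDB lookup described in the thread.
const ALLOWED_DOMAINS = new Set(['example.com']);      // assumed hosted domain
const ALLOWED_USERS = new Set(['alice@example.org']);  // assumed allowlist

// Return the lower-cased domain part of an email, or null if it is malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Allowed if the exact address is allowlisted or its domain is an allowed domain.
function isAllowed(email) {
  if (typeof email !== 'string') return false;
  const lower = email.toLowerCase();
  return ALLOWED_USERS.has(lower) || ALLOWED_DOMAINS.has(emailDomain(lower));
}

// Pure decision logic: returns the event to let sign-up proceed, throws to deny.
function decide(event) {
  // Only federated (Google/SAML) sign-ups are gated; native sign-ups pass through.
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') return event;
  const attrs = (event.request && event.request.userAttributes) || {};
  if (!isAllowed(attrs.email)) {
    // Throwing (not returning) the Error is what makes Cognito reject the sign-up.
    throw new Error('You do not have permission to access this app.');
  }
  return event;
}

// Async Lambda handler: a thrown error rejects the promise and fails the trigger.
async function handler(event) {
  return decide(event);
}

if (typeof module !== 'undefined') {
  module.exports = { handler, decide, isAllowed, emailDomain };
}
```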