aws-samples / aws-cognito-apigw-angular-auth

A simple/sample AngularV4-based web app that demonstrates different API authentication options using Amazon Cognito and API Gateway with an AWS Lambda and Amazon DynamoDB backend that stores user details in a complete end to end Serverless fashion.

Home Page: https://aws.amazon.com/blogs/compute/secure-api-access-with-amazon-cognito-federated-identities-amazon-cognito-user-pools-and-amazon-api-gateway/

License: MIT No Attribution

JavaScript 46.10% HTML 16.66% TypeScript 34.35% CSS 2.89%
cognito-user-pool amazon-cognito api-gateway aws-lambda sam cloudformation dynamodb angular4

aws-cognito-apigw-angular-auth's People

Contributors

awsed, chriscoombs, craigjam, hyandell, jamesiri, jpeddicord, kyarosh, markdernie, rmalecky

aws-cognito-apigw-angular-auth's Issues

Google Resource Test Fails

Thanks for sharing the example. Very helpful. My Google authentication succeeds and I was able to retrieve the user info. However, when I try to test the Google resource it fails with the following error. I tried to set CORS on API Gateway for this resource but it still fails with the following error. Any thoughts on how to resolve it?

XMLHttpRequest cannot load https://xxxxxx.execute-api.ap-south-1.amazonaws.com/demo/google. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 403.

Thanks

lambda.zip requires modules

Overall the code works great on Node 10. Thanks! After some troubleshooting 401 errors with authenticating the users, I discovered the lambda functions were responding with a timeout error because 'dynamodb-doc' was not installed as a dependency. Creating a package.json file, running npm install, and swapping out the lambda.zip file fixed it.

aws cloudformation deploy error

When I executed the second step
aws cloudformation deploy

I have got this error

Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Transform AWS::Serverless-2016-10-31 failed with: Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [CognitoDemoApi] is invalid. Specify either 'DefinitionUri' or 'DefinitionBody' property and not both

Authenticated Role Selection

I'm guessing the Cognito UI has been updated (likely multiple times?) since this project was published - and mostly, I'm able to keep up with the transition / translation. For example, in step 6 of the README there is (not currently) a section called AUTHENTICATION PROVIDERS - but Identity Providers is certainly close enough, and indeed, I found the referenced objects in that section.

But in Step 7 - try as I might - I can not find a "Cognito Tab" - nor, poring over every panel/tab/pane of the UI within the Identity Pool, can I find any reference to "AUTHENTICATED ROLE SELECTION" or the option to "CHOOSE ROLE FROM TOKEN".

I so desperately want this to work, as it alleges to demonstrate exactly what I've been struggling with for days now, and have failed with every previous AWS-documented, AWSlabs git repo that has anything to do with integrating Google (now G Suite) authentication with Cognito.

In the meantime, I'm back to plain ol' OAuth and OpenID Connect, in a 'roll-your-own' fashion - but I know that Cognito has value for our effort, and will save us much heavy lifting.

Any advice on what I'm doing wrong - or where this configuration may have migrated in the UI? I'd gladly do it via the CLI / API if I had any confidence in what I was supposed to be setting, etc.

Thanks in advance,

IAM Capability Required

The aws cloudformation deploy command does not indicate that it needs --capabilities CAPABILITY_IAM and as such, errors with the following message during execution:

An error occurred (InsufficientCapabilitiesException) when calling the ExecuteChangeSet operation: Requires capabilities : [CAPABILITY_IAM]

I understand that it may not be ideal to include this option by default, so that users are aware of the security repercussions, but I think it should be covered in the documentation, at minimum.

Overall, thanks for this example. It is exactly what I was looking for!

Async call after Google authentication

Sometimes the async call to get the temporary credentials from Cognito after the Google authentication does not return the credentials, and authenticating a second time is required. Working on a better callback strategy.

Security Issue on Posting user attributes

Hi,

IMHO, sending email, name, surname and ... in the body of the POST is not the best approach.
How can I get these attributes in my lambda function only by having "cognitoIdentityId"?

I imagine that if I call some service I can get these attributes, because I don't trust the client to send this information...

Thanks,
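
One way to address the concern raised in this issue, as an added example (not code from this repository): the Lambda function takes identity attributes only from the request context that API Gateway populated after verifying the caller, and ignores any identity fields in the POST body. It assumes Lambda proxy integration; the function names, the `nickname` field and the sample event are hypothetical and constructed for illustration.

```javascript
// Added example (not the repository's code). Assumes Lambda proxy integration.
'use strict';

// For user-pool-backed identities the provider string has the form
// "cognito-idp.<region>.amazonaws.com/<poolId>,cognito-idp.<region>.amazonaws.com/<poolId>:CognitoSignIn:<sub>"
function subFromProvider(provider) {
  if (typeof provider !== 'string') return null;
  const m = provider.match(
    /^cognito-idp\.[a-z0-9-]+\.amazonaws\.com\/([\w-]+),.*:CognitoSignIn:([0-9a-fA-F-]{36})$/);
  return m ? { userPoolId: m[1], sub: m[2] } : null;
}

// Return only what API Gateway verified; never read identity from event.body.
function trustedIdentity(event) {
  const ctx = (event && event.requestContext) || {};
  const claims = ctx.authorizer && ctx.authorizer.claims;
  if (claims && claims.sub) {            // Cognito User Pools authorizer (JWT)
    return { source: 'jwt', userId: claims.sub, sub: claims.sub, email: claims.email || null };
  }
  const id = ctx.identity || {};
  if (id.cognitoIdentityId) {            // IAM auth with Cognito identity credentials
    const up = subFromProvider(id.cognitoAuthenticationProvider);
    return { source: 'iam', userId: id.cognitoIdentityId, sub: up ? up.sub : null, email: null };
  }
  return null;
}

// Build the record to store: identity from the context, free-form fields from the body.
function buildUserRecord(event) {
  const who = trustedIdentity(event);
  if (!who) return { statusCode: 401, record: null };
  let body;
  try { body = JSON.parse(event.body || '{}') || {}; }
  catch (e) { return { statusCode: 400, record: null }; }
  const nickname = typeof body.nickname === 'string' ? body.nickname.slice(0, 64) : null;
  return { statusCode: 200, record: { userId: who.userId, sub: who.sub, email: who.email, nickname } };
}

// Constructed sample event: the body claims a different email than the token.
const sampleEvent = {
  requestContext: { authorizer: { claims: {
    sub: '11111111-2222-3333-4444-555555555555', email: 'alice@example.com' } } },
  body: JSON.stringify({ email: 'someone-else@example.com', nickname: 'al' }),
};
console.log(buildUserRecord(sampleEvent).record);
```

On the IAM path the event carries no email, so the remaining attributes have to be looked up server-side from the user pool using the recovered `sub`.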

Updating Readme Step2

Step 2
Missing parameters for the deploy command:

aws cloudformation deploy --template-file /mnt/c/1REPOS/aws-cognito-apigw-angular-auth/sam/sam-output.yaml --stack-name "awscognitoapigwangularauth" --capabilities CAPABILITY_IAM

Instructions not clear

First, thanks for making this. It is impossible to get anything working on AWS without an example; the documentation is horrendous...

So I tried following your steps in the readme but got stuck on step 11.
In the last part of step 10 you say unzip the downloaded apigwsdk.zip
Now I have done this but there is no /src folder or package.json file in there for me to copy.

I tried downloading this repo and installing it but that didn't work
I also tried to copy the /src and package.json from this repo to the CLI generated directory but that didn't work either.

So what do you actually mean by step 11, where are these items coming from?

sam.yaml cannot be deployed: nodejs version too old

sam.yaml cannot be deployed anymore; the referenced nodejs version is too old. Lambda suggests nodejs8.10 instead of nodejs4.3.

The runtime parameter of nodejs4.3 is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (nodejs8.10) while creating or updating functions.

Updating Readme step 2 (need aws configure)

I execute aws cloudformation package .... OK

I execute aws cloudformation deploy .... KO with this message: "You must specify a region. You can also configure your region by running "aws configure"."

Can you add "how to find AWS Access Key ID, AWS Secret Access Key, ... ?" and "how to create a good IAM account?"

MissingAuthenticationTokenException

The client seems not to send the authentication header.
Both users can login and display user details but can only access /cup
In the browser console I don't see any authentication information being sent.

Cannot read property 'config' of null

Following the instructions in the readme failed at the instruction to run npm start. This calls ng serve, which fails with this error:

Cannot read property 'config' of null
TypeError: Cannot read property 'config' of null
    at Class.run (aws-cognito-apigw-angular\node_modules\@angular\cli\tasks\serve.js:22:63)
    at check_port_1.checkPort.then.port (aws-cognito-apigw-angular\node_modules\@angular\cli\commands\serve.js:103:26)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:160:7)

It's not clear if this is a bug in angular-cli or something with this project. I noticed that the package.json refers to angular-cli 1.0.0 but using that version causes other problems (can't use the new command for one thing).

(I am on Windows if that's relevant)

Cannot read property 'config' of null

I get the error "Cannot read property 'config' of null" on npm start.

This is not the same as #14. I am in a different directory. I ended up creating the .angular-cli.json file manually and worked after that.

Here is the output of ng --version

Your global Angular CLI version (6.0.7) is greater than your local
version (1.0.0). The local Angular CLI version is used.

To disable this warning use "ng config -g cli.warnings.versionMismatch false".
    _                      _                 ____ _     ___
   / \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|
  / △ \ | '_ \ / _` | | | | |/ _` | '__|   | |   | |    | |
 / ___ \| | | | (_| | |_| | | (_| | |      | |___| |___ | |
/_/   \_\_| |_|\__, |\__,_|_|\__,_|_|       \____|_____|___|
               |___/
@angular/cli: 1.0.0
node: 10.3.0
os: darwin x64
@angular/animations: 4.4.7
@angular/cdk: 2.0.0-beta.12
@angular/common: 4.4.7
@angular/compiler: 4.4.7
@angular/core: 4.4.7
@angular/forms: 4.4.7
@angular/http: 4.4.7
@angular/material: 2.0.0-beta.3
@angular/platform-browser: 4.4.7
@angular/platform-browser-dynamic: 4.4.7
@angular/router: 4.4.7
@angular/cli: 1.0.0
@angular/compiler-cli: 4.4.7

React + Graphql example?

Hi, thanks for sharing this.
Is there such example using React and Graphql-server and demonstrating some best practices (up to the moment) for separate roles and permissions (regular users can modify own content, admins can modify all)?

UI is not working for JWT and IAM

I had deployed this solution successfully and it works for Google authentication, but when I try the other 2 options such as "Cognito User Pools Standalone (JWT)" and "Cognito User Pools With Identity (IAM)" nothing happens in the UI. It is authenticating successfully but API resources are grayed out.
