aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 821 forks

Authentication without Cognito Users, federated only #11061

Open MigeBill opened 1 year ago

MigeBill commented 1 year ago

Is this feature request related to a new or existing Amplify category?

No response

Is this related to another service?

No response

Describe the feature you'd like to request

It should be possible to configure authentication so that one or more social providers can be used without setting up options for native cognito users.

It does not always make sense for an application to want to manage its own user accounts

Describe the solution you'd like

A new option when adding auth

Do you want to use the default authentication and security configuration? (Use arrow keys)

Default configuration
Default configuration with Social Provider (Federation)
Social Provider without cognito default
Manual configuration
I want to learn more.

Describe alternatives you've considered

Option 1: Using the Manual configuration option, but this insists on setting up Cognito users.

Option 2: Configuring Cognito users but only displaying custom dedicated social sign-in buttons and not using the Authenticator UI at all. Unfortunately that is not foolproof, as in some cases the UI falls back to rendering the Authenticator view, including the Cognito username and password.

Additional context

No response

Is this something that you'd be interested in working on?

Would this feature include a breaking change?

ykethan commented 1 year ago

Hey @MigeBill, to better understand the feature, could you provide us your use case?

MigeBill commented 1 year ago

@ykethan, sure...

The Amplify website is stage 1 in the customer journey. Stage 2 is managed on an external provider's site unrelated to AWS.

The stage 2 system allows social sign-in or its own username and password.

When a user completes stage 1 in our amplify solution with a social account, we can then automatically grant that social account access to stage 2.

When they choose to set up a cognito username and password at stage 1 we cannot do this.

Therefore we want to be able to configure the Auth component for federated sign-on without the username and password option, so that all users will get seamless access to stage 2 upon completion.

Does that make sense? Cheers

cwbuecheler commented 1 year ago

@ykethan - I'd like to add an additional use case: I'm building an application where the only option for sign-in is Google auth. That's it. No username/password, Apple, GitHub, or other OAuth2 solution. If you aren't a part of my employer's Google org, you can't get in. I don't need or want to create IAM roles, Cognito users, etc.

Presently, I'm using an authenticator lambda function on all of my endpoints that need authentication (so ... all of them except the ones that actually reach out to Google to get the tokens in the first place). It's a very simple function that takes the google token, validates it, and then lets the REST API endpoint proceed to contact the main lambda function with which it's associated. Works great! Right up until I change anything about my API using the CLI, and then do amplify push, at which point all of my authenticators on every single route get blown away, and I have to go set them again. It even deletes the actual authenticator, so I have to set that back up and point it to the lambda function.

It's a pretty small API that's not going to change much once it's established, so it's not a huge deal, just a minor annoyance. Nonetheless, it'd be really excellent if we could create and configure lambda authenticators that stick around between API pushes.

Thanks!

ykethan commented 1 year ago

Hey @cwbuecheler, thank you for adding your use case. I wanted to add some information on this: Amplify provides an override functionality for REST APIs which should enable you to add an authorizer to your API. Unfortunately, I do not have an example for the Lambda authorizer, but our documentation does provide an example for a Cognito authorizer; refer to https://docs.amplify.aws/cli/restapi/override/#add-a-cognito-user-pool-authorizer-to-your-rest-api

cwbuecheler commented 1 year ago

Oh, fantastic, thanks - I'll absolutely see if I can adapt that to my needs. I wasn't aware overrides could be used in that manner.