aws-amplify / aws-sdk-android

AWS SDK for Android. For more information, see our web site:
https://docs.amplify.aws

[CognitoAuth] Facebook federation is not working #693

Open minbi opened 5 years ago

minbi commented 5 years ago

@Shusshu I moved your issue, so we can track it without combining issues.

I managed to get the Google auth working with user pools but not for Facebook, following the steps here: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

  1. oauth/authorize -> we get the state back in the 302 Location redirect
  2. we can ignore the login call as we do the native SDK login with Google
  3. oauth2/idresponse -> we send the serverAuth token from Google:

     ```kotlin
     val googleSignInOptions = GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
         .requestServerAuthCode(serverClientId)
         .requestId()
         .requestEmail()
         .build()
     ```

  4. our server can verify this

Only works for Google and not Facebook ... issue with the Facebook access token ... it's not the one AWS needs.

=-=-=-=-=-=-=-=-=-=

@minbi Could you help out with Facebook?

oauth2/idresponse on AWS needs to be able to work with the access token from Facebook (Firebase Auth is doing it). Maybe you can use: https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing#long-via-code

minbi commented 5 years ago

Hi @Shusshu,

Can you provide some more detail on how you are getting the Facebook token and what you are passing to Amazon Cognito? Are you exchanging the code for a token before you pass the code to Cognito?

Shusshu commented 5 years ago

Hi @minbi, I'm using the Facebook Login button via their SDK 4.40, so I receive a long-lived access token from Facebook, which I then pass to Cognito oauth2/idresponse.

I also tried to exchange the long-lived access token for a short-lived access token by calling https://graph.facebook.com/oauth/client_code (see https://developers.facebook.com/docs/facebook-login/access-tokens/refreshing#long-via-code). I was planning to migrate that part server side, as the client secret shouldn't be in the app, but anyway it did not work either.

minbi commented 5 years ago

Hi @Shusshu,

The oauth2/idresponse path does not accept tokens. It accepts the code that is passed back during the OAuth protocol.

Shusshu commented 5 years ago

Since there is no way to get that code back from the Facebook SDK when will AWS support this feature? Firebase Auth is properly dealing with Facebook's access token... it can be done!

minbi commented 5 years ago

I will take this request to the service team. This is currently not supported by the service.

Shusshu commented 5 years ago

It seems the Google solution I posted earlier isn't working anymore... @minbi did you guys patch something server side to block this workaround?