awslabs / amazon-kinesis-video-streams-webrtc-sdk-android

Android SDK for interfacing with Amazon Kinesis Video Streams Signaling Service.
Apache License 2.0

Is it possible to remove Cognito from AWS Kinesis Video Streams WebRTC Android SDK #33

Closed samanaz closed 3 years ago

samanaz commented 3 years ago

Hi guys, is it possible to remove Cognito from AWS Kinesis Video Streams WebRTC Android SDK?

MushMal commented 3 years ago

These are open source components and as such you can fork and modify your codebase.

I am going to resolve this issue as it's not actionable.

dynaxis commented 3 years ago

People need to understand Cognito and IAM to get an idea of how to remove Cognito from the code. And I bet most want to use their own authentication mechanism and don't know how to do it. That's why many just ask how or if it is possible to remove Cognito in using Kinesis WebRTC IMHO.

@samanaz you can use whatever AWS credentials with proper permissions (that is, for Kinesis Video Streams) in place of the ones obtained via Cognito in the current code. Such an example is at https://github.com/dynaxis/amazon-kinesis-video-streams-webrtc-sdk-android, which is a fork of this repo that uses plain user credentials (the access/secret keys are exposed in the source code, but I already revoked them).

But in most cases, such a direct embedding of basic AWS credentials is not recommended, because, for instance, you have to send out a new version of your app just to update the credentials. Anyway, if you have to take this route, please consider using something like Android's KeyStore, since my example exposes the keys in the open and it's definitely a bad thing.

If you have your own authentication mechanism and think Cognito gets in your way, then you may use only the identity pool part of Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html).

There is another way of getting rid of Cognito, which uses Security Token Service (STS), but Cognito actually uses STS underneath. So it is quite likely that Cognito is an easier way to go. FYI, it's called Token Vending Machine and was previously a recommended practice for dealing with the use cases Cognito currently deals with (https://aws.amazon.com/ko/articles/authenticating-users-of-aws-mobile-applications-with-a-token-vending-machine/).

Hope this helps.
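
The token-vending approach mentioned in the last comment, as an added example that is not from the thread or the SDK: a backend function that, once your own authentication has verified the user, calls STS `AssumeRole` with a session policy so the app receives short-lived credentials limited to one signaling channel as a viewer. The function names, role ARN, channel ARN and user id are assumptions.

```python
import json
import re

# IAM actions used by the signaling flow for a viewer (no ConnectAsMaster).
VIEWER_ACTIONS = [
    "kinesisvideo:DescribeSignalingChannel",
    "kinesisvideo:GetSignalingChannelEndpoint",
    "kinesisvideo:GetIceServerConfig",
    "kinesisvideo:ConnectAsViewer",
]
SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}", re.ASCII)  # STS RoleSessionName rule

def session_policy(channel_arn):
    """Session policy that narrows the assumed role to one signaling channel."""
    if not channel_arn.startswith("arn:aws:kinesisvideo:") or ":channel/" not in channel_arn:
        raise ValueError("not a signaling channel ARN")
    if "*" in channel_arn or "?" in channel_arn:
        raise ValueError("wildcards are not allowed in the channel ARN")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": VIEWER_ACTIONS,
                           "Resource": channel_arn}]}

def vend_viewer_credentials(sts, role_arn, user_id, channel_arn, ttl_seconds=900):
    """Call only after your own auth has verified user_id and access to the channel."""
    if not SESSION_NAME_RE.fullmatch(user_id):
        raise ValueError("user_id is not usable as an STS session name")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=user_id,  # recorded in CloudTrail, ties calls to the user
        Policy=json.dumps(session_policy(channel_arn)),
        DurationSeconds=max(900, ttl_seconds),  # 900 s is the STS minimum
    )
    c = resp["Credentials"]
    # Hand the app only what it needs to build session credentials.
    return {"accessKeyId": c["AccessKeyId"],
            "secretAccessKey": c["SecretAccessKey"],
            "sessionToken": c["SessionToken"],
            "expiration": c["Expiration"].isoformat()}

if __name__ == "__main__":
    import boto3  # the backend's own identity must be allowed to assume the role
    print(vend_viewer_credentials(
        boto3.client("sts"),
        "arn:aws:iam::123456789012:role/ExampleKvsViewerRole",  # placeholder
        "user-42",                                              # placeholder
        "arn:aws:kinesisvideo:us-west-2:123456789012:channel/example/1234567890123",
    ))
```

On the Android side the returned values can back a credentials provider that supplies session credentials in place of the Cognito one, so no long-lived key ships in the app.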