Google Authentication fails with AWS Cognito Identity Pool on Android

mipnw Published at Dev

mipnw

I get an NotAuthorizedException:Token is not from a supported provider of this identity pool when I call Amazon.CognitoIdentity.AmazonCognitoIdentityClient.GetIdAsync()

I do not understand why, the token was obtained by authenticating with GoogleSignInApi, and the AWS Identity Pool is configured to federate to the Google authentication provider with the same "Google WebApp Client ID" used to authenticate on the Android device.

Also I've tried to obtain the Google token using 2 different ways

using the result of .RequestIdToken() on the GoogleSignInOptions
by calling the GoogleAuthUtil.GetToken API

Both tokens are different when inspected, both look like good tokens, and both fail with the same error when given to AmazonCognitoIdentityClient. Clearly the user is authenticated on the Android device, the app is able to get the Email, DisplayName etc...

var googleSignInOptions = new 
GoogleSignInOptions.Builder(GoogleSignInOptions.DefaultSignIn)
   .RequestIdToken("Google WebApp Client ID")
   .RequestEmail()
   .Build();

mGoogleApiClient = new GoogleApiClient.Builder(this)
   .EnableAutoManage(
      this, // FragmentActivity
      this) // OnConnectionFailedListener
   .AddApi(Auth.GOOGLE_SIGN_IN_API, gso)
   .Build();

mGoogleApiClient.Connect();

var result = await Auth.GoogleSignInApi.SilentSignIn(mGoogleApiClient);

// Only need one or the other, trying to figure out which
var idToken = result.SignInAccount.IdToken;
var authToken = await GetGoogleAuthTokenAsync(result.SignInAccount.Email);

var shortLivedAWScredentials = new CognitoAWSCredentials("identity-pool-id", AWSConfigs.RegionEndpoint);
var cognitoClient = new AmazonCognitoIdentityClient(shortLivedAWScredentials,AWSConfigs.RegionEndpoint);

var logins = new Dictionary<string, string>();
logins["accounts.google.com"] = idToken; // same failure if I use authToken

var request = new GetIdRequest();
request.IdentityPoolId = "identity-pool-id";
request.Logins = logins;

var result = await cognitoClient.GetIdAsync(request); // THIS THROWS Amazon.CognitoIdentity.Model.NotAuthorizedException

private async Task<string> GetGoogleAuthTokenAsync(string accountEmail)
{
   Account googleAccount = new Account(accountEmail, GoogleAuthUtil.GoogleAccountType);
   string scopes = "audience:server:client_id:" + "Google WebApp Client ID"
   var token = await Task.Run(() => { return GoogleAuthUtil.GetToken(this, googleAccount, scopes); });
   return token;
}

Notes - Right after the exception, the AWS Console shows the Cognito identity pool grows by 1 unauthenticated identity, no change to the number of google identities

mipnw

Hours of searching and I finally found a solution. Basically AWS Cognito Identity Pool Federation to Google+ is completely broken, but do not despair. What you need to do is Federate to an OpenID provider instead.

First, go to AWS console > IAM > Identity Providers > Create Provider > Provider Type = OpenID Connect > Provider URL = https://accounts.google.com > Audience = "the Google Client ID for Android or iOS you created in the Google Developer Console"

Be careful, do not use the "Google Web App Client ID" for the Audience.

Second, go to AWS Console > Cognito > Federated Identity Pools. Select your Identity Pool, then click "Edit Identity Pool", then navigate to the OpenID tab (not the Google+ tab, don't even use that one it doesn't work). You should now see a checkbox titled "accounts.google.com", check it.

Third, go edit your mobile app source code, and make sure you use the "Google WebApp Client ID" you generated in the Google Developer Console when you build the scopes string used to call GoogleAuthUtil.GetTokenGoogleAuthUtil.GetToken(this, googleAccount, scopes). That is scopes = "audience:server:client_id:" + "webClientId"

Now your call to var result = await cognitoClient.GetIdAsync(request); should succeed.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2020-10-28

Comments

0 comments

TOP Ranking

Article

Google Authentication fails with AWS Cognito Identity Pool on Android

Google Authentication fails with AWS Cognito Identity Pool on Android

Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

pump.io port in URL

How to import an asset in swift using Bundle.main.path() in a react-native native module

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

Emulator wrong screen resolution in Android Studio 1.3

3D Touch Peek Swipe Like Mail

Double spacing in rmarkdown pdf

Svchost high CPU from Microsoft.BingWeather app errors

How to how increase/decrease compared to adjacent cell

Using Response.Redirect with Friendly URLS in ASP.NET

java.lang.NullPointerException: Cannot read the array length because "<local3>" is null

BigQuery - concatenate ignoring NULL

How to fix "pickle_module.load(f, **pickle_load_args) _pickle.UnpicklingError: invalid load key, '<'" using YOLOv3?

ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

Can a 32-bit antivirus program protect you from 64-bit threats

Make a B+ Tree concurrent thread safe

Bootstrap 5 Static Modal Still Closes when I Click Outside

Vector input in shiny R and then use it

Assembly definition can't resolve namespaces from external packages