Tags: javascript, openid, amazon-cognito, social-authentication

Manage users on my website using OpenID, Social Login and Amazon Cognito


I'm getting a little overwhelmed with all the information available to me.

Say I have a website on which I want to authenticate users and manage their profiles for cross mobile reuse. This website works closely with Amazon AWS.

How can I achieve the following combination?

  • Authenticate users using a wide array of providers
  • Not integrate each and every provider separately and manually
  • Use the credentials from these authenticated users to integrate with Amazon Cognito

Facts that I am aware of:

  • There are services out there that offer a single API to authenticate with a wide variety of providers (well known example: oneall.com).
  • OpenId is a standardized authentication scheme that some providers implement. But the list seems much shorter than the lists of Social Network Providers that services such as OneAll support. However, OneAll also supports OpenId, it seems, but I'm not sure what that means for me.
  • Amazon Cognito integrates a very limited list of Social Network Providers, but you have to do the groundwork yourself; Amazon Cognito only seems to know about the keys they produce.
  • Amazon Cognito also supports OpenID.

Ideally I would like to use one of the Social Network Provider meta services that allow me to effortlessly add and remove login options. At the same time, I want to be able to use Amazon Cognito to link these credentials to profiles.

What are my options?


Solution

  • Amazon Cognito supports users logging in with Facebook, Amazon, Twitter, Digits, Google, or any OpenID Connect provider. If you want to support users logged in with another provider or with a federated provider, you can use OpenID Connect or Developer Authenticated Identities.

    OpenID Connect: There are products out there that federate/broker multiple social providers and expose the federated user via OpenID Connect which have special support for Cognito including Ping Federate and Auth0 to name a couple.

    Developer Authenticated Identities enables you to completely control the authentication process for the user. Essentially your user logs in with your own backend (which you could use to broker social logins) and your backend makes a secure call to Amazon Cognito with an identifier that you use to uniquely identify the user to retrieve a token from Cognito. Potentially you could federate identities using this method as well. The Cognito Developer Guide has a visual showing the flow to understand the big picture and a complete guide to setting it up.

    Again, Amazon Cognito already supports the most popular social providers out of the box and we have a topic for each social provider in the Amazon Cognito Developer Guide, but above is a more exhaustive list of options.
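The Developer Authenticated Identities backend step described in the answer, as an added illustration that is not code from the answer or from AWS. It assumes a placeholder identity pool id and developer provider name (`login.example.com`), a `brokered` login object the backend has already verified with its social-login broker, and a `cognito` object exposing `getOpenIdTokenForDeveloperIdentity(params)` that returns a Promise (a promisified AWS SDK CognitoIdentity client would fit); `fakeCognito` is a constructed in-memory stand-in so the flow runs offline.

```javascript
// Added example of the Developer Authenticated Identities flow (not from the original answer).
// Assumptions: IDENTITY_POOL_ID and DEVELOPER_PROVIDER_NAME are placeholders that must match
// the identity pool configuration; `cognito` is any object whose
// getOpenIdTokenForDeveloperIdentity(params) returns a Promise of { IdentityId, Token }.
const IDENTITY_POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000'; // placeholder
const DEVELOPER_PROVIDER_NAME = 'login.example.com'; // placeholder

// Derive the stable, unique identifier the backend sends to Cognito. It is namespaced by
// social provider so the same subject id at two providers never collides, and it never uses
// an email address, which can change hands. Only brokered logins the backend has verified
// are accepted; an unverified login must never be turned into a Cognito token.
function developerIdentifier(brokered) {
  if (!brokered.verified) {
    throw new Error('refusing to mint a Cognito token for an unverified login');
  }
  if (!brokered.provider || !brokered.subject) {
    throw new Error('brokered login must carry provider and subject');
  }
  return `${brokered.provider}:${brokered.subject}`;
}

// Backend step: exchange the brokered login for a Cognito OpenID token. Passing an
// existing IdentityId links this login to an identity Cognito already knows.
async function tokenForBrokeredLogin(cognito, brokered, existingIdentityId) {
  const params = {
    IdentityPoolId: IDENTITY_POOL_ID,
    Logins: { [DEVELOPER_PROVIDER_NAME]: developerIdentifier(brokered) },
    TokenDuration: 900, // short-lived token: 15 minutes
  };
  if (existingIdentityId) params.IdentityId = existingIdentityId;
  const res = await cognito.getOpenIdTokenForDeveloperIdentity(params);
  return { identityId: res.IdentityId, token: res.Token };
}

// Constructed in-memory stand-in for the Cognito service so the example runs offline:
// it hands out one IdentityId per developer identifier, as the real service would.
function fakeCognito() {
  const identities = new Map(); // developer identifier -> IdentityId
  return {
    async getOpenIdTokenForDeveloperIdentity(params) {
      const devId = params.Logins[DEVELOPER_PROVIDER_NAME];
      if (!identities.has(devId)) {
        identities.set(devId, `${IDENTITY_POOL_ID.split(':')[0]}:id-${identities.size + 1}`);
      }
      return { IdentityId: identities.get(devId), Token: `fake-token-for-${devId}` };
    },
  };
}
```

The client then uses the returned `token` and `identityId` to obtain AWS credentials from Cognito exactly as it would after a native Facebook or Google login.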