Solved

Remix App - Authorize AWS Cognito Users

markogill
Shopify Partner

Hello,

I am hosting an AWS Amplify app, and use Cognito to authenticate users. I would like to implement passwordless authentication with my AWS resources, but I am unable to determine the best way to do this.

I see that I can access an OpenID Connect ID Token.

How can I provide this token to AWS to sign in Cognito users?

Maybe this approach isn't even correct. This stuff is fairly lost on me at the moment. Thanks for any advice.

Thanks.

Developing Order Otter
https://apps.shopify.com/order-otter

Import PDF Purchases to your Store.
Accepted Solution (1)
markogill
Shopify Partner

This is an accepted solution.

For anyone who winds up here,

I tried to use Developer Authenticated Identities in Cognito.

I was unable to authenticate AppSync calls from this method as I found the documentation lacking and I had too much uncertainty over how to proceed.

I also looked into using Shopify as an OIDC provider directly with Cognito. This is not supported by Cognito out of the box, as each shop has its own OAuth URLs. Cognito expects a consistent OAuth URL per provider, so you will have to create a custom Cognito Auth flow. I found some documentation on that here: https://www.richdevelops.dev/implementing-shopify-oauth2-with-cogntio-user-pool-amplify-and-lambda

I decided not to pursue any of this at the moment as it is time-consuming, and I am stalling out on this.

I instead opted for traditional username/password logins with the Amplify SDK, and that's working well enough. It's working well enough.

Good luck!

Developing Order Otter
https://apps.shopify.com/order-otter

Import PDF Purchases to your Store.


Replies 3 (3)

Liam
Shopify Staff

Hi Markogill,

I believe you're on the right track! Cognito supports passwordless authentication and you can use the OpenID Connect ID Token to authenticate users.

Here's a high-level overview of how you can achieve this:

  1. User Registration: When a new user wants to register, they will provide their email address. Your application will generate a unique verification code and send it to the user's email.
  2. User Verification: The user enters the received verification code into your application. Your application will confirm the code, and if it's correct, the user is considered verified.
  3. User Authentication: Now that the user is verified, they can authenticate themselves using their email address. Your application will generate a new unique verification code and send it to the user's email.
  4. User Login: The user enters the received verification code into your application. Your application will confirm the code, and if it's correct, the user is considered authenticated.

You might find it helpful to review the AWS Cognito Developer Guide, particularly the sections on User Authentication Flow and Using Tokens with User Pools: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-f...

I hope this helps! Let me know if you have any more questions.

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

markogill
Shopify Partner

Hi Liam,

Thank you kindly for responding.

I forgot to mention I'm using the Remix template to build a Shopify Admin App.

Accessed through

npm init @shopify/app@latest

I was thinking that the Shopify Admin user is authenticated by the time they access my application, and that I wouldn't need to ask them for email or any other inputs. I thought the OpenID token provided by Shopify through the Admin API should be enough.

Considering this, do you still think it is correct for me to provide a log-in screen, requiring the user to provide credentials such as e-mail?

Developing Order Otter
https://apps.shopify.com/order-otter

Import PDF Purchases to your Store.