Hello,
I am hosting an AWS Amplify app, and use Cognito to authenticate users. I would like to implement passwordless authentication with my AWS resources, but I am unable to determine the best way to do this.
I see that I can access an OpenID Connect ID Token
How can I provide this token to AWS to sign-in Cognito users?
Maybe this approach isn't even correct. This stuff is fairly lost on me at the moment. Thanks for any advice.
Thanks.
This is an accepted solution.
For anyone who winds up here,
I tried to use Developer Authenticated Identities in Cognito
I was unable to authenticate AppSync calls from this method as I found the documentation lacking and I had too much uncertainty over how to proceed.
I also looked into using Shopify as an OIDC provider directly with Cognito. This is not supported by Cognito out of the box, as each shop has its own OAuth URLs. Cognito expects a consistent OAuth URL per provider, so you will have to create a custom Cognito Auth flow. I found some documentation on that here https://www.richdevelops.dev/implementing-shopify-oauth2-with-cogntio-user-pool-amplify-and-lambda
I decided not to pursue any of this at the moment as it is time consuming, and I am stalling out on this.
I instead opted for traditional username/password logins with the Amplify SDK, and that's working well enough.
Good luck!
Hi Markogill,
I believe you're on the right track! Cognito supports passwordless authentication and you can use the OpenID Connect ID Token to authenticate users.
Here's a high-level overview of how you can achieve this:
User Verification: The user enters the received verification code into your application. Your application will confirm the code, and if it's correct, the user is considered as verified.
User Authentication: Now that the user is verified, they can authenticate themselves using their email address. Your application will generate a new unique verification code and send it to the user's email.
User Login: The user enters the received verification code into your application. Your application will confirm the code, and if it's correct, the user is considered as authenticated.
You might find it helpful to review the AWS Cognito Developer Guide, particularly the sections on User Authentication Flow and Using Tokens with User Pools: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-f...
I hope this helps! Let me know if you have any more questions.
Liam | Developer Advocate @ Shopify
Hi Liam,
Thank you kindly for responding.
I forgot to mention I'm using the Remix template to build a Shopify Admin App.
Accessed through
npm init @shopify/app@latest
I was thinking that the Shopify Admin user is authenticated by the time they access my application, and that I wouldn't need to ask them for email or any other inputs. I thought the OpenID token provided by Shopify through the Admin API should be enough.
Considering this do you still think it is correct for me to provide a log-in screen, requiring the user to provide credentials such as e-mail?