3 votes

I am looking to integrate Google Login (not the Google+ one provided by Cognito, I don't want to require users to be Google+ users) with Cognito & API Gateway.

Am I on the right track?

  • I have added accounts.google.com to Cognito's Federated Identities pool
  • After login:

    // AWS SDK for JavaScript v2 (loaded via <script> in the browser or require('aws-sdk') in Node);
    // googleUser comes from the Google Sign-In (gapi.auth2) callback
    AWS.config.region = "ap-northeast-2"
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'ap-northeast-2:31cc246c-bd2e-46ee-91da-2b8eefcf0745',
        Logins: {
          // provider name for Google Sign-In; the value is the Google ID token (a JWT)
          "accounts.google.com": googleUser.getAuthResponse().id_token
        }
    })
    

Am I on the right track so far? But with this alone I do not have a Cognito token?

I think I need to follow one of the flows from the docs. But which?

Do I just use Enhanced (Simplified)? And call GetId & GetCredentialsForIdentity? But do I even need GetId? I think I just need a token?

Any examples or guidance? I don't want to just brute-force whatever works but not understand what's the use case of each flow ... can someone help explain?

1 Answer

2 votes

By configuring AWS.config.credentials you are effectively configuring the credentials object used to obtain an AWS Access Key ID and Secret Access Key automagically.

The CognitoIdentityCredentials (see here) object establishes these for you when you attempt to call any other AWS library, for example S3. If you need access to the keys themselves, call either AWS.config.credentials.refresh() (refresh) or AWS.config.credentials.get() and inside the callback you can then access AWS.config.credentials.secretAccessKey (secretAccessKey) etc.

Finally, if you're looking to obtain an OpenID token using a federated identity, for use in a similar fashion to Cognito User Pools - as far as I'm aware, this is not currently possible. The closest you can get is GetOpenIdToken.
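The two identity-pool flows the question asks about, written out as an added example (not code from the question or the answer). The enhanced flow is what AWS.CognitoIdentityCredentials runs for you under the hood; the basic flow is where GetOpenIdToken comes in. Both flows run here against a constructed fake client so the example works offline; with the real aws-sdk v2 you would pass `new AWS.CognitoIdentity({ region })` and `new AWS.STS({ region })`, whose methods take the same (params, callback) shape. The identity pool ID is the one from the question; the role ARN, the token strings and the fake's canned responses are assumptions made for the example.

```javascript
// Added example: Cognito identity pool enhanced vs. basic flow against a
// constructed fake client (real clients: aws-sdk v2 CognitoIdentity and STS).

const IDENTITY_POOL_ID = 'ap-northeast-2:31cc246c-bd2e-46ee-91da-2b8eefcf0745'; // pool from the question
const PROVIDER = 'accounts.google.com'; // Logins key for Google Sign-In
const ROLE_ARN = 'arn:aws:iam::123456789012:role/ExampleCognitoAuthRole'; // hypothetical role for the basic flow

// Enhanced (simplified) flow: GetId, then GetCredentialsForIdentity. Cognito
// assumes the pool's authenticated role itself and returns AWS keys directly.
// GetId is still needed: it is what maps the Google identity to a Cognito IdentityId.
function enhancedFlow(cognito, googleIdToken, callback) {
  const logins = { [PROVIDER]: googleIdToken };
  cognito.getId({ IdentityPoolId: IDENTITY_POOL_ID, Logins: logins }, (err, idRes) => {
    if (err) return callback(err);
    cognito.getCredentialsForIdentity({ IdentityId: idRes.IdentityId, Logins: logins }, (err2, credRes) => {
      if (err2) return callback(err2);
      callback(null, {
        identityId: credRes.IdentityId,
        accessKeyId: credRes.Credentials.AccessKeyId,
        secretAccessKey: credRes.Credentials.SecretKey, // Cognito names it SecretKey; STS uses SecretAccessKey
        sessionToken: credRes.Credentials.SessionToken,
        expiration: credRes.Credentials.Expiration,
      });
    });
  });
}

// Basic (classic) flow: GetId, GetOpenIdToken, then STS AssumeRoleWithWebIdentity.
// You choose the role ARN yourself. GetOpenIdToken is the only call that hands
// back an OpenID token for a federated identity, and its purpose is this STS exchange.
function basicFlow(cognito, sts, googleIdToken, roleArn, callback) {
  const logins = { [PROVIDER]: googleIdToken };
  cognito.getId({ IdentityPoolId: IDENTITY_POOL_ID, Logins: logins }, (err, idRes) => {
    if (err) return callback(err);
    cognito.getOpenIdToken({ IdentityId: idRes.IdentityId, Logins: logins }, (err2, tokRes) => {
      if (err2) return callback(err2);
      const stsParams = {
        RoleArn: roleArn,
        RoleSessionName: 'cognito-' + idRes.IdentityId.split(':')[1], // colon is not allowed in session names
        WebIdentityToken: tokRes.Token,
      };
      sts.assumeRoleWithWebIdentity(stsParams, (err3, roleRes) => {
        if (err3) return callback(err3);
        callback(null, {
          identityId: idRes.IdentityId,
          accessKeyId: roleRes.Credentials.AccessKeyId,
          secretAccessKey: roleRes.Credentials.SecretAccessKey,
          sessionToken: roleRes.Credentials.SessionToken,
          expiration: roleRes.Credentials.Expiration,
        });
      });
    });
  });
}

// Constructed stand-in for the two SDK clients: records which API each flow calls
// and returns canned responses using the real APIs' field names. It rejects a
// missing Google token at GetId, as a pool with unauthenticated access disabled does.
function makeFakeClients() {
  const calls = [];
  const loginError = (params) => (params.Logins && params.Logins[PROVIDER])
    ? null
    : Object.assign(new Error('Invalid login token.'), { code: 'NotAuthorizedException' });
  const cognito = {
    getId(params, cb) {
      calls.push('GetId');
      const err = loginError(params);
      cb(err, err ? null : { IdentityId: 'ap-northeast-2:0000-fake-identity' });
    },
    getCredentialsForIdentity(params, cb) {
      calls.push('GetCredentialsForIdentity');
      cb(null, { IdentityId: params.IdentityId, Credentials: {
        AccessKeyId: 'ASIAFAKEENHANCED', SecretKey: 'fake-secret-enhanced',
        SessionToken: 'fake-session-enhanced', Expiration: new Date(0) } });
    },
    getOpenIdToken(params, cb) {
      calls.push('GetOpenIdToken');
      cb(null, { IdentityId: params.IdentityId, Token: 'fake.openid.token' });
    },
  };
  const sts = {
    assumeRoleWithWebIdentity(params, cb) {
      calls.push('AssumeRoleWithWebIdentity');
      cb(null, { Credentials: {
        AccessKeyId: 'ASIAFAKEBASIC', SecretAccessKey: 'fake-secret-basic',
        SessionToken: 'fake-session-basic', Expiration: new Date(0) } });
    },
  };
  return { cognito, sts, calls };
}

// Demo against the fake: prints the call sequence each flow makes.
const demo = makeFakeClients();
enhancedFlow(demo.cognito, 'google-id-token-jwt', (err, creds) =>
  console.log('enhanced:', err ? err.code : creds.accessKeyId, '| calls:', demo.calls.join(' -> ')));
```

In practice the enhanced flow is the right default, and the question's AWS.CognitoIdentityCredentials object already performs it; the basic flow only earns its extra round trip when you need to pick the role yourself or pass the OpenID token to STS directly.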