Set up OpenID Connect (OIDC) Provider in AWS

Part III: Connect UI to API | Story 01: Create OpenID Connect Provider in AWS

GIT: Repo

In Part 1 of this series, we developed a serverless API for our app and deployed it to AWS.

In Part 2, we created the UI for our app with react-native, implemented Google Sign-in and added a couple of screens for the user to view or add words to his/her vocabulary collection, using some static/hardcoded data. Finally we added redux actions to get/post data from the words db table using our serverless API. However, when we tried to post a word, we got a 403 Forbidden error.

Now, in this Part III of the series, we will fix this 403 error by setting up AWS authentication and authorization, so that the app user can access the API using AWS Cognito Federated Identities.

Below is a summary of how authentication and authorization will work:

  • The user logs in with Google Sign-in. Google authenticates the user's credentials and provides an auth token for the user session.
  • We pass the user's Google auth token to AWS Federated Identities, which in turn provides a temporary access token for the user's AWS session under an Authenticated IAM role. We set the permissions of this Authenticated IAM role to allow access to our AWS API Gateway, so that the user can call the API.

Thus, we first have to create an Identity pool in AWS. An Identity pool provides an identity for our app user and assigns it a temporary access token for AWS resources. When creating an Identity pool, we have to specify an Authentication Provider for it. Several Authentication Providers are available, such as an AWS Cognito User Pool, Amazon OAuth, Facebook, Google or Twitter OAuth.

In our case, we use Google Sign-in on the react-native side, so we have to set up the Identity pool with Google as the identity provider.

There is a limitation with the Google identity provider for an AWS Identity pool: on the AWS Create Identity pool wizard, under the Authentication Providers ➝ Google tab, we can only add one client id.

To specify multiple client ids (in our app's case, one for iOS and one for Android), instead of using Google as the Authentication provider for the Identity pool we have to use an OpenID Connect Provider, which accepts multiple client ids as audiences.

So, as a first step, let's create an OpenID Connect (OIDC) Provider for our app in our AWS account. But before that, let's get our iOS and Android client ids.

Google Client Ids of iOS and Android platforms

Get the Google client ids of the iOS and Android apps we created in the Firebase developer console.

The iOS app's client id can be obtained from the GoogleService-Info.plist file that we downloaded and added to our react-native iOS project.

The Android app's client id can be obtained from the google-services.json file that we downloaded and added to our react-native Android project.

Create OpenID Connect (OIDC) Provider in AWS

(Follow along with this guide below, or see the detailed documentation here)

1. Go to IAM from the AWS Console.

2. Select the Identity Providers option from the left side navigation pane and then select Create Provider.

3. On the 'Configure Provider' screen, select 'OpenID Connect' as the Provider Type.

4. Next, enter "https://accounts.google.com" for Provider URL.

In the Audience field, enter the client id of the iOS app that we noted down above in Note # 3.

5. Click the 'Next Step' button.

(I got an error here saying invalid Provider URL. I had an extra space after https://accounts.google.com; after removing the space, the Next Step button remained disabled and I had to start over.)

6. At this point, the AWS Console creates a thumbprint for your identity provider. If you were creating the OIDC provider using the AWS CLI, you would have to generate the thumbprint manually and provide it.

In the next screen, you will be asked to verify the generated thumbprint.

7. Click the Create button.

Click on the created provider to go to its Summary view and click the 'Add an Audience' button.

This time enter the Android client id that we noted down above in Note # 3 and click Save Changes.
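As an added example (not code from the original post, nor from AWS), here is the CLI/SDK route that step 6 alludes to, in Python: it derives the thumbprint that the console otherwise generates for you, registers both the iOS and Android client ids as audiences in a single call (steps 4 and 7 in one), and includes the issuer/audience check that registering those ids makes meaningful. It assumes that the thumbprint IAM wants is the hex SHA-1 digest of the DER encoding of the top-most CA certificate the issuer's TLS endpoint presents (the last block `openssl s_client -showcerts` prints), that `openssl` is on PATH and `boto3` is installed for the two live calls only (the offline helpers need neither), and that the two client ids are placeholders to be replaced with the values from GoogleService-Info.plist and google-services.json.

```python
"""CLI/SDK route for creating the Google OIDC provider in IAM (added example)."""
import base64
import hashlib
import re
import subprocess
from typing import List

PROVIDER_URL = "https://accounts.google.com"

# Placeholder audiences (constructed): one per platform, as the post requires.
CLIENT_IDS = [
    "IOS_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
    "ANDROID_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
]

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_from_der(der: bytes) -> str:
    """Wrap raw DER bytes in PEM armour (used to build sample chains offline)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def split_pem_chain(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in the text, in presented order."""
    return [base64.b64decode("".join(block.split()))
            for block in _PEM_BLOCK.findall(pem_text)]


def oidc_thumbprint(pem_chain: str) -> str:
    """Thumbprint in the form IAM's ThumbprintList wants: 40 uppercase hex chars.

    Assumption (see lead-in): SHA-1 over the DER of the last certificate in the
    presented chain, i.e. the top-most CA the issuer's endpoint sends.
    """
    certs = split_pem_chain(pem_chain)
    if not certs:
        raise ValueError("no certificate found in PEM input")
    return hashlib.sha1(certs[-1]).hexdigest().upper()


def fetch_pem_chain(hostname: str, port: int = 443) -> str:
    """Fetch the chain the issuer's TLS endpoint presents (assumes openssl on PATH)."""
    result = subprocess.run(
        ["openssl", "s_client", "-connect", f"{hostname}:{port}",
         "-servername", hostname, "-showcerts"],
        input=b"", capture_output=True, check=True,
    )
    return result.stdout.decode("utf-8", "replace")


def token_matches_provider(claims: dict, url: str = PROVIDER_URL,
                           client_ids: List[str] = CLIENT_IDS) -> bool:
    """The two checks registering the provider makes possible on a Google ID token:
    the issuer must be the provider URL (Google uses both the https form and the
    bare host) and the audience must be one of the registered client ids.
    Signature and expiry are verified by AWS at exchange time, not here."""
    issuer = claims.get("iss")
    bare_host = url[len("https://"):] if url.startswith("https://") else url
    if issuer not in (url, bare_host):
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return any(a in client_ids for a in audiences)


def create_provider(url: str, client_ids: List[str], thumbprint: str) -> str:
    """SDK equivalent of `aws iam create-open-id-connect-provider` (needs boto3)."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    iam = boto3.client("iam")
    response = iam.create_open_id_connect_provider(
        Url=url, ClientIDList=client_ids, ThumbprintList=[thumbprint]
    )
    return response["OpenIDConnectProviderArn"]


if __name__ == "__main__":
    thumbprint = oidc_thumbprint(fetch_pem_chain("accounts.google.com"))
    print("thumbprint:", thumbprint)
    print("provider ARN:", create_provider(PROVIDER_URL, CLIENT_IDS, thumbprint))
```

The CLI form of the final call is `aws iam create-open-id-connect-provider --url https://accounts.google.com --client-id-list <ios id> <android id> --thumbprint-list <thumbprint>`; both audiences go in at creation, so the separate 'Add an Audience' step of the console is not needed. Because the thumbprint is tied to the CA chain the endpoint presents, recompute it rather than copying a value from an older post.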

We now have the OIDC provider created. In the next post, we will set up an Identity pool in the AWS Cognito service for our application.
