Nowadays, security is a central concern when developing an application, and maintaining the application's own user accounts is even more demanding.
So instead of creating new users in your application and securing them yourself, this library authenticates users against their existing Google/Facebook/Amazon accounts and hands the authenticated user directly to you.
- In future we will add more.

Developers can choose any one use-case according to project requirements:

- Login: in this use-case the developer can directly use the IAM-Auth module to log users into the developer's project. It does not require a registration flow; the module handles registration internally.
- Registration-Login: in this use-case the developer provides a set of registration fields during registration. The IAM-Auth module will not check the Username for uniqueness in this use-case. A user needs to be registered before logging in, and the user does not have to provide a username during login.
- Registration-Login with Unique Username: in this use-case the developer provides a set of registration fields during registration. The IAM-Auth module explicitly checks the Username for uniqueness in this use-case. A user needs to be registered before logging in, and the username is mandatory during login.
The fields of `config.json` are described below.

- `regFields`: only if you want the Registration-Login flow, add the registration fields to this array. Please make sure to pass all registration fields in the registration request.
- `uniqueUsername`: if you want the Registration-Login feature with a Unique Username in the system, set this field to `true`, or remove it if not needed. Once this field is set to `true` you will have to create an index on the `username` column of the DynamoDB table in which user data is stored. If it is set to `false`, the username has no uniqueness constraint in the system.
- `serverAddress`: when deploying this module on AWS EC2 or Beanstalk, you will have to add the IP address of that instance.
- `aws`: this field contains all the Amazon Web Services details. Add your AWS `accountId`, `awsRegion`, `cognitoIdentityPoolId` and the `iamRoleArn` created for authenticated users.
- `tableName`: enter the name of the table created in DynamoDB.
- `tableKey`: enter the name of the partition key provided while creating the above table.
- `indexName`: enter the name of the index created in DynamoDB on the above table (only needed for the Unique Username requirement).
- `indexKey`: enter the name of the index key provided while creating the above table (only needed for the Unique Username requirement). Make sure that the partition key column is present in the table.

Now you have to specify which third-party identity providers you want your application to support. Presently the IAM-Auth module supports:

- Facebook
- Google
- Amazon

You have to create a developer account for those providers on their sites, where you will get a `clientID` and `clientSecret`. You also have to provide the `callbackURL` to which the third-party authentication provider will redirect after successful authentication. You can specify which profile fields you want to read from the user's third-party account; by default IAM-Auth fetches the `username`, `name` and `email` information.
A complete sample `config.json` (the `//` notes are explanations only; a real JSON file must not contain them):

```jsonc
{
  "fields": ["provider", "request", "authId", "cognitoId", "accessKey", "secretKey", "sessionToken"],
  "regFields": ["username", "name", "city", "email"],
  "uniqueUsername": true, // true or false
  "serverAddress": "http://localhost:8081",
  "tableName": "users",
  "tableKey": "cognito_id",
  "indexName": "username-index",
  "indexKey": "username",
  "aws": {
    "accountId": "AWS-ACCOUNT-ID",
    "awsRegion": "AWS-REGION",
    "cognitoIdentityPoolId": "COGNITO-IDENTITY-POOL-ID",
    "iamRoleArn": "IAM-ROLE-ARN"
  },
  "facebook": {
    "clientID": "FACEBOOK CLIENT ID",
    "clientSecret": "FACEBOOK CLIENT SECRET",
    "callbackURL": "http://localhost:8081/auth/facebook/callback", // server-address + /auth/facebook/callback
    "profileFields": ["displayName", "email", "id"]
  },
  "google": {
    "clientID": "GOOGLE CLIENT ID",
    "clientSecret": "GOOGLE CLIENT SECRET",
    "callbackURL": "http://localhost:8081/auth/google/callback", // server-address + /auth/google/callback
    "profileFields": ["displayName", "email", "id"]
  },
  "amazon": {
    "clientID": "AMAZON CLIENT ID",
    "clientSecret": "AMAZON CLIENT SECRET",
    "callbackURL": "http://localhost:8081/auth/amazon/callback", // server-address + /auth/amazon/callback
    "profileFields": ["displayName", "email", "id"]
  }
}
```
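The following start-up check is an added example and is not part of the IAM-Auth project. It applies the rules stated above for `config.json` (the `username` registration field and index for the unique-username flow, credentials for each enabled provider, and `callbackURL` equal to `serverAddress` + `/auth/<provider>/callback`) and refuses to start while the sample placeholder values are still in place. The function names `validateConfig` and `parseConfig`, the placeholder pattern and the error messages are assumptions of this example.

```javascript
// Added example, not part of the IAM-Auth project: a start-up check for
// config.json. Function names, placeholder pattern and messages are assumptions.
const PROVIDERS = ["facebook", "google", "amazon"];   // providers listed in the README
const AWS_KEYS = ["accountId", "awsRegion", "cognitoIdentityPoolId", "iamRoleArn"];
// Matches the placeholder strings used in the sample config.json above.
const PLACEHOLDER = /^(AWS-|COGNITO-|IAM-ROLE-|(FACEBOOK|GOOGLE|AMAZON) CLIENT)/;

// Returns a list of problems; an empty list means the config is usable.
function validateConfig(cfg) {
  const errors = [];

  // AWS block: every key present and no sample placeholder left behind.
  const aws = cfg.aws || {};
  for (const key of AWS_KEYS) {
    if (!aws[key]) errors.push(`aws.${key} is missing`);
    else if (PLACEHOLDER.test(aws[key])) errors.push(`aws.${key} still holds the sample placeholder`);
  }

  // The DynamoDB table and its partition key are always required.
  if (!cfg.tableName || !cfg.tableKey) errors.push("tableName and tableKey are required");

  // Unique-username flow: 'username' must be a registration field and the
  // index on it must be configured (the README: create an index on the username column).
  const regFields = Array.isArray(cfg.regFields) ? cfg.regFields : [];
  if (cfg.uniqueUsername === true) {
    if (!regFields.includes("username")) errors.push("uniqueUsername needs 'username' in regFields");
    if (!cfg.indexName) errors.push("uniqueUsername needs indexName");
    if (!cfg.indexKey || !regFields.includes(cfg.indexKey)) errors.push("indexKey must name one of the regFields");
  } else if (cfg.uniqueUsername !== undefined && cfg.uniqueUsername !== false) {
    errors.push("uniqueUsername must be true or false");
  }

  // Providers: credentials filled in, and callbackURL must be
  // serverAddress + /auth/<provider>/callback so the OAuth redirect returns to this server.
  const server = String(cfg.serverAddress || "").replace(/\/$/, "");
  if (!server) errors.push("serverAddress is required");
  for (const p of PROVIDERS) {
    const prov = cfg[p];
    if (!prov) continue;                                   // provider not enabled
    if (!prov.clientID || !prov.clientSecret) {
      errors.push(`${p}: clientID and clientSecret are required`);
    } else if (PLACEHOLDER.test(prov.clientID) || PLACEHOLDER.test(prov.clientSecret)) {
      errors.push(`${p}: sample placeholder credentials are still in place`);
    }
    const expected = `${server}/auth/${p}/callback`;
    if (prov.callbackURL !== expected) errors.push(`${p}: callbackURL should be ${expected}`);
  }
  return errors;
}

// Parses the file contents as strict JSON (the "//" notes in the sample must be
// removed first) and fails fast with every problem listed.
function parseConfig(jsonText) {
  const cfg = JSON.parse(jsonText);
  const errors = validateConfig(cfg);
  if (errors.length) throw new Error(`config.json is not usable:\n - ${errors.join("\n - ")}`);
  return cfg;
}
```

Call `parseConfig` with the file contents before the server starts listening; refusing to start is preferable to running with a placeholder identity-pool id or a callback URL that a provider will not redirect to.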
To start the server:

```shell
$ cd glm/server
$ npm install
$ node server.js
```
We have provided a sample client application which demonstrates how to use the IAM-Auth module in your application.

- Make sure that the index.html page remains in your client application folder. You can refer to this link for deploying a web app on a Tomcat server.
- Then open the client application in your browser.
Following are the routes provided by the IAM-Auth module, which the client application should use to get the required response.

Whenever the user wants to log in or register, the request should be made to the `/auth` route.

- During a login request the client should send the `provider-name` and `request-type` (`login` in this case) as URL parameters, plus the `username` when the Unique Username feature is enabled:

  http://localhost:8081/auth?provider=facebook&request=login&username=myusername

  or, without a username:

  http://localhost:8081/auth?provider=facebook&request=login

- During a registration request the client should send the `provider-name` and `request-type` (`register` in this case) and all the required registration fields as URL parameters:

  http://localhost:8081/auth?provider=facebook&request=register&username=myusername&name=your-name&city=city-name

  http://localhost:8081/auth?provider=facebook&request=register&name=your-name&city=city-name
When the client session expires, request the `/refresh` route to get new session tokens, sending the `provider-name`, `access-token` and `refresh-token` as HTTP request body parameters. This is a POST request:

```json
{
  "provider": "google",
  "accessToken": "google access token",
  "refreshToken": "google refresh token"
}
```
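The two requests above, as an added client-side example that is not part of the sample client shipped with IAM-Auth: one helper builds the `/auth` login or registration URL with every parameter URL-encoded (so a registration value containing `&` cannot inject an extra parameter such as `request=`), and one builds the `/refresh` POST. The provider names, request types and `http://localhost:8081` come from this page; the `requireUsername` option and the function names are assumptions of the example.

```javascript
// Added example, not part of the IAM-Auth sample client: builds the /auth and
// /refresh requests described above. Function names and the requireUsername
// option are assumptions of this example.
const SERVER_ADDRESS = "http://localhost:8081";         // from the README
const PROVIDERS = ["facebook", "google", "amazon"];     // providers the README lists
const REQUEST_TYPES = ["login", "register"];

// Build the GET URL for /auth. `params` carries the registration fields (and
// the username when the unique-username feature is on). Every value is
// URL-encoded so user input cannot break the query string or add parameters.
function buildAuthUrl(provider, request, params = {}, opts = {}) {
  if (!PROVIDERS.includes(provider)) throw new Error(`unknown provider: ${provider}`);
  if (!REQUEST_TYPES.includes(request)) throw new Error(`unknown request type: ${request}`);
  if (opts.requireUsername && !params.username) {
    throw new Error("username is mandatory when uniqueUsername is enabled");
  }
  const qs = new URLSearchParams({ provider, request });
  for (const [key, value] of Object.entries(params)) {
    if (value === undefined || value === null || value === "") continue; // skip empty fields
    qs.append(key, String(value));
  }
  return `${SERVER_ADDRESS}/auth?${qs.toString()}`;
}

// Build the fetch() options for the /refresh POST (JSON body, as the README shows).
function buildRefreshRequest(provider, accessToken, refreshToken) {
  if (!PROVIDERS.includes(provider)) throw new Error(`unknown provider: ${provider}`);
  if (!accessToken || !refreshToken) throw new Error("accessToken and refreshToken are both required");
  return {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ provider, accessToken, refreshToken }),
  };
}

// Typical use in the browser:
//   window.location.href = buildAuthUrl("facebook", "login", { username: "myusername" }, { requireUsername: true });
//   fetch(SERVER_ADDRESS + "/refresh", buildRefreshRequest("google", accessToken, refreshToken));
```

The login request is a browser navigation, since the server redirects to the identity provider, while the refresh is an ordinary `fetch`. Keep the refresh token in memory rather than in a query string so it never lands in server or proxy logs.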
When any kind of request is sent to the IAM-Auth module, it responds to the client application with one of the following `STATUS_CODES`, which can be used in the client application.

- Login failure. A very rare response, returned on server internal errors.
- Successful login: the client receives this status along with all the user data.
- Already registered: returned if you register with the same account again.
- Not registered: returned if you log in with a non-registered account.
- Register failure. A very rare response, returned on server internal errors.
- Username already exists: returned if your application needs `UNIQUE_USERNAME` in the system and the client application tries to register with an existing username.
- Invalid username: returned if your application needs `UNIQUE_USERNAME` in the system and the client logs in with a non-existing username, or the username and the identity provider account do not match.
If your requirement is the Registration-Login flow with a unique username for each user, you will have to do the following steps to configure the IAM-Auth module.

- First, modify the `config.json` file as shown below for your requirement. You can add any registration fields that you want.
- Don't change the `username` field.
- During login, you should send the `username` to the server.
- During registration, you will have to provide all the registration fields that you listed in `regFields`:

```json
"regFields": ["username", "name", "city", "email"],
"uniqueUsername": true,
```
Sign up on the AWS console, and do the following.

- Select the region as per your convenience, and make sure that during the following steps you select the same region. You can get the region name from the URL of the AWS console homepage: the last field in that URL is the region name, e.g. https://console.aws.amazon.com/console/home?region=`us-east-1`. Paste the region name into the `awsRegion` field of the `config.json` file:

```json
"aws": {
  "accountId": "AWS-ACCOUNT-ID",
  "awsRegion": "AWS-REGION",
  "cognitoIdentityPoolId": "COGNITO-IDENTITY-POOL-ID",
  "iamRoleArn": "IAM-ROLE-ARN"
},
```
- Update the following fields in the `config.json` file with the table name, table key, index name and index key that you obtained in the above steps:

```json
"tableName": "table name",
"tableKey": "table key",
"indexName": "index name",
"indexKey": "username"
```
- Set `serverAddress` to the Elastic Beanstalk URL and fill in the provider sections:

```json
"serverAddress": "http://[ Paste URL Here ]",
"facebook": {
  "clientID": "App ID",
  "clientSecret": "client Secret",
  "callbackURL": "http://[ Elastic Beanstalk URL ]/auth/facebook/callback",
  "profileFields": ["displayName", "email", "id"]
},
```

```json
"google": {
  "clientID": "Google Client ID",
  "clientSecret": "Google Client Secret",
  "callbackURL": "http://[ Elastic Beanstalk URL ]/auth/google/callback",
  "profileFields": ["displayName", "email", "id"]
},
```

Google client credentials are obtained at https://console.developers.google.com/projectselector/apis/dashboard

```json
"amazon": {
  "clientID": "client ID",
  "clientSecret": "client Secret",
  "callbackURL": "http://[ Elastic Beanstalk URL ]/auth/amazon/callback",
  "profileFields": ["displayName", "email", "id"]
}
```
- Go to the `i-auth` folder on your computer.
- You will see the following directories/files in it:
  - modules
  - node_modules
  - package.json
  - package-lock.json
  - server.js
- Select them all and make a ZIP of them.
- Now open Elastic Beanstalk from the AWS console.
- You will see your previously created instance. Click on it.
- Click on Upload and Deploy.
- Select the ZIP file you created and add a version label. Then click on Deploy. It will take some time.
- If you see the following screen then your deployment is successful.
You can refer to the sample client application that we have provided. It contains some functions that you can use directly in your application. In this client application we have created functions for:

- Logging in or registering a user.
- Refreshing the user session (a user session ends after one hour).
- Accessing DynamoDB from the client application using the AWS Cognito AccessKey, SecretKey and SessionToken.
- In the client application, go to the `js` directory and open the `constants.js` file:

```js
const CLIENT_REDIRECT_URL = "http://localhost:8080/client/index.html";
const AWS_REGION = "us-east-1";
const AWS_ENDPOINT = "http://dynamodb.us-east-1.amazonaws.com";
const TABLE_NAME = "users";
const SERVER_ADDRESS = "http://localhost:8081";
const URL_AUTHENTICATION = SERVER_ADDRESS + "/auth";
const REFRESH_URL = SERVER_ADDRESS + "/refresh";
const REQUIRE_LOGIN_NAME = true;
const SESSION_EXPIRE_TIME = 0;
const SESSION_REFRESH_TIME = 5;
const SESSION_TIME = 60;
```
- Change `CLIENT_REDIRECT_URL` to your Tomcat server address.
- Change `AWS_REGION` to the region that you selected in your AWS account.
- Change `AWS_ENDPOINT` to http://dynamodb.`[AWS_REGION]`.amazonaws.com, replacing `[AWS_REGION]` with your AWS region.
- Change `TABLE_NAME` to the table name in DynamoDB.
- Change `SERVER_ADDRESS` to the AWS Beanstalk URL that we used before.
- `URL_AUTHENTICATION` is the URL on which login/register requests will be processed.
- `REFRESH_URL` is the URL on which session refresh requests will be processed.
- The rest of the code you can read through and understand.
- To run the client application, deploy it on a Tomcat server. How to install and deploy a web app on a Tomcat server is described above.
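The session-refresh timing behind `SESSION_TIME` and `SESSION_REFRESH_TIME`, as an added example that is not part of the IAM-Auth sample client. It assumes the client records `issuedAtMs` (the `Date.now()` at login or at the last successful refresh), that `SESSION_TIME` is the session length in minutes (the page says a session ends after one hour) and that `SESSION_REFRESH_TIME` is how many minutes before expiry a refresh should be requested; `sessionStatus` and `msUntilRefresh` are names introduced here.

```javascript
// Added example, not part of the IAM-Auth sample client: decides when the
// client should call REFRESH_URL. The meaning given to SESSION_TIME and
// SESSION_REFRESH_TIME and the function names are assumptions of this example.
const SESSION_TIME = 60;         // minutes, from constants.js
const SESSION_REFRESH_TIME = 5;  // minutes, from constants.js
const MINUTE_MS = 60 * 1000;

// Returns "active", "refresh" or "expired" for a session issued at issuedAtMs.
function sessionStatus(issuedAtMs, nowMs, sessionMinutes = SESSION_TIME, refreshMinutes = SESSION_REFRESH_TIME) {
  if (!Number.isFinite(issuedAtMs) || !Number.isFinite(nowMs)) return "expired"; // nothing recorded: force a login
  if (nowMs < issuedAtMs) return "refresh";              // clock went backwards: the timer cannot be trusted
  const expiresAt = issuedAtMs + sessionMinutes * MINUTE_MS;
  if (nowMs >= expiresAt) return "expired";              // tokens are no longer usable: the user must log in again
  if (expiresAt - nowMs <= refreshMinutes * MINUTE_MS) return "refresh";
  return "active";
}

// Milliseconds to wait before the next refresh attempt (0 means refresh now,
// or log in again if the session has already expired).
function msUntilRefresh(issuedAtMs, nowMs, sessionMinutes = SESSION_TIME, refreshMinutes = SESSION_REFRESH_TIME) {
  if (sessionStatus(issuedAtMs, nowMs, sessionMinutes, refreshMinutes) !== "active") return 0;
  return issuedAtMs + (sessionMinutes - refreshMinutes) * MINUTE_MS - nowMs;
}

// Typical use: after login or a successful refresh, record the issue time and
// arm a timer; on "expired", clear the stored tokens and send the user to /auth.
//   let issuedAt = Date.now();
//   setTimeout(() => { if (sessionStatus(issuedAt, Date.now()) === "refresh") refreshSession(); },
//              msUntilRefresh(issuedAt, Date.now()));
```

Refreshing a few minutes before expiry keeps the DynamoDB credentials valid across the boundary; once the status is "expired" the client should discard the old tokens rather than retry the refresh with them.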
In this case you have to follow all the above steps that are needed for CASE-1: Login-register with unique Username in the system. The only difference is that you don't have to create an index on the table.