
React Native & AWS Auth Federation?

auth0
oidc
react-native
aws

#1

I have SAML SSO configured via the docs here https://auth0.com/docs/integrations/aws/sso

So now the question is can the RN Auth0 module here https://github.com/auth0/react-native-auth0 be configured to use the saml endpoint for authentication so I can use the credentials received to call aws services?

Thanks.


#2

A react-native-auth0 application should be redirecting you to your Universal Login Page using the authorization code grant with PKCE; you don’t have to know how to do the auth code grant with PKCE, the SDK will help you implement it. To accomplish this you can pass connection: <your saml connection name> when calling authorize. This will automatically have Auth0 redirect your user to the SAML IDP to log them in.

NOTE: you can not do a native login form and authenticate someone using your SAML connection. SAML IDP authentication must be done by redirecting to the IDP to collect the credentials. The IDP will not give you a method that you can call to validate a user’s credentials from your own app. You should be using universal login for your own username/password database as well, see the reasons here.


#3

Thanks for the information.

So I have this set up under Application > Addons > SAML2 Web Auth; in the callback URL, what should I have this set to?

Currently it is https://signin.aws.amazon.com/saml. I am assuming it needs to be something else?

Like https://safettradedev.auth0.com/login/callback?connection= ?

I am basically trying to get a SAML response from AWS IAM so I can assume an AWS role to call certain AWS services with that assumed role in my RN app.

Is this possible? If so, where or what would be the connection name I need to specify in the RN auth configuration?

Thanks again!


#4

It sounds like you want two separate things here:

  1. You want to log into AWS using the credentials that you configure in Auth0 for your users/employees. For that you want to set it up the way you described with the documentation, where Auth0 is the IDP (Identity Provider) and AWS is the SP (Service Provider). This allows you to authenticate using your Auth0 tenant to get into your AWS account.
  2. You have an app that you want to be able to use “user specific tokens” to call AWS services. In this case AWS is the resource server. You need some sort of OIDC scenario if you want to get an access token to call AWS services. If you can tell me which services you want to call, it would help tailor a response for how you can do it.

NOTE: be careful here with a mobile app. A mobile app is a public client this means people can crack into their phone and get their hands on any access token you send to the mobile app. This means you don’t want to put an access token on the mobile app that you would be concerned if someone used to call services directly (outside of your app). If you want to constrain their access to only what your app will let them do, then you need to proxy their access through your backend and instead of getting a user based token to AWS, you should create API keys and use those from your app in the backend and create a user based token to your API instead.


#5

Thanks :slight_smile: Yeah, I will want to use services like S3, SNS, SES, etc. and set up AWS policies for the assumed AWS roles.

I have used AWS Cognito before and it would be a perfect fit for my needs, but I'm not sure how to go about implementing it in RN auth.


#6

This looks promising https://datalanguage.com/news/s3-managed-uploads.

This shows how to configure an OpenIDConnect provider for use with S3. You could extend this example to others. Where you would diverge with this example is when you get to the dropzone scripts at the bottom. Instead you would have your react-native script call authorize and get you tokens, and then you can pass those tokens as the web id credentials.

This example shows using an ID token. I would recommend creating an Access Token instead. The changes would be that you create an API in Auth0 in addition to the Application as described in this example. Then you set the Audience parameter in the AWS OpenIDConnect Provider configuration to match the API identifier/audience of the API you created in Auth0. Then in your React Native app, make sure you pass audience: <API identifier/audience> to authorize. This will make sure that you get an access token as well as an ID token. You should then be able to pass the access token as the webidcredentials here:

```javascript
AWS.config.credentials = new AWS.WebIdentityCredentials({
  RoleArn: 'arn:aws:iam::{my-AWS-Account-ID}:role/OpenIdS3Role',
  WebIdentityToken: accessToken
});
```

#7

I’ll give it a go, Carlos :slight_smile: Thanks, and once I come up with a solution based on this I’ll post it here for reference.


#8

Okay Carlos, thanks for that tutorial link for assuming the web identity role with STS. I was able to get my RN app integrated with AWS Cognito’s Identity Pool, which allows me to get temp credentials per federated identity and a little more functionality than vanilla STS (secure token service).

Using this setup from the docs:

```javascript
import AWS from "aws-sdk";
import Auth0 from "react-native-auth0";

// domain and clientId of the Auth0 application (placeholder values)
const credentials = { domain: "mydomain.auth0.com", clientId: "YOUR_CLIENT_ID" };
const auth0 = new Auth0(credentials);

auth0.webAuth
  .authorize({
    scope: "openid profile",
    audience: "https://mydomain.auth0.com/userinfo",
  })
  .then(credentials => {
    // Exchange the Auth0 ID token for temporary AWS credentials through the Cognito
    // identity pool; the Logins key must match the OIDC provider name configured in the pool
    AWS.config.credentials = new AWS.CognitoIdentityCredentials(
      {
        IdentityPoolId: "us-east-1:poolidhere...",
        RoleSessionName: "mysession",
        Logins: {
          "mydomain.auth0.com": credentials.idToken,
        },
      },
      { region: "us-east-1" }
    );

    // getCredentials is asynchronous: only read AWS.config.credentials once it has resolved
    AWS.config.getCredentials(err => {
      if (err != undefined && err != null) {
        console.log("authActions=> Cognito getCredentials()", err);
        return;
      }
      console.log("authActions=> Cognito credentials", AWS.config.credentials);
    });
  })
  .catch(err => console.log("authActions=> authorize()", err));
```

It Works :slight_smile:

There might be more configuring I need to do but this gets me going thanks again for your assistance.
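A pre-flight check that ties posts #6 and #8 together, added here as an example and not code from the thread, Auth0 or AWS: it decodes the token the app gets back from authorize, confirms the issuer, audience and expiry match what the AWS-side OIDC provider expects, and then builds either the STS web-identity parameters (post #6) or the Cognito Logins map (post #8). The tenant domain, API identifier, client ID, role ARN and identity pool ID are assumed placeholders.

```javascript
// Added example, not code from the thread: pre-flight check of an Auth0-issued JWT before
// it is handed to AWS as a web identity. STS/Cognito verify the signature against the
// issuer's JWKS; this only catches the configuration mismatches discussed above (issuer,
// audience, expiry) with a clear message. Domains, IDs and ARNs are assumed placeholders.
const TENANT_DOMAIN = "mydomain.auth0.com";
const ISSUER = `https://${TENANT_DOMAIN}/`;     // Auth0 tokens carry the trailing slash in iss
const API_AUDIENCE = "https://api.example.com";  // identifier of the API created in Auth0 (post #6)
const CLIENT_ID = "abc123clientid";              // application client_id: the aud of ID tokens
const ROLE_ARN = "arn:aws:iam::123456789012:role/OpenIdS3Role";
const IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";
// Decode the payload only; the signature is NOT checked here, AWS does that.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns the mismatches found; an empty list means the token fits the AWS-side provider config.
function checkWebIdentityToken(token, expectedAud, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const problems = [];
  if (claims.iss !== ISSUER) problems.push(`iss=${claims.iss}`);
  // aud is a string on ID tokens and usually an array on access tokens (API id + /userinfo)
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) problems.push(`aud=${JSON.stringify(claims.aud)}`);
  if (typeof claims.exp !== "number" || claims.exp <= now) problems.push("expired");
  return problems;
}

// Post #6 shape: access token for the Auth0 API as the STS web identity token.
function webIdentityParams(accessToken) {
  const problems = checkWebIdentityToken(accessToken, API_AUDIENCE);
  if (problems.length) throw new Error("token rejected: " + problems.join(", "));
  return { RoleArn: ROLE_ARN, RoleSessionName: "rn-app", WebIdentityToken: accessToken };
}

// Post #8 shape: ID token in the Cognito Logins map, keyed by the provider name (tenant domain).
function cognitoParams(idToken) {
  const problems = checkWebIdentityToken(idToken, CLIENT_ID);
  if (problems.length) throw new Error("token rejected: " + problems.join(", "));
  return { IdentityPoolId: IDENTITY_POOL_ID, Logins: { [TENANT_DOMAIN]: idToken } };
}
// Constructed, unsigned sample token for offline demonstration only (never accepted by AWS).
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}
```

A token rejected here with an aud mismatch is the usual result of calling authorize without the audience parameter post #6 describes, so the check fails with the reason instead of an opaque AWS error.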