//public CognitoAWSCredentials GetCachedCognitoIdentity()
//{
// Console.WriteLine("GetCachedCognitoIdentity");
// if (!string.IsNullOrEmpty(credentials.GetCachedIdentityId()) || credentials.CurrentLoginProviders.Length > 0)
// {
// return credentials;
// }
// return null;
//}
public async Task GetAWSCredentialsWithGoogleToken(string token)
{
try
{
CognitoAWSCredentials credentials = new CognitoAWSCredentials(this.IDENTITYPOOL_ID, RegionEndpoint.EUCentral1);
credentials.Clear();
credentials.AddLogin("accounts.google.com", token);
AmazonCognitoIdentityClient cli = new AmazonCognitoIdentityClient(credentials, RegionEndpoint.EUCentral1);
var req = new Amazon.CognitoIdentity.Model.GetIdRequest();
req.Logins.Add("accounts.google.com", token);
req.IdentityPoolId = this.IDENTITYPOOL_ID;
GetIdResponse getIdResponse = await cli.GetIdAsync(req);
var getCredentialReq = new Amazon.CognitoIdentity.Model.GetCredentialsForIdentityRequest();
getCredentialReq.IdentityId = getIdResponse.IdentityId;
getCredentialReq.Logins.Add("accounts.google.com", token);
GetCredentialsForIdentityResponse getCredentialsResponse = await cli.GetCredentialsForIdentityAsync(getCredentialReq);
UserInfo.Credentials = getCredentialsResponse.Credentials;
UserInfo.IdentityId = getCredentialsResponse.IdentityId;
}
catch (Exception ex)
{
Console.WriteLine("GetAWSCredentialsWithGoogleToken ERROR: " + ex.Message);
throw ex;
}
}
public override void Invoke(AWSCredentials creds, RegionEndpoint region, int maxItems)
{
AmazonCognitoIdentityConfig config = new AmazonCognitoIdentityConfig();
config.RegionEndpoint = region;
ConfigureClient(config);
AmazonCognitoIdentityClient client = new AmazonCognitoIdentityClient(creds, config);
ListIdentityPoolsResponse resp = new ListIdentityPoolsResponse();
do
{
ListIdentityPoolsRequest req = new ListIdentityPoolsRequest
{
NextToken = resp.NextToken
,
MaxResults = maxItems
};
resp = client.ListIdentityPools(req);
CheckError(resp.HttpStatusCode, "200");
foreach (var obj in resp.IdentityPools)
{
AddObject(obj);
}
}while (!string.IsNullOrEmpty(resp.NextToken));
}
public async Task <IActionResult> ConnectToAWSViaCognitoCredsAsync()
{
try
{
if (!this.HttpContext.User.Identity.IsAuthenticated)
{
return(new OkObjectResult("you have to sign in to access AWS resources"));
}
AnonymousAWSCredentials cred = new AnonymousAWSCredentials();
AmazonCognitoIdentityClient cognitoClient = new AmazonCognitoIdentityClient(
cred,
RegionEndpoint.USEast2
);
GetIdRequest idRequest = new GetIdRequest();
idRequest.AccountId = "628654266155";
idRequest.IdentityPoolId = "us-east-2:c6e1e652-eb33-4daa-a04e-9cb0418a92cc";
var logins = new Dictionary <string, string> {
{ "dev-220949.okta.com/oauth2/default", GetOktaTokenMiddleware.OktaToken }
};
idRequest.Logins = logins;
// The identity id is in the IdentityId parameter of the response object
GetIdResponse idResp = await cognitoClient.GetIdAsync(idRequest);
//GetCredentialsForIdentityRequest getCredentialsRequest =
// new GetCredentialsForIdentityRequest { IdentityId = idResp.IdentityId, Logins = logins };
var temporaryCreds = await cognitoClient.GetCredentialsForIdentityAsync(idResp.IdentityId, logins);
//var s3Client = new AmazonS3Client(temporaryCreds.Credentials, RegionEndpoint.USEast2);
var s3Client = new AmazonS3Client(temporaryCreds.Credentials, RegionEndpoint.USEast2);
return(await this.ObjectFromBucket(s3Client));
//var assumeRoleRequest = new AssumeRoleWithWebIdentityRequest
//{
// RoleArn = "arn:aws:iam::628654266155:role/acme_empoyees_accessing_s3",
// RoleSessionName = "testsession",
// WebIdentityToken = GetOktaTokenMiddleware.OktaToken,
//};
//var stsServiceClient = new AmazonSecurityTokenServiceClient(temporaryCreds.Credentials, RegionEndpoint.USEast2);
//var response = await stsServiceClient.AssumeRoleWithWebIdentityAsync(assumeRoleRequest);
//return new OkObjectResult($" assumed role is {response.AssumedRoleUser.AssumedRoleId}");
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
}
// Retrieves credentials for existing identities
async Task <GetCredentialsForIdentityResponse> GetCredentialsForExistingIdentity(string identity)
{
// As this is a public API, we call it with fake access keys
AmazonCognitoIdentityClient cognitoClient = new AmazonCognitoIdentityClient("A", "B", this.region);
var resp = await cognitoClient.GetCredentialsForIdentityAsync(identity);
return(resp);
}
static private async Task <UserCognitoCredentials> getCognitoCredentials(String userEmail, String userPassword)
{
String cognitoUserPoolId = "us-east-1_n8TiZp7tu";
String cognitoClientId = "6clvd0v40jggbaa5qid2h6hkqf";
String cognitoIdentityPoolId = "us-east-1:bff024bb-06d0-4b04-9e5d-eb34ed07f884";
Amazon.RegionEndpoint cognitoRegion = Amazon.RegionEndpoint.USEast1;
AmazonCognitoIdentityProviderClient provider =
new AmazonCognitoIdentityProviderClient(new Amazon.Runtime.AnonymousAWSCredentials(), Amazon.RegionEndpoint.USEast1);
CognitoUserPool userPool = new CognitoUserPool(cognitoUserPoolId, cognitoClientId, provider);
CognitoUser user = new CognitoUser(userEmail, cognitoClientId, userPool, provider);
AuthFlowResponse context = await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
{
Password = userPassword
}).ConfigureAwait(false);
String accessToken = context.AuthenticationResult.AccessToken;
String idToken = context.AuthenticationResult.IdToken;
CognitoAWSCredentials credentials =
user.GetCognitoAWSCredentials(cognitoIdentityPoolId, cognitoRegion);
var identityClient = new AmazonCognitoIdentityClient(credentials, cognitoRegion);
var idRequest = new Amazon.CognitoIdentity.Model.GetIdRequest();
idRequest.IdentityPoolId = cognitoIdentityPoolId;
idRequest.Logins = new Dictionary <string, string> {
{ "cognito-idp.us-east-1.amazonaws.com/" + cognitoUserPoolId, idToken }
};
var idResponseId = await identityClient.GetIdAsync(idRequest).ConfigureAwait(false);
if (idResponseId.HttpStatusCode != System.Net.HttpStatusCode.OK)
{
Console.WriteLine(String.Format("Failed to get credentials for identity. Status code: {0} ", idResponseId.HttpStatusCode));
System.Environment.Exit(1);
}
var idResponseCredential = await identityClient.GetCredentialsForIdentityAsync(idResponseId.IdentityId, new Dictionary <string, string> {
{ "cognito-idp.us-east-1.amazonaws.com/" + cognitoUserPoolId, idToken }
}).ConfigureAwait(false);
if (idResponseCredential.HttpStatusCode != System.Net.HttpStatusCode.OK)
{
Console.WriteLine(String.Format("Failed to get credentials for identity. Status code: {0} ", idResponseCredential.HttpStatusCode));
System.Environment.Exit(1);
}
var cognitoCredentials = new UserCognitoCredentials(idResponseCredential.Credentials);
return(cognitoCredentials);
}
protected IAmazonCognitoIdentity CreateClient(AWSCredentials credentials, RegionEndpoint region)
{
var config = new AmazonCognitoIdentityConfig {
RegionEndpoint = region
};
Amazon.PowerShell.Utils.Common.PopulateConfig(this, config);
this.CustomizeClientConfig(config);
var client = new AmazonCognitoIdentityClient(credentials, config);
client.BeforeRequestEvent += RequestEventHandler;
client.AfterResponseEvent += ResponseEventHandler;
return(client);
}
/// <summary>
/// Initializes a new MIC client instance using the specified
/// MIC Manifest document.
/// </summary>
/// <param name="manifest"></param>
protected MicClient(MicManifest manifest) : base()
{
Manifest = manifest ?? throw new ArgumentNullException(nameof(manifest));
Config = new MicClientConfig()
{
RegionEndpoint = Manifest.AwsRegion
};
var anonymousCreds = new AnonymousAWSCredentials();
cognitoClient = new AmazonCognitoIdentityClient(anonymousCreds, Config.Create <AmazonCognitoIdentityConfig>());
stsClient = new AmazonSecurityTokenServiceClient(anonymousCreds, Config.Create <AmazonSecurityTokenServiceConfig>());
AwsCredentials = new CognitoAWSCredentials(accountId: null, identityPoolId: Manifest.IdentityPool,
unAuthRoleArn: null, authRoleArn: null,
cognitoClient, stsClient
);
}
//Tests GetCognitoAWSCredentials
public async void TestGetCognitoAWSCredentials()
{
string password = "******";
string poolRegion = user.UserPool.PoolID.Substring(0, user.UserPool.PoolID.IndexOf("_"));
string providerName = "cognito-idp." + poolRegion + ".amazonaws.com/" + user.UserPool.PoolID;
AuthFlowResponse context =
await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
{
Password = password
}).ConfigureAwait(false);
//Create identity pool
identityClient = new AmazonCognitoIdentityClient(clientCredentials, clientRegion);
CreateIdentityPoolResponse poolResponse =
await identityClient.CreateIdentityPoolAsync(new CreateIdentityPoolRequest()
{
AllowUnauthenticatedIdentities = false,
CognitoIdentityProviders = new List <CognitoIdentityProviderInfo>()
{
new CognitoIdentityProviderInfo()
{
ProviderName = providerName, ClientId = user.ClientID
}
},
IdentityPoolName = "TestIdentityPool" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).ConfigureAwait(false);
identityPoolId = poolResponse.IdentityPoolId;
//Create role for identity pool
managementClient = new AmazonIdentityManagementServiceClient(clientCredentials, clientRegion);
CreateRoleResponse roleResponse = managementClient.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = "_TestRole_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
AssumeRolePolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect" +
"\": \"Allow\",\"Principal\": {\"Federated\": \"cognito-identity.amazonaws.com\"}," +
"\"Action\": \"sts:AssumeRoleWithWebIdentity\"}]}"
}).Result;
roleName = roleResponse.Role.RoleName;
//Create and attach policy for role
CreatePolicyResponse policyResponse = managementClient.CreatePolicyAsync(new CreatePolicyRequest()
{
PolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": " +
"[{\"Effect\": \"Allow\",\"Action\": [\"mobileanalytics:PutEvents\",\"cog" +
"nito-sync:*\",\"cognito-identity:*\",\"s3:*\"],\"Resource\": [\"*\"]}]}",
PolicyName = "_Cognito_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).Result;
policyArn = policyResponse.Policy.Arn;
AttachRolePolicyRequest attachRequest = new AttachRolePolicyRequest()
{
PolicyArn = policyArn,
RoleName = roleName
};
AttachRolePolicyResponse attachRolePolicyResponse = managementClient.AttachRolePolicyAsync(attachRequest).Result;
//Set the role for the identity pool
await identityClient.SetIdentityPoolRolesAsync(new SetIdentityPoolRolesRequest()
{
IdentityPoolId = identityPoolId,
Roles = new Dictionary <string, string>()
{
{ "authenticated", roleResponse.Role.Arn },
{ "unauthenticated", roleResponse.Role.Arn }
},
}).ConfigureAwait(false);
//Create and test credentials
CognitoAWSCredentials credentials = user.GetCognitoAWSCredentials(identityPoolId, clientRegion);
using (var client = new AmazonS3Client(credentials, Amazon.RegionEndpoint.USEast1))
{
int tries = 0;
ListBucketsResponse bucketsResponse = null;
var retryLimit = 5;
Exception lastException = null;
for (; tries < retryLimit; tries++)
{
try
{
bucketsResponse = await client.ListBucketsAsync(new ListBucketsRequest()).ConfigureAwait(false);
Assert.Equal(bucketsResponse.HttpStatusCode, System.Net.HttpStatusCode.OK);
break;
}
catch (Exception ex)
{
lastException = ex;
System.Threading.Thread.Sleep(3000);
}
}
if (tries == retryLimit && lastException != null)
{
throw lastException;
}
}
}
public ActionResult Browse()
{
List <Models.S3File> files = new List <Models.S3File>();
strCurrentUsername = HttpContext.User.Identity.Name;
if (!string.IsNullOrEmpty(strCurrentUsername))
{
if (strCurrentUsername.EndsWith("workerbee.com"))
{
strUserCognitoPoolId = strWorkerBeeCognitoPoolId;
}
else if (strCurrentUsername.EndsWith("queenbee.com"))
{
strUserCognitoPoolId = strQueenBeeCognitoPoolId;
}
else if (strCurrentUsername.EndsWith("beehive.com"))
{
strUserCognitoPoolId = strBeeHiveCognitoPoolId;
}
else //any other email domain
{
strUserCognitoPoolId = strFreeBeeCognitoPoolId;
}
}
Amazon.RegionEndpoint northVirginiaRegion = Amazon.RegionEndpoint.USEast1; //Virginia location
string strAccessKeyId = ConfigurationManager.AppSettings["CognitoDeveloperAccessKeyId"];
string strAccessKeySecret = ConfigurationManager.AppSettings["CognitoDeveloperAccessKeySecret"];
AmazonCognitoIdentityClient cognitoIdClient = new AmazonCognitoIdentityClient(strAccessKeyId, strAccessKeySecret, northVirginiaRegion);
if (cognitoIdClient != null)
{
Dictionary <string, string> customLogin = new Dictionary <string, string>();
customLogin.Add(DEVELOPER_PROVIDER_NAME, HttpContext.User.Identity.Name);
GetOpenIdTokenForDeveloperIdentityRequest oidcTokenReq = new GetOpenIdTokenForDeveloperIdentityRequest();
//oidcTokenReq.IdentityId = HttpContext.User.Identity.Name;
oidcTokenReq.IdentityPoolId = strUserCognitoPoolId;
oidcTokenReq.TokenDuration = 86400; //24hr for ID token validaty
oidcTokenReq.Logins = customLogin;
//Get an OpenID Connect token from AWS Cognito
GetOpenIdTokenForDeveloperIdentityResponse oidcTokenRes = cognitoIdClient.GetOpenIdTokenForDeveloperIdentity(oidcTokenReq);
//Get the Cognito Identity ID for the current user
GetCredentialsForIdentityRequest credentialsForIdReq = new GetCredentialsForIdentityRequest()
{
IdentityId = oidcTokenRes.IdentityId,
//Logins = customLogin
};
Dictionary <string, string> token = new Dictionary <string, string>();
token.Add("cognito-identity.amazonaws.com", oidcTokenRes.Token);//
//Get the token from AWS STS (through AWS Cognito) to assume an AWS role that will allow to user to query AWS S3
GetCredentialsForIdentityResponse credentialsForIdRes = cognitoIdClient.GetCredentialsForIdentity(oidcTokenRes.IdentityId, token);
Credentials awsCreds = credentialsForIdRes.Credentials;
using (var s3Client = new AmazonS3Client(awsCreds, northVirginiaRegion))
{
try
{
var bucketsRes = s3Client.ListBuckets();
List <S3Bucket> buckets = bucketsRes.Buckets;
foreach (S3Bucket bucket in buckets)
{
try
{
ListObjectsResponse listObjectsRes = s3Client.ListObjects(bucket.BucketName);
List <S3Object> s3Objects = listObjectsRes.S3Objects;
foreach (S3Object s3file in s3Objects)
{
files.Add(new Models.S3File()
{
FileName = s3file.Key
});
}
}
catch (Exception ex)
{
}
}
}
catch (AmazonCognitoIdentityException cex)
{
string strError = cex.ToString();
}
catch (Exception ex)
{
////throw;
}
}
}
return(View(files));
}
//Tests GetCognitoAWSCredentials
public async void TestGetCognitoAWSCredentials()
{
var password = "******";
var poolRegion = user.UserPool.PoolID.Substring(0, user.UserPool.PoolID.IndexOf("_", StringComparison.Ordinal));
var providerName = "cognito-idp." + poolRegion + ".amazonaws.com/" + user.UserPool.PoolID;
var context =
await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
{
Password = password
}).ConfigureAwait(false);
//Create identity pool
identityClient = new AmazonCognitoIdentityClient(clientCredentials, clientRegion);
var poolResponse =
await identityClient.CreateIdentityPoolAsync(new CreateIdentityPoolRequest()
{
AllowUnauthenticatedIdentities = false,
CognitoIdentityProviders = new List <CognitoIdentityProviderInfo>()
{
new CognitoIdentityProviderInfo()
{
ProviderName = providerName, ClientId = user.ClientID
}
},
IdentityPoolName = "TestIdentityPool" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).ConfigureAwait(false);
identityPoolId = poolResponse.IdentityPoolId;
//Create role for identity pool
managementClient = new AmazonIdentityManagementServiceClient(clientCredentials, clientRegion);
var roleResponse = managementClient.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = "_TestRole_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
AssumeRolePolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect" +
"\": \"Allow\",\"Principal\": {\"Federated\": \"cognito-identity.amazonaws.com\"}," +
"\"Action\": \"sts:AssumeRoleWithWebIdentity\"}]}"
}).Result;
roleName = roleResponse.Role.RoleName;
//Create and attach policy for role
var policyResponse = managementClient.CreatePolicyAsync(new CreatePolicyRequest()
{
PolicyDocument = "{\"Version\": \"2012-10-17\",\"Statement\": " +
"[{\"Effect\": \"Allow\",\"Action\": [\"mobileanalytics:PutEvents\",\"cog" +
"nito-sync:*\",\"cognito-identity:*\",\"s3:*\"],\"Resource\": [\"*\"]}]}",
PolicyName = "_Cognito_" + DateTime.Now.ToString("yyyyMMdd_HHmmss"),
}).Result;
policyArn = policyResponse.Policy.Arn;
var attachRequest = new AttachRolePolicyRequest()
{
PolicyArn = policyArn,
RoleName = roleName
};
var attachRolePolicyResponse = managementClient.AttachRolePolicyAsync(attachRequest).Result;
//Set the role for the identity pool
await identityClient.SetIdentityPoolRolesAsync(new SetIdentityPoolRolesRequest()
{
IdentityPoolId = identityPoolId,
Roles = new Dictionary <string, string>()
{
{ "authenticated", roleResponse.Role.Arn },
{ "unauthenticated", roleResponse.Role.Arn }
},
}).ConfigureAwait(false);
//Create and test credentials
var credentials = user.GetCognitoAWSCredentials(identityPoolId, clientRegion);
using (var client = new AmazonS3Client(credentials, Amazon.RegionEndpoint.USEast1))
{
var tries = 0;
var bufferExMsg = "Invalid identity pool configuration. Check assigned IAM roles for this pool.";
ListBucketsResponse bucketsResponse = null;
for (; tries < 5; tries++)
{
try
{
bucketsResponse = await client.ListBucketsAsync(new ListBucketsRequest()).ConfigureAwait(false);
break;
}
catch (NullReferenceException)
{
System.Threading.Thread.Sleep(3000);
}
catch (Exception ex)
{
if (string.Equals(bufferExMsg, ex.Message))
{
System.Threading.Thread.Sleep(3000);
}
else
{
throw ex;
}
}
}
Assert.True(tries < 5, "Failed to list buckets after 5 tries");
Assert.Equal(bucketsResponse.HttpStatusCode, System.Net.HttpStatusCode.OK);
}
}
