private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
{
var ars = new AutoResetEvent(false);
Amazon.SecurityToken.Model.Credentials credentials = null;
Exception exception = null;
sts.AssumeRoleWithWebIdentityAsync(assumeRequest, (assumeResult) =>
{
if (assumeResult.Exception != null)
exception = assumeResult.Exception;
else
credentials = assumeResult.Response.Credentials;
ars.Set();
});
ars.WaitOne();
if (exception != null)
throw exception;
return credentials;
}
internal AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request)
{
var task = AssumeRoleWithWebIdentityAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
throw e.InnerException;
}
}
internal AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request)
{
var task = AssumeRoleWithWebIdentityAsync(request);
try
{
return task.Result;
}
catch(AggregateException e)
{
ExceptionDispatchInfo.Capture(e.InnerException).Throw();
return null;
}
}
/// <summary>
/// <para> Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web
/// identity provider, such as Login with Amazon, Facebook, or Google. <c>AssumeRoleWithWebIdentity</c> is an API call that does not require the
/// use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary
/// security credentials without including long-term AWS credentials in the application or by deploying server-based proxy services that use
/// long-term AWS credentials. </para> <para> The temporary security credentials consist of an access key ID, a secret access key, and a
/// security token. Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for
/// the duration that you specified when calling <c>AssumeRoleWithWebIdentity</c> , which can be from 900 seconds (15 minutes) to 3600 seconds
/// (1 hour). By default, the temporary security credentials are valid for 1 hour. </para> <para>Optionally, you can pass an AWS IAM access
/// policy to this operation. The temporary security credentials that are returned by the operation have the permissions that are associated
/// with the access policy of the role being assumed, except for any permissions explicitly denied by the policy you pass. This gives you a way
/// to further restrict the permissions for the federated user. These policies and any applicable resource-based policies are evaluated when
/// calls to AWS are made using the temporary security credentials. </para> <para> Before your application can call
/// <c>AssumeRoleWithWebIdentity</c> , you must have an identity token from a supported identity provider and create a role that the application
/// can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other
/// words, the identity provider must be specified in the role's trust policy. </para> <para> For more information about how to use web identity
/// federation and the <c>AssumeRoleWithWebIdentity</c> , see the following resources: </para>
/// <ul>
/// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider"> Creating a Mobile
/// Application with Third-Party Sign-In</a> and <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html"> Creating Temporary
/// Security Credentials for Mobile Apps Using Third-Party Identity Providers</a> in <i>Using Temporary Security Credentials</i> . </li>
/// <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html"> Web Identity Federation Playground</a> . This
/// interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary
/// security credentials, and then using those credentials to make a request to AWS. </li>
/// <li> <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> and <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for
/// Android</a> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from
/// these providers to get and use temporary security credentials. </li>
/// <li> <a href="http://aws.amazon.com/articles/4617974389850313">Web Identity Federation with Mobile Applications</a> . This article
/// discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3. </li>
///
/// </ul>
///
/// </summary>
///
/// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service
/// method on AmazonSecurityTokenService.</param>
///
/// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by AmazonSecurityTokenService.</returns>
///
/// <exception cref="T:Amazon.SecurityToken.Model.PackedPolicyTooLargeException" />
/// <exception cref="T:Amazon.SecurityToken.Model.IDPRejectedClaimException" />
/// <exception cref="T:Amazon.SecurityToken.Model.MalformedPolicyDocumentException" />
/// <exception cref="T:Amazon.SecurityToken.Model.InvalidIdentityTokenException" />
/// <exception cref="T:Amazon.SecurityToken.Model.ExpiredTokenException" />
/// <exception cref="T:Amazon.SecurityToken.Model.IDPCommunicationErrorException" />
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
public Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance();
return Invoke<IRequest, AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse>(assumeRoleWithWebIdentityRequest, marshaller, unmarshaller, signer, cancellationToken);
}
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingGoogle2(
string client_id,
string client_secret,
string role)
{
string query = "https://accounts.google.com/o/oauth2/auth?" +
string.Format("client_id={0}&", client_id) +
"response_type=code&" +
"scope=email%20profile&" +
"redirect_uri=http://www.padisetty.com";
string id_token = null;
using (var wc = new WebClient())
{
var data = new NameValueCollection();
data["code"] = GetToken("code", query);
data["client_id"] = client_id;
data["client_secret"] = client_secret;
data["redirect_uri"] = "http://www.padisetty.com";
data["grant_type"] = "authorization_code";
var response = wc.UploadValues(
"https://accounts.google.com/o/oauth2/token",
"POST", data);
string responsebody = Encoding.UTF8.GetString(response);
dynamic result = JsonConvert.DeserializeObject(responsebody);
id_token = result.id_token;
}
AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
new AssumeRoleWithWebIdentityRequest ()
{
WebIdentityToken = id_token,
RoleArn = role
};
return GetAssumeRoleWithWebIdentityResponse(assumeRoleWithWebIdentityRequest);
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on AmazonSecurityTokenServiceClient.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking EndAssumeRoleWithWebIdentity
/// operation.</returns>
public IAsyncResult BeginAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request, AsyncCallback callback, object state)
{
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;
return BeginInvoke<AssumeRoleWithWebIdentityRequest>(request, marshaller, unmarshaller,
callback, state);
}
private async System.Threading.Tasks.Task<CredentialsRefreshState> GetCredentialsForRoleAsync(string roleArn)
{
CredentialsRefreshState credentialsState;
// Retrieve Open Id Token
// (Reuses existing IdentityId or creates a new one)
var identityId = await GetIdentityIdAsync().ConfigureAwait(false);
var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identityId };
// If logins are set, pass them to the GetOpenId call
if (Logins.Count > 0)
getTokenRequest.Logins = Logins;
var getTokenResult = await cib.GetOpenIdTokenAsync(getTokenRequest).ConfigureAwait(false);
string token = getTokenResult.Token;
// IdentityId may have changed, save the new value
UpdateIdentity(getTokenResult.IdentityId, true);
// Assume role with Open Id Token
var assumeRequest = new AssumeRoleWithWebIdentityRequest
{
WebIdentityToken = token,
RoleArn = roleArn,
RoleSessionName = "NetProviderSession",
DurationSeconds = DefaultDurationSeconds
};
var credentials = (await sts.AssumeRoleWithWebIdentityAsync(assumeRequest).ConfigureAwait(false)).Credentials;
// Return new refresh state (credentials and expiration)
credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
return credentialsState;
}
// Retrieves credentials for the specific role, by making a call to STS
private CredentialsRefreshState GetCredentialsForRole(string roleArn)
{
CredentialsRefreshState credentialsState;
// Retrieve Open Id Token
// (Reuses existing IdentityId or creates a new one)
var identity = this.GetIdentityIdWithCaching();
var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identity.IdentityId };
// If logins are set, pass them to the GetOpenId call
if (Logins.Count > 0)
getTokenRequest.Logins = Logins;
bool retry = false;
GetOpenIdTokenResponse getTokenResult = null;
try
{
getTokenResult = GetOpenId(getTokenRequest);
}
catch (AmazonCognitoIdentityException e)
{
if (ShouldRetry(e, identity))
retry = true;
else
throw;
}
if (retry)
{
return GetCredentialsForRole(roleArn);
}
string token = getTokenResult.Token;
// IdentityId may have changed, save the new value
UpdateIdentity(getTokenResult.IdentityId, true);
// Assume role with Open Id Token
var assumeRequest = new AssumeRoleWithWebIdentityRequest
{
WebIdentityToken = token,
RoleArn = roleArn,
RoleSessionName = "NetProviderSession",
DurationSeconds = DefaultDurationSeconds
};
var credentials = GetStsCredentials(assumeRequest);
credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
return credentialsState;
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, System.Threading.CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;
return InvokeAsync<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>(request, marshaller,
unmarshaller, cancellationToken);
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on AmazonSecurityTokenServiceClient.</param>
/// <param name="callback">An Action delegate that is invoked when the operation completes.</param>
/// <param name="options">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
public void AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, AmazonServiceCallback<AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse> callback, AsyncOptions options = null)
{
options = options == null?new AsyncOptions():options;
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;
Action<AmazonWebServiceRequest, AmazonWebServiceResponse, Exception, AsyncOptions> callbackHelper = null;
if(callback !=null )
callbackHelper = (AmazonWebServiceRequest req, AmazonWebServiceResponse res, Exception ex, AsyncOptions ao) => {
AmazonServiceResult<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse> responseObject
= new AmazonServiceResult<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>((AssumeRoleWithWebIdentityRequest)req, (AssumeRoleWithWebIdentityResponse)res, ex , ao.State);
callback(responseObject);
};
BeginInvoke<AssumeRoleWithWebIdentityRequest>(request, marshaller, unmarshaller, options, callbackHelper);
}
private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
{
var assumeResult = sts.AssumeRoleWithWebIdentity(assumeRequest);
var credentials = assumeResult.Credentials;
return credentials;
}
IAsyncResult invokeAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request, AsyncCallback callback, object state, bool synchronized)
{
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;
return Invoke(request, callback, state, synchronized, marshaller, unmarshaller, signer);
}
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingGoogle(
string client_id,
string role)
{
string query = "https://accounts.google.com/o/oauth2/auth?" +
string.Format("client_id={0}&", client_id) +
"response_type=id_token&" +
"scope=email%20profile&" +
"redirect_uri=http://www.padisetty.com";
AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
new AssumeRoleWithWebIdentityRequest ()
{
WebIdentityToken = GetToken ("id_token", query),
RoleArn = role
};
return GetAssumeRoleWithWebIdentityResponse(
assumeRoleWithWebIdentityRequest);
}
AssumeRoleWithWebIdentityResponse GetAssumeRoleWithWebIdentityResponse(
AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest)
{
// Start with Anonymous AWS Credentials and get temporary credentials.
var stsClient = new AmazonSecurityTokenServiceClient(
new AnonymousAWSCredentials());
assumeRoleWithWebIdentityRequest.DurationSeconds = 3600;
assumeRoleWithWebIdentityRequest.RoleSessionName = "MySession";
return stsClient.AssumeRoleWithWebIdentity(
assumeRoleWithWebIdentityRequest);
}
/// <summary>
/// Returns a set of temporary security credentials for users who have been authenticated
/// in a mobile or web application with a web identity provider, such as Amazon Cognito,
/// Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
///
///
/// <note>
/// <para>
/// For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon
/// Cognito with the <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a> and
/// the <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for Android</a> to uniquely
/// identify a user and supply the user with a consistent identity throughout the lifetime
/// of an application.
/// </para>
///
/// <para>
/// To learn more about Amazon Cognito, see <a href="http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840">Amazon
/// Cognito Overview</a> in the <i>AWS SDK for Android Developer Guide</i> guide and <a
/// href="http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664">Amazon
/// Cognito Overview</a> in the <i>AWS SDK for iOS Developer Guide</i>.
/// </para>
/// </note>
/// <para>
/// Calling <code>AssumeRoleWithWebIdentity</code> does not require the use of AWS security
/// credentials. Therefore, you can distribute an application (for example, on mobile
/// devices) that requests temporary security credentials without including long-term
/// AWS credentials in the application, and without deploying server-based proxy services
/// that use long-term AWS credentials. Instead, the identity of the caller is validated
/// by using a token from the web identity provider.
/// </para>
///
/// <para>
/// The temporary security credentials returned by this API consist of an access key ID,
/// a secret access key, and a security token. Applications can use these temporary security
/// credentials to sign calls to AWS service APIs. The credentials are valid for the duration
/// that you specified when calling <code>AssumeRoleWithWebIdentity</code>, which can
/// be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary
/// security credentials are valid for 1 hour.
/// </para>
///
/// <para>
/// Optionally, you can pass an IAM access policy to this operation. If you choose not
/// to pass a policy, the temporary security credentials that are returned by the operation
/// have the permissions that are defined in the access policy of the role that is being
/// assumed. If you pass a policy to this operation, the temporary security credentials
/// that are returned by the operation have the permissions that are allowed by both the
/// access policy of the role that is being assumed, <i><b>and</b></i> the policy that
/// you pass. This gives you a way to further restrict the permissions for the resulting
/// temporary security credentials. You cannot use the passed policy to grant permissions
/// that are in excess of those allowed by the access policy of the role that is being
/// assumed. For more information, see <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html">Permissions
/// for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in the <i>Using
/// IAM</i>.
/// </para>
///
/// <para>
/// Before your application can call <code>AssumeRoleWithWebIdentity</code>, you must
/// have an identity token from a supported identity provider and create a role that the
/// application can assume. The role that your application assumes must trust the identity
/// provider that is associated with the identity token. In other words, the identity
/// provider must be specified in the role's trust policy.
/// </para>
///
/// <para>
/// For more information about how to use web identity federation and the <code>AssumeRoleWithWebIdentity</code>
/// API, see the following resources:
/// </para>
/// <ul> <li> <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual">Using
/// Web Identity Federation APIs for Mobile Apps</a> and <a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation
/// Through a Web-based Identity Provider</a>. </li> <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html">
/// Web Identity Federation Playground</a>. This interactive website lets you walk through
/// the process of authenticating via Login with Amazon, Facebook, or Google, getting
/// temporary security credentials, and then using those credentials to make a request
/// to AWS. </li> <li> <a href="http://aws.amazon.com/sdkforios/">AWS SDK for iOS</a>
/// and <a href="http://aws.amazon.com/sdkforandroid/">AWS SDK for Android</a>. These
/// toolkits contain sample apps that show how to invoke the identity providers, and then
/// how to use the information from these providers to get and use temporary security
/// credentials. </li> <li> <a href="http://aws.amazon.com/articles/4617974389850313">Web
/// Identity Federation with Mobile Applications</a>. This article discusses web identity
/// federation and shows an example of how to use web identity federation to get access
/// to content in Amazon S3. </li> </ul>
/// </summary>
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service method.</param>
///
/// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by SecurityTokenService.</returns>
/// <exception cref="Amazon.SecurityToken.Model.ExpiredTokenException">
/// The web identity token that was passed is expired or is not valid. Get a new identity
/// token from the identity provider and then retry the request.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.IDPCommunicationErrorException">
/// The request could not be fulfilled because the non-AWS identity provider (IDP) that
/// was asked to verify the incoming identity token could not be reached. This is often
/// a transient error caused by network conditions. Retry the request a limited number
/// of times so that you don't exceed the request rate. If the error persists, the non-AWS
/// identity provider might be down or not responding.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.IDPRejectedClaimException">
/// The identity provider (IdP) reported that authentication failed. This might be because
/// the claim is invalid.
///
///
/// <para>
/// If this error is returned for the <code>AssumeRoleWithWebIdentity</code> operation,
/// it can also mean that the claim has expired or has been explicitly revoked.
/// </para>
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.InvalidIdentityTokenException">
/// The web identity token that was passed could not be validated by AWS. Get a new identity
/// token from the identity provider and then retry the request.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.MalformedPolicyDocumentException">
/// The request was rejected because the policy document was malformed. The error message
/// describes the specific error.
/// </exception>
/// <exception cref="Amazon.SecurityToken.Model.PackedPolicyTooLargeException">
/// The request was rejected because the policy document was too large. The error message
/// describes how big the policy document is, in packed form, as a percentage of what
/// the API allows.
/// </exception>
public AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest request)
{
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.Instance;
return Invoke<AssumeRoleWithWebIdentityRequest,AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller);
}
IAsyncResult invokeAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, AsyncCallback callback, object state, bool synchronized)
{
IRequest irequest = new AssumeRoleWithWebIdentityRequestMarshaller().Marshall(assumeRoleWithWebIdentityRequest);
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance();
AsyncResult result = new AsyncResult(irequest, callback, state, synchronized, signer, unmarshaller);
Invoke(result);
return result;
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
/// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithWebIdentity"/>
/// </summary>
///
/// <param name="request">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation.</param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of cancellation.
/// </param>
/// <returns>The task object representing the asynchronous operation.</returns>
public async Task<AssumeRoleWithWebIdentityResponse> AssumeRoleWithWebIdentityAsync(AssumeRoleWithWebIdentityRequest request, CancellationToken cancellationToken = default(CancellationToken))
{
var marshaller = new AssumeRoleWithWebIdentityRequestMarshaller();
var unmarshaller = AssumeRoleWithWebIdentityResponseUnmarshaller.GetInstance();
var response = await Invoke<IRequest, AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse>(request, marshaller, unmarshaller, signer, cancellationToken)
.ConfigureAwait(continueOnCapturedContext: false);
return response;
}
/// <summary>
/// Initiates the asynchronous execution of the AssumeRoleWithWebIdentity operation.
/// <seealso cref="Amazon.SecurityToken.IAmazonSecurityTokenService.AssumeRoleWithWebIdentity"/>
/// </summary>
///
/// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity operation on
/// AmazonSecurityTokenService.</param>
/// <param name="callback">An AsyncCallback delegate that is invoked when the operation completes.</param>
/// <param name="state">A user-defined state object that is passed to the callback procedure. Retrieve this object from within the callback
/// procedure using the AsyncState property.</param>
///
/// <returns>An IAsyncResult that can be used to poll or wait for results, or both; this value is also needed when invoking
/// EndAssumeRoleWithWebIdentity operation.</returns>
public IAsyncResult BeginAssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest, AsyncCallback callback, object state)
{
return invokeAssumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest, callback, state, false);
}
/// <summary>
/// <para> Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web
/// identity provider, such as Login with Amazon, Facebook, or Google. </para> <para> Calling <c>AssumeRoleWithWebIdentity</c> does not require
/// the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary
/// security credentials without including long-term AWS credentials in the application, and without deploying server-based proxy services that
/// use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. </para>
/// <para> The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token.
/// Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for the duration that
/// you specified when calling <c>AssumeRoleWithWebIdentity</c> , which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By
/// default, the temporary security credentials are valid for 1 hour. </para> <para>Optionally, you can pass an AWS IAM access policy to this
/// operation. The temporary security credentials that are returned by the operation have the permissions that are associated with the access
/// policy of the role being assumed, except for any permissions explicitly denied by the policy you pass. This gives you a way to further
/// restrict the permissions for the resulting temporary security credentials. These policies and any applicable resource-based policies are
/// evaluated when calls to AWS are made using the temporary security credentials. </para> <para> Before your application can call
/// <c>AssumeRoleWithWebIdentity</c> , you must have an identity token from a supported identity provider and create a role that the application
/// can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other
/// words, the identity provider must be specified in the role's trust policy. </para> <para> For more information about how to use web identity
/// federation and the <c>AssumeRoleWithWebIdentity</c> , see the following resources: </para>
/// <ul>
/// <li> <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider" > Creating a Mobile
/// Application with Third-Party Sign-In</a> and <a href="http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html" > Creating Temporary
/// Security Credentials for Mobile Apps Using Third-Party Identity Providers</a> in <i>Using Temporary Security Credentials</i> . </li>
/// <li> <a href="https://web-identity-federation-playground.s3.amazonaws.com/index.html" > Web Identity Federation Playground</a> . This
/// interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary
/// security credentials, and then using those credentials to make a request to AWS. </li>
/// <li> <a href="http://aws.amazon.com/sdkforios/" >AWS SDK for iOS</a> and <a href="http://aws.amazon.com/sdkforandroid/" >AWS SDK for
/// Android</a> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from
/// these providers to get and use temporary security credentials. </li>
/// <li> <a href="http://aws.amazon.com/articles/4617974389850313" >Web Identity Federation with Mobile Applications</a> . This article
/// discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3. </li>
///
/// </ul>
///
/// </summary>
///
/// <param name="assumeRoleWithWebIdentityRequest">Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service
/// method on AmazonSecurityTokenService.</param>
///
/// <returns>The response from the AssumeRoleWithWebIdentity service method, as returned by AmazonSecurityTokenService.</returns>
///
/// <exception cref="PackedPolicyTooLargeException"/>
/// <exception cref="IDPRejectedClaimException"/>
/// <exception cref="MalformedPolicyDocumentException"/>
/// <exception cref="InvalidIdentityTokenException"/>
/// <exception cref="ExpiredTokenException"/>
/// <exception cref="IDPCommunicationErrorException"/>
public AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity(AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest)
{
IAsyncResult asyncResult = invokeAssumeRoleWithWebIdentity(assumeRoleWithWebIdentityRequest, null, null, true);
return EndAssumeRoleWithWebIdentity(asyncResult);
}
private Amazon.SecurityToken.Model.Credentials GetStsCredentials(AssumeRoleWithWebIdentityRequest assumeRequest)
{
var assumeResult = Amazon.Runtime.Internal.Util.AsyncHelpers.RunSync<AssumeRoleWithWebIdentityResponse>(() => sts.AssumeRoleWithWebIdentityAsync(assumeRequest));
var credentials = assumeResult.Credentials;
return credentials;
}
// Retrieves credentials for the specific role, by making a call to STS
private CredentialsRefreshState GetCredentialsForRole(string roleArn)
{
CredentialsRefreshState credentialsState;
// Retrieve Open Id Token
// (Reuses existing IdentityId or creates a new one)
var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = GetIdentityId() };
// If logins are set, pass them to the GetOpenId call
if (Logins.Count > 0)
getTokenRequest.Logins = Logins;
var getTokenResult = GetOpenId(getTokenRequest);
string token = getTokenResult.Token;
// IdentityId may have changed, save the new value
UpdateIdentity(getTokenResult.IdentityId, true);
// Assume role with Open Id Token
var assumeRequest = new AssumeRoleWithWebIdentityRequest
{
WebIdentityToken = token,
RoleArn = roleArn,
RoleSessionName = "NetProviderSession",
DurationSeconds = DefaultDurationSeconds
};
var credentials = GetStsCredentials(assumeRequest);
credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
return credentialsState;
}
private Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityResponse CallAWSServiceOperation(IAmazonSecurityTokenService client, Amazon.SecurityToken.Model.AssumeRoleWithWebIdentityRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Security Token Service", "AssumeRoleWithWebIdentity");
try
{
#if DESKTOP
return(client.AssumeRoleWithWebIdentity(request));
#elif CORECLR
return(client.AssumeRoleWithWebIdentityAsync(request).GetAwaiter().GetResult());
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingFacebook(
string client_id,
string role)
{
string query = "https://www.facebook.com/dialog/oauth?" +
string.Format ("client_id={0}&", client_id) +
"response_type=token&" +
"redirect_uri=https://www.facebook.com/connect/login_success.html";
AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
new AssumeRoleWithWebIdentityRequest ()
{
ProviderId = "graph.facebook.com",
WebIdentityToken = GetToken("access_token", query),
RoleArn = role,
};
return GetAssumeRoleWithWebIdentityResponse (assumeRoleWithWebIdentityRequest);
}
public AssumeRoleWithWebIdentityResponse GetTemporaryCredentialUsingAmazon(
string client_id,
string role)
{
string query = "https://www.amazon.com/ap/oa?" +
string.Format("client_id={0}&", client_id) +
"response_type=token&" +
"scope=profile&" +
"redirect_uri=https://www.google.com";
AssumeRoleWithWebIdentityRequest assumeRoleWithWebIdentityRequest =
new AssumeRoleWithWebIdentityRequest ()
{
ProviderId = "www.amazon.com",
WebIdentityToken = GetToken("access_token", query),
RoleArn = role
};
return GetAssumeRoleWithWebIdentityResponse(
assumeRoleWithWebIdentityRequest);
}
private async System.Threading.Tasks.Task<CredentialsRefreshState> GetCredentialsForRoleAsync(string roleArn)
{
CredentialsRefreshState credentialsState;
// Retrieve Open Id Token
// (Reuses existing IdentityId or creates a new one)
var identity = await GetIdentityIdAsync(RefreshIdentityOptions.Refresh).ConfigureAwait(false);
var getTokenRequest = new GetOpenIdTokenRequest { IdentityId = identity };
// If logins are set, pass them to the GetOpenId call
if (Logins.Count > 0)
getTokenRequest.Logins = Logins;
bool retry = false;
GetOpenIdTokenResponse getTokenResult = null;
try
{
getTokenResult = await cib.GetOpenIdTokenAsync(getTokenRequest).ConfigureAwait(false);
}
catch (AmazonCognitoIdentityException e)
{
if (ShouldRetry(e))
retry = true;
else
throw;
}
if (retry)
{
return await GetCredentialsForRoleAsync(roleArn);
}
string token = getTokenResult.Token;
// IdentityId may have changed, save the new value
UpdateIdentity(getTokenResult.IdentityId);
// Assume role with Open Id Token
var assumeRequest = new AssumeRoleWithWebIdentityRequest
{
WebIdentityToken = token,
RoleArn = roleArn,
RoleSessionName = "NetProviderSession",
DurationSeconds = DefaultDurationSeconds
};
var credentials = (await sts.AssumeRoleWithWebIdentityAsync(assumeRequest).ConfigureAwait(false)).Credentials;
// Return new refresh state (credentials and expiration)
credentialsState = new CredentialsRefreshState(credentials.GetCredentials(), credentials.Expiration);
return credentialsState;
}
