Choose your framework/language

v1v2
Edit on GitHub

Page updated Dec 5, 2023

Federated identities

You are currently viewing the AWS SDK for Mobile documentation which is a collection of low-level libraries. Use the Amplify libraries for all new app development. Learn more

Currently, the federation feature in the AWSMobileClient supports Cognito Identity Pools only.

Federated Sign In

1AWSMobileClient.getInstance().federatedSignIn(IdentityProvider.FACEBOOK.toString(), "FACEBOOK_TOKEN_HERE", new Callback<UserStateDetails>() {
2    @Override
3    public void onResult(final UserStateDetails userStateDetails) {
4        //Handle the result
5    }
6

7    @Override
8    public void onError(Exception e) {
9        Log.e(TAG, "sign-in error", e);
10    }
11});

federatedSignIn() can be used to obtain federated "Identity ID" using external providers like Google, Facebook or Twitter. If the tokens are expired and new tokens are needed, a notification will be dispatched on the AWSMobileClient listener with the user state SIGNED_OUT_FEDERATED_TOKENS_INVALID. You can give the updated tokens via the same federatedSignIn() method.

The API calls to get AWS credentials will be asynchronously blocked until you fetch the social provider's token and give it to AWSMobileClient. Once you pass the tokens, the AWSMobileClient will fetch AWS Credentials using the new tokens and unblock all waiting calls. It will then use the new credentials.

SAML with Cognito Identity

To federate your SAML sign-in provider as a user sign-in provider for AWS services called in your app, you will pass tokens to AWSMobileClient.getInstance().federatedSignIn(). You must first register your SAML application with AWS IAM by using the following instructions.

Once you retrieve the SAML tokens from your sign-in, you can call the federatedSignIn API in AWSMobileClient:

1// Perform SAML token federation
2AWSMobileClient.getInstance().federatedSignIn("YOUR_SAML_PROVIDER_NAME", "YOUR_SAML_TOKEN", new Callback<UserStateDetails>() {
3    @Override
4    public void onResult(final UserStateDetails userStateDetails) {
5        //Handle the result
6    }
7

8    @Override
9    public void onError(Exception e) {
10        Log.e(TAG, "sign-in error", e);
11});

**Note:**If the SAML token contains more than one Role ARN, you will need to specify which role will be assumed when federating. If the SAML token has more than one Role ARN and a customRoleARN is not specified, it will result in an error.

1// Choose one of the roles available in the token
2FederatedSignInOptions options = FederatedSignInOptions.builder()
3                                     .customRoleARN("choose-one")
4                                     .build();
5// Perform SAML token federation
6AWSMobileClient.getInstance().federatedSignIn("YOUR_SAML_PROVIDER_NAME", "YOUR_SAML_TOKEN", options, new Callback<UserStateDetails>() {
7    @Override
8    public void onResult(final UserStateDetails userStateDetails) {
9        //Handle the result
10    }
11

12    @Override
13    public void onError(Exception e) {
14        Log.e(TAG, "sign-in error", e);
15});

Set up Facebook

To federate Facebook as a user sign-in provider for AWS services called in your app, you will pass tokens to AWSMobileClient.getInstance().federatedSignIn(). You must first register your application with Facebook by using the Facebook Developers portal and configure this with Amazon Cognito Identity Pools.

AWS Amplify helps set this up for you but first this topic explains how to set up Facebook as an identity provider for your app.

If you already have a Facebook app ID, you can copy and paste it into the Facebook App ID field when configuring authentication using the AWS Amplify CLI.

To get a Facebook app ID

Set up your app in Facebook by following Facebook's App Development guide. Sign in to the Facebook Developers portal:

  • Choose Add a New App (or choose a previously created app from My Apps).
    • If asked, choose the platform of your app that will use Facebook Login and choose basic setup.
  • Type a display name for your app, select a category for your app from the Category drop-down list, then choose Create App ID; take note of the App ID.
  • In the Facebook Developer portal's left hand navigation list, choose Settings, Basic, then press the +Add Platform button.
  • Choose Android and add your app's Google Play Package Name (for example, com.example.YourProjectName) and Class Name.
  • Choose Save changes

Only users with roles assigned in the Facebook portal will be able to authenticate through your app while it is in development (not yet published). To authorize users, in the Facebook Developer portal's left hand navigation list, choose Roles, then Add Testers and provide valid Facebook IDs.

For more information about integrating with Facebook Login see the Facebook Login Getting Started Guide.

Amplify CLI Configuration - Facebook

In a terminal window, navigate to the root of your app files and add the auth category to your app. The CLI prompts you for configuration parameters. Choose I will setup my own configuration and AWS IAM controls when prompted.

1cd YOUR_PROJECT_FOLDER
2amplify add auth              ##"amplify update auth" if already configured
1❯ Manual Configuration.
2❯ User Sign-Up, Sign-In, connected with AWS IAM controls

Choose YES to ? Allow unauthenticated logins? and YES to ? Do you want to enable 3rd party authentication providers in your identity pool?

Choose Facebook and then provide your Facebook App ID that you saved earlier.

When configuration for Facebook sign-in is complete, the CLI displays a message confirming that you have configured local CLI metadata for this category. Run the following to update your changes in the cloud:

1amplify push

You can now configure Facebook in your mobile app.

Note that the CLI allows you to select more than one identity provider for your app. You can also run amplify auth update to add an identity provider to an existing auth configuration.

Set up Google

To federate Google as a user sign-in provider for AWS services called in your app, you will pass tokens to AWSMobileClient.getInstance().federatedSignIn(). You must first register your application with Google Sign-In in the Google Developers Console, and then configure this with Amazon Cognito Identity Pools.

To implement Google Sign-in into your iOS app, you need two things:

  1. OAuth Web Client ID
  2. Android Client ID

These Client IDs are part of your Google Developers project. The Web Client ID will be used by Cognito Identity Pools to manage the OAuth flow between Cognito and Google on the server side. The Android Client ID will be used in your Android app to authorize the OAuth flow directly with Google allowing your users to authenticate with Google using their Google login credentials.

NOTE: The creation and configuration steps for creating OAuth Clients for Google Sign-In is constantly changing, always refer to the official setup instructions from Google.

First, navigate to the "Start Integrating" section of the Google Developer portal and click CREATE AN OAUTH CLIENT ID to get an OAuth client ID.

When prompted choose Android as the calling platform along with your Package name and certificate. Once created the Android Client ID will be created; take note of this value.

Next, obtain your OAuth Web Client ID by navigating to the Credentials section of the Google Developer console. Select your project (you may need to click All) and under OAuth 2.0 client IDs copy the Client ID associated with the Web application type; take note of this value.

Amplify CLI Configuration - Google

In a terminal window, navigate to the root of your app files and add auth. The CLI prompts you for configuration parameters. Choose I will setup my own configuration and AWS IAM controls when prompted.

1cd YOUR_PROJECT_FOLDER
2amplify add auth # or `amplify update auth`
1❯ Manual Configuration
2❯ User Sign-Up, Sign-In, connected with AWS IAM controls

Choose YES to ? Allow unauthenticated logins? and YES to ? Do you want to enable 3rd party authentication providers in your identity pool?

Choose Google and then provide the Web Client ID and iOS Client ID noted above. Once complete, run the following to update your backend:

1amplify push

You can now configure Google in your mobile app.

Note that the CLI allows you to select more than one identity provider for your app. You can also run amplify update auth to add an identity provider to an existing auth configuration.

Set up Sign in with Apple

To federate Sign in with Apple as a user sign-in provider for AWS services called in your app, you will pass tokens to AWSMobileClient.getInstance().federatedSignIn(). You must set up your application to use Sign in with Apple, and then configure Amazon Cognito Identity Pools to use Apple as an authentication provider. There are three main steps to setting up Sign in with Apple: implementing Sign in with Apple in your app, configuring Sign in with Apple as an authentication provider in your Amazon Cognito Identity Pool, and passing the Sign in with Apple token to AWSMobileClient via federatedSignIn.

  1. Implementing Sign in with Apple in your app

    Since we don’t have an SDK that supports Sign in with Apple for Android, you need to use the web flow in a web view. To configure Sign in with Apple in your application, follow Configuring Your Webpage for Sign In with Apple in the Apple documentation. To add a Sign in with Apple button to your Android user interface, follow Displaying and Configuring Sign In with Apple Buttons in the Apple documentation. To securely authenticate users using Sign in with Apple, follow Configuring Your Webpage for Sign In with Apple in the Apple documentation.

  2. Configuring Sign in with Apple as an authentication provider in your Amazon Cognito Identity Pool

    Once you have configured your application to use Sign in with Apple, paste your app's Service Identifier into the Apple Services ID field of your Amazon Cognito Identity Pool. The Service Identifier can be found in the Certificates, IDs & Profiles section of your Apple Developer Account.

  3. Passing the Sign in with Apple token to AWSMobileClient via federatedSignIn

    Sign in with Apple uses a session object to track its state. Amazon Cognito uses the id token from this session object to authenticate the user, generate the unique identifier, and, if needed, grant the user access to other AWS resources.

    Once you have configured Sign in with Apple as an authentication provider for your Amazon Cognito Identity Pool, and your app implements authentication with Sign in with Apple, you can retrieve the id_token value of the Sign in with Apple authentication response to use as the token for the federatedSignIn method:

    1// The onSuccess method of your app's Sign in with Apple flow
    2

    3@Override
    4public void onSuccess(Bundle response) {
    5    String token = response.getString("id_token");
    6

    7    AWSMobileClient.getInstance().federatedSignIn("appleid.apple.com", token, new Callback<UserStateDetails>() {
    8        @Override
    9        public void onResult(final UserStateDetails userStateDetails) {
    10            //Handle the result
    11        }
    12

    13        @Override
    14        public void onError(Exception e) {
    15            Log.e(TAG, "sign-in error", e);
    16        }
    17    });
    18}

    After the federatedSignIn method successfully completes, AWSMobileClient will automatically use the federated identity to obtain credentials to make AWS service calls.

Facebook Login in Your Mobile App

Use Android API level 23 or higher The AWSMobileClient library for Android sign-in provides the activity and view for presenting a SignInUI for the sign-in providers you configure. This library depends on the Android SDK API Level 23 or higher.

Add the following permissions and Activity to your AndroidManifest.xml file:

1<uses-permission android:name="android.permission.INTERNET"/>
2<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
3

4<activity
5    android:name="com.facebook.FacebookActivity"
6    android:exported="true">
7<intent-filter>
8    <action android:name="android.intent.action.VIEW" />
9    <category android:name="android.intent.category.DEFAULT" />
10    <category android:name="android.intent.category.BROWSABLE" />
11    <data android:scheme="@string/fb_login_protocol_scheme" />
12</intent-filter>
13</activity>
14

15<meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/facebook_app_id" />

Add the following dependencies to your app/build.gradle file:

1dependencies {
2    // Mobile Client for initializing the SDK
3    implementation 'com.amazonaws:aws-android-sdk-mobile-client:ANDROID_SDK_VERSION'
4

5    // Facebook SignIn
6    implementation 'com.android.support:support-v4:28.+'
7    implementation 'com.amazonaws:aws-android-sdk-auth-facebook:ANDROID_SDK_VERSION'
8

9    // Sign in UI
10    implementation 'com.android.support:appcompat-v7:28.+'
11    implementation 'com.amazonaws:aws-android-sdk-auth-ui:ANDROID_SDK_VERSION'
12}

Note: When you add the dependencies, make sure that the major version of appcompat and support libraries match. In the previous example, you're using version 28.

In strings.xml, add string definitions for your Facebook app ID and login protocol scheme. The value for app_id is your Facebook app ID and the value for logic_protocol_scheme should be your Facebook app ID prefixed with fb.

1<string name="facebook_app_id">1231231231232123123</string>
2<string name="fb_login_protocol_scheme">fb1231231231232123123</string>

Next, create an activity that will present your sign-in screen. In Android Studio, choose File > New > Activity > Basic Activity and type an activity name, such as AuthenticatorActivity. If you want to make this your starting activity, move the intent filter block containing .LAUNCHER to the AuthenticatorActivity in your app's AndroidManifest.xml.

1<activity android:name=".AuthenticatorActivity">
2    <intent-filter>
3        <action android:name="android.intent.action.MAIN" />
4        <category android:name="android.intent.category.LAUNCHER" />
5    </intent-filter>
6</activity>

Finally, you can update the onCreate function of your AuthenticatorActivity to call AWSMobileClient.getInstance().federatedSignIn() as outlined earlier.

1import android.app.Activity;
2import android.os.Bundle;
3

4import com.amazonaws.mobile.auth.ui.SignInUI;
5import com.amazonaws.mobile.client.AWSMobileClient;
6import com.amazonaws.mobile.client.AWSStartupHandler;
7import com.amazonaws.mobile.client.AWSStartupResult;
8

9public class AuthenticatorActivity extends Activity {
10    @Override
11    protected void onCreate(Bundle savedInstanceState) {
12        super.onCreate(savedInstanceState);
13        setContentView(R.layout.activity_authenticator);
14

15        AWSMobileClient.getInstance().initialize(this, new Callback<UserStateDetails>() {
16            @Override
17            public void onResult(UserStateDetails userStateDetails) {
18                Log.i("INIT", userStateDetails.getUserState());
19                AWSMobileClient.getInstance().showSignIn(
20                        AuthenticatorActivity.this,
21                        SignInUIOptions.builder()
22                                .nextActivity(NextActivity.class)
23                                .build(),
24                        new Callback<UserStateDetails>() {
25                            @Override
26                            public void onResult(UserStateDetails result) {
27                                Log.d(TAG, "onResult: " + result.getUserState());
28                            }
29

30                            @Override
31                            public void onError(Exception e) {
32                                Log.e(TAG, "onError: ", e);
33                            }
34                        }
35                );
36            }
37

38            @Override
39            public void onError(Exception e) {
40                Log.e("INIT", "Error during initialization", e);
41            }
42        });
43    }
44}

Google Login in Your Mobile App

Use Android API level 23 or higher The AWSMobileClient library for Android sign-in provides the activity and view for presenting a SignInUI for the sign-in providers you configure. This library depends on the Android SDK API Level 23 or higher.

Add the following permissions to your AndroidManifest.xml file:

1<uses-permission android:name="android.permission.INTERNET"/>
2<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>

Add the following dependencies to your app/build.gradle file:

1dependencies {
2    // Mobile Client for initializing the SDK
3    implementation 'com.amazonaws:aws-android-sdk-mobile-client:ANDROID_SDK_VERSION'
4

5    // Google SignIn
6    implementation 'com.android.support:support-v4:28.+'
7    implementation 'com.amazonaws:aws-android-sdk-auth-google:ANDROID_SDK_VERSION'
8

9    // Sign in UI Library
10    implementation 'com.android.support:appcompat-v7:28.+'
11    implementation 'com.amazonaws:aws-android-sdk-auth-ui:ANDROID_SDK_VERSION'
12}

Note: When you add the dependencies, make sure that the major version of appcompat and support libraries match. In the previous example, you're using version 28.

Create an activity that will present your sign-in screen. In Android Studio, choose File > New > Activity > Basic Activity and type an activity name, such as AuthenticatorActivity. If you want to make this your starting activity, move the intent filter block containing .LAUNCHER to the AuthenticatorActivity in your app's AndroidManifest.xml.

1<activity android:name=".AuthenticatorActivity">
2    <intent-filter>
3        <action android:name="android.intent.action.MAIN" />
4        <category android:name="android.intent.category.LAUNCHER" />
5    </intent-filter>
6</activity>

Finally, you can update the onCreate function of your AuthenticatorActivity to call AWSMobileClient.getInstance().federatedSignIn() as outlined earlier.

1import android.app.Activity;
2import android.os.Bundle;
3

4import com.amazonaws.mobile.auth.ui.SignInUI;
5import com.amazonaws.mobile.client.AWSMobileClient;
6import com.amazonaws.mobile.client.AWSStartupHandler;
7import com.amazonaws.mobile.client.AWSStartupResult;
8

9public class AuthenticatorActivity extends Activity {
10    @Override
11    protected void onCreate(Bundle savedInstanceState) {
12        super.onCreate(savedInstanceState);
13        setContentView(R.layout.activity_authenticator);
14

15        AWSMobileClient.getInstance().initialize(this, new Callback<UserStateDetails>() {
16            @Override
17            public void onResult(UserStateDetails userStateDetails) {
18                Log.i("INIT", userStateDetails.getUserState());
19                AWSMobileClient.getInstance().showSignIn(
20                        AuthenticatorActivity.this,
21                        SignInUIOptions.builder()
22                                .nextActivity(NextActivity.class)
23                                .build(),
24                        new Callback<UserStateDetails>() {
25                            @Override
26                            public void onResult(UserStateDetails result) {
27                                Log.d(TAG, "onResult: " + result.getUserState());
28                            }
29

30                            @Override
31                            public void onError(Exception e) {
32                                Log.e(TAG, "onError: ", e);
33                            }
34                        }
35                );
36            }
37

38            @Override
39            public void onError(Exception e) {
40                Log.e("INIT", "Error during initialization", e);
41            }
42        });
43    }
44}
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.