Getting cross client id token for AWS from Google Sign-In SDK


I'm trying to integrate Google with Amazon Cognito in an iOS application using the Google Sign-In SDK but I can't seem to figure out how to obtain the JWT id token correctly. Everything is set up correctly, I believe, as both Google Sign-In and Cognito work independently.

I am setting up the GIDSignIn like this.

// Request the Google scopes, then set the iOS client ID and the server (backend) client ID
[GIDSignIn sharedInstance].scopes = @[kGTLAuthScopePlusLogin, kGTLAuthScopeDrive];
[[GIDSignIn sharedInstance] setClientID:kClientID];
[[GIDSignIn sharedInstance] setServerClientID:kServerClientId];

and then to get the id_token, as specified here, with the exception being that I am using Google Sign-In and not Google+ sign-in, which has no GTMOAuth2Authentication.

- (void)googleSignedIn:(GIDGoogleUser *)user
{
    NSLog(@"AWSManager: Google signed in, id token = %@", user.authentication.idToken);
    NSString *idToken = user.authentication.idToken;
    // Hand the Google ID token to Cognito under the Google login provider key
    self.credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyGoogle): idToken };
}

but the idToken is not a JSON-formatted web token, it is just a hunk of characters. AWS throws this error --

AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:185 
| __51-[AWSAbstractCognitoIdentityProvider getIdentityId]_block_invoke169 
| GetId failed. 

Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=9 
"The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 9.)" 
UserInfo=0x8fa5eb8e4e40{__type=NotAuthorizedException, message=Token is not from a supported provider of this identity pool.}]

I have no idea what I'm to do. I'm pretty new to Objective-C and have done all of this on Android before. On Android I did:

   // Audience-scoped server client ID, so the returned token is an ID token for the backend
   String mServerClientId = "audience:server:client_id:xxxxxxxxxx.apps.googleusercontent.com";
   String token = GoogleAuthUtil.getToken(getApplicationContext(), accountName, mServerClientId);

to retrieve the tokens, but as far as I can tell there's nothing like that on iOS. I can provide more information if needed.

Thanks!

On BEST ANSWER

From the error it looks like the clientId is not set up correctly in the identity pool configuration. Google has different client IDs for each platform; to support multiple client IDs, you should use Cognito's support for generic OpenID Connect identity providers. Please follow these steps:

  1. Go to the AWS IAM Console's identity provider section.
  2. Create an OpenId Connect Identity Provider with provider URL as https://accounts.google.com and Audience as one of the client Ids.
  3. Follow the steps to create identity provider and later you will have an option to add additional client ids.
  4. Go to Amazon Cognito Console.
  5. Create or edit an identity pool and add the OpenID connect identity provider to the pool. This will allow you to trust multiple client Ids.

You can follow the Cognito documentation for Google login here and OpenID connect providers here.

Additionally, the token which you are getting is actually Base64-encoded. It has three parts separated by a period.

  1. The algorithm which is used.
  2. The payload.
  3. The signature which Cognito validates.

You can use this cool tool for decoding the tokens.

Thanks,
Rachit
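To make the three-part structure and the "Token is not from a supported provider" error concrete, here is an added Python example (not code from the question, the answer, or the AWS or Google SDKs). It splits a JWT into header, payload and signature, then applies the issuer, audience and expiry checks that decide whether the token's `aud` matches a client ID configured on the Cognito OIDC provider; the client IDs and the sample token are constructed placeholders, and signature verification against Google's keys is left out because Cognito performs that step.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_jwt(token: str):
    """Return (header, payload, signature_bytes); the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, payload, b64url_decode(parts[2])


def why_cognito_rejects(token: str, trusted_audiences: set, now=None):
    """Mirror the iss/aud/exp checks a Cognito OIDC provider applies; return None
    when the claims would pass, else a short reason. Signature verification
    against Google's published keys is left to Cognito itself."""
    now = time.time() if now is None else now
    header, payload, _ = split_jwt(token)
    if header.get("alg") != "RS256":
        return f"unexpected alg {header.get('alg')!r}"
    if payload.get("iss") not in GOOGLE_ISSUERS:
        return f"iss {payload.get('iss')!r} is not Google"
    aud = payload.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if not auds & trusted_audiences:
        return f"aud {sorted(auds)} is not in the provider's client ID list"
    if payload.get("exp", 0) < now:
        return "token expired"
    return None


def make_sample_token(payload: dict) -> str:
    """Constructed sample token; a real Google token carries an RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    segs = [b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(segs + [b64url_encode(b"constructed-signature")])
```

Paste a real token from the NSLog line into `split_jwt` to see its `aud`; if that value is the iOS client ID and the identity pool only trusts the server client ID, adding the iOS ID to the OIDC provider's client ID list is what clears the error.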