I'm trying to integrate Google with Amazon Cognito in an iOS application using the Google Sign-In SDK but I can't seem to figure out how to obtain the JWT id token correctly. Everything is set up correctly, I believe, as both Google Sign-In and Cognito work independently.
I am setting up the GIDSignIn like this.
[GIDSignIn sharedInstance].scopes = @[kGTLAuthScopePlusLogin, kGTLAuthScopeDrive];
[[GIDSignIn sharedInstance] setClientID:kClientID];
[[GIDSignIn sharedInstance] setServerClientID:kServerClientId];
and then to get the id_token, as specified here, with the exception being that I am using Google Sign-In and not Google+ sign-in, which has no GTMOAuth2Authentication.
- (void)googleSignedIn:(GIDGoogleUser *)user
{
    NSLog(@"AWSManager: Google signed in, id token = %@", user.authentication.idToken);
    NSString *idToken = user.authentication.idToken;
    // Hand the Google id token to Cognito under the Google login provider key
    self.credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyGoogle): idToken };
}
but the id token is not a JSON-formatted web token; it is just a hunk of characters. AWS throws this error --
AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:185
| __51-[AWSAbstractCognitoIdentityProvider getIdentityId]_block_invoke169
| GetId failed.
Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=9
"The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 9.)"
UserInfo=0x8fa5eb8e4e40{__type=NotAuthorizedException, message=Token is not from a supported provider of this identity pool.}]
I have no idea what I'm to do. I'm pretty new to Objective-C and have done all of this on Android before. On Android I did:
String mServerClientId = "audience:server:client_id:xxxxxxxxxx.apps.googleusercontent.com"
String token = GoogleAuthUtil.getToken(getApplicationContext(), accountName, mServerClientId);
to retrieve the tokens, but as far as I can tell there's nothing like that on iOS. I can provide more information if needed.
Thanks!
From the error it looks like the client ID is not set up correctly in the identity pool configuration. Google has different client IDs for each platform; to support multiple client IDs, you should use Cognito's support for generic OpenID Connect identity providers. Please follow these steps:
You can follow the Cognito documentation for Google login here and OpenID connect providers here.
Additionally, the token which you are getting is actually Base64 encoded. It has three parts separated by periods.
You can use this cool tool for decoding the tokens.
Thanks,
Rachit
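As an added illustration of the answer above (this is not code from the original thread or from the AWS or Google SDKs): the id token is three base64url segments joined by periods, and the "Token is not from a supported provider" error is what you get when the token's aud claim does not equal the client ID registered in the identity pool. The helper below splits a token, decodes the header and payload without verifying the signature (Cognito does the signature check server-side; this is only a local diagnostic), and reports the mismatches that would make Cognito reject it. The sample token, its kid, sub and email values, and the signature segment are constructed placeholders; the expected audience reuses the xxxxxxxxxx.apps.googleusercontent.com form from the Android snippet in the question.

```python
import base64
import json
import time
from typing import List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a JWT into (header, payload) dicts WITHOUT checking the signature.

    Only use this to inspect claims locally; trust decisions must rely on a
    verifier that checks the signature against Google's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def diagnose_for_cognito(token: str, expected_audience: str,
                         now: Optional[float] = None) -> List[str]:
    """Return the reasons a Google-provider Cognito identity pool configured
    with expected_audience would refuse this token (empty list == looks fine)."""
    problems: List[str] = []
    header, payload = decode_jwt_unverified(token)

    if header.get("alg") == "none":
        problems.append("unsigned token (alg=none)")

    iss = payload.get("iss")
    if iss not in ("accounts.google.com", "https://accounts.google.com"):
        problems.append(f"issuer {iss!r} is not accounts.google.com")

    # This is the check behind NotAuthorizedException in the question: the aud
    # must be the client ID the identity pool was configured with.
    aud = payload.get("aud")
    if aud != expected_audience:
        problems.append(f"aud {aud!r} does not match the client ID registered in the identity pool")

    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(aud: str, exp: int) -> str:
    """Build a CONSTRUCTED token with the shape Google returns.

    The kid, sub, email and signature segment are placeholders, not real
    values, and the signature will not verify against any key.
    """
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    payload = {
        "iss": "accounts.google.com",
        "aud": aud,
        "sub": "000000000000000000000",
        "email": "user@example.com",
        "iat": exp - 3600,
        "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-signature"),
    ])


if __name__ == "__main__":
    # Placeholder server client ID, in the form shown in the question.
    SERVER_CLIENT_ID = "xxxxxxxxxx.apps.googleusercontent.com"
    token = make_sample_token("someother.apps.googleusercontent.com", exp=2_000_000_000)
    header, payload = decode_jwt_unverified(token)
    print("header :", header)
    print("payload:", payload)
    print("problems:", diagnose_for_cognito(token, SERVER_CLIENT_ID, now=1_900_000_000))
```

Run it against the real token printed by the NSLog in the question (paste it as the token argument): if diagnose_for_cognito reports an aud mismatch, the iOS client is minting a token for a client ID other than the one the identity pool trusts, which is exactly the configuration problem the answer points at.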