Deployment settings
There are some deployment wide settings that can be configured based on your requirements. Please understand the implications before enabling.
OAuth only deployment
An alternative cost-effective solution for identity management based on the standard OAuth 2.0 protocol which allows just social logins. This uses Amazon Cognito Identity pool instead of User pool. This changes a lot of configuration on the client side. All RainMaker functionality is supported except the below list.
This setting is not for existing customers. Please read all the Feature limitations, as this action cannot be reversed.
Feature limitations:
- Phone app Sign up and Login experience: The native app experience of logging in with username and password will be replaced with a pop-up URL redirected to browser. This will be fine if you plan to use standard social identity providers as they always require browser. However, username password based users will be impacted.
- Mutiple Identity providers are not supported for Voice assistant account linking.
- Email and phone number based users cannot be directly created. Hence, Signup, password operations are disabled. (You can however use Amazon Cognito from any AWS account or any other standard OIDC provider which support such users.)
- Admin user management: MFA is unsupported. Also, standard APIs and Cloud to Cloud based APIs aren't supported.
- REST API gateway is unavailable (HTTP API gateway is the default). For more details refer to RainMaker API URL (Base URL). As a result, API rate limiting is also unavailable.
- Enabling or disabling identity providers per app client (Right now all are enabled) is not customisable.
- ESP Insights is unsupported for now.
- Superadmin user email cannot be updated. (Swagger)
OAuth limitations (Not implemented yet):
- Implicit grant (Legacy and less secure)
- Client credentials grant
- Device Code grant
- PKCE
- Scope restriction (Just openid supported for now)
- Token revocation
- Client Authentication: client_secret_jwt, private_key_jwt
- State
If you require support for any of the above features, get in touch with the RainMaker support team. (esp-rainmaker-support@espressif.com)
Steps to enable
- Login: Login using the API using HTTP Base URL from the deployment details email sent to the superadmin. You will get an accesstoken in response to this. This will be required in the 'Authorization' header of all further API requests.
Please note if you change your password before this step anytime, you will have to do 'forgot password' again after enabling OAuth_only setting and set the password.
-
Enable setting: Call the Deployment settings API to enable 'OAuth_only' to true.
-
Now like standard OAuth 2.0 we can add any OIDC compliant providers like Google, Apple, or Amazon Cognito.
How to know if an Identity provider is OIDC compliant?
There should be a discovery URL like: .well-known/openid-configuration
. Examples:
As a pre-requisite to use RainMaker, the users of your Identity provider should have an associated email or phone number. This should be embedded in the JWT IdToken, fields: email
or phone_number
-
Create OAuth client in the Identity provider of your choice:
Callback or Redirect URL to be allowed:
{HTTP API Endpoint}/cognitocallback
where:
- HTTP API Endpoint: Follow these steps to get the URL
importantRainMaker users require an email Id or phone number. Hence make sure you allow the scope giving access to this information.
Example: Cognito as the Identity provider: Steps for Cognito can be accessed here. If using Cognito as the identity provider, make sure you include 'aws.cognito.signin.user.admin' in the scope. This is to support the Change password feature out of the box for Cognito users.
By the end of this step, you will have a client id (or app id) and secret from the Identity provider console.
-
Add provider to RainMaker: Apple and Google have in built support and can be directly added.
- Adding Google as an Identity provider in RainMaker
- Adding Apple as an Identity provider in RainMaker
For others, Use the API. Refer example 'OIDC provider (OAuth only deployment).
where:
- client_id and client_secret fetched from step 6
- oidc_url: The OIDC issuer URL (Adding .well-known/openid-configuration should give the OIDC metadata. Ref: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
Verifying OAuth login works
Authorisation code grant
- Go to a browser of your choice
- Paste the Authorize API where client ID and redirect URL can be fetched from the dashboard using steps and the identity_provider will be the provider name you configured above
- The Identity provider sign-in page should open. Login.
- You should get a code on the redirect URI in the browser now (Inspect the page if required)
- Now call the Token API with the grant_type:
authorization_code
, code and other parameters - You should receive success response with tokens
Resource Owner Password Credentials (ROPC) grant
- Call the Token API with the grant_type:
password
, username, password, client Id, client secret, and identity_provider will be the provider name you configured above - You should receive success response with tokens
Phone app configurations
-
tokenUrl:
{HTTP Base URL}/{Stage}/token
(Swagger) -
Verify the redirect URIs for both Android and iOS are added to Client. For more info check steps
Please get in touch with the ESP RainMaker support team (esp-rainmaker-support@espressif.com) for more information.