<Connect with the audience>
If you’re anything like me, this is probably how that makes you feel. <pause, hopefully for a bit of laughter>
The good news is that there is a lot of help. I’ll try to give you a bit of a roadmap today on how you might think about going on this journey.
Firstly, you’ll need to take a look at your organisation and the teams that are working on your projects.
You’ll need to put some new definitions around your architecture.
You will probably need to know how to deal with your existing application investments, so we’ll talk about how to approach migrations.
And lastly, I’ll try to give you some of my best tips, tricks and best practices for avoiding some of those challenges along the way, and hopefully some of the frustration this poor guy is feeling.
Who Loves AAA?! Who Hates it?
We have amazing services that integrate to your app and provide essential features for your users.
Authentication, Data Sync, Analytics, media, push notifications, serverless backends, enterprise features and chat bots
However it might take some time to get acquainted, learn and configure all these services and how they interact with each other. Time you could be using to focus on your application code.
AWS have successfully removed the undifferentiated heavy lifting of infrastructure. Now we’re going one step further: what if I told you we could also remove the heavy lifting of provisioning and configuring your mobile backend for you?
Pulling this all together is easier through Mobile SDKs for iOS, Android, Xamarin, Unity…or use Mobile Hub which makes development even simpler with a single integrated console.
This is what our Mobile Hub service is here for! With Mobile Hub you can select, mix and match what features you want to add to your app and the related services are automatically provisioned for you, bootstrapping your mobile backend in a matter of minutes! Not only that but all the backend services are pre-configured and personalized with all the best practices and security in mind.
Session Based Auth
Server does the heavy lifting. Stateful.
A client session ID is attached to every request and mapped to the user ID in server-side storage, so every request needs a lookup on the server.
Pros: auditing, and immediate revocation (delete the session on the server and the next request is rejected).
Token Based Auth
Stateless: nothing about the session is persisted on the server.
Validation is just checking the token’s signature (plus its issuer, audience and expiry claims). The trade-off is that a token cannot be revoked before it expires without reintroducing server-side state.
Create and manage User Pools - Create, configure, and delete multiple user pools across AWS regions
Define Custom Attributes - Define custom attributes for your user profiles
Require Submission of Attribute Data - Select which attributes must be provided by the user prior to completion of the sign-up process
Set per-App Permissions - Set read and write permissions for each user attribute on a per-app basis
Set up Password Policies - Enforce password policies like minimum length and requirement of certain types of characters
Search Users - Search users based on a full match or a prefix match of their attributes through the console or Admin API
Manage Users - Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
User Sign-Up and Sign-In
Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
User Profile Data
Enable users to view and update their profile data – including custom attributes
Provide users the ability to change their password when they forget it with a one-time password challenge
Token Based Authentication
Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
Email or Phone Number Verification
Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
SMS Multifactor Authentication
Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
Lambda is our serverless compute service, which lets you run code without provisioning or managing servers. And you can use Lambda in conjunction with User Pools to customise the user flow according to your business requirements.
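As an added example (not code from the talk or from AWS), here is a Pre sign-up trigger in Python of the kind that plugs into a User Pool to customise the flow. It assumes a hypothetical allowlist of email domains and a hypothetical invite code that the app passes in validationData; the pool ID in the constructed event is also hypothetical. Raising an exception from a Pre sign-up trigger denies the sign-up and returns the message to the client; returning the event lets it proceed.

```python
import hmac

# Hypothetical policy values for the example; a real trigger would load them
# from configuration or a parameter store, never hard-code them.
ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}
INVITE_CODE = "demo-invite-code"

# The triggerSource values Cognito sends for the Pre sign-up trigger.
PRE_SIGNUP_TRIGGERS = {
    "PreSignUp_SignUp",
    "PreSignUp_AdminCreateUser",
    "PreSignUp_ExternalProvider",
}


def lambda_handler(event, context=None):
    """Pre sign-up trigger: enforce a domain allowlist and an invite code.

    Anything raised here denies the sign-up; the exception text goes back to the
    caller, so keep it generic and do not leak which check failed in detail.
    """
    if event.get("triggerSource") not in PRE_SIGNUP_TRIGGERS:
        raise Exception("unexpected trigger source")

    attrs = event["request"]["userAttributes"]
    email = attrs.get("email", "").strip().lower()
    local_part, at, domain = email.rpartition("@")
    if not at or not local_part or domain not in ALLOWED_EMAIL_DOMAINS:
        raise Exception("sign-up is limited to approved email domains")

    # validationData is client-supplied and unauthenticated; treat it as input.
    supplied = (event["request"].get("validationData") or {}).get("inviteCode", "")
    if not hmac.compare_digest(supplied.encode(), INVITE_CODE.encode()):
        raise Exception("a valid invite code is required")

    # Deliberately leave every auto* flag False: the user must still prove control
    # of the mailbox with the one-time code even though the domain is approved.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    event["response"]["autoVerifyPhone"] = False
    return event


def make_event(email, invite_code=None, trigger="PreSignUp_SignUp"):
    """Constructed test event in the shape Cognito sends (trimmed to the fields used)."""
    validation = {"inviteCode": invite_code} if invite_code is not None else {}
    return {
        "version": "1",
        "triggerSource": trigger,
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",  # hypothetical pool id
        "userName": email,
        "request": {"userAttributes": {"email": email}, "validationData": validation},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    ok = lambda_handler(make_event("alice@example.com", "demo-invite-code"))
    print("allowed:", ok["userName"], ok["response"])
```

The same handler shape (read request, decide, either raise or fill in response and return the event) applies to the other User Pool triggers such as Pre authentication and Post confirmation; only the fields in request and response differ.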
Before Migrate, Always Federate
Compact: Because of their smaller size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header (prefer the Authorization header: a token in a URL ends up in server logs, browser history and Referer headers). Additionally, the smaller size means transmission is fast.
Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
Stateless authentication mechanism as the user state is never saved in server memory
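The three JWT properties above and the earlier session-versus-token comparison, as one added example in Python that is not part of the talk or of any AWS SDK. It mints and verifies a compact JWT with nothing but the standard library and runs the claim checks a backend should apply to a User Pool token (issuer, token_use, audience, expiry). For self-containment it uses HS256 with a hypothetical shared secret; real User Pool tokens are RS256-signed and are verified against the pool's published JWKS. The issuer URL and client ID are hypothetical. The SessionStore at the end exists only to show the revocation trade-off.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical pool, client and key for the example only. Real Cognito tokens are
# RS256-signed and verified against the pool's JWKS, not a shared secret.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
SECRET = b"demo-shared-secret-do-not-use"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key=SECRET):
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key=SECRET, now=None, expected_use="id"):
    """Stateless validation: signature first, then the claims Cognito documents.

    Raises ValueError on any failure and returns the claims on success. No
    database lookup is involved, which is the self-contained property.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server side; never trust the alg the token announces.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # Cognito puts the app client id in 'aud' for ID tokens and 'client_id' for access tokens.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class SessionStore:
    """Session-based auth for contrast: the server holds the state, so a logout
    or admin revocation takes effect on the very next request."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user_id
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)  # None once revoked

    def revoke(self, sid):
        self._sessions.pop(sid, None)


def revocation_comparison(now=1_700_000_000):
    """A revoked session dies immediately; a JWT keeps verifying until exp."""
    store = SessionStore()
    sid = store.create("user-123")
    store.revoke(sid)
    session_still_valid = store.user_for(sid) is not None

    token = sign_jwt({"sub": "user-123", "iss": ISSUER, "aud": CLIENT_ID,
                      "token_use": "id", "iat": now, "exp": now + 3600})
    # Nothing on the server records a 'logout' for a JWT, so it still verifies.
    jwt_still_valid = verify_jwt(token, now=now + 1800)["sub"] == "user-123"
    return session_still_valid, jwt_still_valid


if __name__ == "__main__":
    print("session valid after revoke, jwt valid after 'revoke':", revocation_comparison())
```

Every check in verify_jwt is local to the request, which is exactly what makes the token stateless; the price is the second value returned by revocation_comparison. Keep token lifetimes short, or add a server-side denylist (which is state again) if you need immediate revocation.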
OAuth 2.0 looks at the problem of "How does Software A give Software B access to User X's data without Software B having access to User X's login credentials."
Redirect URIs must be registered with the OAuth service in advance and must use TLS, in order to prevent MITM attacks and to stop an attacker redirecting the authorization code to a host they control. The registration process gives the app its Client ID and Client Secret.
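The registration and redirect-URI rule above, as an added example in Python that is not from the talk or from any AWS service. It plays the authorization server: registration refuses non-https redirect URIs and hands back a client secret, and the authorization endpoint compares the requested redirect_uri against what was registered. The weak prefix match that many servers shipped is shown beside the exact string comparison that RFC 6749 §3.1.2.3 requires, with a constructed attacker URI that slips past the former. Client IDs, URIs and the in-memory registry are hypothetical.

```python
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Hypothetical in-memory client registry; a real server keeps this in its database.
CLIENTS = {}


def register_client(client_id, redirect_uris):
    """Registration: validate each redirect URI once, store it exactly, issue a secret."""
    accepted = set()
    for uri in redirect_uris:
        parts = urlsplit(uri)
        # TLS is mandatory so the authorization code cannot be read on the wire.
        # (Native-app loopback redirects per RFC 8252 are a special case not handled here.)
        if parts.scheme != "https":
            raise ValueError("redirect URI must use https: " + uri)
        if not parts.netloc or "@" in parts.netloc or parts.fragment:
            raise ValueError("redirect URI must have a host and no userinfo or fragment: " + uri)
        accepted.add(uri)
    secret = secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret": secret, "redirect_uris": frozenset(accepted)}
    return secret


def redirect_allowed_prefix(client_id, requested):
    """The weak check: accept anything that merely starts with a registered URI."""
    return any(requested.startswith(r) for r in CLIENTS[client_id]["redirect_uris"])


def redirect_allowed_exact(client_id, requested):
    """Simple string comparison, as RFC 6749 section 3.1.2.3 requires."""
    return requested in CLIENTS[client_id]["redirect_uris"]


def authorize(client_id, requested_redirect, state, check=redirect_allowed_exact):
    """Authorization endpoint decision after the user has consented.

    On a redirect_uri mismatch the server must NOT redirect at all (that would
    deliver the code to the attacker); it raises and the user sees an error page.
    """
    if client_id not in CLIENTS:
        raise ValueError("unknown client")
    if not check(client_id, requested_redirect):
        raise ValueError("redirect_uri mismatch; not redirecting")
    code = secrets.token_urlsafe(24)
    parts = urlsplit(requested_redirect)
    extra = urlencode({"code": code, "state": state})
    query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def prefix_bypass_demo():
    """Constructed attack: path traversal to an (assumed) open redirect on the app host."""
    register_client("demo-app", ["https://app.example.com/cb"])
    evil = "https://app.example.com/cb/../redirect?to=https://attacker.example"
    return redirect_allowed_prefix("demo-app", evil), redirect_allowed_exact("demo-app", evil)


if __name__ == "__main__":
    print("prefix match accepts attacker URI, exact match accepts it:", prefix_bypass_demo())
```

The prefix check passes the attacker's URI because it starts with the registered string; the exact check rejects it, and authorize then refuses to redirect rather than sending the code anywhere. Pair exact matching with a per-request state value (and PKCE for public clients) so the code is bound to the session that started the flow.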
Service Providers provide web services and rely on a “trusted” Identity Provider and Security Token Service for AuthN and AuthZ. This is the WS-Fed definition, where an SP is called a Relying Party. The SP depends on having assertions from the IdP.
The key here is that the SAML AuthnRequest was signed by the SP. That is what lets the IdP on the right trust the request and send its signed assertion about the user directly back to the resource server (the SP) on the left.