Add End User Sign-in, User Management, and Security to Your Mobile and Web Applications with Amazon Cognito
Description

by Ed Lima, Associate Solution Architect, AWS

Transcript

  1. 08/2017. Add End User Sign-in, User Management, and Security to Your Mobile and Web Applications with Amazon Cognito. Ed Lima, Solutions Architect. AWS Mobile Week | San Francisco Pop-up Loft
  2. Source: https://www.fairfaxstatic.com.au/content/dam/images/g/t/4/d/r/3/image.related.articleLeadwide.620x349.gt4dq6.png/1481602779022.jpg
  3. Source: images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg
  4. Topics
     • AWS Mobile Services and Amazon Cognito
     • Introduction to Amazon Cognito Identity
     • Summary of Features
     • App Integration
     • Demo
     • OAuth2 Support in Cognito User Pools
     • Sample Use Cases
     • Getting Started
  5. Build and Scale Your Apps on AWS (diagram pairing each need with a service)
     • Authenticate users: Amazon Cognito (Identity)
     • Synchronize data: Amazon Cognito (Sync)
     • Store and share media: Amazon S3
     • Deliver media: Amazon CloudFront
     • Store data: Amazon DynamoDB, Amazon RDS
     • Analyze user behavior, run targeted campaigns: Amazon Pinpoint
     • Send push notifications: Amazon SNS Mobile Push
     • Server-side logic: Lambda
     • Test your app: Device Farm
  6. AWS Mobile Hub: Fastest Way to Build Apps on AWS
  7. Identity is mission critical for your applications. User identity underpins security, revenue generation and the application backbone:
     • Know your users
     • Monitor engagement with your application
     • Store and manage user data
     • Personalize your users’ experiences
     • Protect sensitive data
     • Secure business-critical processes
  8. Identity is mission critical for your applications. User identity covers authentication, authorization and user management:
     • Sign in users
     • Enable federation with enterprise identities
     • Enable federation with social identities
     • Protect data and operations
     • Provide fine-grained access control
     • Manage user lifecycles
     • Store and manage user profile data
     • Monitor engagement
  9. Developing Auth Infrastructure is Difficult
     • Need to develop a reliable user directory to manage identities
     • Handling user data and passwords and protecting privacy
     • Prioritizing scalability of your infrastructure upfront
     • Implementing token-based authentication
     • Support for multiple social identity providers
     • Federation with corporate directories for B2E applications
  10. Comprehensive Support for Identity Use Cases
  11. Amazon Cognito Identity (sign-in options pictured: Facebook, Corporate, OIDC, SAML, username/password)
     • Sign in with Your User Pools: You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support 100s of millions of users.
     • Federated Identities: Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
  12. (diagram only: a five-step flow with no slide text)
  13. Cognito Federated Identities (Identity Pools)
     • Exchanges tokens from authenticated users for AWS credentials to access resources such as S3 or DynamoDB
     • You can define rules for mapping users to different IAM roles to manage permissions
     • Provides an identity pool id to uniquely identify users
     Diagram: the mobile or web app presents an identity provider token to the Cognito Identity Pool, receives AWS credentials tied to an IAM role, and uses them to access backend resources (DynamoDB, S3, API GW).
  14. Your User Pools
     • Serverless Authentication and User Management: Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
     • Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication
     • Managed User Directory: Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
  15. Extensive Admin Capabilities: Create and Manage User Pools; Define Custom Attributes; Require Submission of Attribute Data; Set per-App Permissions; Set up Password Policies; Manage and Search Users
  16. Comprehensive User Flows: User Sign-Up and Sign-In; User Profile Data; Forgot Password; Token Based Authentication; Email or Phone Number Verification; SMS Multifactor Authentication
  17. Custom User Flows Using Lambda Hooks
  18. Custom User Flows Using Lambda Hooks (category, hook, example scenario)
     • Custom Authentication Flow
       - Define Auth Challenge: determines the next challenge in a custom auth flow
       - Create Auth Challenge: creates a challenge in a custom auth flow
       - Verify Auth Challenge Response: determines if a response is correct in a custom auth flow
     • Authentication Events
       - Pre Authentication: custom validation to accept or deny the sign-in request
       - Post Authentication: event logging for custom analytics
     • Sign-Up
       - Pre Sign-up: custom validation to accept or deny the sign-up request
       - Post Confirmation: custom welcome messages or event logging for custom analytics
     • Messages
       - Custom Message: advanced customization and localization of messages
  19. Custom Auth Flow: Cognito User Pools support custom authentication challenges (e.g., CAPTCHA, passwordless auth, custom 2nd factors); the diagram shows a six-step exchange between the app and the user pool.
  20. Groups: Cognito User Pools Groups and Multiple Authenticated Roles
     • User pool groups map to IAM roles (Group A → IAM Role A, Group B → IAM Role B, …)
     • The authenticated user identity gets credentials from Cognito Federated Identities, which supports multiple roles for authenticated identities, each with its own IAM role and policy
     • Map to different IAM roles to control access to backend resources (API Gateway, DynamoDB, S3)
  21. Control Attribute Permissions: Choose which user attributes each app can read and write (pictured: Read/Write settings for name, phone, custom:paid)
  22. Creating Users as an Administrator
     • Developers or administrators can create users in a user pool and send them an optional, customizable invitation email or SMS message
     • New users sign in with a temporary password and create a new password
     • User pools can be configured to only allow users created by an administrator
  23. Understanding User Status
     • New users start with “Registered” status
     • Users must be confirmed before they can sign in
     • Users must be disabled before they can be deleted
     State diagram: Sign-up (Lambda Trigger: Pre Sign-up) → Registered (cannot sign in) → Confirmed (confirm via email/phone or Admin Confirm) → Disabled (Disable / Enable) → deleted (Delete). Other entry states: Reset Required (User import; Reset password) and Force Change Password (Admin Create User).
  24. Verifying Email and Phone
     • Your User Pools provide built-in verification of email addresses and phone numbers
     • A six digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API
     • If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone
     • Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
     Sample message: “Your verification code is 938764”
  25. Remembered Devices: Remember the devices associated with your users
     • How do I reduce the friction that my users face when having to complete the 2nd factor challenge on every sign-in?
     • How do I build logic to associate devices with my users to achieve my specific business requirements?
  26. Importing Existing Users
     • Batch Imports
       - Import users by uploading .csv files
       - Users will create a new password when they first sign in
       - Each imported user must have an email address or a phone number
     • One-at-a-Time Migration (from a prior IdP)
       - Migrate users individually as they sign in
       - App first tries to sign in via Cognito; if the user does not exist, the app signs in via the prior identity system, captures username and password, and silently creates the user in Cognito
       - Retains passwords, but requires app coding and maintenance of the prior system for some period
  27. Source: https://freerangestock.com/photos/39981/victorious--man-standing-on-the-top-of-a-mountain-raising-.html
  28. App Integration with User Pools - Beta
     • User Pools now provide a Hosted UI for sign up, sign in, forgot password, etc.
     • WebView for Mobile
     • You can customize the UI and domain
     • Basic in beta, more advanced coming
  29. Federation with User Pools - Beta
     • Cognito handles interactions with IdPs to authenticate users and receive tokens
     • Identity providers (IdPs) are configured in Cognito, e.g., SAML metadata document, issuer URL, identifiers/domains
     • Cognito User Pools act as a universal directory providing user profiles and authentication tokens for federated and “native” users
     • Initially supporting SAML in beta, but more IdPs are coming
  30. Why Federation with User Pools?
     • Enables management of federated users with User Pool profiles and groups
     • Attributes (claims) from federated user identities can be mapped to user pool profile attributes
     • Standardizes auth across all users – apps can simply direct all users to our hosted UI to sign in, and they all get the same OIDC standard User Pool tokens
  31. How easy is it to implement?
  32. User Pool SAML Federation (flow between the mobile or web app, Amazon Cognito and the IdPs)
     • Hosted UI
     • Determine IdP
     • Redirect to IdP
     • User authenticated by the IdP UI (SSO if active session)
     • POST back with SAML assertion
     • Create/Update profile
     • Amazon Cognito (OIDC) tokens provided to app
  33. Demo
  34. Demo architecture: Cognito User Pools, Cognito Federated Identities, Amazon Lex, AWS Lambda, Amazon API Gateway, Amazon DynamoDB, Amazon S3 (Website), Amazon CloudFront
  35. “No server is easier to manage than no server” – Werner Vogels, CTO, Amazon.com
  36. Two Ways to Federate with Amazon Cognito
     • Cognito User Pools
       - Handles the IdP interactions for you
       - Provides profiles to manage users
       - Provides OpenID Connect and OAuth2.0 standard tokens
       - Priced per monthly active user
     • Cognito Identity Pools
       - IdP interactions and user profiles handled by the application
       - Provides AWS credentials for accessing resources on behalf of users
       - Supports rules to map users to different IAM roles
       - Free
  37. Security Standards and Protocols
  38. JSON Web Tokens (JWT)
     • Compact and self-contained way for securely transmitting information between parties as a JSON object
     • Digitally signed
     • Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token
     • Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains
     • Typically saved in the browser’s local storage (but cookies can also be used), instead of the traditional approach of creating a session in the server and returning a cookie
     • Stateless authentication mechanism
     JWT Key Set: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
  39. JSON Web Tokens (JWT)
  40. JWT Anatomy
     • Header: the algorithm used for the signature
     • Payload: claims such as iss, aud, sub, exp
  41. Why use JSON Web Tokens?
     • Scalability – Unlike server-based authentication, token-based authentication doesn’t require you to store session state on the server side, which increases the scalability of applications
     • Reusability – Multiple services or applications could leverage the same token for authorizing
     • Security – Protection against Cross Site Request Forgery (CSRF), token expiry, and revocation capabilities
  42. OAuth 2.0 Support in Cognito User Pools
  43. OAuth 2.0 Support in Cognito User Pools
     • Industry standard protocol for authorization
     • Permissions are defined as “scopes”, e.g., permission to read a user profile or edit photos
     • Client apps can request a set of scopes, and if permitted, get back an access token with those scopes
     • If the request is in the context of a user, the user can be authenticated - end user consent is not yet supported
     • Client apps take the access token to a resource server to access the resources as permitted by the scopes
  44. OAuth 2.0 Flows Supported in Cognito
     • Authorization code
       - User is authenticated
       - Returns code to be used with token service to retrieve tokens
       - Avoids exposing tokens to the client
       - Use PKCE for security on native apps
     • Implicit (for single page web apps)
       - User is authenticated
       - Returns tokens directly
  45. OAuth 2.0 Scopes - Standard
     • Standard scopes define what tokens and attributes are returned:
       - openid: required to get the User Pool ID token
       - email: required for email and email_verified
       - phone: required for phone and phone_verified
       - profile: required for non phone/email attributes
       - aws.cognito.signin.user.admin: required to use the access token with the User Pool (e.g., to call GetUser)
     • Scopes can be used in combination, separated by spaces
     • Scopes must be enabled for each client app
     • If no scopes are requested, Cognito will apply all scopes enabled for the app client
  46. OpenID Connect
     • An identity layer on top of the OAuth 2.0 protocol – authentication
     • Request and receive information about authenticated sessions and end-users
  47. Sample Use Cases
  48. Cognito User Pool as a Standalone IdP
     • Cognito User Pools can be used as standalone IdPs
     • User Pools provide OpenID Connect and OAuth2.0 standard tokens that can be used for authorizing access to your APIs / backend
     Flow: (1) sign in with username/password and authenticate with a user pool via our SDK or hosted UI (beta); (2) receive a CUP token; (3) present the CUP token to API GW to access backend resources
  49. Business to Consumer
     • User Pools provide a directory for users to sign up and sign in
     • Identity Pools provide AWS credentials to access backend resources
     Flow: (1a) authenticate with a user pool via our SDK (username/password) and receive a CUP token, or (1b) sign in with Facebook via their SDK and receive an FB token; (2) exchange the CUP/FB token at the Cognito Identity Pool for AWS credentials tied to an IAM role; (3) access backend resources (DynamoDB, S3, API GW)
  50. Business to Business/Employee with SAML
     • User Pools authenticate users and return OpenID Connect and OAuth2.0 standard tokens
     • Identity Pools provide AWS credentials to access backend resources
     Flow: the user authenticates against the Cognito User Pool, which redirects to the SAML IdP (e.g., ADFS) and receives the SAML post back, then returns a CUP token; the CUP token is exchanged at the Cognito Identity Pool for AWS credentials, which are used to access backend resources (DynamoDB, S3, API GW)
  51. Business to Business/Employee with SAML v2
     • User Pools authenticate users and return OpenID Connect and OAuth2.0 standard tokens
     • User Pool tokens can be used for authorizing access to your APIs / backend
     Flow: the user authenticates against the Cognito User Pool, which redirects to the SAML IdP (e.g., ADFS) and receives the SAML post back, then returns a CUP token; the CUP token is presented to API GW to access backend resources
  52. Your User Pools and Amazon API Gateway
     • Native Support – Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool; User Pools work together with API Gateway to authorize API requests
     • Custom Authorizer Function – Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML; API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges
  53. Amazon Cognito and Amazon API Gateway (architecture diagram): mobile apps authenticate with Amazon Cognito User Pools (with Lambda Hooks) or Amazon Cognito Federated Identities (IAM); Amazon API Gateway (auth, throttling, cache, logging, monitoring) authorizes requests with a Cognito User Pool authorizer, a Lambda custom authorizer or IAM, and forwards them via AWS proxy to a Lambda function backed by Amazon DynamoDB or to an external HTTP/S backend
  54. Amazon Cognito and Amazon API Gateway (sample): users A, B and C sign in through Google, the Cognito Identity Pool (CIP) or the Cognito User Pool (CUP); the Amazon API Gateway resources /google, /cip and /cup are protected by IAM authorization (AWS credentials) or the Cognito UP authorizer (token); AWS Lambda reads each user’s own data from Amazon DynamoDB. Code: https://github.com/awslabs/aws-cognito-apigw-angular-auth
  55. Amazon Cognito and AWS IoT
     • User Pools provide a directory for users to sign up and sign in
     • Identity Pools provide AWS credentials to access IoT resources
     • The AttachPrincipalPolicy API call attaches the Cognito ID to an IoT policy
     Flow: (1) sign in with username/password and authenticate with a user pool via our SDK, receiving a CUP token; (2) exchange the CUP token at the Cognito Identity Pool for AWS credentials tied to an IAM role; (3) access IoT/device resources
  56. Demo
  57. Getting Started with Your User Pools: See aws.amazon.com/cognito/dev-resources/ for links to
     • Getting Started Guides
     • Documentation, SDKs, and Sample Apps
     • Videos
     • Presentation Slides
     • Blog Posts
     • Developer Forums
  58. Useful Links
     • Amazon Cognito User Pools supports federation with SAML - http://amzn.to/2uCB6hJ
     • Amazon Cognito User Pools App Integration and Federation - http://amzn.to/2uxbnqb
     • Amazon Cognito Federation for User Pools Server Contract Reference - http://amzn.to/2tzLLVy
     • Amazon Cognito User Pools OAuth2 Flows and Scopes - http://amzn.to/2tAu08i
     • Customizing Amazon Cognito User Pool Authentication Flow - http://amzn.to/2vbVlQg
     • Passwordless Login Demo - https://youtu.be/8DDIxqIW1sM?t=2212
     • SAML for Your Serverless JavaScript Application - http://amzn.to/2mRmKEX and http://amzn.to/2w4MIXo
     • Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway - http://amzn.to/2rItQQm
     • Authorizing Access Through a Proxy Resource to Amazon API Gateway and AWS Lambda Using Amazon Cognito User Pools - http://amzn.to/2jO3qYt
  59. Something Extra…
  60. Amazon Cognito Points to Remember
     • Unique Identity
       - DDB indexes
       - S3 Prefixes
     • Short-Term Credentials
       - Credentials object triple: token, access key, secret key
       - Pass to AWS SDKs
       - Sigv4 auto-signing
     • Amazon Cognito User Pools
       - Secure Remote Password
       - Passwords never travel over the wire
       - Verifier calculated and stored
       - http://srp.stanford.edu/ndss.html
     • Developer-only attributes
       - API Gateway back-end calls
       - Don’t send outside infra
  61. Granular Auth Controls
     • IAM Roles
     • Fine-grained API access
     • Enterprise SAML Federation
     • RBAC
     • User Pool Lambda Triggers
     • Cognito Policy Variables
     • API Gateway Authorizers
       - User Pool Authorizer
       - Custom Authorizer
     Takeaway: Sort out Identity and Auth; everything else gets easier
  62. Amazon Cognito Identity and AWS Identity and Access Management Variables
  63. OAuth, OIDC: Outsourcing Auth to a 3rd party
     • OAuth: Authorization (grant access to data/API/etc.)
     • OpenID: Authentication
     • Redirect to the authorization server in the query string: response_type (contains grant code), scope, etc.
     • ClientID & Secret
       - ClientID is public, used for login URLs
       - Secret embedded in app source code (not for JavaScript apps)
     • Tokens: ID (Identity – OIDC), Access (Session – OAuth2), Refresh (Password – OAuth2)
  64. Web Server OAuth flow
  65. SRP
     • Problem with salting/hashing passwords in the DB
       - Rainbow tables, MD5 collisions
       - GPUs can compute billions of hashes/sec
       - Dictionary attacks, brute force
     • SRP: Passwords never travel over the wire
       - Verifier calculated and stored in the database
       - http://srp.stanford.edu/ndss.html
  66. SAML: 2-way trust to securely exchange claims
     • SAML doesn’t accept passwords! That’s what an IdP is for!
     • Terms
       - Service Provider (Relying Party)
       - STS (ADFS, Shibboleth)
       - Signed and Base-64 encoded claims in <samlp: /> notation
       - IdP: “SAML authority” or “Asserting Party” = “SAML IdP” – AKA “guy that has all the claims to share”
     • Bindings

Editor's Notes

  • <Connect with the audience>
    If you’re anything like me, this is probably how that makes you feel. <pause, hopefully for a bit of laughter>

    The good news is that there is a lot of help. I’ll try to give you a bit of a roadmap today on how you might think about going on this journey.

    Firstly, you’ll need to take a look at your organisation, the teams that are working on your projects.
    You’ll need to put some new definitions around your architecture.
    You will probably need to know how to deal with your existing application investments, so we’ll talk about how to approach migrations
    and lastly, I’ll try to give you some of my best tips and tricks, best practices for avoiding some of those challenges along the way and hopefully avoid some of the frustrations like what this poor guy is feeling.

    http://images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg
  • Who Loves AAA?! Who Hates it?
  • We have amazing services that integrate to your app and provide essential features for your users.
    Authentication, Data Sync, Analytics, media, push notifications, serverless backends, enterprise features and chat bots
    However it might take some time to get acquainted, learn and configure all these services and how they interact with each other. Time you could be using to focus on your application code.
    AWS has successfully removed the undifferentiated heavy lifting of infrastructure, and now we’re going one step further. What if I told you we could also remove the heavy lifting of provisioning and configuring your mobile backend for you?

    Pulling this all together is easier through Mobile SDKs for iOS, Android, Xamarin, Unity…or use Mobile Hub which makes development even simpler with a single integrated console.


  • This is what our Mobile Hub service is here for! With Mobile Hub you can select, mix and match what features you want to add to your app and the related services are automatically provisioned for you, bootstrapping your mobile backend in a matter of minutes! Not only that but all the backend services are pre-configured and personalized with all the best practices and security in mind.

  • Session Based Auth
    Server does heavy lifting. Stateful.
    Client session ID attached to every request, associated with user ID that must be referenced on server
    Pros: Auditing, revocation of actions
    Cons: Scaling
    Token Based Auth
    Stateless, nothing persisted on server
    Simple validation of token signing
    Pros: Scaling
  • Create and manage User Pools - Create, configure, and delete multiple user pools across AWS regions
    Define Custom Attributes - Define custom attributes for your user profiles
    Require Submission of Attribute Data - Select which attributes must be provided by the user prior to completion of the sign-up process
    Set per-App Permissions - Set read and write permissions for each user attribute on a per-app basis
    Set up Password Policies - Enforce password policies like minimum length and requirement of certain types of characters
    Search Users - Search users based on a full match or a prefix match of their attributes through the console or Admin API
    Manage Users - Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
  • User Sign-Up and Sign-In
    Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
    User Profile Data
    Enable users to view and update their profile data – including custom attributes
    Forgot Password
    Provide users the ability to change their password when they forget it with a one-time password challenge
    Token Based Authentication
    Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
    Email or Phone Number Verification
    Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
    SMS Multifactor Authentication
    Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
  • Lambda is our microservices framework, which lets you run code without provisioning or managing servers. And you can use Lambda in conjunction with User Pools to customize the user flow according to your business requirements.
  • Before Migrate, Always Federate
  • Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.
    Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
    Stateless authentication mechanism as the user state is never saved in server memory
  • https://freerangestock.com/photos/44722/photo-details.html
  • OAuth 2.0 looks at the problem of "How does Software A give Software B access to User X's data without Software B having access to User X's login credentials."
  • Redirect URIs must be registered with the OAuth service and use TLS in order to prevent man-in-the-middle (MITM) attacks. The registration process gives the ClientID & Secret.
  • Service Providers provide web services and rely on a “trusted” Identity Provider and Security Token Service for AuthN and AuthZ. This is the WS-Fed definition, where an SP is called a Relying Party. The SP depends on having assertions from the IdP.
  • The key here is that the SAML AuthnRequest was signed. That’s what allows direct sending of user data from the IdP on the right back to the Resource server on the left.
  • Description

    by Ed Lima, Associate Solution Architect, AWS

    Transcript

    1. 1. 08/2017 Add End user sign-in, User management, and Security to your Mobile and Web Applications with Amazon Cognito Ed Lima, Solutions Architect AWS Mobile Week | San Francisco Pop-up Loft
    2. 2. Source: https://www.fairfaxstatic.com.au/content/dam/images/g/t/4/d/r/3/image.related.articleLeadwide.620x349.gt4dq6.png/1481602779022.jpg
    3. 3. Source: images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg
    4. 4. Topics  AWS Mobile Services and Amazon Cognito  Introduction to Amazon Cognito Identity  Summary of Features  App Integration  Demo  OAuth2 Support in Cognito User Pools  Sample Use Cases  Getting Started
    5. 5. Authenticate users Analyze User Behavior Store and share media Synchronize data Deliver media Amazon Cognito (Sync) Amazon Cognito (Identity) Amazon S3 Amazon CloudFront Store data Amazon DynamoDB Amazon RDS Run Targeted Campaigns Send push notifications Amazon SNS Mobile Push Server-side logic Lambda Device Farm Test your app Build and Scale Your Apps on AWS Amazon Pinpoint Amazon Pinpoint
    6. 6. AWS Mobile Hub: Fastest Way to Build Apps on AWS
    7. 7. Identity is mission critical for your applications Security Revenue Generation Application Backbone  Know your users  Monitor engagement with your application  Store and manage user data  Personalize your users’ experiences  Protect sensitive data  Secure business- critical processes User Identity
    8. 8. Authentication User ManagementAuthorization  Manage user lifecycles  Store and manage user profile data  Monitor engagement  Protect data and operations  Provide fine-grained access control  Sign in users  Enable federation with enterprise identities  Enable federation with social identities User Identity Identity is mission critical for your applications
    9. 9. Developing Auth Infrastructure is Difficult • Need to develop a reliable user directory to manage identities • Handling user data and passwords and protecting privacy • Prioritizing scalability of your infrastructure upfront • Implementing token-based authentication • Support for multiple social identity providers • Federation with corporate directories for B2E applications 1 2 3 5 6 4
    10. 10. Comprehensive Support for Identity Use Cases
    11. 11. Amazon Cognito Identity Facebook Corporate OIDC Sign in with Your User Pools You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully-managed service that scales to support 100s of millions of users. Federated Identities Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app. SAML Sign in Username Password Submit
    12. 12. 1 2 3 4 5
    13. 13. Cognito Federated Identities (Identity Pools) • Exchanges tokens from authenticated users for AWS credentials to access resources such as S3 or DynamoDB • You can defined rules for mapping users to different IAM roles to manage permissions • Provides an identity pool id to uniquely identify users Cognito Identity Pool AWS Credentials / / etc token Mobile or web app DynamoDB S3 API GW Access backend resources - tied to IAM role 1 3 2
    14. 14. Your User Pools Add user sign-up and sign- in easily to your mobile and web apps without worrying about server infrastructure Serverless Authentication and User Management Verify phone numbers and email addresses and offer multi-factor authentication Enhanced Security Features Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users Managed User Directory 1 2 3
    15. 15. Extensive Admin Capabilities Create and Manage User Pools Define Custom Attributes Require Submission of Attribute Data Set per-App Permissions Set up Password Policies Manage and Search Users
    16. 16. Comprehensive User Flows User Sign-Up and Sign-In User Profile Data Forgot Password Token Based Authentication Email or Phone Number Verification SMS Multifactor Authentication
    17. 17. Custom User Flows Using Lambda Hooks
    18. 18. Custom User Flows Using Lambda Hooks Category Lambda Hook Example Scenarios Custom Authentication Flow Define Auth Challenge Determines the next challenge in a custom auth flow Create Auth Challenge Creates a challenge in a custom auth flow Verify Auth Challenge Response Determines if a response is correct in a custom auth flow Authentication Events Pre Authentication Custom validation to accept or deny the sign-in request Post Authentication Event logging for custom analytics Sign-Up Pre Sign-up Custom validation to accept or deny the sign-up request Post Confirmation Custom welcome messages or event logging for custom analytics Messages Custom Message Advanced customization and localization of messages
    19. 19. Custom Auth Flow Cognito User Pools Custom Authentication Challenges (e.g., CAPTCHA, passworldless auth, custom 2nd factors) 1 2 5 6 3 4
    20. 20. Groups Cognito User Pools Groups and Multiple Authenticated Roles Group A IAM Role A Group B IAM Role B … Authenticated User Identity Get Credentials Multiple Roles for Authenticated Identities Cognito Federated Identities IAM Role and Policy IAM Role and Policy IAM Role and Policy Backend Resources MaptodifferentIAMroles API Gateway DynamoDB S3 ControlAccess
    21. 21. Control Attribute Permissions Choose which user attributes each app can read and write Read Write name phone custom:paid
    22. 22. Creating Users as an Administrator  Developers or administrators can create users in a user pool and send them an optional, customizable invitation email or SMS message  New users sign in with a temporary password and create a new password  User pools can be configured to only allow users created by an administrator
    23. 23. Understanding User Status  New users start with “Registered” status  Users must be confirmed before they can sign-in  Users must be disabled before they can be deleted Registered (cannot sign in) Sign-up Confirmed Disabled Admin Confirm Confirm via email/phone or Disable Delete (deleted) Lambda Trigger: Pre Sign-up Reset Required User import Force Change Password Admin Create User Reset password Enable
    24. 24. Verifying Email and Phone  Your User Pools provide built-in verification of email addresses and phone numbers  A six digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API  If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone  Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification Your verification code is 938764
    25. 25. Remembered Devices: remember the devices associated with your users
    1. How do I reduce the friction that my users face when having to complete the 2nd factor challenge on every sign-in?
    2. How do I build logic to associate devices with my users to achieve my specific business requirements?
    26. 26. Importing Existing Users
    Batch Imports
     Import users by uploading .csv files
     Users will create a new password when they first sign in
     Each imported user must have an email address or a phone number
    One-at-a-Time Migration (from the prior IdP)
     Migrate users individually as they sign in
     App first tries to sign in via Cognito; if the user does not exist, the app signs in via the prior identity system, captures the username and password, and silently creates the user in Cognito
     Retains passwords, but requires app coding and maintenance of the prior system for some period; the app handles the plaintext password during that one sign-in, so it must do so only over TLS and never log or store it
    27. 27. Source: https://freerangestock.com/photos/39981/victorious--man-standing-on-the-top-of-a-mountain-raising-.html
    28. 28. App Integration with User Pools - Beta • User Pools now provide a Hosted UI for sign up, sign in, forgot password, etc. • WebView for Mobile • You can customize the UI and domain • Basic in beta, more advanced coming
    29. 29. Federation with User Pools - Beta • Cognito handles interactions with IdPs to authenticate users and receive tokens • Identity providers (IdPs) are configured in Cognito • E.g., SAML metadata document, issuer URL, identifiers/domains • Cognito User Pools act as a universal directory providing user profiles and authentication tokens for federated and “native” users • Initially supporting SAML in beta, but more IdPs are coming
    30. 30. Why Federation with User Pools? • Enables management of federated users with User Pool profiles and groups • Attributes (claims) from federated user identities can be mapped to user pool profile attributes • Standardizes auth across all users – Apps can simply direct all users to our hosted UI to sign in, and they all get the same OIDC standard User Pool tokens
    31. 31. How easy is it to implement?
    32. 32. User Pool SAML Federation (mobile or web app, Amazon Cognito hosted UI, one or more SAML IdPs)
    1. The app sends the user to the Cognito hosted UI
    2. Cognito determines the IdP
    3. Redirect to the IdP
    4. The user is authenticated by the IdP on its own UI (SSO if there is an active session)
    5. The IdP POSTs back a <SAML> assertion to Cognito
    6. Cognito creates or updates the user’s profile
    7. Amazon Cognito (OIDC) tokens are provided to the app
    33. 33. Demo
    34. 34. Demo architecture: Cognito User Pools, Cognito Federated Identities, Amazon Lex, AWS Lambda, Amazon API Gateway, Amazon DynamoDB, Amazon S3 (website), Amazon CloudFront
    35. 35. “No server is easier to manage than no server” Werner Vogels CTO, Amazon.com
    36. 36. Two Ways to Federate with Amazon Cognito
    Cognito User Pools
    • Handles the IdP interactions for you
    • Provides profiles to manage users
    • Provides OpenID Connect and OAuth 2.0 standard tokens
    • Priced per monthly active user
    Cognito Identity Pools
    • IdP interactions and user profiles handled by the application
    • Provides AWS credentials for accessing resources on behalf of users
    • Supports rules to map users to different IAM roles
    • Free
    37. 37. Security Standards and Protocols
    38. 38. JSON Web Tokens (JWT)
    • Compact and self-contained way of securely transmitting information between parties as a JSON object
    • Digitally signed
    • Once the user is logged in, each subsequent request includes the JWT, allowing the user to access routes, services, and resources that are permitted with that token
    • Single sign-on widely uses JWT nowadays because of its small overhead and its ability to be used easily across different domains
    • Typically saved in the browser’s local storage (cookies can also be used), instead of the traditional approach of creating a session on the server and returning a cookie. Note the trade-off: local storage is readable by any script running on the page, so an XSS bug leaks the token, whereas an HttpOnly cookie is not script-readable but brings CSRF back into scope
    • Stateless authentication mechanism
    JWT key set (the public signing keys of a user pool): https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
    39. 39. JSON Web Tokens (JWT)
    40. 40. JWT Anatomy. Header: the signing algorithm (alg; RS256 for user pool tokens) and the key id (kid) that selects the key in the JWKS. Payload: claims
    • iss
    • aud
    • sub
    • exp
    (plus token_use, which tells an ID token from an access token)
    41. 41. Why use JSON Web Tokens?
    • Scalability – Unlike server-based authentication, token-based authentication doesn’t require you to store session state on the server side, which increases the scalability of applications
    • Reusability – Multiple services or applications can leverage the same token for authorizing
    • Security – Protection against Cross Site Request Forgery (CSRF) when the token is sent in a header rather than a cookie, token expiry, and revocation capabilities. Caveat: a signature check alone cannot see that a token has been revoked, so keep lifetimes short and, where revocation matters, confirm the access token with the user pool (e.g., GetUser) on sensitive calls
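What a backend has to do with one of these tokens before trusting it, as an added example (not AWS code and not what the Cognito SDKs do internally). The checks mirror the slides: signature against the key selected by `kid` from the pool's JWKS, then `iss`, audience, `token_use` and `exp`. To stay self-contained it generates a throw-away RSA key in place of downloading the JWKS; the issuer and client id are placeholders.

```python
"""Validate an RS256 JWT the way a backend must for Cognito tokens, stdlib only.
Added example, not AWS code. Real tokens are checked against the pool's JWKS URL;
a throw-away 512-bit RSA key (far too small for real use) lets this run offline."""
import base64, hashlib, hmac, json, random, time

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumed pool
CLIENT_ID = "1example23456789"                                              # assumed app client
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")      # SHA-256 DigestInfo

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_prime(n, rng, rounds=24):  # Miller-Rabin, fine for a demo key
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def make_key(seed=1):  # deterministic toy RSA key; never make real keys this way
    rng, e = random.Random(seed), 65537
    def prime(bits):
        while True:
            p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_prime(p, rng): return p
    while True:
        p, q = prime(256), prime(256)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:  # gcd(e, phi) == 1, e being prime
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (RS256)
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(signing_input, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, signing_input, sig):
    n, e = (int.from_bytes(b64u_dec(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(signing_input, k))

def jwk_of(key, kid):  # one entry of the pool's jwks.json
    nb = key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": b64u(nb), "e": b64u(key["e"].to_bytes(3, "big"))}

def mint(key, kid, claims):  # what the user pool does when it issues a token
    si = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64u(json.dumps(claims).encode())
    return si + "." + b64u(rs256_sign(key, si.encode()))

def verify_cognito_jwt(token, jwks, expected_use, now=None):
    """Return the claims or raise ValueError. Signature first, then every claim."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":  # allow-list; the token must not choose the algorithm
        raise ValueError("unexpected alg")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None or not rs256_verify(jwk, f"{h64}.{p64}".encode(), b64u_dec(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    for ok, why in ((claims.get("iss") == ISSUER, "bad issuer"),
                    (claims.get("token_use") == expected_use, "wrong token_use"),
                    (audience == CLIENT_ID, "wrong audience"),
                    (claims.get("exp", 0) > now, "expired")):
        if not ok:
            raise ValueError(why)
    return claims

def demo(now=1_700_000_000):
    key = make_key()
    jwks = {"keys": [jwk_of(key, "kid-1")]}
    base = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "sub": "user-1", "exp": now + 3600}
    good = mint(key, "kid-1", base)
    out = {"valid": verify_cognito_jwt(good, jwks, "id", now)["sub"]}
    cases = {"expired": (mint(key, "kid-1", {**base, "exp": now - 1}), "id"),
             "tampered": (good[:-6] + "AAAAAA", "id"),
             "unknown_kid": (mint(key, "kid-2", base), "id"),
             "wrong_use": (good, "access"),
             "alg_none": (b64u(b'{"alg":"none","kid":"kid-1"}') + "." + good.split(".")[1] + ".", "id")}
    for name, (tok, use) in cases.items():
        try:
            verify_cognito_jwt(tok, jwks, use, now)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    return out
```

Two details matter more than the arithmetic: the algorithm is an allow-list the verifier decides on (a token saying `alg: none` or `HS256` is rejected before anything else), and the audience claim differs by token type (`aud` on an ID token, `client_id` on an access token), so a backend must know which one it expects.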
    42. 42. OAuth 2.0 Support in Cognito User Pools
    43. 43. OAuth 2.0 Support in Cognito User Pools • Industry standard protocol for authorization • Permissions are defined as “scopes” • E.g., permission to read a user profile or edit photos • Client apps can request a set of scopes, and if permitted, get back an access token with those scopes • If the request is in the context of a user, the user can be authenticated - end user consent is not yet supported, so every app client enabled for a scope gets it silently; only register app clients you control • Client apps take the access token to a resource server to access the resources as permitted by the scopes
    44. 44. OAuth 2.0 Flows Supported in Cognito
    • Authorization code
    o User is authenticated
    o Returns a code to be used with the token service to retrieve tokens
    o Avoids exposing tokens to the client (the browser)
    o Use PKCE for security on native apps (and on any public client that cannot keep a secret)
    • Implicit (for single-page web apps)
    o User is authenticated
    o Returns tokens directly, in the redirect URL fragment. Caveat: the tokens then sit in browser history and can leak via the Referer header; current OAuth 2.0 security guidance is to prefer authorization code with PKCE for single-page apps as well
    45. 45. OAuth 2.0 Scopes - Standard
    • Standard scopes define what tokens and attributes are returned:
    o openid: required to get the User Pool ID token
    o email: required for email and email_verified
    o phone: required for phone_number and phone_number_verified
    o profile: required for non phone/email attributes
    o aws.cognito.signin.user.admin: required to use the access token with the User Pool (e.g., to call GetUser)
    • Scopes can be used in combination, separated by spaces
    • Scopes must be enabled for each client app
    • If no scopes are requested, Cognito will apply all scopes enabled for the app client
    46. 46. OpenID Connect (OIDC)
    • An identity layer on top of the OAuth 2.0 protocol – authentication
    • Request and receive information about authenticated sessions and end-users
    47. 47. Sample Use Cases
    48. 48. Cognito User Pool as a Standalone IdP
    1. The app authenticates the user (username, password, Sign In) with a user pool via our SDK or the hosted UI (beta) and receives a CUP token
    2. The app presents the CUP token to API Gateway
    3. Access backend resources
    • Cognito User Pools can be used as standalone IdPs
    • User Pools provide OpenID Connect and OAuth 2.0 standard tokens that can be used for authorizing access to your APIs / backend
    49. 49. Business to Consumer
    1a. Sign in with Facebook: authenticate with Facebook via their SDK and receive an FB token
    1b. Or username/password Sign In: authenticate with a user pool via our SDK and receive a CUP token
    2. Exchange the user token (CUP or FB) at a Cognito Identity Pool for AWS credentials tied to an IAM role
    3. Access backend resources (DynamoDB, S3, API Gateway)
    • User Pools provide a directory for users to sign up and sign in
    • Identity Pools provide AWS credentials to access backend resources
    50. 50. Business to Business/Employee with SAML
    1. The app starts authentication with the Cognito User Pool
    2. Redirect to the SAML IdP (e.g., ADFS), which posts back a SAML assertion
    3. The user pool returns a CUP token
    4. The Cognito Identity Pool exchanges the CUP token for AWS credentials
    5. Access backend resources (DynamoDB, S3, API Gateway)
    • User Pools authenticate users and return OpenID Connect and OAuth 2.0 standard tokens
    • Identity Pools provide AWS credentials to access backend resources
    51. 51. Business to Business/Employee with SAML v2
    1. The app starts authentication with the Cognito User Pool
    2. Redirect to the SAML IdP (e.g., ADFS), which posts back a SAML assertion
    3. The user pool returns a CUP token
    4. The app presents the CUP token to API Gateway to access backend resources
    • User Pools authenticate users and return OpenID Connect and OAuth 2.0 standard tokens
    • User Pool tokens can be used for authorizing access to your APIs / backend
    52. 52. Your User Pools and Amazon API Gateway
    1. Native support – Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool: User Pools work together with API Gateway to authorize API requests
    2. Custom authorizer function – Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML: API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges
    53. 53. Amazon Cognito and Amazon API Gateway (architecture): mobile apps authenticate with Amazon Cognito User Pools (with Lambda hooks) or Amazon Cognito Federated Identities (IAM); Amazon API Gateway (auth, throttling, cache, logging, monitoring) fronts a Lambda function and Amazon DynamoDB, with a Lambda custom authorizer, an AWS proxy integration and an external HTTP/S backend
    54. 54. Amazon Cognito and Amazon API Gateway (sample app): Users A, B and C sign in via Google, a Cognito Identity Pool (CIP) or a Cognito User Pool (CUP). The API resources /google and /cip are called with AWS credentials under IAM authorization, /cup with a token through the Cognito UP authorizer; AWS Lambda returns each user’s own data (User A/B/C Data) from Amazon DynamoDB. Code: https://github.com/awslabs/aws-cognito-apigw-angular-auth
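A custom authorizer of the kind slides 52 to 54 describe, as an added example (not AWS code): it turns the groups carried in an already-verified user pool token into the IAM policy API Gateway expects. The routes, group names and API ARN are invented; token verification is injected as a callable so the policy logic runs offline (the `verify` used in `demo` is a constructed stand-in, not a JWT check).

```python
"""A TOKEN-type Lambda (custom) authorizer for API Gateway: map the Cognito groups
of an already-verified user pool token to the routes the caller may invoke.
Added example, not AWS code. Group names and the API are made up; token
verification is injected as a callable so the policy logic runs offline."""

# Assumed routes per Cognito group: (HTTP method, path) under the API's stage.
GROUP_ROUTES = {
    "admins": [("*", "/*")],
    "editors": [("GET", "/photos"), ("POST", "/photos"), ("GET", "/photos/*")],
    "viewers": [("GET", "/photos"), ("GET", "/photos/*")],
}


def parse_method_arn(method_arn):
    """arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
    -> (arn prefix up to the stage, METHOD, /path)"""
    head = method_arn.split(":", 5)
    api_id, stage, method, path = head[5].split("/", 3)
    return ":".join(head[:5]) + f":{api_id}/{stage}", method, "/" + path


def resources_for(groups, stage_arn):
    """Everything the caller may invoke, not only the current route: API Gateway
    caches the returned policy per token for the authorizer TTL and reuses it for
    later calls, so a policy scoped to one route would block the others."""
    found = {f"{stage_arn}/{m}{p}" for g in groups for m, p in GROUP_ROUTES.get(g, [])}
    return sorted(found)


def policy(principal_id, effect, resources, context):
    # `context` values must be scalars (string/number/bool): they are exposed to the
    # integration as $context.authorizer.<key>, so the group list is joined below.
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect, "Resource": resources}]},
            "context": context}


def make_handler(verify):
    """`verify(jwt) -> claims` must do the full JWT check (signature, iss,
    aud/client_id, token_use, exp) and raise ValueError on anything invalid."""
    def handler(event, _context=None):
        auth = event.get("authorizationToken", "")
        if not auth.startswith("Bearer "):
            raise Exception("Unauthorized")  # this exact message makes API Gateway answer 401
        try:
            claims = verify(auth[len("Bearer "):])
        except ValueError:
            raise Exception("Unauthorized")
        stage_arn, _method, _path = parse_method_arn(event["methodArn"])
        groups = claims.get("cognito:groups", [])
        allowed = resources_for(groups, stage_arn)
        if not allowed:  # valid user but no group grants anything: explicit Deny -> 403
            return policy(claims["sub"], "Deny", [event["methodArn"]], {})
        return policy(claims["sub"], "Allow", allowed,
                      {"username": claims.get("cognito:username", claims["sub"]),
                       "groups": ",".join(groups)})
    return handler


def demo():
    """Offline run with a stand-in verifier over constructed tokens (not real JWTs)."""
    users = {"tok-editor": {"sub": "u-1", "cognito:username": "ed", "cognito:groups": ["editors"]},
             "tok-nogroup": {"sub": "u-2", "cognito:username": "guest"}}

    def verify(token):
        if token not in users:
            raise ValueError("bad token")
        return users[token]

    handler = make_handler(verify)
    arn = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3/prod/POST/photos"
    return {name: handler({"type": "TOKEN", "authorizationToken": f"Bearer {tok}", "methodArn": arn})
            for name, tok in [("editor", "tok-editor"), ("nogroup", "tok-nogroup")]}
```

Raising `Unauthorized` (a 401, no policy) is for tokens that cannot be trusted at all; a trusted token whose groups grant nothing gets an explicit Deny (a 403) so that the cached result is a decision rather than an error.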
    55. 55. Amazon Cognito and AWS IoT
    1. Authenticate with a user pool via our SDK (username, password, Sign In) and receive a CUP token
    2. Exchange the CUP token at a Cognito Identity Pool for AWS credentials tied to an IAM role
    3. Access IoT/device resources
    • User Pools provide a directory for users to sign up and sign in
    • Identity Pools provide AWS credentials to access IoT resources
    • The AttachPrincipalPolicy API call attaches the Cognito identity ID to an IoT policy
    56. 56. Demo
    57. 57. Getting Started with Your User Pools See aws.amazon.com/cognito/dev-resources/ for links to  Getting Started Guides  Documentation, SDKs, and Sample Apps  Videos  Presentation Slides  Blog Posts  Developer Forums
    58. 58. Useful Links • Amazon Cognito User Pools supports federation with SAML - http://amzn.to/2uCB6hJ • Amazon Cognito User Pools App Integration and Federation - http://amzn.to/2uxbnqb • Amazon Cognito Federation for User Pools Server Contract Reference - http://amzn.to/2tzLLVy • Amazon Cognito User Pools OAuth2 Flows and Scopes- http://amzn.to/2tAu08i • Customizing Amazon Cognito User Pool Authentication Flow - http://amzn.to/2vbVlQg • Passwordless Login Demo - https://youtu.be/8DDIxqIW1sM?t=2212 • SAML for Your Serverless JavaScript Application - http://amzn.to/2mRmKEX and http://amzn.to/2w4MIXo • Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway - http://amzn.to/2rItQQm • Authorizing Access Through a Proxy Resource to Amazon API Gateway and AWS Lambda Using Amazon Cognito User Pools - http://amzn.to/2jO3qYt
    59. 59. Something Extra…
    60. 60. Amazon Cognito Points to Remember
    • Unique identity: use it for DDB indexes and S3 prefixes
    • Short-term credentials: the credentials object is a triple (token, access key, secret key); pass it to the AWS SDKs and get SigV4 auto-signing
    • Amazon Cognito User Pools use Secure Remote Password: passwords never travel over the wire; a verifier is calculated and stored (http://srp.stanford.edu/ndss.html)
    • Developer-only attributes: for API Gateway back-end calls; don’t send them outside your infrastructure
    61. 61. Granular Auth Controls
    • IAM roles: fine-grained API access; enterprise SAML federation; RBAC
    • User Pool Lambda triggers
    • Cognito policy variables
    • API Gateway authorizers: User Pool authorizer, custom authorizer
    Takeaway: sort out identity and auth; everything else gets easier
    62. 62. Amazon Cognito Identity and AWS Identity and Access Management Variables
    63. 63. OAuth, OIDC: outsourcing auth to a third party
    • OAuth: authorization (grant access to data/API/etc.)
    • OpenID Connect: authentication
    Redirect to the authorization server with the request in the query string: response_type (which grant is requested, e.g., code), scope, etc.
    Client ID and secret
    • The client ID is public and used in login URLs
    • The secret is only for confidential clients that can keep it, such as a web server; it must not be embedded in JavaScript or mobile apps, which are public clients (use PKCE there instead)
    Tokens: ID token (identity, OIDC), access token (session, OAuth 2.0), refresh token (stands in for the password to obtain new tokens, OAuth 2.0)
    64. 64. Web Server OAuth flow
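The authorization code flow of this slide, with the PKCE and scopes from slides 44 and 45, as an added example of the client side (not AWS code). The domain, client id and redirect URI are placeholders; the `/oauth2/authorize` and `/oauth2/token` paths and parameter names are the hosted UI's documented ones. Nothing is sent: the functions produce the URL and form body a client would send, and the redirect back from the hosted UI is simulated.

```python
"""Client side of authorization code + PKCE against a user pool domain.
Added example, not AWS code; nothing is sent, the functions return the URL and
form body a real client would send. DOMAIN, CLIENT_ID and REDIRECT_URI are
placeholders; the paths and parameter names are the hosted UI's documented ones."""
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

DOMAIN = "my-app.auth.us-east-1.amazoncognito.com"  # assumed pool domain
CLIENT_ID = "1example23456789"                        # assumed public app client (no secret)
REDIRECT_URI = "https://app.example.com/callback"     # assumed; must be registered on the client


def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def new_pkce(verifier=None):
    """RFC 7636: verifier of 43-128 unreserved chars, challenge = BASE64URL(SHA256(verifier))."""
    verifier = verifier or b64u(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    return verifier, b64u(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(scopes, state, code_challenge):
    """Step 1: send the browser/WebView here. `state` binds the callback to this session."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scopes), "state": state,
              "code_challenge_method": "S256", "code_challenge": code_challenge}
    return f"https://{DOMAIN}/oauth2/authorize?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Step 2: the hosted UI redirects to REDIRECT_URI?code=...&state=...
    A callback whose state does not match the one we issued is dropped (login CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    got = qs.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError(qs["error"][0])
    return qs["code"][0]


def token_request(code, code_verifier):
    """Step 3: POST this body as application/x-www-form-urlencoded to /oauth2/token.
    The verifier, never sent before, proves the same client started the flow, so a
    stolen code alone is useless. (If the app client was created with a secret,
    Cognito additionally expects it in an HTTP Basic Authorization header.)"""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier}
    return f"https://{DOMAIN}/oauth2/token", urlencode(body)


def walkthrough():
    """The three steps end to end with the redirect simulated. Returns the authorize
    URL and the (endpoint, body) the client would post to the token endpoint."""
    verifier, challenge = new_pkce()
    state = b64u(secrets.token_bytes(16))
    url = authorize_url(["openid", "email", "aws.cognito.signin.user.admin"], state, challenge)
    # ... the user signs in on the hosted UI, which redirects back (constructed here):
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'constructed-auth-code', 'state': state})}"
    code = handle_callback(callback, state)
    return url, token_request(code, verifier)
```

The verifier and the state both stay on the client between steps 1 and 3 (session storage for a browser, process memory for a native app); what travels in the redirect is only their derived challenge and the opaque state value.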
    65. 65. SRP
    Problem with salting/hashing passwords in the DB:
    • Rainbow tables, fast or broken hashes such as MD5
    • GPUs can compute billions of hashes/sec
    • Dictionary attacks, brute force
    SRP: passwords never travel over the wire
    • Verifier calculated and stored in the database
    • http://srp.stanford.edu/ndss.html
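The SRP exchange that slides 60 and 65 summarise, as an added example (not the Cognito SDK's implementation, which uses the RFC 5054 3072-bit group and its own hashing conventions and is handled by the SDK for you). The tiny 127-bit group is only so it runs instantly and gives no real security; the usernames and passwords are constructed.

```python
"""SRP-6a sign-in: the password never leaves the client and the server stores
only a salt and a verifier. Added example, not the Cognito SDK's implementation
(Cognito uses the RFC 5054 3072-bit group and its own hashing conventions).
The 127-bit group here is only so the exchange runs in a blink; it is NOT secure."""
import hashlib, secrets

N = (1 << 127) - 1  # prime, toy-sized; use an RFC 5054 group for real use
g = 3


def H(*parts):
    """Hash integers (big-endian bytes) to an integer, the SRP H() function."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big"))
    return int.from_bytes(h.digest(), "big")


def x_of(username, password, salt):
    """x = H(salt, H(I ":" P)); computed on the client only."""
    inner = int.from_bytes(hashlib.sha256(f"{username}:{password}".encode()).digest(), "big")
    return H(salt, inner)


k = H(N, g)  # SRP-6a multiplier


def register(username, password):
    """Sign-up: the client derives v = g^x and sends (salt, v); the server stores
    those. A database leak yields neither the password nor x."""
    salt = secrets.randbits(128)
    return salt, pow(g, x_of(username, password, salt), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # A = g^a, sent to the server


def server_start(verifier):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * verifier + pow(g, b, N)) % N  # B = k*v + g^b, sent to the client


def client_key(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("invalid B")  # RFC 5054: abort on B mod N == 0
    u = H(A, B)
    if u == 0:
        raise ValueError("invalid u")
    x = x_of(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(S)


def server_key(verifier, b, A, B):
    if A % N == 0:
        raise ValueError("invalid A")
    u = H(A, B)
    S = pow(A * pow(verifier, u, N) % N, b, N)
    return H(S)


def proof(A, B, K):
    """M1 = H(A, B, K): the client sends this; the server checks it before issuing
    anything, so a wrong password fails here without the password ever being sent."""
    return H(A, B, K)


def sign_in(username, password_typed, salt, verifier):
    """Full exchange; True when the server accepts the client's proof."""
    a, A = client_start()
    b, B = server_start(verifier)
    m1 = proof(A, B, client_key(username, password_typed, salt, a, A, B))
    return m1 == proof(A, B, server_key(verifier, b, A, B))
```

What crosses the wire is A, B, the salt and the proof; the server never sees the password or x, and an attacker who dumps the database gets only verifiers that cannot be replayed as a password.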
    66. 66. SAML: two-way trust to securely exchange claims
    SAML doesn’t accept passwords! That’s what an IdP is for.
    Terms
    • Service Provider (Relying Party)
    • STS (ADFS, Shibboleth)
    • Signed and Base64-encoded claims in <samlp:/> notation
    • IdP: “SAML authority” or “Asserting Party” = “SAML IdP”, AKA the party that holds all the claims to share
    • Bindings

    Editor's Notes

  • <Connect with the audience>
    If you’re anything like me, this is probably how that makes you feel. <pause, hopefully for a bit of laughter>

    The good news is that there is a lot of help. I’ll try to give you a bit of a roadmap today on how you might think about going on this journey.

    Firstly, you’ll need to take a look at your organisation, the teams that are working on your projects.
    You’ll need to put some new definitions around your architecture.
    You will probably need to know how to deal with your existing application investments, so we’ll talk about how to approach migrations
    and lastly, I’ll try to give you some of my best tips and tricks, best practices for avoiding some of those challenges along the way and hopefully avoid some of the frustrations like what this poor guy is feeling.

    http://images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg
  • Who Loves AAA?! Who Hates it?
  • We have amazing services that integrate to your app and provide essential features for your users.
    Authentication, Data Sync, Analytics, media, push notifications, serverless backends, enterprise features and chat bots
    However it might take some time to get acquainted, learn and configure all these services and how they interact with each other. Time you could be using to focus on your application code.
    AWS have successfully removed the undifferentiated heavy lifting of infrastructure, now we’re going one step further. What if I told you now we could also remove the heavy lifting of provisioning and configuration of your mobile backend for you?

    Pulling this all together is easier through Mobile SDKs for iOS, Android, Xamarin, Unity…or use Mobile Hub which makes development even simpler with a single integrated console.


  • This is what our Mobile Hub service is here for! With Mobile Hub you can select, mix and match what features you want to add to your app and the related services are automatically provisioned for you, bootstrapping your mobile backend in a matter of minutes! Not only that but all the backend services are pre-configured and personalized with all the best practices and security in mind.

  • Session Based Auth
    Server does heavy lifting. Stateful.
    Client session ID attached to every request, associated with user ID that must be referenced on server
    Pros: Auditing, revocation of actions
    Cons: Scaling
    Token Based Auth
    Stateless, nothing persisted on server
    Simple validation of token signing
    Pros: Scaling
  • Create and manage User Pools - Create, configure, and delete multiple user pools across AWS regions
    Define Custom Attributes - Define custom attributes for your user profiles
    Require Submission of Attribute Data - Select which attributes must be provided by the user prior to completion of the sign-up process
    Set per-App Permissions - Set read and write permissions for each user attribute on a per-app basis
    Set up Password Policies - Enforce password policies like minimum length and requirement of certain types of characters
    Search Users - Search users based on a full match or a prefix match of their attributes through the console or Admin API
    Manage Users - Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
  • User Sign-Up and Sign-In
    Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
    User Profile Data
    Enable users to view and update their profile data – including custom attributes
    Forgot Password
    Provide users the ability to change their password when they forget it with a one-time password challenge
    Token Based Authentication
    Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
    Email or Phone Number Verification
    Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
    SMS Multifactor Authentication
    Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
  • Lambda is our microservices framework, which lets you run code without provisioning or managing servers. And you can use Lambda in conjunction with User Pools to customize the user flow according to your business requirements.
  • Before Migrate, Always Federate
  • Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.
    Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
    Stateless authentication mechanism as the user state is never saved in server memory
  • https://freerangestock.com/photos/44722/photo-details.html
  • OAuth 2.0 looks at the problem of "How does Software A give Software B access to User X's data without Software B having access to User X's login credentials."
  • Redirect URIs must be registered with the OAuth service with TLS in order to prevent MITM attacks. The registration process gives the client ID and secret.
  • Service Providers provide web services and rely on a “trusted” Identity Provider and Security Token Service for AuthN and AuthZ. This is the WS-Fed definition, where an SP is called a Relying Party. The SP depends on having assertions from the IdP.
  • The key here is that the SAML AuthnRequest was signed. That’s what allows direct sending of user data from the IdP on the right back to the resource server on the left.