
Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync: Mobile Week SF


AWS Mobile Week at the San Francisco Loft

Authentication and Authorization for Connected Mobile & Web Applications using Amazon Cognito and AWS AppSync
One of the key challenges for mobile applications is managing users and their identities in order to support monetization strategies, provide differentiated services, and manage fine-grained access and data controls. In this session, you'll learn how Amazon Cognito provides user sign-up and sign-in as part of your onboarding workflow, along with advanced capabilities for data access/feature management and security.
Level: Intermediate
Speaker: Brice Pelle - Enterprise Support Lead, AWS



  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pop-up Loft
     Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync
     Brice Pellé (@BricePelle), Enterprise Support Lead, AWS
  2. Developing Auth Infrastructure is Difficult
     • Need to develop a reliable user directory to manage identities
     • Handling user data and passwords and protecting privacy
     • Prioritizing scalability of your infrastructure upfront
     • Supporting standards, such as OAuth 2.0, OpenID Connect, SAML, etc.
     • Support for multiple social identity providers
     • Federation with corporate directories for B2E applications
  3. Amazon Cognito Overview (diagram): Web and Mobile Apps, Amazon Cognito, Federation. Developers focus on what is special about their app; Cognito handles auth and identity: Managed User Directory, Hosted UI, AWS Credentials, Standard Tokens
  4. Amazon Cognito: Identity Management Scenarios (diagram): Business to Consumer, Business to Business, Business to Employee, IoT Scenarios. Building blocks shown: Enterprise Directory (SAML federation), AWS IoT
  5. Cognito User Pools - Comprehensive User Flows
     • User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application
     • Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
     • Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge
     • User Profile Data: Enable users to view and update their profile data, including custom attributes
     • SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
     • Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
     • Customize these User Flows Using Lambda
  6. Cognito User Pools - Extensive Admin Capabilities
     • Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions
     • Define Custom Attributes: Define custom attributes for your user profiles
     • Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis
     • Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters
     • Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process
     • Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API
     • Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
  7. Custom User Flows Using Lambda Hooks
     Category                   | Lambda hook                    | Example scenarios
     Custom authentication flow | Define auth challenge          | Determines the next challenge in a custom auth flow
     Custom authentication flow | Create auth challenge          | Creates a challenge in a custom auth flow
     Custom authentication flow | Verify auth challenge response | Determines whether a response is correct in a custom auth flow
     Authentication events      | Pre-authentication             | Custom validation to accept or deny the sign-in request
     Authentication events      | Post-authentication            | Event logging for custom analytics
     Authentication events      | Pre-token generation           | Customize claims in the ID token
     Sign up                    | Pre-sign-up                    | Custom validation to accept or deny the sign-up request
     Sign up                    | Post-confirmation              | Custom welcome messages or event logging for custom analytics
     Migration                  | User migration                 | Migrate users and retain existing passwords
     Messages                   | Custom message                 | Advanced customization and localization of messages
  8. Cognito User Pool Tokens Overview
     • Access Token: JSON Web Token; used to authorize requests, including Cognito APIs; includes OAuth scopes and Cognito groups; expires in 1 hour
     • Identity Token: JSON Web Token; can be used for authentication; includes user profile information (attributes, Cognito groups); expires in 1 hour
     • Refresh Token: opaque blob; used to get new ID and Access tokens without re-authenticating; expiration configurable from 1 day to 10 years
  9. Integration with AWS AppSync
  10. Several methods of authentication
  11–12. AWS AppSync: Authorization with Cognito (diagram, repeated on slide 12): Amazon Cognito User Pools with a JWT Identity Token, or Amazon Cognito Identity Pools with AWS IAM authorization
  13–18. User Pools flow (one diagram built up over six slides). Components: Mobile app, Amazon Cognito User Pools, AWS AppSync with a Cognito User Pools authorizer, and resolvers backed by a Lambda function, Amazon Elasticsearch and Amazon DynamoDB. Steps:
     1. Authenticate (mobile app against Cognito User Pools)
     2. JWT tokens (returned to the app)
     3. Call AWS AppSync API (with the token)
     4. Validate Identity token (AppSync, Cognito User Pools authorizer)
     5. Invoke Resolvers
  19. AWS AppSync: Authorization with Cognito (diagram repeated before the Identity Pools flow)
  20–28. Identity Pools flow (one diagram built up over nine slides). Components: Mobile app, Amazon Cognito User Pools, Amazon Cognito Identity Pools, AWS IAM, AWS AppSync with a Cognito User Pools authorizer, and resolvers backed by a Lambda function, Amazon Elasticsearch and Amazon DynamoDB. Steps:
     1. Authenticate (mobile app against Cognito User Pools)
     2. JWT Tokens (returned to the app)
     3. Request AWS creds (app to Cognito Identity Pools, presenting the token)
     4. Validate ID token (Identity Pools)
     5. Temp AWS creds (returned to the app)
     6. Call AppSync API (signed with the temporary credentials)
     7. Check IAM policy
     8. Invoke resolvers
  29. IAM Policy Detail
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["appsync:GraphQL"],
           "Resource": [
             "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>",
             "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>"
           ]
         }
       ]
     }
  30. Fine Grained Access Controls
     • User's identity information is available at the resolver
     Amazon Cognito User Pools identity:
     {
       "sub": "uuid",
       "issuer": "string",
       "username": "string",
       "claims": { ... },
       "sourceIp": ["x.x.x.x"],
       "defaultAuthStrategy": "string"
     }
     Amazon Cognito Identity Pools identity:
     {
       "accountId": "string",
       "cognitoIdentityPoolId": "string",
       "cognitoIdentityId": "string",
       "sourceIp": ["string"],
       "username": "string",
       "userArn": "string"
     }
  31. Fine Grained Access Controls (diagram)
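Added example, not from the deck: the kind of resolver-side check that slide 30's identity object makes possible, written as plain Node functions over the two identity shapes shown there. The owner-or-admins rule set and the "admins" group name are constructed for illustration; in an AppSync JavaScript resolver the same logic would run inside request(ctx) on ctx.identity and call util.unauthorized() on a false result.

```javascript
// Which identity shape arrived depends on the API's auth mode: User Pools (JWT) or Identity Pools (IAM).
function identityKind(identity) {
  if (identity && typeof identity.sub === 'string' && identity.claims) return 'userPool';
  if (identity && typeof identity.cognitoIdentityId === 'string') return 'identityPool';
  return 'unknown';
}

// Stable principal id stored as a record's owner: the user pool sub or the Cognito identity id.
// The username field is deliberately not used, because usernames can be changed or reused.
function principalId(identity) {
  switch (identityKind(identity)) {
    case 'userPool': return `userpool:${identity.sub}`;
    case 'identityPool': return `identitypool:${identity.cognitoIdentityId}`;
    default: return null;
  }
}

// Group membership is taken from the cognito:groups claim of the user pool token (slide 8).
// IAM-authorized callers carry no groups, so they can only ever match as the record owner.
function groupsOf(identity) {
  const groups = identityKind(identity) === 'userPool' ? identity.claims['cognito:groups'] : undefined;
  return Array.isArray(groups) ? groups : [];
}

// Constructed rule set: any authenticated caller may read; only the record owner or a member of
// the admins group may update or delete; everything else is denied by default.
function isAuthorized(identity, record, action) {
  const me = principalId(identity);
  if (me === null) return false;                     // unauthenticated or unrecognised identity
  if (action === 'read') return true;
  if (action === 'update' || action === 'delete') {
    return record.owner === me || groupsOf(identity).includes('admins');
  }
  return false;                                      // unknown action: deny
}
```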
  32. Implementing Authentication: Amplify for Authentication
  33. Authentication with Amazon Cognito
     ✓ Create & configure new Amazon Cognito resources for user authentication
     ✓ Interact with Amazon Cognito using the Auth class from the client library
     ✓ Pre-configured components available for React, React Native, Angular, & Ionic
  34. Secure, always!
     • Leverage Amazon Cognito
       • Built with best security practices
     • Iterate quickly with Amplify
       • With toolchain
       • Provision serverless backend resources
       • Use Auth module to easily interact
       • Wrap app in authenticator to require sign-in
       • Uses customizable pre-built UI components

     import React, { Component } from 'react'
     import awsmobile from './aws-exports'
     import Amplify, { Auth } from 'aws-amplify'
     import { withAuthenticator } from 'aws-amplify-react'
     ...
     Amplify.configure(awsmobile)
     ...
     class App extends Component {
       async componentDidMount() {
         // Current Cognito session: holds the ID, access and refresh tokens from slide 8
         const session = await Auth.currentSession()
         this.setState({ session })
       }
     }
     // withAuthenticator renders the sign-in UI and only mounts App once the user is signed in
     export default withAuthenticator(App)
  35. AppSync with Amplify
     • 4 easy steps to configure AppSync
       1. Import Modules
       2. Configure Client
       3. Advanced Settings
          a. Complex data handling
          b. Union and interface handling
       4. Wrap app in HOCs
          a. Make client available to provider
          b. Load app data from storage
          c. Launch app when data ready
          d. Require authentication

     import React from 'react'
     import { ApolloProvider } from 'react-apollo'
     import { Auth } from 'aws-amplify'
     import { withAuthenticator } from 'aws-amplify-react'
     import AWSAppSyncClient from 'aws-appsync'
     import { Rehydrated } from 'aws-appsync-react'
     import awsmobile from './aws-exports'
     import App from './App'   // the App component from slide 34 (path assumed)

     const client = new AWSAppSyncClient({
       url: awsmobile.aws_appsync_graphqlEndpoint,
       region: awsmobile.aws_appsync_region,
       auth: {
         type: awsmobile.aws_appsync_authenticationType,
         // ID token from the current Cognito session, read fresh for each request
         jwtToken: async () => (await Auth.currentSession()).getIdToken().getJwtToken()
       },
       // AWS credentials used for complex objects (3a)
       complexObjectsCredentials: () => Auth.currentCredentials(),
       // fragmentMatcher (defined elsewhere) handles union and interface types (3b)
       cacheOptions: { fragmentMatcher }
     })

     const WithProvider = () => (
       <ApolloProvider client={client}>   // 4a: make client available to provider
         <Rehydrated>                      // 4b, 4c: load app data from storage, launch when ready
           <App />
         </Rehydrated>
       </ApolloProvider>
     )
     export default withAuthenticator(WithProvider)   // 4d: require authentication
  36. Pop-up Loft: Thank you!
