IAM policy detail
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource...
API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Pr...
Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Amazon
DynamoDB
AWS Identity &
Access ...
Custom Authorizer
Lambda function
Mobile app
Lambda
function
AmazonAPI
Gateway
Amazon
DynamoDB
AWS Identity &
Access Manag...
Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Amazon
DynamoDB
AWS Identity &
Access ...
Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Amazon
DynamoDB
AWS Identity &
Access ...
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Custom authorizers
Amazon
DynamoDB
4. Check
policy
cache
AWS Identity &
...
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Custom authorizers
Amazon
DynamoDB
5. Validate token
AWS Identity &
Access...
Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Custom authorizers
Amazon
DynamoDB
6.G...
Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Custom authorizers
Amazon
DynamoDB
AWS...
Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Custom authorizers
Amazon
DynamoDB
8. ...
Custom authorizer Lambda
var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
testPolicy.allowMe...
API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Pr...
DEMO
Integrating
with SAML
SpaceFinder API
(Microservice)
Architecture so far…
Amazon Cognito
User Pools
Enterprise
Identity
Provider
AWS resources
(...
Integrating with SAML
• Microsoft Active Directory Federation Services (ADFS)
and Shibboleth are popular SAML providers.
•...
SAML
Endpoint
e.g. ADFS
or Shibboleth
Integrating with SAML
Corporate Directory
e.g. Active Directory
or OpenLDAP
SAML
Endpoint
e.g. ADFS
or Shibboleth
Amazon Cognito
Federated Identities
2. Get AWS credentials
Integrating with SAML
Cor...
SAML
Endpoint
e.g. ADFS
or Shibboleth
Amazon Cognito
Federated Identities
2. Get AWS credentials
Integrating with SAML
Cor...
Wrap up
SpaceFinder API
(Microservice)
SpaceFinder mobile app
Amazon Cognito
User Pools
Enterprise
Identity
Provider
AWS resources...
SpaceFinder API
(Microservice)
SpaceFinder web app
Amazon Cognito
User Pools
Enterprise
Identity
Provider
AWS resources
(e...
Do try this at home
• Mobile app + API are open-sourced (Apache 2.0 license)
https://github.com/awslabs/
aws-serverless-au...
Thank you!
Remember to complete
your evaluations!
Related Sessions
• MBL404 – Real-World Deep Dive: Native, Hybrid, and Web with Serverless and AWS Mobile Services
• MBL310...
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Management for Serverless Architectures (MBL306)

By leveraging "serverless architectures", startups and enterprises are building and running modern applications and services with increased agility and simplified scalability—all without managing a single server. Many applications need to manage user identities and support sign-in/sign-up. In this session, we dive deep on how to support millions of user identities, as well as how to integrate with social identity providers (such as Google and Facebook) and existing corporate directories. You learn the real-world design patterns that AWS customers use to implement authentication and authorization. By combining Amazon Cognito identity pools and user pools with API Gateway, AWS Lambda, and AWS IAM, you can add security without adding servers.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jim Tran and Justin Pirtle. November 30, 2016. MBL306 Serverless Authentication and Authorization: Identity Management for Serverless Architectures
2. What to expect from the session • Assumes high-level familiarity with serverless API architectures (API Gateway, Lambda) • Learn how to implement identity management for your serverless apps, using • Amazon Cognito User Pools • Amazon Cognito Federated Identities • Amazon API Gateway • AWS Lambda • AWS Identity and Access Management (IAM)
3. Hybrid mobile app • Runs in web browser, Android, Apple iOS devices • Built using Ionic 2 Framework • Angular 2 / TypeScript • AWS SDKs for JavaScript. Do try this at home • Mobile app + API are open-sourced (Apache 2.0 license) • https://github.com/awslabs/aws-serverless-auth-reference-app. SpaceFinder: helps you book conference rooms and desks
4. Managing Identities
5. Sign-up and sign-in
6. Sign-up and sign-in: 1. Sign-up, 2. Sign-in
7. Sign-up and sign-in (1. Sign-up, 2. Sign-in). User store, plaintext passwords:
   Username     Email                    Password
   beverly123   beverly123@example.com   Password$123
   pilotjane    pilotjane@example.com    a##eroplan3
   sudhir1977   sudhir197@example.com    mmd414997a
8. Sign-up and sign-in (table as on slide 7) • Never store passwords in plaintext! • Vulnerable to rogue employees • A hacked DB results in all passwords being compromised
9. Sign-up and sign-in (1. Sign up, 2. Sign in). User store, hashed passwords:
   Username     Email                    Hashed Password
   beverly123   beverly123@example.com   21a730e7d6cc9d715efcc0514ed69a1f
   pilotjane    pilotjane@example.com    fea74fde863cd38f88b3393f590ae883
   sudhir1977   sudhir197@example.com    6ce6be14f0c775cc9b3dbe4e18d9fc7d
10. Sign-up and sign-in (table as on slide 9) • MD5/SHA1 collisions • Rainbow Tables • Dictionary attacks, brute-force (GPUs can compute billions of hashes/sec)
11. Sign-up and sign-in (1. Sign up, 2. Sign in). User store, salted hashes:
   Username     Email                    Salted Hash
   beverly123   beverly123@example.com   1e66f9358530620b2bcae79dada717c…
   pilotjane    pilotjane@example.com    88fccd9cf82377d11d2fede177457d47…
   sudhir1977   sudhir197@example.com    08a5981de4fecf04b1359a179962a48...
   • Incorporate app-specific salt + random user-specific salt • Use algorithm with configurable # of iterations (e.g. bcrypt, PBKDF2), to slow down brute force attacks
12. Sign-up and sign-in (1. Sign up, 2. Sign in). User store with no password column:
   Username     Email
   beverly123   beverly123@example.com
   pilotjane    pilotjane@example.com
   sudhir1977   sudhir197@example.com
13. Sign-up and sign-in (1. Sign up, 2. Sign in). User store with SRP verifiers:
   Username     Email                    SRP Verifier function
   beverly123   beverly123@example.com   <password-specific verifier>
   pilotjane    pilotjane@example.com    <password-specific verifier>
   sudhir1977   sudhir197@example.com    <password-specific verifier>
14. Sign-up and sign-in (table as on slide 13) • Secure Remote Password (SRP) Protocol • Verifier-based protocol • Passwords never travel over the wire • Resistant to several attack vectors • Perfect Forward Secrecy
15. Sign-up and sign-in (table as on slide 13). Best practices ☐ Secure password handling
16. Sign-up and sign-in (table as on slide 13). Best practices ☐ Secure password handling ☐ Encrypt all data server-side ☐ Enforce password policies (min length, valid characters) ☐ Token-based Authentication ☐ MFA - via SMS for sign-in and forgot password flows ☐ Support CAPTCHAs and other custom authentication flows ☐ Scalable to 100s of millions of users
17. Sign-up and sign-in (table as on slide 13). User flows ☐ Registration ☐ Verify email/phone ☐ Secure sign-in ☐ Forgot password ☐ Change password ☐ Sign-out. Best practices: the list from slide 16
18. Sign-up and sign-in (1. Sign up, 2. Sign in). User flows and best practices as on slide 17, all provided by Amazon Cognito User Pools
19. Sign-up and Sign-in: Amazon Cognito User Pools
20–23. Sign up and sign in with Amazon Cognito User Pools, registration flow built up one step per slide: Register → Verification SMS or email → Confirm registration → Successful registration
24–25. Same flow, continued: Authenticate (via SRP) → JWT Tokens
26–31. Same flow with a custom authentication challenge, built up one step per slide: Register → Verification SMS or email → Confirm registration → Successful registration → Authenticate (via SRP) → Define Authentication Challenge → Custom challenge (CAPTCHA, custom 2FA) → Challenge response → Verify Authentication Challenge Response → JWT Tokens
32. Same flow with the custom-logic hooks marked: Pre Sign-Up Validation, Post Confirmation custom logic, Define Authentication Challenge, Verify Authentication Challenge Response, Pre Authentication Validation, Post Authentication custom logic
33–34. Sign up and sign in with Amazon Cognito User Pools: Authenticate (via SRP) → JWT Tokens
35. JWT token (the ID token as printed on the slide, wrapped across lines):
   eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVB
   OVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJz
   dWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYz
   YzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2
   ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91
   c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNz
   IjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5h
   bWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5Iiwi
   Y29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0
   Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0Ijox
   NDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFp
   bCI6InRyYW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t
   YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9
   K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8y
   mjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMH
   tjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ
   18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs
   4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P
   e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ
36. JWT token, Header (decoded first segment):
   {
     "kid": "9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=",
     "alg": "RS256"
   }
37. JWT token, Payload (decoded second segment):
   {
     "sub": "6f557368-a884-484e-b662-9fc69f3c3802",
     "aud": "6lkfs70rovkubirh1qtntvj012",
     "email_verified": true,
     "token_use": "id",
     "auth_time": 1478449060,
     "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XMlUW9sUy",
     "cognito:username": "test123",
     "exp": 1478452660,
     "given_name": "Test",
     "iat": 1478449060,
     "family_name": "Test",
     "email": "test@example.com"
   }
38. JWT token, Signature (third segment), shown on the slide with the generic JWT formula: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret});
39. JWT token: header, payload and signature shown together (content as on slides 36 to 38)
40. Application so far… Amazon Cognito User Pools, AWS resources (e.g. Amazon S3), Amazon Cognito Federated Identities
41. Federating access to AWS resources
42–51. Federating access to AWS resources (architecture diagram, built up one step per slide). Boxes: Mobile app; Throttling, Cache, Logging, Monitoring, Auth; Amazon S3; Amazon Cognito Federated Identities; Amazon Cognito User Pools; AWS Security Token Service (STS). Step labels that appear on the slides: 3. Get Identity ID (slide 45); 4. Identity ID (slide 46); 5. GetCredentials (ID JWT Token) (slide 47); 8. Temporary AWS credentials (slide 50)
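The GetId / GetCredentialsForIdentity exchange of slides 45 to 50, as an added Node.js example that is not from the deck or the reference app. It derives the Logins map key from the ID token's iss claim (the issuer on slide 37 without its https:// prefix, which is the key format identity pools expect for a user-pool provider), then makes the two aws-sdk v2 calls against a constructed in-process stand-in for AWS.CognitoIdentity so that it runs offline; the identity pool id, the identity id and the credential values are constructed placeholders.

```javascript
'use strict';

// Decode the ID token payload without verifying it: the identity pool verifies the signature
// server-side; the client only needs the issuer to build the Logins key.
function decodePayload(jwt) {
  const payload = jwt.split('.')[1] || '';
  return JSON.parse(Buffer.from(payload.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));
}

// For a user-pool provider the Logins map key is the token's iss without the scheme, e.g.
// slide 37's iss becomes "cognito-idp.us-east-1.amazonaws.com/us-east-1_XMlUW9sUy".
function loginsKeyFromIdToken(idToken) {
  const { iss } = decodePayload(idToken);
  if (typeof iss !== 'string' || !/^https:\/\/cognito-idp\.[a-z0-9-]+\.amazonaws\.com\/[A-Za-z0-9_-]+$/.test(iss)) {
    throw new Error('unexpected issuer');   // only hand user-pool tokens to the identity pool
  }
  return iss.replace(/^https:\/\//, '');
}

// Steps 3 to 8 of the diagram with the aws-sdk v2 call shapes getId and getCredentialsForIdentity.
// `client` is injected so the flow runs offline against the fake below; in the app it would be
// `new AWS.CognitoIdentity({ region })`.
async function federateIntoAws(client, identityPoolId, idToken) {
  const Logins = { [loginsKeyFromIdToken(idToken)]: idToken };
  const { IdentityId } = await client.getId({ IdentityPoolId: identityPoolId, Logins }).promise();      // 3. Get Identity ID, 4. Identity ID
  const { Credentials } = await client.getCredentialsForIdentity({ IdentityId, Logins }).promise();  // 5. GetCredentials (ID JWT) ... 8. Temporary credentials
  return { identityId: IdentityId, credentials: Credentials };   // short-lived keys plus session token, not long-lived IAM user keys
}

// Constructed stand-in for AWS.CognitoIdentity: same method names and response shapes, no
// network. Like the real service it only accepts a Logins key matching a provider configured
// on the identity pool (error text is constructed to mirror the service's NotAuthorizedException).
function fakeCognitoIdentityClient(configuredProvider) {
  const call = (fn) => (params) => ({ promise: async () => fn(params) });
  return {
    getId: call(({ Logins }) => {
      if (!Logins[configuredProvider]) throw new Error('NotAuthorizedException: login provider not configured on pool');
      return { IdentityId: 'us-east-1:00000000-0000-4000-8000-000000000000' };   // constructed
    }),
    getCredentialsForIdentity: call(({ IdentityId }) => ({
      IdentityId,
      Credentials: { AccessKeyId: 'ASIACONSTRUCTED000000', SecretKey: 'constructed-secret',
                     SessionToken: 'constructed-session-token', Expiration: new Date(Date.now() + 3600e3) },
    })),
  };
}

// Unsigned token for test input only; a real ID token is RS256-signed by the pool.
function unsignedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(claims)}.`;
}

module.exports = { decodePayload, loginsKeyFromIdToken, federateIntoAws, fakeCognitoIdentityClient, unsignedToken };
```

The credentials that come back are the STS-issued temporary set of slide 50 (access key, secret, session token, expiry); the app signs its S3 and API Gateway requests with them and refreshes through the same two calls before they expire, so no long-lived key ever ships inside the mobile app.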
52. DEMO
53. Authorizing Serverless APIs
54. Application so far… SpaceFinder API (Microservice), Amazon Cognito User Pools, AWS resources (e.g. Amazon S3), Amazon Cognito Federated Identities
55. SpaceFinder API
   POST /locations
   GET /locations
   GET /locations/{locationId}
   DELETE /locations/{locationId}
   GET /locations/{locationId}/resources
   POST /locations/{locationId}/resources
   DELETE /locations/{locationId}/resources/{resourceId}
   GET /locations/{locationId}/resources/{resourceId}/bookings
   GET /users/{userId}/bookings
   POST /users/{userId}/bookings
   DELETE /users/{userId}/bookings/{bookingId}
56. SpaceFinder API: the same route list, with four routes tagged "Admin only" (the transcript does not preserve which four)
57–58. API Gateway: three types of authorization. Identity source and matching authorizer: Amazon Cognito User Pools → User Pools Authorizers; Amazon Cognito Federated Identities → AWS IAM authorization; Custom Identity Providers → Custom Authorizers
59–62. User Pools authorizers (architecture diagram, built up one step per slide). Boxes: Mobile app; Throttling, Cache, Logging, Monitoring, Auth; Amazon API Gateway; Amazon Cognito User Pools; Lambda function; Amazon DynamoDB
63. User Pools authorizers: 4. Validate Identity token
64. User Pools authorizers: 5. Invoke API Call
65. User Pools authorizers: 6. Access AWS Resources
66. API Gateway: three types of authorization (as on slide 57)
67-75. IAM-based authorization flow

    Components: mobile app; Amazon API Gateway (throttling, cache, logging, monitoring, auth) using IAM authorization; Amazon Cognito User Pools; Amazon Cognito Federated Identities; AWS Identity & Access Management; Lambda function; Amazon DynamoDB.

    Annotated steps:
    3. The app requests AWS credentials from Cognito Federated Identities
    4. Cognito Federated Identities validates the ID token
    5. Temporary AWS credentials are returned to the app
    8. API Gateway invokes the Lambda function
76. IAM policy detail

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "execute-api:Invoke",
          "Effect": "Allow",
          "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
        },
        {
          "Action": "execute-api:Invoke",
          "Effect": "Deny",
          "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
        }
      ]
    }

    execute-api resource ARNs have the form arn:aws:execute-api:{region}:{account-id}:{api-id}/{stage}/{METHOD}/{resource-path}. The first statement allows every method of API ff5h9tpwfh in any stage; the explicit Deny overrides it for POST requests under /locations/.
77. API Gateway: three types of authorization (next: custom authorizers for custom identity providers)
78-86. Custom authorizer flow

    Components: mobile app; Amazon API Gateway (auth) with a custom authorizer; custom authorizer Lambda function; AWS Identity & Access Management; backend Lambda function; Amazon DynamoDB.

    Annotated steps:
    4. API Gateway checks its policy cache
    5. The custom authorizer Lambda function validates the token
    6. The custom authorizer generates and returns a user IAM policy
    8. API Gateway invokes the backend Lambda function
87. Custom authorizer Lambda: sample code

    // Uses the AuthPolicy helper from the API Gateway custom authorizer blueprint.
    // apiOptions carries the region, restApiId and stage the policy's ARNs are built from;
    // "XXXXXXXXXXXX" is the slide's placeholder for the AWS account ID.
    exports.handler = (event, context, callback) => {
      var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
      testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
      testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
      callback(null, testPolicy.getPolicy());
    };
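The slide shows the two grants but not what AuthPolicy produces, where the account and API identifiers come from, or how step 4 (the policy cache) constrains the policy you return. The following is an added example, not the deck's code and not the blueprint's AuthPolicy: a minimal stand-in that derives its ARN components from event.methodArn, builds the response shape API Gateway expects, fails closed when nothing was granted, and maps an unknown token to the "Unauthorized" error API Gateway turns into HTTP 401. The token table stands in for step 5 (validate token) and is constructed; the assumption that the principal ID equals the userId in /users/{userId}/... is marked in the code.

```javascript
// Added example, not the deck's code: a minimal stand-in for the blueprint's AuthPolicy
// helper plus a handler around it. The token table is constructed; a real authorizer
// would verify a signed token (or call the custom identity provider) at step 5.
const HttpVerb = { GET: 'GET', POST: 'POST', PUT: 'PUT', PATCH: 'PATCH', DELETE: 'DELETE', ALL: '*' };

// event.methodArn: arn:aws:execute-api:{region}:{accountId}:{restApiId}/{stage}/{METHOD}/{path}
function parseMethodArn(methodArn) {
  const [, , , region, accountId, apiPart] = methodArn.split(':');
  const [restApiId, stage] = apiPart.split('/');
  return { region, accountId, restApiId, stage };
}

class AuthPolicy {
  constructor(principalId, accountId, { region, restApiId, stage }) {
    Object.assign(this, { principalId, accountId, region, restApiId, stage, allow: [], deny: [] });
  }
  arn(verb, resource) {
    return `arn:aws:execute-api:${this.region}:${this.accountId}:${this.restApiId}/${this.stage}/${verb}/${resource.replace(/^\//, '')}`;
  }
  allowMethod(verb, resource) { this.allow.push(this.arn(verb, resource)); }
  denyMethod(verb, resource) { this.deny.push(this.arn(verb, resource)); }
  // Response shape API Gateway expects: principalId plus an IAM policy document it caches per token.
  getPolicy() {
    const Statement = [];
    if (this.allow.length) Statement.push({ Action: 'execute-api:Invoke', Effect: 'Allow', Resource: [...this.allow] });
    if (this.deny.length) Statement.push({ Action: 'execute-api:Invoke', Effect: 'Deny', Resource: [...this.deny] });
    // An empty statement list is invalid; fail closed with an explicit deny on the whole API.
    if (!Statement.length) Statement.push({ Action: 'execute-api:Invoke', Effect: 'Deny', Resource: [this.arn('*', '*')] });
    return { principalId: this.principalId, policyDocument: { Version: '2012-10-17', Statement } };
  }
}

// Constructed token table standing in for step 5 (validate token). Not real credentials.
const TOKENS = {
  'tok-admin-beverly': { principalId: 'beverly123', admin: true },
  'tok-user-jane': { principalId: 'pilotjane', admin: false },
};

function authorize(event) {
  const user = TOKENS[String(event.authorizationToken || '').replace(/^Bearer\s+/i, '')];
  if (!user) throw new Error('Unauthorized'); // API Gateway maps this message to HTTP 401
  const { accountId, ...apiOptions } = parseMethodArn(event.methodArn);
  const policy = new AuthPolicy(user.principalId, accountId, apiOptions);
  // The result is cached by token (step 4) and reused for other routes, so it must cover
  // every route this principal may call, not only the one in event.methodArn.
  policy.allowMethod(HttpVerb.GET, '/locations');   // "/locations/*" alone would not match GET /locations
  policy.allowMethod(HttpVerb.GET, '/locations/*');
  policy.allowMethod(HttpVerb.ALL, `/users/${user.principalId}/*`); // assumption: userId == principalId
  if (user.admin) {
    policy.allowMethod(HttpVerb.POST, '/locations/*');   // the two grants shown on the slide
    policy.allowMethod(HttpVerb.DELETE, '/locations/*');
  } else {
    policy.denyMethod(HttpVerb.POST, '/locations/*');
    policy.denyMethod(HttpVerb.DELETE, '/locations/*');
  }
  return policy.getPolicy();
}

// Lambda entry point in the callback style the slide uses.
function handler(event, context, callback) {
  try { callback(null, authorize(event)); } catch (e) { callback(e.message); }
}
if (typeof module !== 'undefined') module.exports = { handler, authorize, AuthPolicy, HttpVerb, parseMethodArn };
```

Two details matter in practice: the cache TTL on the authorizer means a revoked token keeps its cached policy until the TTL expires, so keep the TTL short for privileged principals; and because the policy is keyed by token, scoping the Allow statements to the caller's own /users/{userId} path is what stops one authenticated user from reading another user's bookings.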
89. DEMO

90. Integrating with SAML
91. Architecture so far…: SpaceFinder API (microservice); Amazon Cognito User Pools; Amazon Cognito Federated Identities; enterprise identity provider; AWS resources (e.g. Amazon S3)
92. Integrating with SAML
    • Microsoft Active Directory Federation Services (ADFS) and Shibboleth are popular SAML providers.
    • SAML 2.0 supports two bindings for delivering the SAML response: HTTP-POST and HTTP-Redirect.
    • Capturing the SAML response in a mobile app is non-trivial.
93-95. Integrating with SAML

    Corporate directory (e.g. Active Directory or OpenLDAP) -> SAML endpoint (e.g. ADFS or Shibboleth) -> Amazon Cognito Federated Identities -> serverless APIs or AWS resources

    2. Get AWS credentials: the app exchanges the SAML response for temporary AWS credentials through Amazon Cognito Federated Identities, then calls the serverless APIs or AWS resources with them.
96. Wrap up
97-98. SpaceFinder mobile app and SpaceFinder web app: SpaceFinder API (microservice); Amazon Cognito User Pools; Amazon Cognito Federated Identities; enterprise identity provider; AWS resources (e.g. Amazon S3)
99. Do try this at home
    • SpaceFinder mobile app + API are open-sourced (Apache 2.0 license): https://github.com/awslabs/aws-serverless-auth-reference-app

100. Thank you!

102. Related sessions
    • MBL404 – Real-World Deep Dive: Native, Hybrid, and Web with Serverless and AWS Mobile Services
    • MBL310 – Add User Sign-In, User Management, and Security to your Mobile and Web Applications with Amazon Cognito
    • MBL305 – Developing Mobile Apps and Serverless Microservices for Enterprises using AWS