
Integrate Social Login Into Mobile Apps (SEC401) | AWS re:Invent 2013

Streamline your mobile app signup experience with social login. We demonstrate how to use web identity federation to enable users to log into your app using their existing Facebook, Google, or Amazon accounts. Learn how to apply policies to these identities to secure access to AWS resources, such as personal files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.

  1. Integrate Social Login Into Mobile Apps
     Bob Kinney, AWS Mobile, November 15, 2013
     © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. Agenda
     • AWS Mobile
     • Why are we here?
     • Web identity federation
     • Other options
  3. AWS Mobile (diagram)
     • Online Data: Amazon DynamoDB
     • Social Login: AWS IAM
     • Mobile Push: Amazon SNS
     • File Storage: Amazon S3
  4. AWS Mobile
     • http://aws.amazon.com/mobile
       – AWS Mobile SDKs (iOS and Android)
       – Amazon SNS Mobile Push
       – Geo library for Amazon DynamoDB
       – S3TransferManager
       …plus more added all the time
  5. Why are we here? (diagram: signed requests made with an access key and secret key embedded in the app)
     ACCESS_KEY = "AK….."
     SECRET_KEY = "….."
  6. Why are we here? (diagram)
  7. Why are we here?
     • Get credentials onto device
     • Limit lifetime, enforce rotation
     • Limit access to users' resources
     → web identity federation
  8. What is Web Identity Federation?
  9. Mobile Photo Share: DEMO
  10. Mobile Photo Share – Architecture (diagram: AWS Mobile SDKs with the S3 Transfer Manager and the Geo Library for Amazon DynamoDB (see MBL402); AWS IAM web identity federation; Amazon S3; Amazon DynamoDB)
  11. Web Identity Auth Flow (diagram: Mobile Client, AWS STS and an Amazon S3 bucket inside the AWS Cloud)
  12. Getting Started with Web Identity Federation
     • AWS Mobile SDKs
     • Application with identity provider
     • AWS IAM role for web identity federation
     • SDK to authenticate with identity provider
  13. Login with Amazon: http://login.amazon.com/
  14. Setting Up Application Through Login with Amazon: DEMO
  15. Getting Started with Web Identity Federation
     • AWS Mobile SDKs
     • Application with identity provider
     • AWS IAM role for web identity federation
     • SDK to authenticate with identity provider
  16. AWS IAM Roles
     • Mechanism for delivering temporary credentials
     • Has two policies
       – Trust (who can assume the role)
       – Access (what resources the role can access)
     • Three types of roles
       – AWS service roles
       – Cross-account access
       – Web identity federation
  17. Role for Web Identity Federation
     • Trust policy
       – What provider do we trust?
       – What application with that provider do we trust?
     • Access policy
       – What resources should the user have access to?
  18. Creating an IAM Role: DEMO
  19. Getting Started with Web Identity Federation
     • AWS Mobile SDKs
     • Application with identity provider
     • AWS IAM role for web identity federation
     • SDK to authenticate with identity provider
  20. Adding Login with Amazon SDK
     • Download SDK from http://login.amazon.com/
     • Add files to project
     • Integrate into app
       – APIKey
       – AWS IAM role ARN
  21. Adding Login with Amazon SDK: DEMO
  22. Getting Started with Web Identity Federation
     • AWS Mobile SDKs
     • Application with identity provider
     • AWS IAM role for web identity federation
     • SDK to authenticate with identity provider
  23. Web Identity Auth Flow (diagram: Mobile Client, AWS STS and an Amazon S3 bucket inside the AWS Cloud)
  24. Breaking Permissions: DEMO
  25. Access Policy
      { "Effect": "Allow", "Action": ["s3:*"], "Resource": "*" }
      { "Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*" }
      { "Effect": "Allow", "Action": ["sns:*"], "Resource": "*" }
  26. Access Policy Restriction
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                   "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
        "Resource": "arn:aws:s3:::BUCKET_NAME/*"
      }
      {
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
        "Resource": "arn:aws:s3:::BUCKET_NAME"
      }
      {
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME"
      }
      {
        "Effect": "Allow",
        "Action": "sns:CreatePlatformEndpoint",
        "Resource": "arn:aws:sns:REGION:123456789:app/PLATFORM/APP_NAME"
      }
  27. Access Policy Restriction
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                   "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
        "Resource": "arn:aws:s3:::BUCKET_NAME/BobKinney/*"
      }
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::BUCKET_NAME",
        "Condition": { "StringLike": { "s3:prefix": "BobKinney/" } }
      }
      {
        "Effect": "Allow",
        "Action": ["s3:ListBucketMultipartUploads"],
        "Resource": "arn:aws:s3:::BUCKET_NAME"
      }
  28. Policy Variables for Web Identity Federation
      • Facebook
        – graph.facebook.com:app_id
        – graph.facebook.com:id
      • Login with Amazon
        – www.amazon.com:app_id
        – www.amazon.com:user_id
      • Google
        – accounts.google.com:aud
        – accounts.google.com:sub
  29. Access Policy – Personal Photos
      <!-- Write/Read/Delete individual items -->
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                   "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
        "Resource": "arn:aws:s3:::BUCKET_NAME/${www.amazon.com:user_id}/*"
      }
      <!-- List these items -->
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::BUCKET_NAME",
        "Condition": { "StringLike": { "s3:prefix": "${www.amazon.com:user_id}/" } }
      }
      <!-- Multipart Operations -->
      {
        "Effect": "Allow",
        "Action": "s3:ListBucketMultipartUploads",
        "Resource": "arn:aws:s3:::BUCKET_NAME"
      }
  30. Access Policy – Public Photos
      <!-- Read all public photos -->
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::BUCKET_NAME/public/*"
      }
      <!-- Write/Delete our public photos -->
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:DeleteObject",
                   "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
        "Resource": "arn:aws:s3:::BUCKET_NAME/public/${www.amazon.com:user_id}/*"
      }
      <!-- List these items -->
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::BUCKET_NAME",
        "Condition": { "StringLike": { "s3:prefix": "public/" } }
      }
  31. Access Policy – Amazon DynamoDB
      <!-- DynamoDB policy -->
      {
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:REGION:12345678:table/Favorites",
        "Condition": {
          "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": "${www.amazon.com:user_id}" }
        }
      }
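The following is an added example, not code from the talk or from AWS. It models offline the two policies a web identity federation role carries (slides 16-17: trust policy and access policy) and evaluates the per-user access statements of slides 29 and 31 against constructed requests, so a reader can see why one user's credentials cannot read another user's prefix or table rows. The evaluator is a deliberate simplification (Allow statements and the three condition operators used on the slides only; real IAM evaluation also has explicit Deny, NotAction, resource policies and more). All user ids and application ids are placeholders; `trust_policy`, `is_allowed`, `can_assume` and `user_checks` are names chosen here.

```python
"""Offline model of an IAM role for web identity federation: the trust policy
(who may assume the role) and the per-user access policy built with the
policy variables of slides 28-31. Added example, not AWS code: only Allow
statements and StringEquals / StringLike / ForAllValues:StringEquals are
modelled; all ids are constructed placeholders."""
import fnmatch
import re

# provider -> (application id key, user id key), as listed on slide 28
PROVIDER_VARS = {
    "graph.facebook.com": ("graph.facebook.com:app_id", "graph.facebook.com:id"),
    "www.amazon.com": ("www.amazon.com:app_id", "www.amazon.com:user_id"),
    "accounts.google.com": ("accounts.google.com:aud", "accounts.google.com:sub"),
}

def trust_policy(provider, app_id):
    """Slide 17's trust policy: which provider, and which app at that provider."""
    app_key, _ = PROVIDER_VARS[provider]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {app_key: app_id}}}]}

TABLE_ARN = "arn:aws:dynamodb:REGION:12345678:table/Favorites"  # slide 31 placeholder
ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",  # slide 29: objects under the caller's own prefix only
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
     "Resource": "arn:aws:s3:::BUCKET_NAME/${www.amazon.com:user_id}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",  # slide 29: list that prefix only
     "Resource": "arn:aws:s3:::BUCKET_NAME",
     "Condition": {"StringLike": {"s3:prefix": "${www.amazon.com:user_id}/"}}},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],  # slide 31
     "Resource": TABLE_ARN,
     "Condition": {"ForAllValues:StringEquals":
                   {"dynamodb:LeadingKeys": "${www.amazon.com:user_id}"}}},
]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _subst(value, variables):
    """Expand ${key}; an unknown variable stays unexpanded, so it cannot match a real ARN."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)

def _condition_ok(cond, ctx, variables):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted = [_subst(w, variables) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual not in wanted:
                    return False
            elif op == "StringLike":  # '*' and '?' wildcards; a missing key never matches
                if actual is None or not any(fnmatch.fnmatchcase(actual, w) for w in wanted):
                    return False
            elif op == "ForAllValues:StringEquals":  # every request value must be allowed
                if not all(v in wanted for v in _as_list([] if actual is None else actual)):
                    return False
            else:
                raise ValueError("operator not modelled: " + op)
    return True

def is_allowed(policy, action, resource, ctx, variables):
    """True if some Allow statement matches the action, resource and condition context."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _subst(r, variables)) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx, variables):
            return True
    return False

def can_assume(trust, provider, token_claims):
    """Can a token from `provider` carrying `token_claims` assume the role?"""
    return any(st["Effect"] == "Allow"
               and st["Principal"].get("Federated") == provider
               and st["Action"] == "sts:AssumeRoleWithWebIdentity"
               and _condition_ok(st.get("Condition", {}), token_claims, {})
               for st in trust["Statement"])

def user_checks(user_id, other="OTHER_USER"):
    """Requests one logged-in Login with Amazon user might make (constructed ids)."""
    v = {"www.amazon.com:user_id": user_id}
    obj, bucket = "arn:aws:s3:::BUCKET_NAME/%s/photo.jpg", "arn:aws:s3:::BUCKET_NAME"
    return {
        "read_own_photo": is_allowed(ACCESS_POLICY, "s3:GetObject", obj % user_id, {}, v),
        "read_other_photo": is_allowed(ACCESS_POLICY, "s3:GetObject", obj % other, {}, v),
        "list_own_prefix": is_allowed(ACCESS_POLICY, "s3:ListBucket", bucket, {"s3:prefix": user_id + "/"}, v),
        "list_whole_bucket": is_allowed(ACCESS_POLICY, "s3:ListBucket", bucket, {}, v),
        "query_own_rows": is_allowed(ACCESS_POLICY, "dynamodb:Query", TABLE_ARN, {"dynamodb:LeadingKeys": [user_id]}, v),
        "query_other_rows": is_allowed(ACCESS_POLICY, "dynamodb:Query", TABLE_ARN, {"dynamodb:LeadingKeys": [other]}, v),
    }

if __name__ == "__main__":
    trust = trust_policy("www.amazon.com", "APP_ID_PLACEHOLDER")
    print("token from our app:", can_assume(trust, "www.amazon.com", {"www.amazon.com:app_id": "APP_ID_PLACEHOLDER"}))
    print("token from another app:", can_assume(trust, "www.amazon.com", {"www.amazon.com:app_id": "SOME_OTHER_APP"}))
    for name, ok in user_checks("USER_A").items():
        print(name, "allowed" if ok else "denied")
```

Two points the run makes visible: the trust policy's `app_id` condition is what stops a token issued by the same provider to a different application from assuming the role, and the `${www.amazon.com:user_id}` variable in the access policy turns one role into per-user scoping without creating a role or IAM user per person. The `list_whole_bucket` case is denied because `s3:ListBucket` is only allowed when the request carries an `s3:prefix` matching the caller's own prefix.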
  32. Correcting Permissions: DEMO
  33. Web Identity Federation – Summary
      • Three supported providers: Facebook, Google, and Amazon
      • Uses IAM roles to provide access restrictions
      • Uses IAM policy variables to allow for per-user customized access
  34. What about other logins?
      • User doesn't have a Facebook, Google, or Amazon account
      • Want to support a private pool of users
      → (Identity) Token Vending Machine (TVM)
  35. Identity TVM Auth Flow (diagram: Register User, Login, Private Key (Encrypted), Get Token, Token; components: TVM Server, Amazon DynamoDB, AWS STS, Amazon S3, Amazon SNS)
  36. Policies with Identity TVM (diagram: Root Credentials, AWS IAM User Policy, AWS STS Policy; TVM and App)
  37. Identity TVM Code
      • Server code available on GitHub
        – https://github.com/awslabs/aws-tvm-identity
      • Client code on GitHub
        – https://github.com/awslabs/aws-sdk-ios-samples
        – https://github.com/awslabs/aws-sdk-android-samples
      • Provided as a sample: use and modify as necessary
  38. What About Anonymous Access? → anonymous TVM
  39. Anonymous TVM Auth Flow (diagram: Register Device, Get Token, Token; components: TVM Server, Amazon DynamoDB, AWS STS, Amazon S3, Amazon SNS)
  40. Policies with Anonymous TVM: Anonymous == Read-Only
  41. Anonymous Access: DEMO
  42. Anonymous TVM Code
      • Server code available on GitHub
        – https://github.com/awslabs/aws-tvm-anonymous
      • Client code on GitHub
        – https://github.com/awslabs/aws-sdk-ios-samples
        – https://github.com/awslabs/aws-sdk-android-samples
      • Provided as a sample: use and modify as necessary
  43. Conclusions
      • User has a Facebook, Google, or Amazon account → web identity federation
      • User has another account → identity TVM
      • User has no account → anonymous TVM
  44. Next Steps
      Mobile Photo Share: https://github.com/awslabs/reinvent2013-mobile-photo-share
        – iOS Application
        – Backend application
          • identity TVM
          • anonymous TVM
          • geo server
  45. Web Identity Federation Playground
  46. AWS Mobile SDKs
      • SDKs and Samples
        – http://aws.amazon.com/mobile
        – https://github.com/awslabs/aws-sdk-ios-samples
        – https://github.com/awslabs/aws-sdk-android-samples
      • Assistance
        – https://forums.aws.amazon.com/forum.jspa?forumID=88
        – http://stackoverflow.com/questions/tagged/amazon-web-services
  47. Connect
      • Booth & Office Hours: Thursday 4:30 – 5:30 pm, Friday 9:00 – 10:00 am
      • AWS Mobile Blog: http://mobile.awsblog.com
      • Twitter: @awsformobile
  48. Please give us your feedback on this presentation (SEC401). As a thank you, we will select prize winners daily for completed surveys!
  49. Additional Resources
      • Web Identity Federation
        – https://web-identity-federation-playground.s3.amazonaws.com/index.html
        – http://aws.amazon.com/articles/4617974389850313
        – http://mobile.awsblog.com/post/Tx1P67OUG61P9CB/
        – http://mobile.awsblog.com/post/Tx15RSS024YGKUL/
        – https://github.com/awslabs/aws-mobile-sample-wif
        – http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html
      • TVM
        – http://aws.amazon.com/articles/4611615499399490
        – http://aws.amazon.com/code/8872061742402990
        – http://aws.amazon.com/code/7351543942956566
