
(MBL401) Social Logins for Mobile Apps with Amazon Cognito | AWS re:Invent 2014

Streamline your mobile app sign-up experience with Amazon Cognito. In this session, we demonstrate how to use Cognito to build secure mobile apps without storing keys in them. Learn how to apply policies to existing Facebook, Google, or Amazon identities to secure access to AWS resources, such as personnel files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.


  1. Related sessions: MBL310, MBL311
  2. Web identity federation
  3. Guest Identity Management: manage authenticated and guest users across identity providers. Data Synchronization: synchronize a user's data across devices and platforms via the cloud. Secure AWS Access: securely access AWS services from mobile devices and platforms. (Diagram labels: Guest, Your own Auth; see MBL301.)
  4. Identity Pool: a pool of app users; can be shared across apps. Identity: an individual user; consistent across identity providers; can be a guest user. Login: an identifier in a login provider. (Diagram: AWS Account, Identity Pool, Identity, Login, Dataset, with cardinalities 1:60, 1:n, 0:n.)
  5. Sign up for an AWS account and log in to the AWS Management Console. Download and integrate the AWS Mobile SDK. Create an identity pool for authenticated and unauthenticated users in the AWS Management Console.
  6-8. Login, then AssumeRoleWithWebIdentity. All of this is handled by the credentials provider.
  9. Diagram: Cognito, STS
  10. Identity Provider Access
  11-14. Trust policy for the unauthenticated role:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "Federated": "cognito-identity.amazonaws.com" },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab"
              },
              "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "unauthenticated"
              }
            }
          }
        ]
      }
      The Principal defines that we should trust Cognito. The aud condition defines that we should trust identities from our pool. The amr condition defines that we should trust unauthenticated identities.
  15-17. Access policy for the unauthenticated role:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [ "mobileanalytics:PutEvents", "cognito-sync:*" ],
            "Effect": "Allow",
            "Resource": [ "*" ]
          }
        ]
      }
      Grants access to Analytics and Cognito Sync. This may seem too permissive, but Cognito Sync prevents identities from accessing other identities' data.
  18-21. ${cognito-identity.amazonaws.com:sub} will be replaced by the identity ID.
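To make the three conditions on slides 11-14 and the policy variable on slides 18-21 concrete, here is a small Python model of how the trust policy and a per-identity access policy are evaluated. It is an added example, not code from the session or from AWS: the evaluator handles only the IAM operators the slides use (StringEquals, StringLike, and the ForAnyValue/ForAllValues set prefixes), the token claims are constructed in the shape Cognito issues (sub, aud, amr), the S3 policy and the EXAMPLE-BUCKET name are assumptions, and nothing calls AWS.

```python
import fnmatch
import json

# Identity pool ID exactly as it appears in the trust policy on the slides.
IDENTITY_POOL_ID = "us-east-1:12345678-dead-beef-cafe-123456790ab"

# Trust policy from the slides: who may assume the unauthenticated role.
UNAUTH_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
        },
    }],
}

# Constructed access policy (not on the slides): each identity may only touch its own
# S3 prefix, because ${cognito-identity.amazonaws.com:sub} resolves to its identity ID.
PER_IDENTITY_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET/${cognito-identity.amazonaws.com:sub}/*"],
    }],
}

# Constructed token claims: sub is the identity ID, aud the pool, amr the login methods.
GUEST_CLAIMS = {
    "cognito-identity.amazonaws.com:sub": "us-east-1:aaaaaaaa-0000-0000-0000-000000000001",
    "cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
    "cognito-identity.amazonaws.com:amr": ["unauthenticated"],
}
FACEBOOK_CLAIMS = {
    "cognito-identity.amazonaws.com:sub": "us-east-1:bbbbbbbb-0000-0000-0000-000000000002",
    "cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID,
    "cognito-identity.amazonaws.com:amr": ["authenticated", "graph.facebook.com"],
}
OTHER_POOL_CLAIMS = dict(GUEST_CLAIMS)
OTHER_POOL_CLAIMS["cognito-identity.amazonaws.com:aud"] = "us-east-1:00000000-0000-0000-0000-000000000000"

_STRING_OPERATORS = {
    "StringEquals": lambda actual, pattern: actual == pattern,
    "StringLike": lambda actual, pattern: fnmatch.fnmatchcase(actual, pattern),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, claims):
    """Evaluate a Condition block; every operator/key pair must hold (AND semantics)."""
    for operator, tests in condition.items():
        set_op, _, base = operator.rpartition(":")  # e.g. "ForAnyValue:StringLike"
        match = _STRING_OPERATORS.get(base)
        if match is None:
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in tests.items():
            if key not in claims:
                return False  # a missing claim never satisfies a condition
            per_value = [any(match(actual, p) for p in _as_list(expected))
                         for actual in _as_list(claims[key])]
            ok = all(per_value) if set_op == "ForAllValues" else any(per_value)
            if not ok:
                return False
    return True


def can_assume_role(trust_policy, claims):
    """True if a Cognito token with these claims may assume the role under trust_policy."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if _condition_matches(stmt.get("Condition", {}), claims):
            return True
    return False


def resolve_policy_variables(policy, claims):
    """Replace ${claim-key} placeholders with claim values, as IAM does at evaluation time."""
    text = json.dumps(policy)
    for key, value in claims.items():
        if isinstance(value, str):
            text = text.replace("${" + key + "}", value)
    return json.loads(text)


def allows_action(policy, claims, action, resource_arn):
    """Allow-only check of the resolved access policy (no Deny or Condition handling)."""
    for stmt in resolve_policy_variables(policy, claims)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False
```

Running the checks shows why each condition matters: a guest token from our pool can assume the role; the same token with another pool's aud cannot, so an attacker's own pool cannot borrow our roles; a Facebook-authenticated token cannot take the unauthenticated role because its amr carries no "unauthenticated" value; and after variable substitution identity A is allowed into its own S3 prefix but not into identity B's.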
  22. Your own username and password: your own user authentication system. Several apps prefer to have their own username and password instead of public identity providers for authentication. Manage mappings easily: Cognito manages the mappings across login systems (public or private) using a unique Cognito ID. Easily integrate with existing systems: implement GetOpenIdTokenForDeveloperIdentity() using our server-side SDKs such as Java, Python, Ruby, etc.
  23-27. Login, then GetOpenIdTokenForDeveloperIdentity, then AssumeRoleWithWebIdentity. This is handled by the credentials provider. How does this feed into the credentials provider?
  28-31. access_token, then GetOpenIdTokenForDeveloperIdentity, then AssumeRoleWithWebIdentity. This can be handled by a custom AWSIdentityProvider.
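Slides 22 and 23-31 describe the developer-authenticated flow without showing the server side. The following Python is an added example, not code from the session or from AWS, of what the backend does when a device presents its own username and password: verify the credentials against a local store, then call GetOpenIdTokenForDeveloperIdentity with the developer identifier (never the password). The user store, the `login.example.com` developer provider name and the `FakeCognitoIdentityClient` are constructed stand-ins; the fake exposes the same method name and response shape as boto3's `cognito-identity` client so the real client can be swapped in, and the identity pool ID is the one on the slides.

```python
import hashlib
import hmac
import os

# From the slides. The developer provider name is a placeholder for the one configured on the pool.
IDENTITY_POOL_ID = "us-east-1:12345678-dead-beef-cafe-123456790ab"
DEVELOPER_PROVIDER_NAME = "login.example.com"

# Constructed in-memory user store: username -> (salt, PBKDF2 hash). Never store the password itself.
USERS = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_user(username, password):
    salt = os.urandom(16)  # random per-user salt
    USERS[username] = (salt, _hash_password(password, salt))


def verify_credentials(username, password):
    """Constant-time comparison; unknown users still pay the hashing cost so timing does not leak existence."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


class FakeCognitoIdentityClient:
    """Constructed stand-in for boto3.client("cognito-identity"): same call and response
    shape as the real GetOpenIdTokenForDeveloperIdentity, but it issues a dummy token offline."""

    def __init__(self):
        self.calls = []

    def get_open_id_token_for_developer_identity(self, IdentityPoolId, Logins, TokenDuration=900):
        self.calls.append({"IdentityPoolId": IdentityPoolId, "Logins": dict(Logins),
                           "TokenDuration": TokenDuration})
        developer_user_id = next(iter(Logins.values()))
        return {"IdentityId": "us-east-1:constructed-" + developer_user_id,
                "Token": "constructed.openid.token.for." + developer_user_id}


def login(cognito, username, password):
    """Backend half of developer-authenticated identities.

    Only this server holds AWS credentials and the developer-provider mapping. The device
    gets back just the identity ID and a short-lived OpenID token, which its custom
    AWSIdentityProvider hands to STS AssumeRoleWithWebIdentity via the credentials provider.
    """
    if not verify_credentials(username, password):
        raise PermissionError("invalid username or password")
    response = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER_NAME: username},  # developer identifier, not the password
        TokenDuration=900,
    )
    return {"IdentityId": response["IdentityId"], "Token": response["Token"]}


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    print(login(FakeCognitoIdentityClient(), "alice", "correct horse battery staple"))
```

The shape worth keeping when the fake is replaced by `boto3.client("cognito-identity")`: the password never reaches Cognito, the Logins map carries only the stable developer user identifier that Cognito maps to a single identity ID across login systems, and the token lifetime is kept short because the device will cache it.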
  32. AWS Mobile Home: http://aws.amazon.com/mobile. AWS Mobile Blog: http://mobile.awsblog.com. Twitter: @awsformobile. Forums: http://forums.aws.amazon.com. Stack Overflow: http://stackoverflow.com/tags/amazon-cognito. GitHub: http://github.com/aws/ and http://github.com/awslabs/
  33. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
