
Serverless identity management, authentication, and authorization - SDD405-R - AWS re:Inforce 2019


In this workshop, you learn how to build a serverless microservices application demonstrating end-to-end authentication and authorization using Amazon Cognito, Amazon API Gateway, AWS Lambda, and all things IAM. You have the opportunity to build an end-to-end functional app with a secure identity provider showcasing user authentication patterns.

All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services.



  1. Serverless identity management, authentication, and authorization (SDD405)
     Justin Pirtle, Principal Serverless Solutions Architect, AWS
     Lia Vader, Enterprise Solutions Architect, AWS
     © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. What to expect from this workshop
     • The workshop assumes that you have familiarity with serverless API architectures (Amazon API Gateway, AWS Lambda)
     • Learn to implement identity management for your serverless application using:
       • AWS Amplify
       • Amazon Cognito user pools
       • Amazon Cognito identity pools
       • Amazon API Gateway
       • AWS Lambda
       • AWS Identity and Access Management (IAM)
  3. Getting started. While we talk…
     • Create an AWS Cloud9 workspace
     • Use an IAM user/role with administrative access
     • AWS Cloud9 will create a VPC; make sure you have fewer than 5 VPCs
     https://bit.ly/auth-workshop-2019
  4. AWS Cloud9
     • Code with just a browser
     • Start new projects quickly
     • Build serverless applications easily
     • Have direct terminal access
  5. Amazon Cognito overview (diagram: web and mobile applications, Amazon Cognito, federation)
     Developers focus on what is special about their application; Amazon Cognito handles authentication and identity:
     • Managed user directory
     • Hosted UI
     • AWS credentials
     • Standard tokens
  6. Amazon Cognito: Identity management scenarios (diagram)
     • Business to consumer
     • Business to business (enterprise directory, SAML)
     • Business to employee (enterprise directory, SAML)
     • IoT scenarios (AWS IoT)
  7. Amazon Cognito user pools: Comprehensive user flows
     • User sign-up and sign-in
     • Email or phone number verification
     • Reset password
     • User profile data
     • Multi-factor authentication
     • Token-based authentication
     Customize these user flows using AWS Lambda.
  8. Custom user flows using AWS Lambda triggers (category, Lambda trigger, example scenarios)
     Custom authentication flow
       • Define authentication challenge: determines the next challenge in a custom authentication flow
       • Create authentication challenge: creates a challenge in a custom authentication flow
       • Verify authentication challenge response: determines whether a response is correct in a custom authentication flow
     Authentication events
       • Pre-authentication: custom validation to accept or deny the sign-in request
       • Post-authentication: event logging for custom analytics
       • Pre-token generation: customize claims in the ID token
     Sign up
       • Pre-sign-up: custom validation to accept or deny the sign-up request
       • Post-confirmation: custom welcome messages or event logging for custom analytics
       • Migration: migrate users and retain existing passwords
     Messages
       • Custom message: advanced customization and localization of messages
  9. Amazon Cognito user pool tokens overview
     Access token
       • JSON web token
       • Used to authorize requests, including APIs
       • Includes OAuth scopes and Amazon Cognito groups
       • Expires in 1 hour
     Identity token
       • JSON web token
       • Can be used for authentication
       • Includes user profile information: attributes and Amazon Cognito groups
       • Expires in 1 hour
     Refresh token
       • Opaque blob
       • Used to get new ID and access tokens without re-authenticating
       • Expiration is configurable from 1 day to 10 years
  10. Identity token payload
      {
        "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "aud": "xxxxxxxxxxxxexample",
        "email_verified": true,
        "token_use": "id",
        "auth_time": 1500009400,
        "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
        "cognito:username": "janedoe",
        "exp": 1500013000,
        "given_name": "Jane",
        "iat": 1500009400,
        "email": "janedoe@example.com"
      }
  11. Access token payload
      {
        "sub": "b90bdacc-bdf7-40e4-9857-375baf8ba563",
        "cognito:groups": [ "clientGroup" ],
        "token_use": "access",
        "scope": "openid profile email https://api.spacefinder.com/photos.write https://api.spacefinder.com/photos.read",
        "auth_time": 1530432407,
        "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dpUQ7d0dw",
        "exp": 1530436007,
        "iat": 1530432407,
        "version": 2,
        "jti": "4e7dd129-5ed6-4c9f-a4a6-b71d60621998",
        "client_id": "27f9n9mqdauqbd9irmm7i4d2el",
        "username": "user1"
      }
  13. Built-in, customizable user interface
      Upload your own logo, and adjust CSS properties to fit your style and branding.
  14. AWS Amplify
      Categories for application programming with cloud services
      • Authentication, analytics, storage, API
      • Caching, i18n, logging, message bus
      Implemented with AWS services, open for external contribution
      JavaScript library, open sourced under Apache 2.0
      • Declarative interfaces
      • Convention over configuration
      React and React Native extensions
      • Native bridging for mathematical operations (Amazon Cognito user pools)
      • Components and higher-order components (HOCs)
  15. AWS Amplify authentication module
      • Declarative APIs for sign-up, sign-in, MFA, and credential status
      • React HOCs
      • Pre-built UI, or build a custom UX

      // Configure Amplify from the generated exports file, then sign in
      import Amplify, { Auth } from 'aws-amplify';
      import awsConfig from './YOUR_PATH_TO_EXPORTS/aws-exports';

      Amplify.configure(awsConfig);

      Auth.signIn(username, password)
        .then(data => console.log(data))
        .catch(err => console.log(err));
  17. Amazon Cognito identity pool: AWS credentials with Amazon Cognito identity pools
      • Exchanges tokens from authenticated users for AWS credentials to access resources such as Amazon S3 or Amazon DynamoDB
      • You can define rules for mapping users to different IAM roles to manage permissions
      • Provides an identity pool ID to uniquely identify users
      Diagram: (1) the mobile or web app presents a bearer token, (2) receives AWS credentials tied to an IAM role, and (3) accesses backend resources (Amazon DynamoDB, Amazon S3, Amazon API Gateway).
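The second bullet above is where least privilege is decided: the identity pool hands out credentials for whichever IAM role its rules select. The following is an added example, not code from the deck or from AWS: a local model of rule-based role mapping in the shape of the RulesConfiguration that SetIdentityPoolRoles accepts (Claim, MatchType, Value, RoleARN, plus AmbiguousRoleResolution). The role ARNs, claim names and rules are constructed; the treatment of list-valued claims (match if any element matches) is an assumption of this model, not a statement about the service.

```javascript
// Added example (not from the deck): a local model of Amazon Cognito identity pool
// rule-based role mapping. Rules are evaluated in order and the first match wins;
// when nothing matches, AmbiguousRoleResolution decides between the pool's
// authenticated role and a denial. All ARNs and claim values are constructed.

const ROLE_MAPPING = {
  Type: 'Rules',
  AmbiguousRoleResolution: 'Deny', // or 'AuthenticatedRole'
  RulesConfiguration: {
    Rules: [
      { Claim: 'cognito:groups',    MatchType: 'Contains',   Value: 'admins',
        RoleARN: 'arn:aws:iam::123456789012:role/ExampleAdminRole' },
      { Claim: 'custom:department', MatchType: 'StartsWith', Value: 'photo',
        RoleARN: 'arn:aws:iam::123456789012:role/ExamplePhotoRole' },
      { Claim: 'email_verified',    MatchType: 'Equals',     Value: 'true',
        RoleARN: 'arn:aws:iam::123456789012:role/ExampleVerifiedUserRole' },
    ],
  },
};
const AUTHENTICATED_ROLE = 'arn:aws:iam::123456789012:role/ExampleAuthenticatedRole';

// Does one rule match one claim value? Assumption of this model: a list-valued
// claim (such as cognito:groups) matches when any element matches.
function ruleMatches(rule, claimValue) {
  const values = Array.isArray(claimValue) ? claimValue : [claimValue];
  return values.some((v) => {
    const s = String(v); // rules compare string values; booleans become 'true'/'false'
    switch (rule.MatchType) {
      case 'Equals':     return s === rule.Value;
      case 'NotEqual':   return s !== rule.Value;
      case 'Contains':   return s.includes(rule.Value);   // substring match
      case 'StartsWith': return s.startsWith(rule.Value);
      default: throw new Error(`unknown MatchType ${rule.MatchType}`);
    }
  });
}

// Returns the role ARN the caller would receive, or null when access is denied.
// A rule only applies when the token actually carries the claim it names.
function resolveRole(claims, mapping = ROLE_MAPPING, authenticatedRole = AUTHENTICATED_ROLE) {
  for (const rule of mapping.RulesConfiguration.Rules) {
    if (rule.Claim in claims && ruleMatches(rule, claims[rule.Claim])) return rule.RoleARN;
  }
  return mapping.AmbiguousRoleResolution === 'AuthenticatedRole' ? authenticatedRole : null;
}

module.exports = { ROLE_MAPPING, AUTHENTICATED_ROLE, ruleMatches, resolveRole };
```

Two things the model makes visible: ordering matters (a verified user who is also in the admins group gets the admin role because that rule is listed first), and Contains is a substring test, so a group named "superadmins" also satisfies a Contains "admins" rule. Prefer Equals for group names, and keep AmbiguousRoleResolution at Deny unless the authenticated role is genuinely safe for every signed-in user.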
  18. Two ways to integrate with Amazon Cognito
      Amazon Cognito user pools
        • Handles the IdP interactions for you
        • Provides profiles to manage users
        • Provides OpenID Connect and OAuth 2.0 standard tokens
        • Priced per monthly active user
      Amazon Cognito identity pools
        • Provides AWS credentials for accessing resources on behalf of users
        • Supports rules to map users to different IAM roles
        • Free
  20. Using JSON web tokens for authorization
      • Parsing OAuth 2.0 custom resource servers and scopes
      • Validating signature, timestamp, and groups/scopes from access tokens
      (Shows the same access token payload as slide 11: cognito:groups, token_use, scope, iss, exp, iat, client_id, username.)
  21. AWS integrated authorization (diagram)
      • Amazon API Gateway: accepts Amazon Cognito tokens directly
      • Application Load Balancer: accepts Amazon Cognito tokens directly
      • AWS credentials (any AWS service, e.g. Amazon DynamoDB, Amazon S3): Amazon Cognito exchanges Amazon Cognito tokens for AWS credentials
  22. Amazon API Gateway: Three types of authorization
      • Amazon Cognito authorizers (Amazon Cognito user pools)
      • IAM authorization (Amazon Cognito identity pools)
      • Lambda authorizers (custom identity providers)
  23. Authentication option 1: Amazon Cognito user pools authorizer (diagram)
      Websites, mobile apps and partner services on the Internet perform user login against Amazon Cognito and receive an OIDC token; they present the OIDC token to Amazon API Gateway, whose built-in authentication check validates it before the request reaches AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint.
  24. Authentication option 2: IAM authorization (diagram)
      Websites, mobile apps and partner services acquire an IAM user/role (through Amazon Cognito) and sign each request (request signature); Amazon API Gateway verifies the signature with IAM and forwards to AWS Lambda functions or endpoints on Amazon EC2.
  25. Authentication option 3: Custom Lambda authorizer (diagram)
      Amazon API Gateway hands the caller's credentials to a Lambda custom authorizer function, which checks them (for example against an OAuth provider) and returns a policy that API Gateway keeps in its policy cache; rejected callers receive a 403, accepted ones reach AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint.
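The part of option 3 the diagram cannot show is what the authorizer function actually hands back to API Gateway. The block below is an added example, not code from the deck or from AWS: given claims that have already been verified (the checks from slide 20 happen first, before this function is called), it builds the authorizer response, an IAM policy document for execute-api:Invoke plus a context object that the integration can read. The group-to-route map and the method ARN used in the comments are constructed.

```javascript
// Added example (not from the deck): building an API Gateway Lambda authorizer
// response from already-verified token claims. The route map is constructed.

// Which routes each Cognito group may invoke (constructed; "METHOD/path" form).
const GROUP_ROUTES = {
  clientGroup: ['GET/photos'],
  adminGroup:  ['GET/photos', 'POST/photos', 'DELETE/photos/*'],
};

// A method ARN looks like arn:aws:execute-api:region:account:apiId/stage/METHOD/path.
// Keep only the "arn...:apiId/stage" prefix so resources can cover other routes.
function apiStagePrefix(methodArn) {
  const [prefix, stage] = methodArn.split('/');
  if (!prefix || !stage) throw new Error('malformed methodArn');
  return `${prefix}/${stage}`;
}

// Returns the object a Lambda authorizer must return: principalId, policyDocument, context.
function buildAuthorizerResponse(claims, methodArn) {
  const groups = claims['cognito:groups'] || [];
  const routes = new Set();
  for (const g of groups) for (const r of GROUP_ROUTES[g] || []) routes.add(r);
  const base = apiStagePrefix(methodArn);
  const resources = [...routes].map((r) => `${base}/${r}`);
  // API Gateway caches this policy per token (the "policy cache" on the slide),
  // so it must list every route the caller may invoke, not just the current one.
  // Callers with no permitted routes get an explicit Deny on the whole stage.
  const statement = resources.length
    ? { Action: 'execute-api:Invoke', Effect: 'Allow', Resource: resources }
    : { Action: 'execute-api:Invoke', Effect: 'Deny', Resource: `${base}/*` };
  return {
    principalId: claims.sub,
    policyDocument: { Version: '2012-10-17', Statement: [statement] },
    // Context values must be strings, numbers or booleans; the integration reads
    // them as $context.authorizer.<key>, so the backend never re-parses the token.
    context: { username: claims.username || '', groups: groups.join(',') },
  };
}

module.exports = { GROUP_ROUTES, apiStagePrefix, buildAuthorizerResponse };
```

Because the cached policy is keyed on the token, a change to a user's groups takes effect only when the cached entry expires or a new token is issued; keep the authorizer cache TTL short if group membership changes need to propagate quickly.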
  26. Today’s workshop: Wild Rydes
  27. Today’s architecture
  28. Module 1: User authentication
      • Create Amazon Cognito user and identity pools
      • Set up application client for Amazon Cognito user pool
      • Add sign-up and sign-in to your application
  29. Module 2: Serverless API authentication
      Enable API Gateway authorization
      • Amazon Cognito user pool authorizer
      • IAM authorization
  30. Module 3: IAM authorization
      • Integrate AWS resource access via IAM roles within the Wild Rydes application
      • Create new profile management capability with photo rendering and uploads
      • Link photo management with Amazon Cognito user pool attributes
  31. Workshop instructions
  32. Workshop guide: https://bit.ly/auth-workshop-2019
  33. Other resources
      • Serverless authentication reference app (SpaceFinder): https://github.com/awslabs/aws-serverless-auth-reference-app
      • Amazon Cognito OAuth 2.0 serverless workshop: https://github.com/aws-samples/aws-serverless-workshops/tree/master/WebApplication/5_OAuth
      • Amazon Cognito and API Gateway web application reference: https://github.com/awslabs/aws-cognito-angular-quickstart
      • Amazon Cognito and API Gateway federation reference: https://github.com/aws-samples/aws-cognito-apigw-angular-auth
  34. Thank you!
