Successfully reported this slideshow.
Your SlideShare is downloading. ×

SRV403_Serverless Authentication and Authorization

Nov. 30, 2017
16 likes 17,191 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
Loading in …3
×

Check these out next

User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
Amazon Web Services
SRV213-Thirty Serverless Architectures in 30 Minutes
Amazon Web Services
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
Amazon Web Services
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
Amazon Web Services
ENT210-How to Get from Zero to Hundreds of AWS-Certified Engineers
Amazon Web Services
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Amazon Web Services
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
Amazon Web Services
GPSBUS206_Best Practices for Building a Partner Database Practice on AWS
Amazon Web Services
1 of 119 Ad

SRV403_Serverless Authentication and Authorization

Nov. 30, 2017
16 likes 17,191 views

Download to read offline

Many serverless applications need a way to manage end user identities and support sign-ups and sign-ins. Join this session to learn real-world design patterns for implementing authentication and authorization for your serverless application—such as how to integrate with social identity providers (such as Google and Facebook) and existing corporate directories. We cover how to use Amazon Cognito identity pools and user pools with API Gateway, Lambda, and IAM.

Many serverless applications need a way to manage end user identities and support sign-ups and sign-ins. Join this session to learn real-world design patterns for implementing authentication and authorization for your serverless application—such as how to integrate with social identity providers (such as Google and Facebook) and existing corporate directories. We cover how to use Amazon Cognito identity pools and user pools with API Gateway, Lambda, and IAM.

Advertisement

Recommended

NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
Amazon Web Services
3.2k views
36 slides
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Amazon Web Services
2k views
23 slides
WPS205_Is AWS GovCloud Right for your Regulated Workload
Amazon Web Services
501 views
28 slides
GPSTEC302_Anti-Patterns- Learning through Failure
Amazon Web Services
428 views
72 slides
SID301_Using AWS Lambda as a Security Team
Amazon Web Services
3.5k views
41 slides
SRV332_Building Serverless Real-Time Data Processing (Now with Unicorns!).pdf
Amazon Web Services
384 views
23 slides
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
Amazon Web Services
5k views
50 slides
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
Amazon Web Services
731 views
34 slides
Advertisement

More Related Content

Slideshows for you (20)

User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
Amazon Web Services
1.8k views
SRV213-Thirty Serverless Architectures in 30 Minutes
Amazon Web Services
1.2k views
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
Amazon Web Services
1.1k views
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
Amazon Web Services
544 views
ENT210-How to Get from Zero to Hundreds of AWS-Certified Engineers
Amazon Web Services
3.1k views
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Amazon Web Services
734 views
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
Amazon Web Services
446 views
GPSBUS206_Best Practices for Building a Partner Database Practice on AWS
Amazon Web Services
432 views
How Netflix Tunes Amazon EC2 Instances for Performance - CMP325 - re:Invent 2017
Amazon Web Services
2.3k views
The AWS Philosophy of Security - SID322 - re:Invent 2017
Amazon Web Services
3k views
GPSBUS223-Starting Out with the AWS Partner Network
Amazon Web Services
781 views
GPSTEC310_IAM Best Practices and Becoming an IAM Ninja
Amazon Web Services
907 views
MCL205_Introduction to Deep Learning
Amazon Web Services
486 views
AI & Deep Learning At Amazon
Amazon Web Services
1.6k views
NEW LAUNCH! Build your own live streaming and on-demand video service with AW...
Amazon Web Services
414 views
DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
Amazon Web Services
504 views
NEW LAUNCH! AWS PrivateLink Deep Dive - NET310 - re:Invent 2017
Amazon Web Services
2k views
WIN205-Building a Better .NET Bot with AWS Services
Amazon Web Services
530 views
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Amazon Web Services
2.3k views
SID302_Force Multiply Your Security Team with Automation and Alexa
Amazon Web Services
2.6k views
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
Amazon Web Services
1.8k views
22 slides
SRV213-Thirty Serverless Architectures in 30 Minutes
Amazon Web Services
1.2k views
20 slides
NET203_Using Amazon VPC Flow Logs to Do Predictive Security Analytics
Amazon Web Services
1.1k views
54 slides
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
Amazon Web Services
544 views
31 slides
ENT210-How to Get from Zero to Hundreds of AWS-Certified Engineers
Amazon Web Services
3.1k views
32 slides
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Amazon Web Services
734 views
100 slides

Similar to SRV403_Serverless Authentication and Authorization (20)

Serverless Authentication and Authorisation for Your APIs on AWS
Amazon Web Services
3k views
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
Amazon Web Services
11.8k views
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Amazon Web Services
1.6k views
Serverless Authentication and Authorisation
Amazon Web Services
1.2k views
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Amazon Web Services
3.2k views
Amazon Rekognition & Amazon Polly
Amazon Web Services
386 views
Launching applications the Amazon Way
Amazon Web Services
124 views
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Amazon Web Services
2.7k views
AWS Security Best Practices
Aleksandr Maklakov
282 views
AWS Startup Day Kyiv: AWS Security Best Practices
Amazon Web Services
929 views
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r...
Amazon Web Services
393 views
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Amazon Web Services
3.1k views
CON320_Monitoring, Logging and Debugging Containerized Services
Amazon Web Services
686 views
DEV203_Launch Applications the Amazon Way
Amazon Web Services
455 views
Leveraging a Cloud Policy Framework - From Zero to Well Governed - ENT318 - r...
Amazon Web Services
401 views
re:Invent CON320 Tracing and Debugging for Containerized Services
Calvin French-Owen
110 views
Soup to Nuts: Identity Federation for AWS
Amazon Web Services
920 views
20190521 AWS Black Belt Online Seminar Amazon Simple Email Service (Amazon SES)
Amazon Web Services Japan
40.8k views
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
Amazon Web Services
3.7k views
Authentication & Authorization for Connected Mobile & Web Applications using ...
Amazon Web Services
894 views
Serverless Authentication and Authorisation for Your APIs on AWS
Amazon Web Services
3k views
93 slides
AWS re:Invent 2016: Serverless Authentication and Authorization: Identity Man...
Amazon Web Services
11.8k views
103 slides
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Amazon Web Services
1.6k views
24 slides
Serverless Authentication and Authorisation
Amazon Web Services
1.2k views
39 slides
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Amazon Web Services
3.2k views
81 slides
Amazon Rekognition & Amazon Polly
Amazon Web Services
386 views
31 slides
Advertisement

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
25.5k views
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
5.5k views
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
4k views
Costruire Applicazioni Moderne con AWS
Amazon Web Services
2.7k views
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
1.8k views
Open banking as a service
Amazon Web Services
6.3k views
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
3.3k views
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
2.6k views
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
1.6k views
Computer Vision con AWS
Amazon Web Services
3k views
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
1.3k views
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
1.9k views
API moderne real-time per applicazioni mobili e web
Amazon Web Services
1.4k views
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
1.5k views
Tools for building your MVP on AWS
Amazon Web Services
2.3k views
How to Build a Winning Pitch Deck
Amazon Web Services
1.3k views
Building a web application without servers
Amazon Web Services
1.3k views
Fundraising Essentials
Amazon Web Services
863 views
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
644 views
Introduzione a Amazon Elastic Container Service
Amazon Web Services
2.5k views
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
25.5k views
46 slides
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
5.5k views
44 slides
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
4k views
62 slides
Costruire Applicazioni Moderne con AWS
Amazon Web Services
2.7k views
61 slides
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
1.8k views
21 slides
Open banking as a service
Amazon Web Services
6.3k views
14 slides

SRV403_Serverless Authentication and Authorization

  1. 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Serverless Authentication and Authorization J u s t i n P i r t l e a n d V l a d i m i r B u d i l o v , S e n i o r S o l u t i o n s A r c h i t e c t s N o v e m b e r 2 8 , 2 0 1 7
  2. 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What to expect from the session • Assumes high-level familiarity with Serverless API architectures (API Gateway, Lambda) • Learn how to implement identity management for your serverless apps, using • Amazon Cognito User Pools • Amazon Cognito Federated Identities • Amazon API Gateway • AWS Lambda • AWS Identity and Access Management (IAM)
  3. 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder Hybrid mobile app • Runs in web browser, Android, Apple iOS devices • Built using Ionic 3 Framework • Angular 4 / TypeScript • AWS SDKs for JavaScript Do try this at home • Mobile app + API are open-sourced (Apache 2.0 license) • https://github.com/awslabs/ aws-serverless-auth-reference-app
  4. 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Managing Identities
  5. 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 1. Sign-up Sign-up and Sign-in 2. Sign-in
  6. 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email Password beverly123 beverly123@example.com Password$123 pilotjane pilotjane@example.com a##eroplan3 sudhir1977 sudhir197@example.com mmd414997a 2. Sign-in 1. Sign-up
  7. 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Never store passwords in plaintext! • Vulnerable to rogue employees • A hacked DB results in all passwords being compromised Username Email Password beverly123 beverly123@example.com Password$123 pilotjane pilotjane@example.com a##eroplan3 sudhir1977 sudhir197@example.com mmd414997a Sign-up and Sign-in 2. Sign-in 1. Sign-up
  8. 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email Hashed Password beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883 sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d 2. Sign-in 1. Sign-up
  9. 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • MD5/SHA1 collisions • Rainbow Tables • Dictionary attacks, brute-force (GPUs can compute billions of hashes/sec) Username Email Hashed Password beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883 sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d Sign-up and Sign-in 2. Sign-in 1. Sign-up
  10. 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email Salted Hash beverly123 beverly123@example.com 1e66f9358530620b2bcae79dada717c… pilotjane pilotjane@example.com 88fccd9cf82377d11d2fede177457d47… sudhir1977 sudhir197@example.com 08a5981de4fecf04b1359a179962a48... 2. Sign-in 1. Sign-up • Incorporate app-specific salt + random user-specific salt • Use algorithm with configurable # of iterations (e.g. bcrypt, PBKDF2), to slow down brute force attacks
  11. 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up
  12. 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up • Secure Remote Password (SRP) Protocol • Verifier-based protocol • Passwords never travel over the wire • Resistant to several attack vectors • Perfect Forward Secrecy
  13. 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up Security Requirements ☐ Secure password handling
  14. 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up Security Requirements ☐ Secure password handling ☐ Multi-Factor Authentication ☐ Enforce password policies ☐ Encrypt all data server-side ☐ Support custom authentication flows ☐ Scalable to 100s of millions of users
  15. 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Username Email SRP Verifier function beverly123 beverly123@example.com <password-specific verifier> pilotjane pilotjane@example.com <password-specific verifier> sudhir1977 sudhir197@example.com <password-specific verifier> 2. Sign-in 1. Sign-up User Flows ☐ Registration ☐ Verify email/phone ☐ Secure sign-in ☐ Forgot password ☐ Change password ☐ Sign-out Security Requirements ☐ Secure password handling ☐ Multi-Factor Authentication ☐ Enforce password policies ☐ Encrypt all data server-side ☐ Support custom authentication flows ☐ Scalable to 100s of millions of users
  16. 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in 2. Sign-in 1. Sign-up User Flows ☐ Registration ☐ Verify email/phone ☐ Secure sign-in ☐ Forgot password ☐ Change password ☐ Sign-out Security Requirements ☐ Secure password handling ☐ Multi-Factor Authentication ☐ Enforce password policies ☐ Encrypt all data server-side ☐ Support custom authentication flows ☐ Scalable to 100s of millions of users Amazon Cognito User Pools
  17. 17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Amazon Cognito User Pools
  18. 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Amazon Cognito User Pools
  19. 19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Amazon Cognito User Pools
  20. 20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Amazon Cognito User Pools
  21. 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Amazon Cognito User Pools
  22. 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Authenticate (via SRP) Amazon Cognito User Pools
  23. 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Authenticate (via SRP) JWT Tokens Amazon Cognito User Pools
  24. 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Amazon Cognito User Pools
  25. 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Authenticate (via SRP) Amazon Cognito User Pools
  26. 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Authenticate (via SRP) Define Authentication Challenge Amazon Cognito User Pools
  27. 27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Define Authentication Challenge Custom challenge (CAPTCHA, custom 2FA) Authenticate (via SRP) Amazon Cognito User Pools
  28. 28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Define Authentication Challenge Verify Authentication Challenge Response Custom challenge (CAPTCHA, custom 2FA) Authenticate (via SRP) Challenge response Amazon Cognito User Pools
  29. 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Register Verification SMS / Email Confirm registration Successful registration Define Authentication Challenge Verify Authentication Challenge Response Custom challenge (CAPTCHA, custom 2FA) Authenticate (via SRP) Challenge response JWT Tokens Amazon Cognito User Pools
  30. 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Pre Sign-Up Validation Post Confirmation Custom logic Define Authentication Challenge Verify Authentication Challenge Response Pre Authentication Validation Post Authentication custom logic Register Verification SMS / Email Confirm registration Successful registration Authenticate (via SRP) Custom challenge (CAPTCHA, custom 2FA) Challenge response JWT Tokens Amazon Cognito User Pools
  31. 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Authenticate (via SRP) JWT Tokens Amazon Cognito User Pools
  32. 32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sign-up and Sign-in Authenticate (via SRP) JWT Tokens Amazon Cognito User Pools
  33. 33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. JWT token eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVB OVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJz dWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYz YzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2 ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91 c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNz IjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5h bWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5Iiwi Y29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0 Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0Ijox NDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFp bCI6InRyYW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9 K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8y mjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMH tjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ 18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs 4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ
  34. 34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. JWT token eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVB OVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJz dWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYz YzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2 ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91 c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNz IjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5h bWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5Iiwi Y29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0 Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0Ijox NDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFp bCI6InRyYW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9 K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8y mjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMH tjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ 18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs 4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ { "kid":"9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=", "alg":"RS256” } Header
  35. 35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. JWT token eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVB OVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJz dWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYz YzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2 ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91 c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNz IjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5h bWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5Iiwi Y29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0 Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0Ijox NDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFp bCI6InRyYW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9 K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8y mjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMH tjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ 18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs 4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ { "sub":"6f557368-a884-484e-b662-9fc69f3c3802", "aud":"6lkfs70rovkubirh1qtntvj012", "email_verified":true, "token_use":"id", "auth_time":1478449060, "iss":"https://cognito-idp.us-east-1.amazonaws.com /us-east-1_XMlUW9sUy", "cognito:username":"test123", "exp":1478452660, "given_name”:"Test", "iat":1478449060, "family_name":"Test", "email":”test@example.com" } Payload
  36. 36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. JWT token eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVB OVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJz dWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYz YzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2 ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91 c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNz IjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5h bWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5Iiwi Y29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0 Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0Ijox NDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFp bCI6InRyYW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9 K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8y mjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMH tjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ 18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs 4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ Signature HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret});
  37. 37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. JWT token eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVB OVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJz dWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYz YzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2 ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91 c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNz IjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5h bWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5Iiwi Y29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0 Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0Ijox NDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFp bCI6InRyYW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9 K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8y mjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMH tjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ 18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs 4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ { "kid":"9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=", "alg":"RS256” } Header { "sub":"6f557368-a884-484e-b662-9fc69f3c3802", "aud":"6lkfs70rovkubirh1qtntvj012", "email_verified":true, "token_use":"id", "auth_time":1478449060, "iss":"https://cognito-idp.us-east-1.amazonaws.com /us-east-1_XMlUW9sUy", "cognito:username":"test123", "exp":1478452660, "given_name”:"Test", "iat":1478449060, "family_name":"Test", "email":”test@example.com" } Payload Signature HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret});
  38. 38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Application so far… Amazon Cognito User Pools AWS resources (e.g. Amazon S3) Amazon Cognito Federated Identities
  39. 39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) Federating access to AWS resources
  40. 40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) Federating access to AWS resources
  41. 41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) Federating access to AWS resources
  42. 42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) 3. Get Identity ID Federating access to AWS resources
  43. 43. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) 4. Identity ID Federating access to AWS resources
  44. 44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) 5. GetCredentials (ID JWT Token) Federating access to AWS resources
  45. 45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) Federating access to AWS resources
  46. 46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) Federating access to AWS resources
  47. 47. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) 8. Temporary AWS credentials Federating access to AWS resources
  48. 48. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CacheMobile app Amazon S3 Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Security Token Service (STS) Federating access to AWS resources
  49. 49. “What AWS permissions will those users have?” “How do I give different users different AWS permissions?”
  50. 50. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Unauthenticated users: • Default role Authenticated users • Default role Fine-grained Role-Based Access Control
  51. 51. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Unauthenticated users: • Default role Authenticated users • Default role • Choose role from rule • Choose role from token Fine-grained Role-Based Access Control
  52. 52. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fine-grained RBAC (role from rule)
  53. 53. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fine-grained RBAC (role from rule)
  54. 54. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fine-grained RBAC (role from token)
  55. 55. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fine-grained RBAC (role from token) Admins Precedence: 0 FinanceDept Precedence: 2 EngineeringDept Precedence: 2 LegalDept Precedence: 2
  56. 56. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Admins Precedence: 0 FinanceDept Precedence: 2 EngineeringDept Precedence: 2 LegalDept Precedence: 2 IAM Role Fine-grained RBAC (role from token) IAM Role IAM Role
  57. 57. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DEMO
  58. 58. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder API (Microservice) Application so far… Amazon Cognito User Pools AWS resources (e.g. Amazon S3) Amazon Cognito Federated Identities
  59. 59. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Authorizing Serverless APIs
  60. 60. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder API POST /locations GET /locations GET /locations/{locationId} DELETE /locations/{locationId} GET /locations/{locationId}/resources POST /locations/{locationId}/resources DELETE /locations/{locationId}/resources/{resourceId} GET /locations/{locationId}/resources/{resourceId}/bookings GET /users/{userId}/bookings POST /users/{userId}/bookings DELETE /users/{userId}/bookings/{bookingId}
  61. 61. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder API Admin only Admin only Admin only Admin only POST /locations GET /locations GET /locations/{locationId} DELETE /locations/{locationId} GET /locations/{locationId}/resources POST /locations/{locationId}/resources DELETE /locations/{locationId}/resources/{resourceId} GET /locations/{locationId}/resources/{resourceId}/bookings GET /users/{userId}/bookings POST /users/{userId}/bookings DELETE /users/{userId}/bookings/{bookingId}
  62. 62. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  63. 63. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  64. 64. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app AmazonAPI Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function Cognito User Pools Authorizers
  65. 65. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app AmazonAPI Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function Cognito User Pools Authorizers
  66. 66. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app AmazonAPI Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function Cognito User Pools Authorizers
  67. 67. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Cognito User Pools Authorizers
  68. 68. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 4. Validate Identity token Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Cognito User Pools Authorizers
  69. 69. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app 5. Invoke API Call Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Cognito User Pools Authorizers
  70. 70. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app 6. Access AWS Resources Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Cognito User Pools Authorizers
  71. 71. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  72. 72. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  73. 73. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  74. 74. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  75. 75. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app 3. Request AWS credentials Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  76. 76. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app 4. Validate Id token Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  77. 77. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app 5. Temp AWS credentials Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  78. 78. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  79. 79. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app Amazon DynamoDB Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management IAM-based authorization
  80. 80. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app 8. Invoke Lambda Lambda function AmazonAPI Gateway Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management Amazon DynamoDB IAM-based authorization
  81. 81. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": ”Allow", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*" }, { "Action": "execute-api:Invoke", "Effect": "Deny", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*" } ] } IAM Policy Detail
  82. 82. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  83. 83. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app Lambda function AmazonAPI Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers
  84. 84. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app Lambda function AmazonAPI Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers
  85. 85. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app AmazonAPI Gateway AWS Identity & Access Management Custom Authorizers Lambda function Amazon DynamoDB
  86. 86. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app AmazonAPI Gateway AWS Identity & Access Management Custom Authorizers Lambda function Amazon DynamoDB
  87. 87. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app AmazonAPI Gateway 4. Check policy cache AWS Identity & Access Management Custom Authorizer Lambda function Custom Authorizers Lambda function Amazon DynamoDB
  88. 88. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mobile app AmazonAPI Gateway 5.Validatetoken AWS Identity & Access Management Custom Authorizer Lambda function Custom Authorizers Lambda function Amazon DynamoDB
  89. 89. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app AmazonAPI Gateway 6.Generateandreturn userIAMpolicy AWS Identity & Access Management Custom Authorizers Lambda function Amazon DynamoDB
  90. 90. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app AmazonAPI Gateway AWS Identity & Access Management Custom Authorizers Lambda function Amazon DynamoDB
  91. 91. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Mobile app AmazonAPI Gateway 8. Invoke AWS Identity & Access Management Custom Authorizers Lambda function Amazon DynamoDB
  92. 92. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Custom Authorizer Lambda function Sample Code var testPolicy = new AuthPolicy(”userIdentifier", "XXXXXXXXXXXX", apiOptions); testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*"); testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*"); callback(null, testPolicy.getPolicy());
  93. 93. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  94. 94. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DEMO
  95. 95. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder API (Microservice) Architecture so far… Amazon Cognito User Pools 3rd Party Identity Provider AWS resources (e.g. Amazon S3) Amazon Cognito Federated Identities
  96. 96. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 3rd Party Federation
  97. 97. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. App Integration and Federation Built-in, Customizable User Interface for Sign up / Sign in OAuth 2.0 SupportFederation with Facebook, Login with Amazon, Google, and SAML2 providers 1 2 3
  98. 98. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Integrating with Social IdPs
  99. 99. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 2. Sign-in with 3rd party IdP Integrating with Social IdPs
  100. 100. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Cognito User Pools 2. Sign-in with 3rd party IdP Integrating with Social IdPs
  101. 101. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Integrating with Enterprise IdPs
  102. 102. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 2. Sign-in with 3rd party IdP Integrating with Enterprise IdPs SAML Endpoint e.g. ADFS or Shibboleth Corporate Directory e.g. Active Directory or OpenLDAP
  103. 103. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Cognito User Pools 2. Sign-in with 3rd party IdP Integrating with Enterprise IdPs SAML Endpoint e.g. ADFS or Shibboleth Corporate Directory e.g. Active Directory or OpenLDAP
  104. 104. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DEMO
  105. 105. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migrating to Cognito User Pools
  106. 106. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migration approach #1: Bulk import (1) Create CSV - Doesn’t contain passwords - Max 100,000 users at a time cognito:mfa_enabled cognito:username phone_number phone_number_verified email email_verified name given_name family_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale address updated_at
  107. 107. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migration approach #1: Bulk import (1) Create CSV - Doesn’t contain passwords - Max 100,000 users at a time (2) Run the import job $ aws cognito-idp create-user-import-job $ curl -v -T ”path/to/csvfile" -H "x-amz- server-side-encryption:aws:kms" "PRE_SIGNED_URL” $ aws cognito-idp start-user-import-job cognito:mfa_enabled cognito:username phone_number phone_number_verified email email_verified name given_name family_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale address updated_at
  108. 108. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migration approach #1: Bulk import (1) Create CSV - Doesn’t contain passwords - Max 100,000 users at a time (2) Run the import job (3) Users change passwords on initial login cognito:mfa_enabled cognito:username phone_number phone_number_verified email email_verified name given_name family_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale address updated_at
  109. 109. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migration approach #2: One-at-a-time This approach migrates users one at a time as they sign-in to your app: (1) First, try authenticating against Cognito User Pools
  110. 110. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migration approach #2: One-at-a-time This approach migrates users one at a time as they sign-in to your app: (1) First, try authenticating against Cognito User Pools (2) If that fails because of “User Not Found”, authenticate against the former IdP
  111. 111. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Migration approach #2: One-at-a-time This approach migrates users one at a time as they sign-in to your app: (1) First, try authenticating against Cognito User Pools (2) If that fails because of “User Not Found”, authenticate against the former IdP (3) If authentication with former IdP is successful, then create user in the Cognito User Pool with the same username/password
  112. 112. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Wrap up
  113. 113. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder API (Microservice) SpaceFinder mobile app Amazon Cognito User Pools 3rd Party Identity Provider AWS resources (e.g. Amazon S3) Amazon Cognito Federated Identities
  114. 114. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SpaceFinder API (Microservice) SpaceFinder web app Amazon Cognito User Pools 3rd Party Identity Provider AWS resources (e.g. Amazon S3) Amazon Cognito Federated Identities
  115. 115. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Do try this at home • Mobile app + API are open-sourced (Apache 2.0 license) https://github.com/awslabs/ aws-serverless-auth-reference-app SpaceFinder
  116. 116. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Related Sessions • MBL305 – Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applications with Amazon Cognito • SID332 – Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito • SID343 – User Management and App Authentication with Amazon Cognito • SRV425 – Serverless OAuth: Authorizing 3rd-party Applications to your Serverless API
  117. 117. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Remember to complete your evaluations
  118. 118. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Do try this at home • Mobile app + API are open-sourced (Apache 2.0 license) https://github.com/awslabs/ aws-serverless-auth-reference-app SpaceFinder
  119. 119. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. THANK YOU! C L I C K T O A D D T E X T C L I C K T O A D D T E X T

×