© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync
Brice Pellé (@BricePelle)
Enterprise Support Lead, AWS
Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Supporting standards such as OAuth 2.0, OpenID Connect, SAML, etc.
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
Amazon Cognito Overview
[Diagram: Web and Mobile Apps → Amazon Cognito → Federation]
Developers focus on what is special about their app; Cognito handles auth and identity:
• Managed User Directory
• Hosted UI
• AWS Credentials
• Standard Tokens
Amazon Cognito: Identity Management Scenarios
[Diagram, four scenarios: Business to Consumer; Business to Business and Business to Employee, each federating with an Enterprise Directory via SAML; IoT Scenarios, with AWS IoT]
Cognito User Pools - Comprehensive User Flows
User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge.
Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge.
User Profile Data: Enable users to view and update their profile data – including custom attributes.
SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow.
Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.
Customize these User Flows Using Lambda
Cognito User Pools - Extensive Admin Capabilities
Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions.
Define Custom Attributes: Define custom attributes for your user profiles.
Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis.
Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters.
Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process.
Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API.
Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out.
Custom User Flows Using Lambda Hooks
Category / Lambda hook / Example scenarios
• Custom authentication flow
o Define auth challenge: Determines the next challenge in a custom auth flow
o Create auth challenge: Creates a challenge in a custom auth flow
o Verify auth challenge response: Determines whether a response is correct in a custom auth flow
• Authentication events
o Pre-authentication: Custom validation to accept or deny the sign-in request
o Post-authentication: Event logging for custom analytics
o Pre-token generation: Customize claims in the Id token
• Sign up
o Pre-sign-up: Custom validation to accept or deny the sign-up request
o Post-confirmation: Custom welcome messages or event logging for custom analytics
• Migration
o User migration: Migrate users and retain existing passwords
• Messages
o Custom message: Advanced customization and localization of messages
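The "Pre-sign-up: custom validation to accept or deny the sign-up request" row is the hook most teams write first, so here is an added example (not from the slides) of such a Lambda handler in Node.js. The event layout follows the Cognito PreSignUp trigger contract (`triggerSource`, `request.userAttributes`, `response.autoConfirmUser`); the allowed domain list, the user name and the sample event are constructed for this example.

```javascript
// Added example: a Cognito pre-sign-up Lambda hook that accepts or denies a
// sign-up based on the email domain. Throwing from the handler makes Cognito
// reject the sign-up; returning the event accepts it.
const ALLOWED_EMAIL_DOMAINS = new Set(['example.com', 'example.org']); // constructed allowlist

// Extract and normalise the domain part of an address; null for anything malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Pure decision function, kept separate from the handler so it is easy to unit test.
function validateSignUp(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const domain = emailDomain(attrs.email);
  if (!domain) return { allowed: false, reason: 'missing or malformed email' };
  if (!ALLOWED_EMAIL_DOMAINS.has(domain)) {
    return { allowed: false, reason: `domain ${domain} is not allowed` };
  }
  return { allowed: true, reason: 'ok' };
}

// Lambda entry point (configured as the user pool's pre-sign-up trigger).
async function handler(event) {
  // Admin-created and federated users arrive with other triggerSource values;
  // this hook only polices self-service sign-up.
  if (event.triggerSource !== 'PreSignUp_SignUp') return event;
  const verdict = validateSignUp(event);
  if (!verdict.allowed) throw new Error(`Sign-up rejected: ${verdict.reason}`);
  // Leave confirmation and verification to the normal one-time-password
  // challenge rather than auto-confirming the user here.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

// Constructed sample event in the PreSignUp shape, for local runs and tests.
const sampleEvent = {
  version: '1',
  triggerSource: 'PreSignUp_SignUp',
  userName: 'alice',
  request: { userAttributes: { email: 'alice@example.com' }, validationData: null },
  response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
};

exports.handler = handler;
```

The decision is deliberately fail-closed: a missing or malformed `email` attribute is rejected rather than let through, and the hook never sets `autoConfirmUser`, so the verification challenge from the user-flow slide still runs.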
Cognito User Pool Tokens Overview
Access Token
• JSON Web Token
• Used to authorize requests including Cognito APIs
• Includes
o OAuth scopes
o Cognito groups
• Expires in 1 hour
Identity Token
• JSON Web Token
• Can be used for authentication
• Includes user profile information
o Attributes
o Cognito groups
• Expires in 1 hour
Refresh Token
• Opaque blob
• Used to get new Id and Access tokens without re-authenticating
• Expiration configurable from 1 day to 10 years
Integration with AWS AppSync
Several methods of authentication
AWS AppSync: Authorization with Cognito
• Amazon Cognito User Pools: JWT Identity Token
• Amazon Cognito Identity Pools: AWS IAM authorization
Cognito User Pools Authorizers
[Diagram: Mobile app, Amazon Cognito User Pools, AWS AppSync, and resolvers backed by a Lambda function, Amazon ElasticSearch and Amazon DynamoDB]
1. Authenticate
2. JWT tokens
3. Call AWS AppSync API
4. Validate Identity token
5. Invoke Resolvers
AWS AppSync: Authorization with Cognito (Identity Pools / AWS IAM authorization)
[Diagram: Mobile app, Amazon Cognito User Pools, Amazon Cognito Identity Pools, AWS IAM, AWS AppSync, and resolvers backed by a Lambda function, Amazon ElasticSearch and Amazon DynamoDB]
1. Authenticate
2. JWT Tokens
3. Request AWS creds
4. Validate ID token
5. Temp AWS creds
6. Call AppSync API
7. Check IAM policy
8. Invoke resolvers
IAM Policy Detail
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["appsync:GraphQL"],
      "Resource": [
        "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>",
        "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>"
      ]
    }
  ]
}
Fine Grained Access Controls
• User’s identity information is available at the resolver
Amazon Cognito User Pools identity:
{
  "sub": "uuid",
  "issuer": "string",
  "username": "string",
  "claims": { ... },
  "sourceIp": ["x.x.x.x"],
  "defaultAuthStrategy": "string"
}
Amazon Cognito Identity Pools identity:
{
  "accountId": "string",
  "cognitoIdentityPoolId": "string",
  "cognitoIdentityId": "string",
  "sourceIp": ["string"],
  "username": "string",
  "userArn": "string"
}
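The two identity objects above are what a resolver has to work with when it enforces fine-grained access control. The following added example (not from the slides) shows the ownership check a resolver can derive from either shape: the record's owner is stamped from the verified identity on create, never taken from client input, and later reads and writes compare that owner to the caller. The `owner` field, the `Admins` group name, the use of the `cognito:groups` claim and the sample identities are assumptions constructed for this example.

```javascript
// Added example: resolver-side authorization decisions built on the identity
// objects AppSync exposes for User Pools and Identity Pools callers.
const ADMIN_GROUP = 'Admins'; // hypothetical group granted unrestricted access

// Normalise both identity shapes to { principal, groups }; null when the call
// carries no caller identity (for example an API-key request).
function principalOf(identity) {
  if (!identity) return null;
  if (typeof identity.sub === 'string') {                       // User Pools shape
    const claims = identity.claims || {};
    const groups = Array.isArray(claims['cognito:groups']) ? claims['cognito:groups'] : [];
    return { principal: identity.sub, groups };
  }
  if (typeof identity.cognitoIdentityId === 'string') {         // Identity Pools shape
    return { principal: identity.cognitoIdentityId, groups: [] };
  }
  return null;
}

// On create, the server decides who owns the record: any "owner" supplied by
// the client is discarded so a caller cannot create records on someone else's behalf.
function stampOwner(identity, input) {
  const who = principalOf(identity);
  if (!who) throw new Error('create requires an authenticated caller');
  return { ...input, owner: who.principal };
}

// On read/update/delete, allow admins anything and owners their own records.
function authorize(identity, item, operation) {
  const who = principalOf(identity);
  if (!who) return { allow: false, reason: 'no caller identity' };
  if (who.groups.includes(ADMIN_GROUP)) return { allow: true, reason: 'admin group' };
  if (!item || item.owner !== who.principal) return { allow: false, reason: 'not owner' };
  if (['read', 'update', 'delete'].includes(operation)) return { allow: true, reason: 'owner' };
  return { allow: false, reason: `operation ${operation} not permitted` };
}

// Constructed identities in the two shapes shown on the slide.
const aliceUserPool = {
  sub: 'a1b2c3d4-0000-4000-8000-000000000001', issuer: 'https://cognito-idp.example.test/pool',
  username: 'alice', claims: { 'cognito:groups': [] }, sourceIp: ['203.0.113.5'], defaultAuthStrategy: 'ALLOW',
};
const adminUserPool = { ...aliceUserPool, sub: 'a1b2c3d4-0000-4000-8000-000000000002',
  username: 'root', claims: { 'cognito:groups': [ADMIN_GROUP] } };
const bobIdentityPool = {
  accountId: '123456789012', cognitoIdentityPoolId: 'us-west-2:pool-id', cognitoIdentityId: 'us-west-2:bob-id',
  sourceIp: ['198.51.100.7'], username: 'AROAEXAMPLE:bob', userArn: 'arn:aws:sts::123456789012:assumed-role/example/bob',
};
```

The same decision logic ports directly into a resolver mapping template or an AppSync JavaScript resolver, where `identity` is `ctx.identity`; the point is that authorization keys off the verified principal, not off anything in the request arguments.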
Implementing Authentication
Amplify for Authentication
Authentication
Amazon Cognito
• Create & configure new Amazon Cognito resources for user authentication
• Interact with Amazon Cognito using Auth class from client library
• Pre-configured components available for React, React Native, Angular, & Ionic
Secure, always!
• Leverage Amazon Cognito
o Built with best security practices
• Iterate quickly with Amplify
o With toolchain (amplify CLI)
o Provision serverless backend resources
o Use Auth module to easily interact
o Wrap app in authenticator to require sign-in
o Uses customizable pre-built UI components
import React, { Component } from 'react'
import awsmobile from './aws-exports'
import Amplify, { Auth } from 'aws-amplify'
import { withAuthenticator } from 'aws-amplify-react'

// aws-exports is generated by the amplify toolchain from the provisioned backend
Amplify.configure(awsmobile)

class App extends Component {
  state = { session: null }

  async componentDidMount() {
    // withAuthenticator only renders App for a signed-in user, so a session exists here
    const session = await Auth.currentSession()
    this.setState({ session })
  }

  render() {
    // Minimal body so the component renders; the real app UI goes here
    return <div>{this.state.session ? 'Signed in' : 'Loading session'}</div>
  }
}

// Require sign-in before App is shown, using the pre-built UI components
export default withAuthenticator(App)
AppSync with Amplify
• 4 easy steps to configure AppSync
1. Import Modules
2. Configure Client
3. Advanced Settings
a. Complex data handling
b. Union and interface handling
4. Wrap app in HOCs
a. Make client available to provider
b. Load app data from storage
c. Launch app when data ready
d. Require authentication
// 1. Import modules
import React from 'react'
import { Auth } from 'aws-amplify'
import { withAuthenticator } from 'aws-amplify-react'
import { ApolloProvider } from 'react-apollo'
import { IntrospectionFragmentMatcher } from 'apollo-cache-inmemory'
import AWSAppSyncClient from 'aws-appsync'
import { Rehydrated } from 'aws-appsync-react'
import awsmobile from './aws-exports'
import App from './App' // the application's root component (file name assumed)

// 3b. Union and interface handling: the fragment matcher is built from the
// schema's introspection result (generated file name assumed)
import introspectionQueryResultData from './fragmentTypes.json'
const fragmentMatcher = new IntrospectionFragmentMatcher({ introspectionQueryResultData })

// 2. Configure client. The ID token is read from the current session on every
// request, so an expired session fails the call instead of sending a stale token.
const client = new AWSAppSyncClient({
  url: awsmobile.aws_appsync_graphqlEndpoint,
  region: awsmobile.aws_appsync_region,
  auth: {
    type: awsmobile.aws_appsync_authenticationType,
    jwtToken: async () => (await Auth.currentSession()).getIdToken().getJwtToken()
  },
  // 3a. Complex data handling (S3 objects) uses the Identity Pool's AWS credentials
  complexObjectsCredentials: () => Auth.currentCredentials(),
  cacheOptions: { fragmentMatcher }
})

// 4. Wrap app in HOCs
const WithProvider = () => (
  <ApolloProvider client={client}>   {/* a. make client available to provider */}
    <Rehydrated>                     {/* b. load app data from storage, c. launch when ready */}
      <App />
    </Rehydrated>
  </ApolloProvider>
)

// d. Require authentication
export default withAuthenticator(WithProvider)
Pop-up Loft
Thank you!
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Authentication & Authorization for Mobile & Web Apps

  • 1. Pop-up Loft. Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync. Brice Pellé (@BricePelle), Enterprise Support Lead, AWS. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 2. Developing Auth Infrastructure is Difficult
    • Need to develop a reliable user directory to manage identities
    • Handling user data and passwords and protecting privacy
    • Prioritizing scalability of your infrastructure upfront
    • Supporting standards, such as OAuth 2.0, OpenID Connect, SAML, etc.
    • Support for multiple social identity providers
    • Federation with corporate directories for B2E applications
  • 3. Amazon Cognito Overview (diagram: Web and Mobile Apps, Amazon Cognito, Federation). Developers focus on what is special about their app; Cognito handles auth and identity: Managed User Directory, Hosted UI, AWS Credentials, Standard Tokens.
  • 4. Amazon Cognito: Identity Management Scenarios
    • Business to Consumer
    • Business to Business: Enterprise Directory via SAML
    • Business to Employee: Enterprise Directory via SAML
    • IoT Scenarios: AWS IoT
  • 5. Cognito User Pools - Comprehensive User Flows
    • User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
    • Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge.
    • Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge.
    • User Profile Data: Enable users to view and update their profile data, including custom attributes.
    • SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow.
    • Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.
    • Customize these user flows using Lambda.
  • 6. Cognito User Pools - Extensive Admin Capabilities
    • Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions.
    • Define Custom Attributes: Define custom attributes for your user profiles.
    • Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis.
    • Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters.
    • Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process.
    • Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API.
    • Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out.
  • 7. Custom User Flows Using Lambda Hooks (category: Lambda hook - example scenarios)
    • Custom authentication flow: Define auth challenge - determines the next challenge in a custom auth flow; Create auth challenge - creates a challenge in a custom auth flow; Verify auth challenge response - determines whether a response is correct in a custom auth flow.
    • Authentication events: Pre-authentication - custom validation to accept or deny the sign-in request; Post-authentication - event logging for custom analytics; Pre-token generation - customize claims in the ID token.
    • Sign up: Pre-sign-up - custom validation to accept or deny the sign-up request; Post-confirmation - custom welcome messages or event logging for custom analytics; Migration - migrate users and retain existing passwords.
    • Messages: Custom message - advanced customization and localization of messages.
  • 8. Cognito User Pool Tokens Overview
    • Access Token: JSON Web Token; used to authorize requests, including Cognito APIs; includes OAuth scopes and Cognito groups; expires in 1 hour.
    • Identity Token: JSON Web Token; can be used for authentication; includes user profile information (attributes, Cognito groups); expires in 1 hour.
    • Refresh Token: opaque blob; used to get new ID and access tokens without re-authenticating; expiration configurable from 1 day to 10 years.
  • 9. Integration with AWS AppSync
  • 10. Several methods of authentication
  • 11. AWS AppSync: Authorization with Cognito. Options: Amazon Cognito User Pools (JWT identity token) and Amazon Cognito Identity Pools (AWS IAM authorization).
  • 12. AWS AppSync: Authorization with Cognito (same options; the User Pools / JWT identity token flow follows).
  • 13. Architecture with Cognito User Pools: Mobile app, AWS AppSync, Amazon Cognito User Pools, Cognito User Pools authorizer, resolvers to a Lambda function, Amazon Elasticsearch and Amazon DynamoDB.
  • 14. Step 1: Authenticate (mobile app against Cognito User Pools).
  • 15. Step 2: JWT tokens are returned to the mobile app.
  • 16. Step 3: Call the AWS AppSync API.
  • 17. Step 4: Validate the identity token (AppSync, through the Cognito User Pools authorizer).
  • 18. Step 5: Invoke resolvers.
  • 19. AWS AppSync: Authorization with Cognito (same options; the Identity Pools / AWS IAM authorization flow follows).
  • 20. Architecture with Cognito Identity Pools: Mobile app, AWS AppSync, Amazon Cognito User Pools, Amazon Cognito Identity Pools, AWS IAM, Cognito User Pools authorizer, resolvers to a Lambda function, Amazon Elasticsearch and Amazon DynamoDB.
  • 21. Step 1: Authenticate.
  • 22. Step 2: JWT tokens.
  • 23. Step 3: Request AWS credentials (from Cognito Identity Pools).
  • 24. Step 4: Validate ID token.
  • 25. Step 5: Temporary AWS credentials.
  • 26. Step 6: Call AppSync API.
  • 27. Step 7: Check IAM policy.
  • 28. Step 8: Invoke resolvers.
  • 29. IAM Policy Detail
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["appsync:GraphQL"],
          "Resource": [
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>",
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>"
          ]
        }
      ]
    }
  • 30. Fine Grained Access Controls. The user's identity information is available at the resolver.
    Amazon Cognito User Pools:
    {
      "sub": "uuid",
      "issuer": "string",
      "username": "string",
      "claims": { ... },
      "sourceIp": ["x.x.x.x"],
      "defaultAuthStrategy": "string"
    }
    Amazon Cognito Identity Pools:
    {
      "accountId": "string",
      "cognitoIdentityPoolId": "string",
      "cognitoIdentityId": "string",
      "sourceIp": ["string"],
      "username": "string",
      "userArn": "string"
    }
  • 31. Fine Grained Access Controls
  • 32. Implementing Authentication: Amplify for Authentication
  • 33. Authentication with Amazon Cognito
    ✓ Create & configure new Amazon Cognito resources for user authentication
    ✓ Interact with Amazon Cognito using the Auth class from the client library
    ✓ Pre-configured components available for React, React Native, Angular, & Ionic
  • 34. Secure, always!
    • Leverage Amazon Cognito: built with best security practices
    • Iterate quickly with Amplify: with the toolchain, provision serverless backend resources; use the Auth module to easily interact; wrap the app in an authenticator to require sign-in; uses customizable pre-built UI components
    amplify
    import React, { Component } from 'react'   // added: the snippet assumes a React class component
    import awsmobile from './aws-exports'
    import Amplify, { Auth } from 'aws-amplify'
    import { withAuthenticator } from 'aws-amplify-react'
    ...
    Amplify.configure(awsmobile)
    ...
    class App extends Component {
      async componentDidMount() {
        const session = await Auth.currentSession()   // current user's tokens; rejects when no user is signed in
        this.setState({ session })
      }
    }
    export default withAuthenticator(App)   // sign-in UI shown until the user authenticates
  • 35. AppSync with Amplify: 4 easy steps to configure AppSync
    1. Import modules
    2. Configure client
    3. Advanced settings: a. complex data handling; b. union and interface handling
    4. Wrap app in HOCs: a. make client available to provider; b. load app data from storage; c. launch app when data ready; d. require authentication
    import AWSAppSyncClient from 'aws-appsync'
    import { Rehydrated } from 'aws-appsync-react'
    import { ApolloProvider } from 'react-apollo'         // added: provider used below
    import { Auth } from 'aws-amplify'                    // added: Auth is used in the callbacks below
    import { withAuthenticator } from 'aws-amplify-react' // added: HOC used at the end
    import awsmobile from './aws-exports'
    import App from './App'                               // added: assumed location of the App component
    // fragmentMatcher (step 3b) is built from the schema's introspection result elsewhere in the app
    const client = new AWSAppSyncClient({
      url: awsmobile.aws_appsync_graphqlEndpoint,
      region: awsmobile.aws_appsync_region,
      auth: {
        type: awsmobile.aws_appsync_authenticationType,
        jwtToken: async () => (await Auth.currentSession()).getIdToken().getJwtToken()   // ID token sent to AppSync
      },
      complexObjectsCredentials: () => Auth.currentCredentials(),   // 3a. complex data handling
      cacheOptions: { fragmentMatcher }                              // 3b. union and interface handling
    })
    const WithProvider = () => (
      <ApolloProvider client={client}>   {/* 4a. make client available to provider */}
        <Rehydrated>                     {/* 4b. load app data from storage; 4c. launch app when data ready */}
          <App />
        </Rehydrated>
      </ApolloProvider>
    )
    export default withAuthenticator(WithProvider)   // 4d. require authentication
  • 36. Pop-up Loft. Thank you!