SlideShare uma empresa Scribd logo

Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync: Mobile Week SF

Amazon Web Services
Amazon Web Services

This document discusses authentication and authorization for mobile and web applications using Amazon Cognito and AWS AppSync. It provides an overview of Amazon Cognito for user identity management, including user pools for authentication, custom user flows using Lambda hooks, and integration with AWS AppSync. It then describes authorization methods when using AWS AppSync, including using JSON Web Tokens from Cognito user pools and Cognito identity pools. The document demonstrates how to implement authentication and authorization between a mobile app and AWS AppSync using Amazon Cognito for user management and authorization.

1 de 36
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync Brice Pellé (@BricePelle) Enterprise Support Lead, AWS
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Developing Auth Infrastructure is Difficult • Need to develop a reliable user directory to manage identities • Handling user data and passwords and protecting privacy • Prioritizing scalability of your infrastructure upfront • Supporting standards, such as OAuth2.0, OpenID connect, SAML, etc. • Support for multiple social identity providers • Federation with corporate directories for B2E applications 1 2 3 5 6 4
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Federation Amazon Cognito Overview Web and Mobile Apps Amazon Cognito Developers focus on what is special about their app Cognito handles auth and identity Managed User Directory Hosted UI AWS Credentials Standard Tokens
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Amazon Cognito: Identity Management Scenarios Business to Consumer Business to Business Business to Employee IoT Scenarios Enterprise DirectoryEnterprise Directory SAML Enterprise Directory SAML AWS IoT
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Cognito User Pools - Comprehensive User Flows Email or Phone Number Verification Forgot Password User Sign-Up and Sign- In Require users to verify their email address or phone number prior to activating their account with a one-time password challenge Provide users the ability to change their password when they forget it with a one-time password challenge Allow users to sign up and sign in using an email, phone number, or username (and password) for your application. User Profile Data Enable users to view and update their profile data – including custom attributes SMS Multifactor Authentication Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow Customize these User Flows Using Lambda Token Based Authentication Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Cognito User Pools - Extensive Admin Capabilities Define Custom Attributes Set per-App Permissions Set up Password Policies Create and manage User Pools Define custom attributes for your user profiles Set read and write permissions for each user attribute on a per-app basis Enforce password policies like minimum length and requirement of certain types of characters Create, configure, and delete multiple user pools across AWS regions Require Submission of Attribute Data Select which attributes must be provided by the user prior to completion of the sign-up process Search Users Search users based on a full match or a prefix match of their attributes through the console or Admin API Manage Users Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Custom User Flows Using Lambda Hooks Category Lambda hook Example scenarios Custom authentication flow Define auth challenge Determines the next challenge in a custom auth flow Create auth challenge Creates a challenge in a custom auth flow Verify auth challenge response Determines whether a response is correct in a custom auth flow Authentication events Pre-authentication Custom validation to accept or deny the sign-in request Post-authentication Event logging for custom analytics Pre-token generation Customize claims in the Id token Sign up Pre-sign-up Custom validation to accept or deny the sign-up request Post-confirmation Custom welcome messages or event logging for custom analytics Migration Migrate users and retain existing passwords Messages Custom message Advanced customization and localization of messages
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Cognito User Pool Tokens Overview Access Token • JSON Web Token • Used to authorize requests including Cognito APIs • Includes o OAuth scopes o Cognito groups • Expires in 1 hour Identity Token • JSON Web Token • Can be used for authentication • Includes user profile information o Attributes o Cognito groups • Expires in 1 hour Refresh Token • Opaque blob • Used to get new Id and Access tokens without re-authenticating • Expiration configurable from 1 day to 10 years
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Integration with AWS AppSync
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Several methods of authentication
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS AppSync: Authorization with Cognito Amazon Cognito User Pools Amazon Cognito Identity Pools AWS IAM authorization JWT Identity Token
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS AppSync: Authorization with Cognito Amazon Cognito User Pools Amazon Cognito Identity Pools AWS IAM authorization JWT Identity Token
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 1. Authenticate
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 2. JWT tokens
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 3. Call AWS AppSync API
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 4. Validate Identity token
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 5. Invoke Resolvers
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS AppSync: Authorization with Cognito Amazon Cognito User Pools Amazon Cognito Identity Pools AWS IAM authorization JWT Identity Token
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM AWS AppSync
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 1. Authenticate
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 2. JWT Tokens
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 3. Request AWS creds
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 4. Validate ID token
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 5. Temp AWS creds
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 6. Call AppSync API
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 7. Check IAM policy
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 8. Invoke resolvers
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["appsync:GraphQL"], "Resource": [ "arn:aws:appsync:us-west- 2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>", "arn:aws:appsync:us-west- 2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>” ] } ] } IAM Policy Detail
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Fine Grained Access Controls • User’s identity information is available at the resolver { "sub": "uuid", "issuer": "string", "username": "string", "claims": { ... }, "sourceIp": ["x.x.x.x"], "defaultAuthStrategy": "string" } { "accountId": "string", "cognitoIdentityPoolId": "string", "cognitoIdentityId": "string", "sourceIp": ["string"], "username": "string", "userArn": "string" } Amazon Cognito User Pools Amazon Cognito Identity Pools
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Fine Grained Access Controls
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Implementing Authentication Amplify for Authentication
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Authentication Amazon Cognito ü Create & configure new Amazon Cognito resources for user authentication ü Interact with Amazon Cognito using Auth class from client Library ü Pre-configured components available for React, React Native, Angular, & Ionic
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Secure, always! • Leverage Amazon Cognito • Built with best security practices • Iterate quickly with Amplify • With toolchain • Provision serverless backend resources • Use Auth module to easily interact • Wrap app in authenticator to require sign-in • Uses customizable pre-built UI components amplify import awsmobile from './aws-exports' import Amplify, { Auth } from 'aws-amplify' import { withAuthenticator } from 'aws- amplify-react’ ... Amplify.configure(awsmobile) ... class App extends Component { async componentDidMount() { session = await Auth.currentSession() this.setState({ session }) } } export default withAuthenticator(App)
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AppSync with Amplify • 4 easy steps to configure AppSync 1. Import Modules 2. Configure Client 3. Advanced Settings a. Complex data handling b. Union and interface handling 4. Wrap app in HOCs a. Make client available to provider b. Load app data from storage c. Launch app when data ready d. Require authentication import AWSAppSyncClient from 'aws-appsync' import { Rehydrated } from 'aws-appsync-react’ import awsmobile from './aws-exports' const client = new AWSAppSyncClient({ url: awsmobile.aws_appsync_graphqlEndpoint, region: awsmobile.aws_appsync_region, auth: { type: awsmobile.aws_appsync_authenticationType, jwtToken: async () =>(await Auth.currentSession()) .getIdToken().getJwtToken() }, complexObjectsCredentials: () => Auth.currentCredentials(), cacheOptions: { fragmentMatcher } }) const WithProvider = () => ( <ApolloProvider client={client}> <Rehydrated> <App /> </Rehydrated> </ApolloProvider> ) export default withAuthenticator(WithProvider) a b c d a b
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Thank you!

Recomendados

Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...
Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Web Services
 
Authentication and Identity with Amazon Cognito
Authentication and Identity with Amazon CognitoAuthentication and Identity with Amazon Cognito
Authentication and Identity with Amazon Cognito
Amazon Web Services
 
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksDeep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Amazon Web Services
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Amazon Web Services
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
Amazon Web Services
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Amazon Web Services
 

Recomendados

Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...
Amazon Web Services
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Web Services
 
Authentication and Identity with Amazon Cognito
Authentication and Identity with Amazon CognitoAuthentication and Identity with Amazon Cognito
Authentication and Identity with Amazon Cognito
Amazon Web Services
 
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech TalksDeep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Amazon Web Services
 
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Amazon Web Services
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
Amazon Web Services
 
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Managing Identity and Securing Your Mobile and Web Applications with Amazon C...
Amazon Web Services
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Amazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
Amazon Web Services
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Amazon Web Services
 
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Amazon Web Services
 
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
Amazon Web Services
 
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Amazon Web Services
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon Cognito
Amazon Web Services
 
AWS Cognito User Pool - Practical Guide
AWS Cognito User Pool - Practical GuideAWS Cognito User Pool - Practical Guide
AWS Cognito User Pool - Practical Guide
Robert Senktas
 
Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...
Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...
Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...
Amazon Web Services
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
AWS User Group Kochi
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Fortify your API's
Fortify your API'sFortify your API's
Fortify your API's
Amazon Web Services
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Amazon Web Services
 
Building Native Apps On Mobile Hub
Building Native Apps On Mobile HubBuilding Native Apps On Mobile Hub
Building Native Apps On Mobile Hub
Amazon Web Services
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jean-François LOMBARDO
 
Authentication Server
Authentication ServerAuthentication Server
Authentication Server
Abhishek Chikane
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
Business Track
Business Track Business Track
Business Track
Amazon Web Services
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
Sean Xiong
 
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Amazon Web Services
 
User Authentication and Identity with Amazon Cognito
User Authentication and Identity with Amazon CognitoUser Authentication and Identity with Amazon Cognito
User Authentication and Identity with Amazon Cognito
Amazon Web Services
 

Mais conteúdo relacionado

Mais procurados

Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Amazon Web Services
 
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
Amazon Web Services
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon Cognito
Amazon Web Services
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jean-François LOMBARDO
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
Sean Xiong
 

Mais procurados (20)

Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webina...
 
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Ser...
 
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
 
Add User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon CognitoAdd User Sign in and Management to your Apps with Amazon Cognito
Add User Sign in and Management to your Apps with Amazon Cognito
 
AWS Cognito User Pool - Practical Guide
AWS Cognito User Pool - Practical GuideAWS Cognito User Pool - Practical Guide
AWS Cognito User Pool - Practical Guide
 
Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...
Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...
Raleigh DevDay 2017: Driving User Engagement and App Success with AWS Pinpoin...
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Fortify your API's
Fortify your API'sFortify your API's
Fortify your API's
 
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
 
Building Native Apps On Mobile Hub
Building Native Apps On Mobile HubBuilding Native Apps On Mobile Hub
Building Native Apps On Mobile Hub
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
 
Authentication Server
Authentication ServerAuthentication Server
Authentication Server
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
Business Track
Business Track Business Track
Business Track
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
 

Semelhante a Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync: Mobile Week SF

User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
Amazon Web Services
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Web Services
 
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Amazon Web Services
 
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
Amazon Web Services Korea
 
Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...
Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...
Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...
Amazon Web Services
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
Amazon Web Services
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
Vladimir Budilov
 

Semelhante a Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync: Mobile Week SF (20)

Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
Implement User Onboarding, Sign-Up, and Sign-In for Mobile and Web Applicatio...
 
User Authentication and Identity with Amazon Cognito
User Authentication and Identity with Amazon CognitoUser Authentication and Identity with Amazon Cognito
User Authentication and Identity with Amazon Cognito
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
 
User Identity and Authentication
User Identity and AuthenticationUser Identity and Authentication
User Identity and Authentication
 
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
User Management and App Authentication with Amazon Cognito - SID343 - re:Inve...
 
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
 
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
Serverless OAuth: Authorizing Third-Party Applications to Your Serverless API...
 
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ...
 
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and...
 
AWS Webinar Series - Build web-based and native mobile applications on AWS
AWS Webinar Series - Build web-based and native mobile applications on AWS AWS Webinar Series - Build web-based and native mobile applications on AWS
AWS Webinar Series - Build web-based and native mobile applications on AWS
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
Serverless 개발에서의 인증 완벽 가이드::박선용::AWS Summit Seoul 2018
 
Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...
Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...
Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions on AWS ...
 
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your M...
 
Getting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar SeriesGetting Started with Cognito User Pools - September Webinar Series
Getting Started with Cognito User Pools - September Webinar Series
 
AWS Security Week: Cloud-Scale Authentication & Advanced Authorization with A...
AWS Security Week: Cloud-Scale Authentication & Advanced Authorization with A...AWS Security Week: Cloud-Scale Authentication & Advanced Authorization with A...
AWS Security Week: Cloud-Scale Authentication & Advanced Authorization with A...
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 

Mais de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync: Mobile Week SF

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync Brice Pellé (@BricePelle) Enterprise Support Lead, AWS
  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Developing Auth Infrastructure is Difficult • Need to develop a reliable user directory to manage identities • Handling user data and passwords and protecting privacy • Prioritizing scalability of your infrastructure upfront • Supporting standards, such as OAuth2.0, OpenID connect, SAML, etc. • Support for multiple social identity providers • Federation with corporate directories for B2E applications 1 2 3 5 6 4
  • 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Federation Amazon Cognito Overview Web and Mobile Apps Amazon Cognito Developers focus on what is special about their app Cognito handles auth and identity Managed User Directory Hosted UI AWS Credentials Standard Tokens
  • 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Amazon Cognito: Identity Management Scenarios Business to Consumer Business to Business Business to Employee IoT Scenarios Enterprise DirectoryEnterprise Directory SAML Enterprise Directory SAML AWS IoT
  • 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Cognito User Pools - Comprehensive User Flows Email or Phone Number Verification Forgot Password User Sign-Up and Sign- In Require users to verify their email address or phone number prior to activating their account with a one-time password challenge Provide users the ability to change their password when they forget it with a one-time password challenge Allow users to sign up and sign in using an email, phone number, or username (and password) for your application. User Profile Data Enable users to view and update their profile data – including custom attributes SMS Multifactor Authentication Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow Customize these User Flows Using Lambda Token Based Authentication Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
  • 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Cognito User Pools - Extensive Admin Capabilities Define Custom Attributes Set per-App Permissions Set up Password Policies Create and manage User Pools Define custom attributes for your user profiles Set read and write permissions for each user attribute on a per-app basis Enforce password policies like minimum length and requirement of certain types of characters Create, configure, and delete multiple user pools across AWS regions Require Submission of Attribute Data Select which attributes must be provided by the user prior to completion of the sign-up process Search Users Search users based on a full match or a prefix match of their attributes through the console or Admin API Manage Users Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
  • 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Custom User Flows Using Lambda Hooks Category Lambda hook Example scenarios Custom authentication flow Define auth challenge Determines the next challenge in a custom auth flow Create auth challenge Creates a challenge in a custom auth flow Verify auth challenge response Determines whether a response is correct in a custom auth flow Authentication events Pre-authentication Custom validation to accept or deny the sign-in request Post-authentication Event logging for custom analytics Pre-token generation Customize claims in the Id token Sign up Pre-sign-up Custom validation to accept or deny the sign-up request Post-confirmation Custom welcome messages or event logging for custom analytics Migration Migrate users and retain existing passwords Messages Custom message Advanced customization and localization of messages
  • 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Cognito User Pool Tokens Overview Access Token • JSON Web Token • Used to authorize requests including Cognito APIs • Includes o OAuth scopes o Cognito groups • Expires in 1 hour Identity Token • JSON Web Token • Can be used for authentication • Includes user profile information o Attributes o Cognito groups • Expires in 1 hour Refresh Token • Opaque blob • Used to get new Id and Access tokens without re-authenticating • Expiration configurable from 1 day to 10 years
  • 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Integration with AWS AppSync
  • 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Several methods of authentication
  • 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS AppSync: Authorization with Cognito Amazon Cognito User Pools Amazon Cognito Identity Pools AWS IAM authorization JWT Identity Token
  • 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS AppSync: Authorization with Cognito Amazon Cognito User Pools Amazon Cognito Identity Pools AWS IAM authorization JWT Identity Token
  • 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB
  • 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 1. Authenticate
  • 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 2. JWT tokens
  • 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 3. Call AWS AppSync API
  • 17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 4. Validate Identity token
  • 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB 5. Invoke Resolvers
  • 19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS AppSync: Authorization with Cognito Amazon Cognito User Pools Amazon Cognito Identity Pools AWS IAM authorization JWT Identity Token
  • 20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM AWS AppSync
  • 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 1. Authenticate
  • 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 2. JWT Tokens
  • 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 3. Request AWS creds
  • 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 4. Validate ID token
  • 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 5. Temp AWS creds
  • 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 6. Call AppSync API
  • 27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 7. Check IAM policy
  • 28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Mobile app AWS AppSync Amazon Cognito User Pools Lambda function Cognito User Pools Authorizers Amazon ElasticSearch Amazon DynamoDB Amazon Cognito Identity Pools AWS IAM 8. Invoke resolvers
  • 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["appsync:GraphQL"], "Resource": [ "arn:aws:appsync:us-west- 2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>", "arn:aws:appsync:us-west- 2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>” ] } ] } IAM Policy Detail
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Fine Grained Access Controls • User’s identity information is available at the resolver { "sub": "uuid", "issuer": "string", "username": "string", "claims": { ... }, "sourceIp": ["x.x.x.x"], "defaultAuthStrategy": "string" } { "accountId": "string", "cognitoIdentityPoolId": "string", "cognitoIdentityId": "string", "sourceIp": ["string"], "username": "string", "userArn": "string" } Amazon Cognito User Pools Amazon Cognito Identity Pools
  • 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Fine Grained Access Controls
  • 32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Implementing Authentication Amplify for Authentication
  • 33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Authentication Amazon Cognito ü Create & configure new Amazon Cognito resources for user authentication ü Interact with Amazon Cognito using Auth class from client Library ü Pre-configured components available for React, React Native, Angular, & Ionic
  • 34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Secure, always! • Leverage Amazon Cognito • Built with best security practices • Iterate quickly with Amplify • With toolchain • Provision serverless backend resources • Use Auth module to easily interact • Wrap app in authenticator to require sign-in • Uses customizable pre-built UI components amplify import awsmobile from './aws-exports' import Amplify, { Auth } from 'aws-amplify' import { withAuthenticator } from 'aws- amplify-react’ ... Amplify.configure(awsmobile) ... class App extends Component { async componentDidMount() { session = await Auth.currentSession() this.setState({ session }) } } export default withAuthenticator(App)
  • 35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved AppSync with Amplify • 4 easy steps to configure AppSync 1. Import Modules 2. Configure Client 3. Advanced Settings a. Complex data handling b. Union and interface handling 4. Wrap app in HOCs a. Make client available to provider b. Load app data from storage c. Launch app when data ready d. Require authentication import AWSAppSyncClient from 'aws-appsync' import { Rehydrated } from 'aws-appsync-react’ import awsmobile from './aws-exports' const client = new AWSAppSyncClient({ url: awsmobile.aws_appsync_graphqlEndpoint, region: awsmobile.aws_appsync_region, auth: { type: awsmobile.aws_appsync_authenticationType, jwtToken: async () =>(await Auth.currentSession()) .getIdToken().getJwtToken() }, complexObjectsCredentials: () => Auth.currentCredentials(), cacheOptions: { fragmentMatcher } }) const WithProvider = () => ( <ApolloProvider client={client}> <Rehydrated> <App /> </Rehydrated> </ApolloProvider> ) export default withAuthenticator(WithProvider) a b c d a b
  • 36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Thank you!