Authentication & Authorization for Connected Mobile & Web Applications using Amazon Cognito & AWS AppSync: Mobile Week SF
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Authentication & Authorization for Connected Mobile & Web
Applications using Amazon Cognito & AWS AppSync
Brice Pellé (@BricePelle)
Enterprise Support Lead, AWS
2.
Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Supporting standards, such as OAuth 2.0, OpenID Connect, SAML, etc.
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
3.
Amazon Cognito Overview
Diagram: Web and Mobile Apps talk to Amazon Cognito, which provides Federation, a Managed User Directory, a Hosted UI, AWS Credentials and Standard Tokens.
Developers focus on what is special about their app; Cognito handles auth and identity.
4.
Amazon Cognito: Identity Management Scenarios
Diagram of four scenarios: Business to Consumer, Business to Business, Business to Employee, IoT Scenarios.
Diagram labels: Enterprise Directory (SAML) for the enterprise scenarios, AWS IoT for the IoT scenario.
5.
Cognito User Pools - Comprehensive User Flows
• User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
• Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge.
• Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge.
• User Profile Data: Enable users to view and update their profile data – including custom attributes.
• SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow.
• Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.
Customize these User Flows Using Lambda
6.
Cognito User Pools - Extensive Admin Capabilities
• Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions.
• Define Custom Attributes: Define custom attributes for your user profiles.
• Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis.
• Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters.
• Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process.
• Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API.
• Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out.
7.
Custom User Flows Using Lambda Hooks
Category / Lambda hook / Example scenarios
Custom authentication flow
  Define auth challenge: Determines the next challenge in a custom auth flow
  Create auth challenge: Creates a challenge in a custom auth flow
  Verify auth challenge response: Determines whether a response is correct in a custom auth flow
Authentication events
  Pre-authentication: Custom validation to accept or deny the sign-in request
  Post-authentication: Event logging for custom analytics
  Pre-token generation: Customize claims in the Id token
Sign up
  Pre-sign-up: Custom validation to accept or deny the sign-up request
  Post-confirmation: Custom welcome messages or event logging for custom analytics
Migration
  Migration: Migrate users and retain existing passwords
Messages
  Custom message: Advanced customization and localization of messages
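What a "Pre-sign-up" hook from the table looks like in practice, as an added example that is not part of the deck or of any AWS sample: a Node.js Lambda handler that accepts or denies a sign-up request. The event fields it reads (triggerSource, request.userAttributes, response) follow Cognito's trigger event format; the allowed-domain list and the constructed events are demo assumptions.

```javascript
// Added example (not from the deck): a Cognito Pre sign-up Lambda hook that
// accepts or denies a sign-up request. Event shape follows Cognito's trigger
// event format; the allowed domain list is constructed for the demo.
const ALLOWED_EMAIL_DOMAINS = ['example.com', 'example.org']; // constructed

function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Returns the event to accept the sign-up; throws to deny it. Cognito relays
// the error message to the client, so the wording stays generic.
function preSignUp(event) {
  // Admin-created users and external identity providers arrive with other
  // trigger sources; this policy only applies to self-service sign-up.
  if (event.triggerSource !== 'PreSignUp_SignUp') return event;
  const attrs = (event.request && event.request.userAttributes) || {};
  const domain = emailDomain(attrs.email);
  if (domain === null || !ALLOWED_EMAIL_DOMAINS.includes(domain)) {
    throw new Error('Sign-up is not permitted for this email address');
  }
  // Leave response.autoConfirmUser false so the one-time password
  // verification flow still runs for accepted users.
  return event;
}

// Lambda entry point wired to the pool's Pre sign-up trigger.
async function handler(event) {
  return preSignUp(event);
}

// Constructed event in the shape Cognito sends to the Pre sign-up trigger.
function makeEvent(triggerSource, email) {
  return {
    version: '1',
    triggerSource,
    region: 'us-west-2',
    userPoolId: 'us-west-2_DEMOPOOL', // constructed
    userName: email,
    request: { userAttributes: { email } },
    response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
  };
}

module.exports = { handler, preSignUp, makeEvent };
```

Denial happens by throwing, which is the contract for every Cognito trigger that can reject a request; the same pattern applies to the Pre-authentication hook for sign-in.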
8.
Cognito User Pool Tokens Overview
Access Token
• JSON Web Token
• Used to authorize requests including Cognito APIs
• Includes
  o OAuth scopes
  o Cognito groups
• Expires in 1 hour
Identity Token
• JSON Web Token
• Can be used for authentication
• Includes user profile information
  o Attributes
  o Cognito groups
• Expires in 1 hour
Refresh Token
• Opaque blob
• Used to get new Id and Access tokens without re-authenticating
• Expiration configurable from 1 day to 10 years
9.
Integration with AWS AppSync
10.
Several methods of authentication
11.
AWS AppSync: Authorization with Cognito
Diagram: two authorization paths into AppSync, Amazon Cognito User Pools (JWT Identity Token) and Amazon Cognito Identity Pools (AWS IAM authorization).
13.
Cognito User Pools Authorizers
Diagram: Mobile app, Amazon Cognito User Pools, AWS AppSync, and the AppSync data sources (Lambda function, Amazon ElasticSearch, Amazon DynamoDB). Slides 14 to 18 add one step each:
1. Authenticate
2. JWT tokens
3. Call AWS AppSync API
4. Validate Identity token
5. Invoke Resolvers
19.
AWS AppSync: Authorization with Cognito
20.
Cognito User Pools Authorizers with Identity Pools
Diagram: Mobile app, Amazon Cognito User Pools, Amazon Cognito Identity Pools, AWS IAM, AWS AppSync, and the AppSync data sources (Lambda function, Amazon ElasticSearch, Amazon DynamoDB). Slides 21 to 28 add one step each:
1. Authenticate
2. JWT Tokens
3. Request AWS creds
4. Validate ID token
5. Temp AWS creds
6. Call AppSync API
7. Check IAM policy
8. Invoke resolvers
29.
IAM Policy Detail
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["appsync:GraphQL"],
      "Resource": [
        "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Query/fields/<Field-1>",
        "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/types/Mutation/fields/<Field-1>"
      ]
    }
  ]
}
30.
Fine Grained Access Controls
• User’s identity information is available at the resolver
Amazon Cognito User Pools identity:
{
  "sub": "uuid",
  "issuer": "string",
  "username": "string",
  "claims": { ... },
  "sourceIp": ["x.x.x.x"],
  "defaultAuthStrategy": "string"
}
Amazon Cognito Identity Pools identity:
{
  "accountId": "string",
  "cognitoIdentityPoolId": "string",
  "cognitoIdentityId": "string",
  "sourceIp": ["string"],
  "username": "string",
  "userArn": "string"
}
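An added example (not from the deck, and not AppSync's resolver runtime) of the fine-grained decision a resolver can make from the two identity shapes above: a User Pool caller is identified by sub with groups taken from the cognito:groups claim, an Identity Pool caller by cognitoIdentityId with no group claims, and anything else is denied. The "Admin" group name, the owner field on records and the sample identities are constructed for the demo.

```javascript
// Added example (not from the deck): resolver-side authorization built on the
// identity object AppSync exposes to resolvers. Group name, owner field and
// sample identities are constructed for the demo.
const ADMIN_GROUP = 'Admin'; // constructed group name

// Normalize both identity shapes into one view: the caller's principal and groups.
function callerPrincipal(identity) {
  if (identity && typeof identity.sub === 'string' && identity.claims) {
    const groups = identity.claims['cognito:groups']; // Cognito group claim
    return { kind: 'userPool', principal: identity.sub, groups: Array.isArray(groups) ? groups : [] };
  }
  if (identity && typeof identity.cognitoIdentityId === 'string') {
    // Identity Pool callers carry no group claims; only ownership can apply.
    return { kind: 'identityPool', principal: identity.cognitoIdentityId, groups: [] };
  }
  return null; // no usable identity: deny by default
}

// May this caller modify a record that stores its creator's principal in `owner`?
function authorizeWrite(identity, record) {
  const caller = callerPrincipal(identity);
  if (!caller) return { allow: false, reason: 'no identity' };
  if (caller.groups.includes(ADMIN_GROUP)) return { allow: true, reason: 'admin group' };
  if (record && record.owner === caller.principal) return { allow: true, reason: 'owner' };
  return { allow: false, reason: 'not owner' };
}

// Trim a list result to the items the caller may see, using the same rule per item.
function filterReadable(identity, records) {
  return records.filter((r) => authorizeWrite(identity, r).allow);
}

// Constructed identities in the two shapes from the slide, plus two records.
function demo() {
  const issuer = 'https://cognito-idp.us-west-2.amazonaws.com/us-west-2_DEMOPOOL';
  const alice = {
    sub: '11111111-2222-3333-4444-555555555555', issuer, username: 'alice',
    claims: { 'cognito:groups': ['Users'] }, sourceIp: ['198.51.100.7'], defaultAuthStrategy: 'ALLOW',
  };
  const admin = { ...alice, sub: '99999999-8888-7777-6666-555555555555', username: 'admin',
    claims: { 'cognito:groups': ['Users', ADMIN_GROUP] } };
  const bob = {
    accountId: '123456789012', cognitoIdentityPoolId: 'us-west-2:pool-demo',
    cognitoIdentityId: 'us-west-2:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
    sourceIp: ['198.51.100.8'], username: 'AROADEMO:bob', userArn: 'arn:aws:sts::123456789012:assumed-role/demo/bob',
  };
  const records = [
    { id: 'n1', owner: alice.sub, text: 'alice note' },
    { id: 'n2', owner: bob.cognitoIdentityId, text: 'bob note' },
  ];
  return {
    aliceOwn: authorizeWrite(alice, records[0]),
    aliceOther: authorizeWrite(alice, records[1]),
    adminOther: authorizeWrite(admin, records[1]),
    bobOwn: authorizeWrite(bob, records[1]),
    bobOther: authorizeWrite(bob, records[0]),
    anonymous: authorizeWrite(null, records[0]),
    aliceList: filterReadable(alice, records).map((r) => r.id),
  };
}
```

In a mapping template the same comparison reads $ctx.identity.sub or $ctx.identity.claims against the item, with $util.unauthorized() on the deny branch; the point of normalizing first is that a resolver reachable through both authorization modes cannot assume the sub field exists.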
31.
Fine Grained Access Controls
32.
Implementing Authentication
Amplify for Authentication
33.
Authentication
Amazon Cognito
✓ Create & configure new Amazon Cognito resources for user authentication
✓ Interact with Amazon Cognito using the Auth class from the client library
✓ Pre-configured components available for React, React Native, Angular, & Ionic
34.
Secure, always!
• Leverage Amazon Cognito
• Built with best security practices
• Iterate quickly with Amplify
• With toolchain
• Provision serverless backend resources
• Use Auth module to easily interact
• Wrap app in authenticator to require sign-in
• Uses customizable pre-built UI components
amplify
import React, { Component } from 'react'
import awsmobile from './aws-exports'
import Amplify, { Auth } from 'aws-amplify'
import { withAuthenticator } from 'aws-amplify-react'
...
Amplify.configure(awsmobile)
...
class App extends Component {
  // Read the current Cognito session once the authenticator has signed the user in
  async componentDidMount() {
    const session = await Auth.currentSession()
    this.setState({ session })
  }
}
// withAuthenticator renders the sign-in UI until a session exists
export default withAuthenticator(App)
35.
AppSync with Amplify
• 4 easy steps to configure AppSync
1. Import Modules
2. Configure Client
3. Advanced Settings
a. Complex data handling
b. Union and interface handling
4. Wrap app in HOCs
a. Make client available to provider
b. Load app data from storage
c. Launch app when data ready
d. Require authentication
import React from 'react'
import { ApolloProvider } from 'react-apollo'
import { Auth } from 'aws-amplify'
import { withAuthenticator } from 'aws-amplify-react'
import AWSAppSyncClient from 'aws-appsync'
import { Rehydrated } from 'aws-appsync-react'
import awsmobile from './aws-exports'
import App from './App' // the app component being wrapped (assumed file name)

const client = new AWSAppSyncClient({
  url: awsmobile.aws_appsync_graphqlEndpoint,
  region: awsmobile.aws_appsync_region,
  auth: {
    type: awsmobile.aws_appsync_authenticationType,
    // Attach the Cognito User Pool ID token to every request
    jwtToken: async () => (await Auth.currentSession()).getIdToken().getJwtToken()
  },
  // Complex objects (S3 uploads) use the caller's temporary AWS credentials
  complexObjectsCredentials: () => Auth.currentCredentials(),
  // fragmentMatcher is configured in step 3b (union and interface handling)
  cacheOptions: { fragmentMatcher }
})

const WithProvider = () => (
  <ApolloProvider client={client}>
    <Rehydrated>
      <App />
    </Rehydrated>
  </ApolloProvider>
)
export default withAuthenticator(WithProvider)
36.
Pop-up Loft
Thank you!