
How to realize identity authentication and authorization on AWS cloud with Authing

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to achieve identity authentication and authorization on the AWS cloud with Authing. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Introduction to identity Authentication and Cognito Service

In Web or App development, user authentication and permission handling is a very important module: it covers user registration, login authentication and management of the corresponding permissions. Besides user name and password login, login through third-party social accounts is also an important requirement; abroad this mainly means Google, Facebook or Apple login, while in China WeChat and Weibo login are mainly used.

Authentication and authorization are relatively complex to implement, so the AWS cloud provides the Cognito service to help developers add user registration / login and access control faster and more securely. Cognito lets enterprises focus on their core business, innovation and revenue generation rather than on the underlying technical details of identity authentication and authorization.

Cognito service composition:

Cognito User Pool

A user pool is the user directory that provides registration and login options for the application. With a user pool, users can log in to the Web or App through Cognito. Users can also log in through social identity providers such as Google, Facebook, Amazon or Apple, as well as SAML identity providers.

Cognito Identity Pool

An identity pool (federated identities) creates unique identities for users and federates them with identity providers. With an identity pool, users obtain temporary AWS credentials with limited permissions to access other AWS services. An identity pool can include users from a Cognito User Pool, users authenticated by external identity providers such as Google/Facebook, or users from OpenID Connect/SAML-based identity providers.

Cognito application scenarios:

At present, Cognito is widely used in customer-built Web or App applications as well as in many AWS Solutions. There are two main usage scenarios:

API Gateway can integrate with a Cognito User Pool for user authentication and authorization, which makes it convenient to protect APIs.

Combined with a Cognito Identity Pool, a Web or mobile client can securely obtain temporary AWS credentials and then access other AWS services.

The alternative of Cognito User Pool in the domestic region

At present, Cognito Identity Pool has been launched in the AWS China (domestic) region, but Cognito User Pool is not yet available there. So in this blog we explore how to find an alternative to Cognito User Pool at this stage. Our basic idea is to use an authentication service based on the OpenID Connect protocol, which can be a third-party SaaS (such as Authing, Auth0, etc.) or self-built (such as the open source Keycloak software). Since Authing is a domestic partner of AWS, we will discuss how to use Authing as an alternative to Cognito User Pool, describe the relevant technical principles, and show how to deploy it, taking a common website as an example.

1. Architecture design

The overall structure of the demo website is as follows:

S3 is used for static website hosting, and Cloudfront is used for static content acceleration and HTTPS certificate mounting.

Authenticate users and obtain tokens through Authing, as an alternative to a User Pool.

Access the REST API provided by API Gateway.

Obtain temporary AWS credentials through Cognito Identity Pool and access AWS resources (here take the Polly service as an example).

The demo website is currently deployed in the AWS domestic region with the following links:

https://authing.demo.cbuilder.tech/

After a simple user registration you can see the access flow in action.

Login authentication and get tokens through Authing

Authing authenticates users based on OIDC and OAuth 2.0 and grants them access to the corresponding applications. The usage scenario is shown in the figure above.

In the first step, the user requests a login through the Authing user pool and, after successful authentication, gets the code from the server.

Next, the application requests a token with the code through the identity pool.

Finally, the user can use the token to request access to the various application resources.

The figure above shows the OIDC Authorization Code Flow being used to obtain the token; a token can also be obtained through the OIDC Implicit Flow. This example uses the Implicit Flow; you can refer to this link for a comparison of the two flows.

Access the protected REST API provided by API Gateway

After a successful Authing login you obtain a token (the id token). You can then access the protected REST API by sending the HTTP request with the token in its header.

Secure access to AWS services through integration with Identity Pool

After a successful Authing login you obtain a token (the id token). By integrating with an Identity Pool, you exchange it for temporary credentials and access AWS resources securely.

2. Plan deployment

The front-end and back-end code of the demo website has been posted on Github:

https://github.com/linjungz/aws-authing-demo

It can be deployed and tested by following the code in the repository.

2.1 Authing account opening and OIDC application configuration

First of all, you need to create an OIDC application in Authing. For more information, please refer to Authing's help documentation. This demo environment uses the Implicit Flow and the RS256 algorithm for the id token signature. You can refer to the following settings for callback URL, authorization mode, return type and so on:

2.2 Deployment of API Gateway and Lambda through SAM

Because the id token is signed with the RS256 algorithm, the corresponding public key needs to be configured in the Lambda Authorizer so that it can verify the token. For more information, please refer to the relevant comments in the sample code app.js.

The API Gateway and related Lambda in the demo environment have been described in an AWS SAM template (template.yaml), which can be automatically deployed directly through SAM:

$ sam build
$ sam deploy --guided

2.3 Configuration for the integration of Authing and Identity Pool

Configure OIDC Provider

Provider URL: the issuer of the Authing application. For example, the issuer used in this example is https://aws-oidc-demo-implicitflow.authing.cn/oauth/oidc

Audience: the App ID of the Authing application.

After a successful creation, it is as follows:

For more information on configuration, please see the relevant official documentation of AWS.

Configure Cognito Identity Pool

Specify Authing as the Authenticated Provider:

At the same time, the Cognito Identity Pool creates two IAM Roles (one for authenticated users and one for unauthenticated users), and you need to set the permissions of the authenticated users' IAM Role. The example website uses the Polly service, so permission to access Polly must be added to that role.

2.4 Deploy a static website as the front-end demonstration

The front-end demo page can be uploaded to an S3 bucket with the S3 static website hosting feature enabled. Note that you need to put CloudFront with an HTTPS certificate in front of it; alternatively, you can deploy it on an EC2 instance.

As the sample code shows, by integrating Authing with AWS services you can quickly set up a managed user pool and securely invoke AWS resources (such as API Gateway, S3, IoT, AI services, etc.), achieving functions similar to the Cognito User Pool service.

This is how to achieve identity authentication and authorization on the AWS cloud with Authing. I hope the above content is of some help to you. If you think the article is good, you can share it for more people to see.
