Serverless computing on AWS #2 Security
by Stuart

Two things to remember about developing public-facing web applications:
- Never develop your own user authentication system
- Never develop your own user authentication system
Fortunately, Amazon provide Cognito, a secure, scalable, standards-based authentication service that integrates with popular social identity providers: Google, Facebook and Amazon (obviously).
Steps for creating an authentication system for your web application:
Create a Cognito User Pool
- Select how you want your users to log in (I opted to use the email address instead of a username)
- You can add standard attributes, or create custom ones. Attributes are useful for storing non-volatile data about your users.
- Next, set up the password policy and decide whether you want your users to sign themselves up - a very neat feature!
- The next screen allows you to set up multi-factor authentication and the attributes you'd like to verify: phone number, email address, both or none
- To make Cognito your own you can modify the email verification and invitation messages in the next step
- Next you can set up Tags. Tags are a feature that spans all Amazon services and let you group resources together for reporting purposes. You could, for example, tag all production services by adding a tag called "Environment" and giving it the value "Production"
- Amazon Cognito will remember your devices if you want it to. You can optionally disable MFA for remembered devices.
- The App Clients step is important. This is where you set up a unique ID for your client application. Your application will use this ID and the generated secret key to interact with Cognito. You can create multiple app clients for each User Pool.
- The penultimate (optional) step for setting up a Cognito User Pool is creating triggers. These can be used to fire Lambda functions (more about these later) when a user authentication step is initiated, or concluded.
- Finally, you can choose whether or not to integrate your Cognito Pool with Amazon Pinpoint Analytics Service.
Setup Federated Identity Providers
You'll need to follow the instructions for each Federated Identity Provider in order to allow your application to make use of social identities.
I used Login with Amazon. To set it up you'll need to create an Amazon Developer account and register your application on their portal.
Once you've set up your application on the Amazon Developer Portal, set up the Cognito end in the Federation > Identity Providers screen.
Setup App Client Settings
With your Identity Provider(s) created you'll now be able to set up your App Client settings.
LoginWithAmazon appears as an option here because you created the Identity Provider previously.
Your application redirects to the Cognito hosted login when authentication details are missing or have expired. Once the user is authenticated, control is redirected back to the application. It's important that you list every callback and sign-out URL that Cognito is allowed to redirect to: Cognito will only redirect to URLs on this list, which is what stops a tampered sign-in request from sending the user (and their tokens) somewhere else.
Domain setup
Cognito will host your login screens on its domain *.amazoncognito.com. If you'd prefer to host Cognito on your own domain, you'll need to be able to administer the domain. You can register a domain with Amazon's own Route53, or another registrar. You'll also need to be able to register a certificate for the domain in the AWS Certificate Manager.
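The console steps above as an added example that is not part of the original post: a Python sketch that builds the user pool, the Login with Amazon provider and the app client as boto3 cognito-idp request payloads, then audits the app client's redirect allow-list and OAuth flows before anything is sent. The pool name, client name and Login with Amazon credentials are assumed placeholders; sending the payloads needs AWS credentials, so the block itself only builds and checks them.

```python
# Added example, not the post's own code: the console steps above expressed as the request
# payloads boto3's cognito-idp client takes, plus an audit of the app client's redirect list.
from urllib.parse import urlparse

def user_pool_request(pool_name="example-web-app", environment="Production"):
    """Email as the login name, self sign-up on, MFA optional, remembered devices."""
    return {
        "PoolName": pool_name, "UsernameAttributes": ["email"], "AutoVerifiedAttributes": ["email"],
        "Policies": {"PasswordPolicy": {
            "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
            "RequireNumbers": True, "RequireSymbols": True}},
        "MfaConfiguration": "OPTIONAL", "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
        "DeviceConfiguration": {"ChallengeRequiredOnNewDevice": True,
                                "DeviceOnlyRememberedOnUserPrompt": True},
        "UserPoolTags": {"Environment": environment},
    }

def identity_provider_request(user_pool_id, lwa_client_id, lwa_client_secret):
    """Login with Amazon, using the (placeholder) IDs issued by the Amazon Developer Portal."""
    return {
        "UserPoolId": user_pool_id, "ProviderName": "LoginWithAmazon", "ProviderType": "LoginWithAmazon",
        "ProviderDetails": {"client_id": lwa_client_id, "client_secret": lwa_client_secret,
                            "authorize_scopes": "profile"},
        "AttributeMapping": {"email": "email"},
    }

def app_client_request(user_pool_id, callback_urls, logout_urls):
    """Public web client: no secret, authorization-code flow only, explicit redirect allow-list."""
    return {
        "UserPoolId": user_pool_id, "ClientName": "web", "GenerateSecret": False,
        "SupportedIdentityProviders": ["COGNITO", "LoginWithAmazon"],
        "CallbackURLs": callback_urls, "LogoutURLs": logout_urls,
        "AllowedOAuthFlows": ["code"], "AllowedOAuthFlowsUserPoolClient": True,
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "PreventUserExistenceErrors": "ENABLED",
    }

def audit_app_client(req):
    """Findings about the redirect allow-list and flows; an empty list means it looks sane."""
    findings = []
    for url in req["CallbackURLs"] + req["LogoutURLs"]:
        p = urlparse(url)
        if p.scheme != "https" and p.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"non-https redirect: {url}")
        if "*" in url or p.fragment:
            findings.append(f"wildcard or fragment in redirect: {url}")
    if "implicit" in req["AllowedOAuthFlows"]:
        findings.append("implicit flow enabled: tokens would be exposed in the URL")
    return findings
```

Pass each dict to the matching `boto3.client("cognito-idp")` call (`create_user_pool`, `create_identity_provider`, `create_user_pool_client`) once the audit returns no findings.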
What's next?
In the next posts we'll look at building the serverless application and setting up continuous deployment.