amazon-cognito-auth-in-minutes
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Vladimir Budilov, Technical Account Manager
6/21/2016
Workshop: How to Architect User Authentication and Authorization in Your Apps
What to expect from this session?
• High-level overview of AWS Mobile Services
• Deep dive into Amazon Cognito, specifically Cognito User Pools
• Walkthrough of a ready-to-use Angular 2 app powered by Cognito
• How to store & manage users without creating a line of server-side code (no plumbing needed!)
The QuickStart App
Demo time!
http://cognito.budilov.com
Build and Scale Your Apps on AWS
AWS Mobile SDKs
• Authenticate users – Amazon Cognito (Identity)
• Analyze User Behavior – Amazon Mobile Analytics
• Store and share media – Amazon S3
• Synchronize data – Amazon Cognito (Sync)
• Deliver media – Amazon CloudFront
• Store data – Amazon DynamoDB
• Track Retention – Amazon Mobile Analytics
• Send push notifications – Amazon SNS Mobile Push
• Server-side logic – Lambda
• Test your app – Device Farm
What is Amazon DynamoDB?
• Managed NoSQL database service
• Consistent, low latency performance (single digit ms) at any scale
• Predictable provisioned throughput
• High durability and availability (3x replication)
What is Amazon S3?
• Cloud storage
• Static website hosting
• 11 9’s of Durability
• 4 9’s of Availability
• CloudFront Integration
Undifferentiated Heavy Lifting of Authentication
• Create and secure a database
• Create the UI
• Create the server-side code
• Create the IdP access token verification logic
• Consolidate IdP credentials
• Generate and manage a custom secure token
• Manage the token lifespan
• Manage the user lifecycle
What’s Amazon Cognito?
• Federated Identities (Amazon Cognito Identity) – Manage authenticated and guest users’ access to your AWS resources; identities can come from a guest session, your own auth, or your User Pool
• Data Synchronization (Amazon Cognito Sync) – Synchronize user’s data (k/v data) across devices and platforms via the cloud
• Your User Pool – Add sign-up and sign-in with a fully managed user directory
Amazon Cognito Federated Identities
• Authenticate Users with third-party IdPs
• Authenticate with Cognito User Pool
• Anonymous Identities
• Federation of Identities
• OpenID Connect Token Generation
• Control access from your app to other AWS Services
Amazon Cognito Sync
• Store Customer Data in the Cloud
• Synchronize Data
• Cognito Events Trigger AWS Lambda Functions
• Cognito Streams Send Data to Amazon Kinesis
Amazon Cognito User Pools
• Easy User Management – Add sign-up and sign-in easily to your mobile and web apps
• Enhanced Security Features – Verify phone numbers and email addresses and offer multi-factor authentication
• Managed User Directory – Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
Comprehensive User Scenarios
• Email or phone number verification – Users verify their email address or phone number prior to activating an account
• Forgot Password – Users can change their password if they forget it
• User sign-up and sign-in – Users sign up using email, phone number or user name and password. Users can then sign in.
• User Profile – Retrieve and update user profiles, including custom attributes
• SMS-based MFA – If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows
Customization using Lambda hooks
Lambda Hook – Example Scenarios
• Pre user sign-up – Custom validation to accept or deny the sign-up request
• Custom message – Advanced customization and localization of verification messages
• Pre user sign-in – Custom validation to accept or deny the sign-in request
• Post user sign-in – Event logging for custom analytics
• Post user confirmation – Custom welcome messages or event logging for custom analytics
Comprehensive Administrator Scenarios
• Manage users in a User Pool – List, search and perform actions on specific user(s) in the User Pool
• Select Email and Phone Verification – Configure verification of users’ email addresses and phone numbers (via SMS)
• Customize with Lambda Triggers – Create functions in AWS Lambda to customize workflows
• Set up Password Policies – Control password requirements like minimum length, uppercase, and inclusion of special characters
• Create and manage User Pools – Create, configure and delete multiple User Pools in their AWS account
• Define Attributes – Select required attributes and define custom user attributes
Secure Sign-in Made Easy
• Token-based Authentication – Uses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standards
• Secure Remote Password Protocol – Uses Secure Remote Password (SRP) for secure password handling end to end
• SMS-based Multi-factor Authentication – Enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security
Authentication flow
Code Time!
Authentication Flow
Components in the diagram: Mobile apps, S3, Amazon Cognito User Pools, Lambda Hooks, Amazon Cognito Identities, Amazon DynamoDB.
Let’s walk through this step by step…
Step 0: User invokes the website hosted on S3. Amazon S3 can be used as a highly available website hosting platform.
Step 1: User signs up for an account with our Amazon Cognito User Pool, providing their email & password (+ any custom attributes). Amazon Cognito can automatically verify the user’s email address and/or phone number if required.
Step 2: At some point in the future, the user wants to sign in. We can now authenticate the user.
Optional: If MFA is enabled (either for this user, or all users), Amazon Cognito will SMS a one-time authentication code to the user.
Optional: If Lambda Hooks are set up, then they will be invoked.
Step 3: After a successful authentication, Amazon Cognito responds with a signed JSON Web Token (JWT) containing the user’s details.
Step 4: Once you’re authenticated, you want to retrieve your scoped AWS credentials to access other services.
Step 5: You are now ready to call DynamoDB.
Going serverless
This is a more complete solution that you can achieve without managing servers…
Components in the diagram: Mobile apps, S3, Amazon Cognito User Pools, Lambda Hooks, Amazon Cognito Identities, Amazon API Gateway (Throttling, Cache, Logging, Monitoring, Auth) routing /v1 and /v2… to Lambda Functions, Amazon DynamoDB.
Getting started with the
QuickStart app
Tech Stack
• Required Tools
• aws cli
• npm
• bower
• angular-cli
• Frameworks
• AWS JavaScript SDK & Amazon Cognito Libraries
• Angular 2 (Ionic) RC2
• TypeScript
• Bootstrap
Get The QuickStart App
# Clone it from github
git clone --depth 1 git@github.com:awslabs/aws-cognito-angular2-quickstart.git
# Install the NPM and Bower packages
npm install
bower install
# Run the app in dev mode
npm start
# Build the project and sync the output with the S3 bucket
ng build
cd dist
aws s3 sync . s3://your-unique-bucket-name/
# Test it out
curl -I http://your-unique-bucket-name.s3-website-us-east-1.amazonaws.com/
Code Time!
Tokens
Types
• ID Token
• JWT
• OpenID Identity Information (name, phone_number, etc)
• Access Token
• JWT
• No Identity Information
• Used for further authorizations
• Refresh Token
• String
• Refresh Amazon Cognito Identity session
ID Token
• Header
• kid – used to locate the public key
• alg – RS256
• Payload
• user attributes (user identity information)
• iss – the issuer
• sub – UUID of the authenticated user
• token_use – the purpose of the token
• Signature
• Based on header and payload
Access Token
• Header
• kid – different from ID token since different keys used
• alg – RS256
• Payload
• username – (e.g. vladimir@budilov.com)
• Signature
• Based on header and payload
Unpacking a Token
Thank You!
Questions? Comments? Suggestions?
Don’t Forget Evaluations!
