
Workshop: How to Architect User Authentication and Authorization in Your Apps

Vladimir Budilov, Technical Account Manager

6/21/2016

2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from this session?

High-level overview of AWS Mobile Services
Deep dive into Amazon Cognito, specifically Cognito User Pools
Walkthrough of a ready-to-use Angular 2 app powered by Cognito
How to store & manage users without creating a line of server-side code (no plumbing needed!)
The QuickStart App
Demo time!

http://cognito.budilov.com
Build and Scale Your Apps on AWS
AWS Mobile SDKs
Authenticate users: Amazon Cognito (Identity)
Store and share media: Amazon S3
Server-side logic: Lambda
Deliver media: Amazon CloudFront
Synchronize data: Amazon Cognito (Sync)
Send push notifications: Amazon SNS Mobile Push
Analyze user behavior: Amazon Mobile Analytics
Store data: Amazon DynamoDB
Track retention: Amazon Mobile Analytics
Test your app: Device Farm
What is Amazon DynamoDB?
Managed NoSQL database service
Consistent, low latency performance (single digit ms) at any scale
Predictable provisioned throughput
High durability and availability (3x replication)
What is Amazon S3?

Cloud storage
Static website hosting
11 9s of Durability
4 9s of Availability
CloudFront Integration
Undifferentiated Heavy Lifting of Authentication
Create and secure a database
Create the UI
Create the server-side code
Create the IdP access token verification logic
Consolidate IdP credentials
Generate and manage a custom secure token
Manage the token lifespan
Manage the user lifecycle
Amazon Cognito
What's Amazon Cognito?
Amazon Cognito Identity
Your User Pool: Add sign-up and sign-in with a fully managed user directory
Federated Identities (your own auth, guest): Manage authenticated and guest users' access to your AWS resources
Amazon Cognito Sync
Data Synchronization (k/v data): Synchronize users' data across devices and platforms via the cloud
Amazon Cognito Federated Identities
Authenticate users with third-party IdPs
Authenticate with Cognito User Pool
Anonymous Identities
Federation of Identities
OpenID Connect Token Generation
Control access from your app to other AWS Services
Amazon Cognito Sync

Store Customer Data in the Cloud


Synchronize Data
Cognito Events Trigger AWS Lambda Functions
Cognito Streams Send Data to Amazon Kinesis
Amazon Cognito User Pools
Easy User Management: Add sign-up and sign-in easily to your mobile and web apps
Managed User Directory: Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication
Comprehensive User Scenarios
User sign-up and sign-in: Users sign up using email, phone number or user name and password. Users can then sign in.
Email or phone number verification: Users verify their email address or phone number prior to activating an account
Forgot password: Users can change their password if they forget it
User profile: Retrieve and update user profiles, including custom attributes
SMS-based MFA: If enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows
Customization using Lambda hooks
Lambda Hook: Example Scenarios
Pre user sign-up: Custom validation to accept or deny the sign-up request
Custom message: Advanced customization and localization of verification messages
Pre user sign-in: Custom validation to accept or deny the sign-in request
Post user sign-in: Event logging for custom analytics
Post user confirmation: Custom welcome messages or event logging for custom analytics
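Two of the hooks above (pre sign-up validation and custom message localization), worked as an added example that is not code from the slides or from the quickstart project. The event fields it uses (triggerSource, request.userAttributes, request.codeParameter, response.autoConfirmUser, response.autoVerifyEmail, response.emailSubject, response.emailMessage) follow the Cognito Lambda trigger contract; the allowed email domains, the message texts, the placeholder pool id and the use of a locale attribute are assumptions made for the demo.

```javascript
// Added example, not code from the slides or the quickstart repo: two Cognito
// Lambda triggers written as plain functions so they can be exercised locally.
// Event field names follow the Cognito trigger contract; the allow-list, the
// messages, the pool id and the `locale` attribute are assumptions.
'use strict';

const ALLOWED_EMAIL_DOMAINS = ['example.com', 'example.org']; // assumed allow-list

// Pre sign-up: accept by returning the event, deny by throwing. Cognito reports
// a thrown error to the client as UserLambdaValidationException, so keep the
// message generic rather than naming the rule that fired.
function preSignUp(event) {
  const attrs = event.request.userAttributes || {};
  const email = String(attrs.email || '').trim().toLowerCase();
  const domain = email.includes('@') ? email.split('@').pop() : '';
  if (!ALLOWED_EMAIL_DOMAINS.includes(domain)) {
    throw new Error('Sign-up request rejected');
  }
  // Leave verification to Cognito: do not auto-confirm or auto-verify.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  return event;
}

// Custom message: localize the verification message. The code placeholder in
// request.codeParameter must appear verbatim in the message text.
const MESSAGES = {
  en: { subject: 'Verify your account', body: 'Your verification code is {code}.' },
  fr: { subject: 'Vérifiez votre compte', body: 'Votre code de vérification est {code}.' },
};

function customMessage(event) {
  if (event.triggerSource !== 'CustomMessage_SignUp') return event;
  const locale = (event.request.userAttributes || {}).locale || 'en';
  const msg = MESSAGES[locale] || MESSAGES.en;
  event.response.emailSubject = msg.subject;
  event.response.emailMessage = msg.body.replace('{code}', event.request.codeParameter);
  return event;
}

// One Lambda entry point dispatching on triggerSource, since a single function
// may serve several hooks. In a Node.js Lambda this would be exported as
// exports.handler = async (event) => handler(event);
function handler(event) {
  switch (event.triggerSource) {
    case 'PreSignUp_SignUp': return preSignUp(event);
    case 'CustomMessage_SignUp': return customMessage(event);
    default: return event; // other hooks: pass through unchanged
  }
}

// Constructed events shaped like what Cognito sends (minimal fields only).
function makeEvent(triggerSource, userAttributes, extraRequest = {}) {
  return {
    version: '1',
    triggerSource,
    userPoolId: 'us-east-1_EXAMPLE', // placeholder pool id
    userName: userAttributes.email,
    request: { userAttributes, ...extraRequest },
    response: {},
  };
}

// Demo run.
const accepted = handler(makeEvent('PreSignUp_SignUp', { email: 'alice@example.com' }));
console.log('accepted sign-up, autoConfirmUser =', accepted.response.autoConfirmUser);
try {
  handler(makeEvent('PreSignUp_SignUp', { email: 'mallory@elsewhere.test' }));
} catch (err) {
  console.log('denied sign-up:', err.message);
}
const fr = handler(makeEvent('CustomMessage_SignUp', { email: 'alice@example.com', locale: 'fr' },
  { codeParameter: '{####}' }));
console.log(fr.response.emailSubject, '/', fr.response.emailMessage);
```

The deny path throws rather than returning a flag because that is how a pre sign-up trigger rejects a request; the accept path deliberately leaves auto-confirmation off so the email verification step from the user scenarios still runs.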
Comprehensive Administrator Scenarios
Create and manage User Pools: Create, configure and delete multiple User Pools in their AWS account
Manage users in a User Pool: List, search and perform actions on specific user(s) in the User Pool
Select email and phone verification: Configure verification of users' email addresses and phone numbers (via SMS)
Customize with Lambda triggers: Create functions in AWS Lambda to customize workflows
Set up password policies: Control password requirements like minimum length, uppercase, and inclusion of special characters
Define attributes: Select required attributes and define custom user attributes
Secure Sign-in Made Easy
Token-based authentication: Uses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standards
Secure Remote Password protocol: Uses Secure Remote Password (SRP) for secure password handling end to end
SMS-based multi-factor authentication: Enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security
Authentication flow
Code Time!
Authentication Flow
[Diagram: Mobile apps, Amazon Cognito User Pools, S3, Lambda Hooks, Amazon Cognito Identities, Amazon DynamoDB]
Let's walk through this step by step.
Step 0: User invokes the website hosted on S3. Amazon S3 can be used as a highly available website hosting platform.
Step 1: User signs up for an account with our Amazon Cognito User Pool, providing their email & password (+ any custom attributes). Amazon Cognito can automatically verify the user's email address and/or phone number if required.
Step 2: At some point in the future, the user wants to sign in. We can now authenticate the user.
Optional: If MFA is enabled (either for this user, or all users), Amazon Cognito will SMS a one-time authentication code to the user.
Optional: If Lambda Hooks are set up, then they will be invoked.
Step 3: After a successful authentication, Amazon Cognito responds with a signed JSON Web Token (JWT) containing the user's details.
Step 4: Once you're authenticated, you want to retrieve your scoped AWS credentials to access other services.
Step 5: You are now ready to call DynamoDB.
Going serverless
This is a more complete solution that you can achieve without managing servers.
[Diagram: Mobile apps, Amazon Cognito User Pools, S3, Lambda Hooks, Amazon Cognito Identities; Amazon API Gateway (monitoring, throttling, logging, cache) in front of the Auth /v1 and /v2 Lambda Functions, which use Amazon DynamoDB]
Getting started with the QuickStart app
Tech Stack

Required Tools
aws cli
npm
bower
angular-cli
Frameworks
AWS JavaScript SDK & Amazon Cognito Libraries
Angular 2 (Ionic) RC2
TypeScript
Bootstrap
Get The QuickStart App
# Clone it from github
git clone --depth 1 git@github.com:awslabs/aws-cognito-angular2-quickstart.git

# Install the NPM and Bower packages
npm install
bower install

# Run the app in dev mode
npm start

# Build the project and sync the output with the S3 bucket
ng build
cd dist
aws s3 sync . s3://your-unique-bucket-name/

# Test it out (HEAD request against the bucket's website endpoint)
curl -I http://your-unique-bucket-name.s3-website-us-east-1.amazonaws.com/
Code Time!
Tokens
Types
ID Token: JWT, carries OpenID identity information (name, phone_number, etc.)
Access Token: JWT, carries no identity information, used for further authorizations
Refresh Token: string, used to refresh the Amazon Cognito Identity session
ID Token
Header
kid: used to locate the public key
alg: RS256
Payload
user attributes (user identity information)
iss: the issuer
sub: UUID of the authenticated user
token_use: the purpose of the token
Signature
Based on header and payload
Access Token
Header
kid: different from the ID token's, since different keys are used
alg: RS256
Payload
username (e.g. vladimir@budilov.com)
Signature
Based on header and payload
Unpacking a Token
Thank You!
Questions? Comments? Suggestions?
Don't Forget Evaluations!
