B2B Authentication Solution for APIs using AWS Cognito UserPools

Have you ever come across the need to implement a B2B authentication solution in AWS for your API?

I have seen most people go with API Keys for authentication. This is a bad practice, since API Keys exist for different purposes such as usage planning, throttling, monitoring, etc.

I came across the same situation some time ago and evaluated AWS Cognito User Pools for B2B authentication. Since AWS Cognito User Pools are designed for B2C authentication, it wasn't straightforward at all.

Step 1. Build a simple Developer Portal

Using the AWS Serverless Stack, implement a simple Developer Portal that allows a developer to register an API Client and an Admin User; the user is created in the AWS Cognito User Pool using the Cognito admin authentication SDK calls. After creating the user, generate a Refresh Token and save it in DynamoDB, linked to the user. This Refresh Token acts as the long-term credential the API Client uses to obtain temporary credentials (ID Tokens) for consuming the required API.

Since Refresh Tokens are revocable, the Admin User created in Cognito can log in to the Developer Portal, revoke the token and generate a new one.
Note: For additional security you can use AWS Key Management Service (KMS) to encrypt the Refresh Token before storing it in DynamoDB.

Step 2. Store and use Refresh Token in Consumer Application Backend

After generating a Refresh Token, store it in your API Consumer Backend and use it to obtain short-lived ID Tokens for consuming the required API.

Note: Since ID Tokens expire after a finite period, you need to implement a token refresh endpoint; this endpoint also has to be provided by the Developer Portal API (from Step 1).

Step 3. Consuming the API

Using the ID Token, your API Consumer can now invoke the required API Backend, where the ID Token JWT can be validated using standard JWT verification libraries.

If you are implementing the API using the AWS Serverless Stack, you can use a Custom Authorizer Lambda function to verify the ID Token.