AWS IoT for Web Clients
John McKim

Authenticating web users is not really different on IoT than with any other SigV4 service (you know... all of them). The main reason it’s ‘hard’ is because the fundamental concept of websockets doesn’t fit into the structure of the SDKs very well, so they write this crappy documentation with SigV4 code. My next blog post was supposed to be about monkeypatching the AWS JS SDK to sign websocket URLs easily, but there are some fundamental things that don’t work (e.g. SDK always signs session token, but IoT doesn’t allow this). In my work I use SigV4 from the client (via Cognito Identity) and IoT works great... with a little bit of signing code.

I’m actually considering having my backend simply return the signed URL for that particular session, so then (at least in my limited case) the end user doesn’t need credentials at all.

With API Gateway Websockets I suppose you could have a better authentication story, but I don’t see this as enough of a reason to pass on the service.
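
The "little bit of signing code" mentioned above, as an added example for Node.js that is not the author's code or AWS SDK code: it presigns a `wss://` URL for AWS IoT MQTT over WebSocket and shows the session-token quirk, where the token is appended after the signature is computed instead of being signed. The function name `signIotWebsocketUrl`, the 300-second default expiry, and the sample host and credentials are assumptions constructed for illustration.

```javascript
// Added example: SigV4 presigned URL for AWS IoT MQTT over WebSocket.
const crypto = require('crypto');

const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();

// creds: { accessKeyId, secretAccessKey, sessionToken? }; host: the account's IoT endpoint.
function signIotWebsocketUrl({ host, region, creds, now = new Date(), expiresSeconds = 300 }) {
  const service = 'iotdevicegateway';
  const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, ''); // YYYYMMDDTHHMMSSZ
  const dateStamp = amzDate.slice(0, 8);
  const scope = `${dateStamp}/${region}/${service}/aws4_request`;

  // Signed query parameters, already in the sorted order SigV4 requires.
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${creds.accessKeyId}/${scope}`],
    ['X-Amz-Date', amzDate],
    ['X-Amz-Expires', String(expiresSeconds)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');

  // Canonical request: GET /mqtt, only the host header signed, empty payload.
  const canonicalRequest = ['GET', '/mqtt', query, `host:${host}\n`, 'host', sha256Hex('')].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');

  // Standard SigV4 key derivation chain: date -> region -> service -> aws4_request.
  let key = hmac(`AWS4${creds.secretAccessKey}`, dateStamp);
  for (const part of [region, service, 'aws4_request']) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString('hex');

  let url = `wss://${host}/mqtt?${query}&X-Amz-Signature=${signature}`;
  // IoT-specific step: the session token goes on the URL after signing and is not signed.
  if (creds.sessionToken) url += `&X-Amz-Security-Token=${encodeURIComponent(creds.sessionToken)}`;
  return url;
}

// Constructed sample values; real ones come from Cognito Identity or the backend's role.
console.log(signIotWebsocketUrl({
  host: 'EXAMPLE-ats.iot.us-east-1.amazonaws.com',
  region: 'us-east-1',
  creds: { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'constructed-secret', sessionToken: 'constructed-token' },
}));
```

The returned URL is a bearer credential for its validity window, so when a backend hands it to the browser, keep `expiresSeconds` short and scope the signing role's IoT policy to that user's topics.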