Life after AWS Security, Identity, & Compliance.

You built an awesome app and you want to add user authentication and authorization. If your users should be able to log in either with username/password or with their social accounts (Facebook, Twitter, and so on), you can take a look at Auth0.

Auth0:

  • Auth0 provides authentication and authorization as a service.
  • You can connect any application (written in any language or on any stack) to Auth0 and define the identity providers you want to use (how you want your users to log in).
  • Each time a user tries to authenticate, Auth0 verifies their identity and sends the required information back to your app.
  • But it is more expensive.
  • In the past, it was often necessary to embed credentials into an application and then develop complex systems to ensure that users only had access to their own data.
  • For example, an application might need a key to obtain a token to access an API, a username and password to retrieve a user's account from that API, and yet another set of credentials to call a service to read and write data.
  • For this, the developer has to write a lot of security and authentication code. Amazon Cognito addresses these difficulties and lets developers concentrate on application development; let's see how.

AWS Cognito:

  • Amazon Cognito is an Amazon Web Services product that controls user authentication and access for mobile applications on internet-connected devices.
  • Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.
  • Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and with enterprise identity providers via SAML 2.0.
  • This service saves and synchronizes end-user data, which lets an application developer focus on writing code instead of building and managing the back-end infrastructure.
  • Cognito is used to create an identity pool, which is simply a group of users that can be created and that have credentials.

Creating a User pool in the AWS Console:

  • In the AWS Console, search for Cognito and click on that service; you will be redirected to the AWS Cognito page as follows:
  • Click on Manage your User Pools, so that you can see the user pools already created or create a new user pool.
  • Click on Create a user pool, enter the pool name and click on Step through settings. You will get a page as follows:
  • One thing we want to make sure of is to uncheck the email attribute. In the long run it's good to check it, so that when users sign up you have their email and, if they forget their password, you can let them reset it. For the demo we don't need it. Decide this while you are creating the user pool, because these attributes are not modifiable later; most of these settings cannot be changed after the pool has been created.
  • Here I am restricting the password to a minimum length of 6.
  • You can specify any further requirements; I have not specified any for now, but in a real production environment you probably should require them.
  • Unselect the email check box and click on the Next step button.
  • In Triggers, the Pre sign-up Lambda function allows you to take action before users sign up.
  • Here it needs to automatically confirm that the user is a valid user.
  • You have now created a demo user pool. You can add users manually, and the pool has attributes and policies, some of which you can modify later.
  • You can federate with Facebook, Google, Amazon, etc.
  • We need some app clients.
  • To create demo clients, go to your user pool and click on App clients.
  • Now you have to create the pre sign-up Lambda that automatically validates a new user record when a user signs up.
  • To create a Lambda function, go to the Lambda service in the Amazon console.
  • I have created the Lambda function with the name PreSignUp and assigned a role (Lambda permissions) to it.

PreSignUp:

  • It automatically confirms the user who signed up, so you do not have to take any action. Save and test it with a test event that has username and password as parameters.
  • Once you run the test, you can see the execution details: it takes the request and appends the auto-confirm flag to it, telling Cognito that the user who just signed up is done. You still have to check in Cognito to see the result.
  • You can download this Lambda code from the link below: http://bleepingbots.com/awsresource/presignup.py
  • In Triggers, the PreSignUp Lambda is added under Pre sign-up.
  • It automatically confirms anybody who signs up in Cognito, and it is a trigger of the identity pool.
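The following is an added example of such a pre sign-up trigger, written for this page and not the author's presignup.py. It works on the event shape Cognito passes to the Pre sign-up trigger and only auto-confirms self-service sign-ups (trigger source `PreSignUp_SignUp`); the sample event is constructed for illustration.

```python
"""Cognito Pre sign-up trigger that auto-confirms self-service sign-ups."""

# Cognito invokes the same Lambda for several trigger sources; only plain
# self sign-up is auto-confirmed here. Admin-created and federated users
# are left on their normal confirmation path.
SELF_SIGNUP = "PreSignUp_SignUp"


def lambda_handler(event, context):
    """Set response.autoConfirmUser and hand the event back to Cognito."""
    response = event.setdefault("response", {})
    # Start from an explicit "not confirmed" so a malformed or unexpected
    # event can never confirm anyone by accident.
    response["autoConfirmUser"] = False
    # The demo pool does not collect email; even when it does, marking an
    # address verified without a check would let a user claim an address
    # they do not control, so leave these off.
    response["autoVerifyEmail"] = False
    response["autoVerifyPhone"] = False
    if event.get("triggerSource") == SELF_SIGNUP:
        response["autoConfirmUser"] = True
    return event


# Constructed sample event mirroring the fields Cognito sends to the trigger.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "PreSignUp_SignUp",
    "region": "us-east-1",
    "userPoolId": "EXAMPLE_POOL_ID",          # placeholder value
    "userName": "demo-user",
    "callerContext": {"awsSdkVersion": "aws-sdk-js-2.6.4",
                      "clientId": "EXAMPLE_CLIENT_ID"},  # placeholder value
    "request": {"userAttributes": {}, "validationData": {}},
    "response": {},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None)["response"])
```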

SignIn:

  • Next, create SignIn to allow clients to sign up or authenticate with a username and password.
  • It allows the Lambda function to access the Cognito resource and take action against it.
  • You can generate tokens for the users in this Lambda function.
  • You can download this Lambda code from the link below: http://bleepingbots.com/awsresource/signin.py
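As an added example (not the author's signin.py), a SignIn Lambda that authenticates a username and password against the user pool with the `USER_PASSWORD_AUTH` flow and returns only the tokens. It assumes an app client without a client secret, an event of the form `{"username": ..., "password": ...}`, and a hypothetical `COGNITO_CLIENT_ID` environment variable.

```python
"""Cognito SignIn Lambda: username/password in, Cognito tokens out."""
import os

# Hypothetical configuration: app client id read from the Lambda environment.
CLIENT_ID = os.environ.get("COGNITO_CLIENT_ID", "EXAMPLE_CLIENT_ID")


def build_auth_request(event, client_id):
    """Validate the event and build the InitiateAuth parameters."""
    username = event.get("username")
    password = event.get("password")
    if not username or not password:
        raise ValueError("username and password are required")
    return {
        "ClientId": client_id,
        "AuthFlow": "USER_PASSWORD_AUTH",
        "AuthParameters": {"USERNAME": username, "PASSWORD": password},
    }


def extract_tokens(auth_response):
    """Return just the tokens; refuse to treat a challenge as a login."""
    # Cognito may answer with a challenge (e.g. NEW_PASSWORD_REQUIRED)
    # instead of tokens, so make that explicit to the caller.
    if "ChallengeName" in auth_response:
        raise PermissionError("challenge required: " + auth_response["ChallengeName"])
    result = auth_response["AuthenticationResult"]
    return {
        "id_token": result["IdToken"],
        "access_token": result["AccessToken"],
        "refresh_token": result.get("RefreshToken"),
        "expires_in": result["ExpiresIn"],
    }


def lambda_handler(event, context):
    """Call Cognito InitiateAuth and shape the result for the client."""
    import boto3  # imported here so the helpers above stay usable offline
    from botocore.exceptions import ClientError

    client = boto3.client("cognito-idp")
    try:
        response = client.initiate_auth(**build_auth_request(event, CLIENT_ID))
        return {"statusCode": 200, "body": extract_tokens(response)}
    except (ValueError, PermissionError) as exc:
        return {"statusCode": 400, "body": str(exc)}
    except ClientError:
        # One generic answer for wrong password and unknown user, so the
        # endpoint does not reveal which usernames exist in the pool.
        return {"statusCode": 401, "body": "authentication failed"}
```

The Lambda's execution role needs `cognito-idp:InitiateAuth` on the pool for the call to succeed.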