Authentication in apps hosted on AWS
Recently I have been testing various options for implementing authentication and authorization in apps. As much as possible, I wanted to implement them in cloud-native ways.
Here is a quick summary of my experiments. For those of you interested in the code, here is the GitHub repo for a VueJS app implementing authentication (using corporate SSO and social authentication via Facebook and Google) with an AWS Cognito User Pool — https://github.com/styrus05/aws-cognito-authentication-in-vue-app.git
1. Application with a server-side component
You can configure an AWS Application Load Balancer to use the authenticate action on the Listener tab. You can use either AWS Cognito as the authenticator or an identity provider that supports OpenID Connect (e.g. OneLogin, Auth0, Okta, etc.).
You can add path-based rules in the ALB listener to enforce authentication only on certain paths (e.g. /login, /account, etc.). After successful authentication the ALB will provide a JSON Web Token (JWT) which your application code can parse to get the user details (name, email, group membership, etc.) and implement authorisation. The token can also be used for accessing protected APIs.
Where can you use this option?
- Applications deployed on EC2 instances
- Applications deployed as containers on ECS
2. Single Page Application
- Use Amplify to add an authentication flow to your app. It is pretty straightforward to implement, but it is suitable ONLY when you use Cognito as the identity provider.
- If you intend to use an external IdP (e.g. Shibboleth, Google, Facebook) — you can implement a custom authentication flow using the Authorization Code Flow with PKCE. Implementation and token management are a bit tricky. Here is a sample VueJS project on my GitHub repo — https://github.com/styrus05/aws-cognito-authentication-in-vue-app.git
Where can you use this option?
- Authentication in mobile apps
- Web applications built as Single Page Applications using VueJS, Ionic, React, Angular or plain JavaScript.
3. Protecting static content
To protect static media content served via the AWS CloudFront CDN, you can use either signed cookies or signed URLs.
In summary, here is how it all gets stitched together:
- Create a server-side component (it can be a Lambda function as well) and protect it with your authentication mechanism. This component will be responsible for generating the signed URL or signed cookies.
- For authenticated users, execute the server-side code to generate a signed URL or signed cookies. Use signed cookies if you need to keep the resource URL unchanged (e.g. in the case of video streaming).
- Set up CloudFront to restrict access to the content.
Now, every time a user accesses secure content served through CloudFront, they will need to be in an authenticated session.
Where can you use this option?
You can use this option when building a paid media content service (like Netflix, Shutterstock, etc.) where you want to make the paid content (images, video, PDFs, etc.) available at the edge via CloudFront, but only to the users who have paid for the service.