AWS re:Invent 2017: [REPEAT] Serverless Authentication and Authorization: Identity M (SRV403-R)

  • Published: Jul 30, 2024
  • Many serverless applications need a way to manage end user identities and support sign-ups and sign-ins. Join this session to learn real-world design patterns for implementing authentication and authorization for your serverless application, such as how to integrate with social identity providers (such as Google and Facebook) and existing corporate directories. We cover how to use Amazon Cognito identity pools and user pools with API Gateway, Lambda, and IAM.

Comments • 13

  • @VladimirOdessit 6 years ago +3

    The app that we referenced during the talk: github.com/awslabs/aws-serverless-auth-reference-app
    Here's a sample single-page web-app written in Angular using Cognito and running on S3 (completely serverless):
    github.com/awslabs/aws-cognito-angular-quickstart
    Serverless Photo Recognition using most of the services we talked about, in addition to Amazon Rekognition:
    github.com/awslabs/serverless-photo-recognition
    Blog post:
    aws.amazon.com/blogs/ai/use-amazon-rekognition-to-build-an-end-to-end-serverless-photo-recognition-system/

    • @danielpapukchiev3754 6 years ago

      Hello, we are using Cognito Federated Identities for Facebook and Google auth and Cognito User Pools for username/password flows. Our back-end is a serverless API with API Gateway. To protect it we wanted to use the aws_iam authorizer, but we ran into a problem. To refresh AWS keys with Cognito Federated Identities we have to supply the original Facebook/Google/Cognito tokens, which also expire in a short period of time. How would a user coming from Facebook, for example, refresh his/her AWS keys given from Cognito Federated Identities? In the end we decided to issue our own JWT tokens with refresh tokens via DynamoDB + custom Lambda authorizers which validate those tokens, so all users go through the same refresh flow, as opposed to using each identity provider's refresh mechanism in the front end.
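
The custom Lambda authorizer approach described in the comment above, as an added example (not code from the talk, the commenter, or the awslabs repositories): an API Gateway TOKEN authorizer that validates a self-issued HS256 JWT and returns an IAM policy. The shared secret, the function names and the sample values are assumptions; the DynamoDB refresh-token store is outside what this block shows.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 key; load from a secret store in practice

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub, ttl, now=None):
    """Issue a short-lived access token (used here to construct sample input)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{b64url_encode(sign(f'{header}.{payload}'))}"

def verify_token(token, now=None):
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        # Pin the algorithm: the token header must never choose it (rejects alg=none).
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(sign(f"{h}.{p}"), b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        ok = isinstance(claims["sub"], str) and isinstance(claims["exp"], int)
        return claims if ok and claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None  # malformed token: fail closed

def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: valid token -> Allow policy, anything else -> Deny."""
    token = event.get("authorizationToken", "")
    claims = verify_token(token[7:] if token.startswith("Bearer ") else token, now)
    return {
        "principalId": claims["sub"] if claims else "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow" if claims else "Deny",
            "Resource": event["methodArn"],
        }]},
    }
```
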

    • @VladimirOdessit 6 years ago

      Take a look at this documentation: docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html

  • @NS38845 6 years ago +14

    I like how you numbered this 403

  • @michaelchambers236 6 years ago +2

    Thank you both. Great presentation and very helpful!

  • @gummibare 6 years ago +10

    Why is it that AWS passes the ID token to retrieve credentials from Federated Identities? Specifically at 9:50. Isn't the Access Token the ideal token to use in this case, since it was specifically meant for providing access to APIs?

  • @elritualk 5 years ago

    Hi, first, thanks for this overview. I have a question: User Pool -> Federation costs money based on MAU, and Federated Identity is free no matter what MAU you have?

  • @gireeshkumarmn2796 5 years ago +2

    Awesome content, and the best one to get started with Cognito.

  • @selimcse98 5 years ago +1

    Can you please share the application source code?

    • @hoangedward 5 years ago

      Mohammad Selim Miah at the end of video