Integrate Social Login into Mobile Apps (SEC401) | AWS re:Invent 2013

Post on 07-Sep-2014


DESCRIPTION

Streamline your mobile app signup experience with social login. We demonstrate how to use web identity federation to enable users to log into your app using their existing Facebook, Google, or Amazon accounts. Learn how to apply policies to these identities to secure access to AWS resources, such as personal files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.

TRANSCRIPT

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Integrate Social Login Into Mobile Apps

Bob Kinney, AWS Mobile

November 15, 2013

Agenda

• AWS Mobile

• Why are we here?

• Web identity federation

• Other options

AWS Mobile

• AWS IAM – Social Login
• Amazon S3 – File Storage
• Amazon DynamoDB – Online Data
• Amazon SNS – Mobile Push

AWS Mobile

• http://aws.amazon.com/mobile
  – AWS Mobile SDKs (iOS and Android)
  – Amazon SNS Mobile Push
  – Geo library for Amazon DynamoDB
  – S3TransferManager
  …plus more added all the time

Why are we here?

ACCESS_KEY = "AK….."
SECRET_KEY = "….."

signed requests

The naive approach: compile a long-lived IAM access key and secret into the app and sign requests with it on the device. Anyone who unpacks the binary has those keys, every user of the app shares the same keys, and they never expire on their own. What we actually need:

• Get credentials onto device
• Limit lifetime, enforce rotation
• Limit access to users’ resources
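A check for the anti-pattern on this slide, as an added example that is not from the talk: scan source files, resource files or the strings pulled from a build for AWS access key ids and secrets compiled into the app. The decompiled snippet is constructed and uses the key values AWS uses in its own documentation examples; the class and field names are placeholders.

```python
"""Check for the anti-pattern on the "Why are we here?" slide: long-lived
AWS keys compiled into the app.

Added example for this page, not from the talk.  Run it over source,
resource files or `strings` output from a build.  The sample below is a
constructed decompiled snippet using the key values AWS uses in its own
documentation examples; they are not live keys.
"""
import re
from typing import List, Tuple

# Access key ids are 20 chars: AKIA... for long-lived IAM user keys,
# ASIA... for temporary STS keys (the kind a device should hold).
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 chars from the base64 alphabet; to keep noise
# down, only flag them when assigned to something named like a secret.
SECRET_RE = re.compile(
    r"(?i)secret[^\n=:]{0,20}[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

Finding = Tuple[int, str, str]  # (line number, kind, value or redacted value)


def find_embedded_keys(text: str) -> List[Finding]:
    """Return every credential-looking value with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            kind = ("long-lived access key id" if m.group(1) == "AKIA"
                    else "temporary access key id")
            findings.append((lineno, kind, m.group(0)))
        for m in SECRET_RE.finditer(line):
            # Never echo the full secret into a report.
            findings.append((lineno, "secret access key", m.group(1)[:4] + "..."))
    return findings


def ships_long_lived_keys(text: str) -> bool:
    """CI gate: fail the build if an AKIA key or a secret is in the artifact."""
    return any(kind != "temporary access key id"
               for _, kind, _ in find_embedded_keys(text))


# Constructed sample: what a decompiled Android class with baked-in keys looks like.
SAMPLE_DECOMPILED = """\
public final class AwsConfig {
    public static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    public static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    public static final String BUCKET = "photoshare-demo";
}
"""

if __name__ == "__main__":
    for lineno, kind, value in find_embedded_keys(SAMPLE_DECOMPILED):
        print(f"line {lineno}: {kind}: {value}")
```

Temporary (ASIA...) keys are reported but do not fail the gate: after the switch to web identity federation those are the only AWS keys that should ever exist on a device, and they are obtained at runtime rather than compiled in.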

web identity federation

What is Web Identity Federation?

Mobile Photo Share

DEMO

Mobile Photo Share – Architecture

• Amazon S3 – S3 Transfer Manager
• Amazon DynamoDB – Geo Library for Amazon DynamoDB
• AWS IAM – Web Identity Federation
• AWS Mobile SDKs (see session MBL402)

Web Identity Auth Flow

[Diagram: Mobile Client, AWS STS and an Amazon S3 Bucket inside the AWS Cloud.] The client signs in with the identity provider and receives a token. It presents that token to AWS STS (AssumeRoleWithWebIdentity) and receives temporary credentials whose permissions are bounded by the IAM role. It then calls Amazon S3 directly with those credentials; no long-lived AWS key is ever on the device.

Getting Started with Web Identity Federation

• AWS Mobile SDKs
• Application with identity provider
• AWS IAM role for web identity federation
• SDK to authenticate with identity provider

Setting Up Application Through Login with Amazon

DEMO


AWS IAM Roles

• Mechanism for delivering temporary credentials
• Has two policies
  – Trust (who can assume the role)
  – Access (what resources the role can access)
• Three types of roles
  – AWS service roles
  – Cross-account access
  – Web identity federation

Role for Web Identity Federation

• Trust policy
  – What provider do we trust?
  – What application with that provider do we trust?
• Access policy
  – What resources should the user have access to?
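What the trust policy looks like in full, and what the mobile SDK actually sends to STS in the auth flow, as an added Python example that is not the talk's demo code or the AWS Mobile SDK (the SDK wraps this call): it builds the role trust policy for a provider and app pair, forms the unsigned AssumeRoleWithWebIdentity request, and parses an STS reply into temporary credentials. The role ARN, app ids, token, key values and the reply itself are placeholders or constructed samples.

```python
"""The STS leg of the web identity auth flow, as the raw Query API exchange.

Added example for this page; it is not the talk's code or the AWS Mobile
SDK.  No network request is made: the STS reply below is a constructed
sample, and the role ARN, app ids and token are placeholders.
"""
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Any, Dict

STS_ENDPOINT = "https://sts.amazonaws.com/"
NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Condition key that names the application registered with each provider
# (the per-provider keys from the "Policy Variables" slide).
APP_ID_KEY = {
    "www.amazon.com": "www.amazon.com:app_id",
    "graph.facebook.com": "graph.facebook.com:app_id",
    "accounts.google.com": "accounts.google.com:aud",
}


def trust_policy(provider: str, app_id: str) -> Dict[str, Any]:
    """Role trust policy: trust one provider AND one application with it.
    Without the Condition, any app registered with that provider could
    obtain credentials for this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {APP_ID_KEY[provider]: app_id}},
        }],
    }


def assume_role_url(role_arn: str, web_identity_token: str,
                    session_name: str, duration_seconds: int = 3600) -> str:
    """Unsigned AssumeRoleWithWebIdentity request: the provider's token is
    the only credential, so no AWS access key has to ship in the app."""
    params = {
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": str(duration_seconds),
    }
    return STS_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_iso8601(ts: str) -> dt.datetime:
    """STS returns e.g. 2013-11-15T17:30:00Z; make it an aware datetime."""
    return dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_assume_role_response(xml_body: str) -> Dict[str, Any]:
    """Extract the temporary credentials and the token subject.  The subject
    is the value ${www.amazon.com:user_id} expands to in the access policy."""
    result = ET.fromstring(xml_body).find(f"{NS}AssumeRoleWithWebIdentityResult")
    creds = result.find(f"{NS}Credentials")
    out: Dict[str, Any] = {tag: creds.findtext(f"{NS}{tag}")
                           for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken")}
    out["Expiration"] = parse_iso8601(creds.findtext(f"{NS}Expiration"))
    out["Subject"] = result.findtext(f"{NS}SubjectFromWebIdentityToken")
    return out


def needs_refresh(creds: Dict[str, Any], now: dt.datetime,
                  skew: dt.timedelta = dt.timedelta(minutes=5)) -> bool:
    """Temporary credentials expire; re-run the flow before they do."""
    return creds["Expiration"] - now <= skew


# Constructed sample reply (not a capture); the key values are not real.
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse
  xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <SubjectFromWebIdentityToken>amzn1.account.EXAMPLEUSER</SubjectFromWebIdentityToken>
    <Audience>amzn1.application-oa2-client.EXAMPLEAPP</Audience>
    <Credentials>
      <SessionToken>AQoDYXdzEXAMPLESESSIONTOKEN</SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>
      <Expiration>2013-11-15T17:30:00Z</Expiration>
      <AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <Provider>www.amazon.com</Provider>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

if __name__ == "__main__":
    print(assume_role_url("arn:aws:iam::123456789012:role/PhotoShareUser",
                          "PROVIDER_TOKEN", "bob"))
    print(parse_assume_role_response(SAMPLE_RESPONSE))
```

The two things to notice are that the request carries no AWS key or signature, and that the reply's SubjectFromWebIdentityToken is the per-user value the access policy keys on; the trust policy's app-id condition is what stops a different application registered with the same provider from assuming the role.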

Creating an IAM Role

DEMO


Adding Login with Amazon SDK

• Download SDK from http://login.amazon.com/
• Add files to project
• Integrate into app
  – API key
  – AWS IAM role ARN

Adding Login with Amazon SDK

DEMO



Breaking Permissions

DEMO

Access Policy (wide open, as used in the "Breaking Permissions" demo)

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:*"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["sns:*"], "Resource": "*" }
  ]
}

Every user who can log in to the app gets these permissions, so any user can read, overwrite or delete every object in every bucket and every item in every table in the account.

Access Policy Restriction (by service and resource)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                 "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
      "Resource": "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME"
    },
    {
      "Effect": "Allow",
      "Action": "sns:CreatePlatformEndpoint",
      "Resource": "arn:aws:sns:REGION:123456789:app/PLATFORM/APP_NAME"
    }
  ]
}

Better: only the app's own bucket, table and SNS platform application are reachable, and only with the actions the app needs. Still, every authenticated user has the same access to the whole bucket and table, so one user can read and delete another user's photos.

Access Policy Restriction (per user, hard-coded)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                 "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::BUCKET_NAME/BobKinney/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET_NAME",
      "Condition": {"StringLike": {"s3:prefix": "BobKinney/"}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucketMultipartUploads"],
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}

This confines access to one user's prefix, but the user name is written into the role policy, and a role is shared by every user who assumes it. The next slide replaces the literal with a policy variable that STS fills in from the identity provider's token.

Policy Variables for Web Identity Federation

• Facebook
  – graph.facebook.com:app_id
  – graph.facebook.com:id
• Login with Amazon
  – www.amazon.com:app_id
  – www.amazon.com:user_id
• Google
  – accounts.google.com:aud
  – accounts.google.com:sub

The *:id, *:user_id and *:sub variables carry the provider's unique, stable identifier for the logged-in user; use them, not a display name or e-mail address, to name per-user resources. Policy variables are only substituted when the policy declares "Version": "2012-10-17"; under the older default version "${...}" is treated as a literal string and the statement matches nothing.

Access Policy – Personal Photos

<!-- Write/Read/Delete individual items -->
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
             "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
  "Resource": "arn:aws:s3:::BUCKET_NAME/${www.amazon.com:user_id}/*"
}

<!-- List these items -->
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::BUCKET_NAME",
  "Condition": {"StringLike": {"s3:prefix": "${www.amazon.com:user_id}/"}}
}

With no trailing wildcard, StringLike only matches a listing whose prefix is exactly "<user_id>/". If the app also needs to list sub-folders such as "<user_id>/albums/", use "${www.amazon.com:user_id}/*" instead.

<!-- Multipart Operations -->
{
  "Effect": "Allow",
  "Action": "s3:ListBucketMultipartUploads",
  "Resource": "arn:aws:s3:::BUCKET_NAME"
}

Access Policy – Public Photos

<!-- Read all public photos -->
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::BUCKET_NAME/public/*"
}

<!-- Write/Delete our public photos -->
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:DeleteObject",
             "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
  "Resource": "arn:aws:s3:::BUCKET_NAME/public/${www.amazon.com:user_id}/*"
}

<!-- List these items -->
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::BUCKET_NAME",
  "Condition": {"StringLike": {"s3:prefix": "public/"}}
}

Anyone may read anything under public/, but a user may only write or delete under public/<own user_id>/, so a user cannot replace or remove another user's public photo. (The original slide had "Resource": "BUCKET_NAME" in the last statement; ListBucket must name the bucket ARN, arn:aws:s3:::BUCKET_NAME.)

Access Policy – Amazon DynamoDB

<!-- DynamoDB policy -->
{
  "Effect": "Allow",
  "Action": ["dynamodb:GetItem", "dynamodb:Query"],
  "Resource": "arn:aws:dynamodb:REGION:12345678:table/Favorites",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": "${www.amazon.com:user_id}"
    }
  }
}

dynamodb:LeadingKeys is the set of partition key values a request touches; ForAllValues requires every one of them to equal the caller's user_id, so a Query or GetItem can only ever return the caller's own items.
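To see the corrected policies behave the way the "Breaking Permissions" and "Correcting Permissions" demos show without an AWS account, here is an added Python simulation. It is not the talk's code and not how IAM is implemented; it models only the features these slide policies use (Allow statements, * wildcards, StringLike on s3:prefix, ForAllValues:StringEquals on dynamodb:LeadingKeys), substitutes the www.amazon.com:user_id variable the way STS does from the token subject, and evaluates requests against both the wide-open policy and the per-user policy. The bucket name, table ARN, region, account id and user ids are assumptions.

```python
"""Offline simulation of how IAM evaluates the per-user policies above.

Added example for this page, not AWS code and not the talk's sample app.
It models only what those slide policies use: Allow statements, '*' and
'?' wildcards in Action and Resource, StringLike on s3:prefix, and
ForAllValues:StringEquals on dynamodb:LeadingKeys.  Real IAM adds explicit
Deny, NotAction/NotResource, many more operators, and resource policies.
Bucket, table, region and account values are assumptions.
"""
import fnmatch
import re
from typing import Any, Dict, List, Optional

BUCKET = "arn:aws:s3:::photoshare-demo"                               # assumed
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Favorites"     # assumed
USER_VAR = "${www.amazon.com:user_id}"  # filled from the Login with Amazon token

# The deck's first policy: every logged-in user may do anything in S3.
WIDE_OPEN: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}

# The deck's corrected policy.  Policy variables need Version 2012-10-17;
# under the older default version "${...}" is just a literal string.
PER_USER: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": f"{BUCKET}/{USER_VAR}/*"},
        # Exactly as on the slide: no trailing wildcard, so only a listing
        # whose prefix is exactly "<user_id>/" is allowed.
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
         "Condition": {"StringLike": {"s3:prefix": f"{USER_VAR}/"}}},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"{BUCKET}/public/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{BUCKET}/public/{USER_VAR}/*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": TABLE,
         "Condition": {"ForAllValues:StringEquals":
                       {"dynamodb:LeadingKeys": USER_VAR}}},
    ],
}


def _as_list(v: Any) -> List[str]:
    return v if isinstance(v, list) else [v]


def _substitute(value: str, variables: Dict[str, str]) -> str:
    """Expand ${key} from the federated identity's token claims.  A variable
    with no value is left as literal text, so it can never match a real ARN."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: variables.get(m.group(1), m.group(0)), value)


def _conditions_hold(cond: Dict[str, Any], request: Dict[str, Any],
                     variables: Dict[str, str]) -> bool:
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            patterns = [_substitute(p, variables) for p in _as_list(wanted)]
            actual = _as_list(request.get(key, []))
            if operator == "StringLike":
                # Key absent from the request -> condition is false.
                if not any(fnmatch.fnmatchcase(a, p)
                           for a in actual for p in patterns):
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value in the request set must be in the allowed set;
                # an empty request set satisfies ForAllValues.
                if not all(a in patterns for a in actual):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_allowed(policy: Dict[str, Any], user_id: Optional[str], action: str,
               resource: str, request: Optional[Dict[str, Any]] = None) -> bool:
    """True if some Allow statement matches action, resource and conditions.
    `user_id` is the subject STS took from the web identity token."""
    variables = {"www.amazon.com:user_id": user_id} if user_id else {}
    request = request or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _substitute(r, variables))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), request, variables):
            continue
        return True
    return False


if __name__ == "__main__":
    print(is_allowed(WIDE_OPEN, "bob", "s3:GetObject", f"{BUCKET}/alice/1.jpg"))
    print(is_allowed(PER_USER, "bob", "s3:GetObject", f"{BUCKET}/alice/1.jpg"))
```

Under WIDE_OPEN, bob reads alice's photo; under PER_USER he cannot, but he can still read anything under public/ and only write under public/bob/. The simulation also shows the listing caveat from the slide policy (a prefix of "bob/albums/" is refused because the StringLike pattern has no wildcard) and that a Query whose partition keys include any other user's id is refused by ForAllValues.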

Correcting Permissions

DEMO

Web Identity Federation – Summary

• Three supported providers – Facebook, Google, and Amazon
• Uses IAM roles to provide access restrictions
• Uses IAM policy variables to allow for per-user customized access

What about other logins?

• User doesn’t have a Facebook, Google, or Amazon account
• Want to support a private pool of users

(Identity) Token Vending Machine (TVM)

Identity TVM Auth Flow

[Diagram: mobile app, TVM Server and AWS STS, with the app then calling Amazon DynamoDB, Amazon S3 and Amazon SNS directly. Steps shown: Register User, Login (the device receives a private key, encrypted), Get Token, Token.] The TVM server, not the device, holds the long-lived AWS credentials; it authenticates the user against its own user pool, obtains temporary credentials from AWS STS, and hands them to the app as the token.

Policies with Identity TVM

[Diagram: Root Credentials → AWS IAM User Policy (TVM) → AWS STS Policy (App).] The TVM runs under an IAM user whose policy is the upper bound of what it can vend; the temporary credentials it hands to the app carry an STS policy, and the app's effective permissions are the intersection of the two. Run the TVM as a dedicated IAM user with only the permissions it must vend; the account's root credentials belong to the account owner and should never sit on the TVM server.

What About Anonymous Access?

anonymous TVM

Anonymous TVM Auth Flow

[Diagram: same shape as the identity TVM flow without Register User and Login. The device calls Register Device, then Get Token, and receives a Token (temporary credentials the TVM Server obtained from AWS STS) for Amazon DynamoDB, Amazon S3 and Amazon SNS.]

Policies with Anonymous TVM

Anonymous == Read-Only

Anonymous Access

DEMO

Conclusions

• User has a Facebook, Google, or Amazon account → web identity federation
• User has another account → identity TVM
• User has no account → anonymous TVM

Web Identity Federation Playground

Connect

• Booth & Office Hours: Thursday 4:30 – 5:30 pm, Friday 9:00 – 10:00 am
• AWS Mobile Blog: http://mobile.awsblog.com
• Twitter: @awsformobile

Please give us your feedback on this presentation. As a thank you, we will select prize winners daily for completed surveys!

SEC401

Additional Resources

• Web Identity Federation
  – https://web-identity-federation-playground.s3.amazonaws.com/index.html
  – http://aws.amazon.com/articles/4617974389850313
  – http://mobile.awsblog.com/post/Tx1P67OUG61P9CB/
  – http://mobile.awsblog.com/post/Tx15RSS024YGKUL/
  – https://github.com/awslabs/aws-mobile-sample-wif
  – http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html
• TVM
  – http://aws.amazon.com/articles/4611615499399490
  – http://aws.amazon.com/code/8872061742402990
  – http://aws.amazon.com/code/7351543942956566
