Demystifying Amazon Cognito - apidays Australia (au.apidays.io/slides/wolfe-cognito.pdf)
Amazon Cognito
• Identity as a service
• Designed for Web and Mobile applications
• Tightly integrated into the AWS "serverless" ecosystem
• Rich API
Identity As a Service?
• Sign Up
• Verify your email address or mobile number
• Sign In
• Supports MFA
• Password Change and Recovery
• Server side encryption of ALL data
• Save User Settings
• No servers were harmed during setup..
Configuring Cognito
• Configure an internal pool of users
• Associate that pool with the identity service
• Assign some IAM policies
• Include the SDK in your application
What Next?
• AssumeRoleWithWebIdentity
• Retrieve standard (temporary) AWS credentials using your Cognito identity.
• Lets you access the AWS API directly from the client.
• This is an interesting and somewhat scary proposition.
• Serverless…
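The "scary" part is only as scary as the role Cognito hands out. The IAM documents below are an added example, not from the talk or the demo repository: a trust policy that only lets identities from one identity pool, and only authenticated ones, assume the role, and a permissions policy that confines each identity to its own prefix through the ${cognito-identity.amazonaws.com:sub} policy variable. The identity pool id, region and bucket name are placeholders, and the two policies are wrapped in one object purely for presentation; each is a separate IAM document.

```json
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Federated": "cognito-identity.amazonaws.com"},
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "ap-southeast-2:EXAMPLE-IDENTITY-POOL-ID"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }]
  },
  "PermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadWriteOwnPrefixOnly",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-bucket/private/${cognito-identity.amazonaws.com:sub}/*"
      },
      {
        "Sid": "ListOwnPrefixOnly",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-app-bucket",
        "Condition": {
          "StringLike": {"s3:prefix": "private/${cognito-identity.amazonaws.com:sub}/*"}
        }
      }
    ]
  }
}
```

Without the aud and amr conditions any identity pool, including an unauthenticated guest, could assume the role; without the sub variable every signed-in user of the app shares one bucket-wide grant, and the credentials live in the browser.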
Obligatory Reading
• IAM, AWS Identity and Access Management
• AWS SDK, Amazon Web Services Software Development Kit
• JWT, JSON Web Tokens (RFC 7519)
Demo
• https://cognito-vue-bootstrap.wolfe.id.au/
• Self service demonstration!
• Code is at https://github.com/wolfeidau/cognito-vue-bootstrap
Secure Remote Password protocol (SRP)
• An eavesdropper or man in the middle cannot obtain the password, and the server stores only a verifier, never the password itself
• A password-authenticated key agreement (PAKE) protocol
• Uses challenge and response
• Does not require a trusted third party
• Version 3 is described in RFC 2945; the standard groups used by SRP-6/6a (the variant Cognito's USER_SRP_AUTH flow implements) are in RFC 5054
Why SRP?
• Is the network your users are connected to compromised?
• Government Actors
• Corporate Security Devices…
• Why not go that extra mile to protect users?!
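The exchange described above, carried through with both parties in one process, as an added example that is neither the talk's code nor the Cognito SDK's. It implements SRP-6a over the 1024-bit RFC 5054 group with SHA-256, and shows what actually crosses the wire: username, salt, the public values A and B, and the two proofs M1 and M2; the password never leaves the client and the server only ever holds a verifier. The group constant is assumed to be copied correctly from the RFC; check the digits before reusing it anywhere real.

```python
"""SRP-6a sign-up and login, client and server side by side (stdlib only).

Added example: not Cognito's implementation. Same shape as USER_SRP_AUTH,
but Cognito uses a larger group and its own message framing."""
import hashlib
import hmac
import secrets

# 1024-bit safe-prime group from RFC 5054 Appendix A, generator 2.
# Assumed to be copied correctly; verify against the RFC before reuse.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Big-endian encoding padded to the length of N, as RFC 5054 requires."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, binds the exchange to this group


def private_x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Sign-up: client sends (salt, verifier); the server never sees the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def client_start():
    a = secrets.randbelow(N - 1) + 1          # ephemeral private value
    return a, pow(g, a, N)                    # (a, public A)


def server_challenge(verifier: int):
    b = secrets.randbelow(N - 1) + 1
    return b, (k * verifier + pow(g, b, N)) % N   # (b, public B)


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("server sent a degenerate B")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("degenerate scrambling parameter")
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b(a+ux))
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()  # client's proof of K
    return K, M1


def server_finish(verifier, b, A, B, M1):
    if A % N == 0:
        raise ValueError("client sent a degenerate A")
    u = H(pad(A), pad(B))
    S = pow(A * pow(verifier, u, N), b, N)              # = g^(b(a+ux)) as well
    K = hashlib.sha256(pad(S)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
    if not hmac.compare_digest(expected, M1):
        return None  # wrong password or tampered exchange: no key, no M2
    return K, hashlib.sha256(pad(A) + M1 + K).digest()  # server's proof of K


def login(username, password, salt, verifier):
    """Drive one exchange. Returns (client_key, server_key); server_key is None on failure."""
    a, A = client_start()                       # client -> server: username, A
    b, B = server_challenge(verifier)           # server -> client: salt, B
    K_c, M1 = client_finish(username, password, salt, a, A, B)   # client -> server: M1
    outcome = server_finish(verifier, b, A, B, M1)
    if outcome is None:
        return K_c, None
    K_s, M2 = outcome                            # server -> client: M2
    if not hmac.compare_digest(hashlib.sha256(pad(A) + M1 + K_c).digest(), M2):
        raise ValueError("server failed its proof")  # a fake server is caught here
    return K_c, K_s


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")   # constructed demo user
    print("good password, keys match:", login("alice", "correct horse battery staple", salt, v)[1] is not None)
    print("bad password rejected:", login("alice", "wrong", salt, v)[1] is None)
```

Note what an eavesdropper gets: A, B, M1 and M2, all of which are one-way functions of secrets they do not hold. A network device that can read or rewrite the traffic still cannot replay it, because a and b are fresh per login and u binds both public values into the session key.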
JWT
• JSON Web Tokens industry standard RFC 7519
• Signed by the issuer
• Header, payload and signature are base64url-encoded and dot-separated (encoding, not encryption: anyone holding the token can read the claims)
• Contains the claims and a small amount of identity information
Why JWT?
• More context for clients and services
• Includes scopes / expires / issuer
• JSON makes it easy to parse
• Digital signature (Cognito signs its tokens with RS256; verify against the user pool's published JWKS, not just the token's own alg header)
• Standards based
HMAC Signatures
• Hash-based message authentication code (HMAC)
• Calculate a message authentication code involving a hash function in combination with a secret key
• Used to verify the integrity and authenticity of a message
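The JWT and HMAC sections above in working form, as an added example that is neither the talk's code nor Cognito's. It mints a token, reads the claims without the key (base64url is not secrecy), verifies the HMAC-SHA256 signature, and then applies the claim checks a Cognito verifier has to make: issuer, audience, token_use and expiry. HS256 is used only because it runs with the standard library; Cognito itself signs with RS256 and publishes its keys at https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json, so a real verifier swaps the HMAC comparison for an RSA check and keeps everything else. The pool id, client id, key and claims are constructed placeholders.

```python
"""Mint, read and verify a JWT with the standard library.

Added example, not Cognito's code: HS256 stands in for Cognito's RS256 so that
the block runs offline. The claim checks are the ones a Cognito verifier needs."""
import base64
import hashlib
import hmac
import json

# Constructed demo values: the issuer follows Cognito's iss format, the rest are placeholders.
ISSUER = "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EXAMPLE"
CLIENT_ID = "1example23456789"
KEY = b"demo-only-shared-secret"
NOW = 1_700_000_000
CLAIMS = {
    "sub": "c0ffee00-0000-4000-8000-000000000001",
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "token_use": "id",
    "exp": NOW + 3600,
    "email": "alice@example.com",
}


class TokenError(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint(claims: dict, key: bytes = KEY) -> str:
    signing_input = f"{_enc({'alg': 'HS256', 'typ': 'JWT'})}.{_enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def peek(token: str) -> dict:
    """Read the claims without any key: base64url is encoding, not encryption."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token, now, issuer=ISSUER, audience=CLIENT_ID, token_use="id", key=KEY):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("expected three segments")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the token must never choose how it is verified ('none', key confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("signature mismatch")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    # Cognito id tokens carry the app client id in aud, access tokens in client_id.
    if claims.get("aud", claims.get("client_id")) != audience:
        raise TokenError("wrong audience")
    if claims.get("token_use") != token_use:
        raise TokenError("wrong token_use")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    return claims


def check(token: str, now: int) -> str:
    """Verify and report 'ok' or the rejection reason."""
    try:
        verify(token, now)
        return "ok"
    except TokenError as e:
        return str(e)


def forge_subject(token: str, new_sub: str) -> str:
    """Attacker move: rewrite the payload but keep the old signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(b64url_decode(p64))
    claims["sub"] = new_sub
    return f"{h64}.{_enc(claims)}.{s64}"


def unsigned_token(claims: dict) -> str:
    """Attacker move: alg=none with an empty signature segment."""
    return f"{_enc({'alg': 'none', 'typ': 'JWT'})}.{_enc(claims)}."


if __name__ == "__main__":
    token = mint(CLAIMS)
    print("claims readable without key:", peek(token)["email"])
    print("genuine:", check(token, NOW))
    print("forged sub:", check(forge_subject(token, "admin"), NOW))
    print("alg=none:", check(unsigned_token(CLAIMS), NOW))
    print("expired:", check(mint(dict(CLAIMS, exp=NOW - 1)), NOW))
```

The ordering matters: algorithm first, signature second, claims last, so that nothing in an unverified payload influences a decision. Checking token_use stops an access token being accepted where an id token is expected and vice versa, which is easy to get wrong because both come from the same Cognito call.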
Contrived Example (this is the legacy AWS Signature Version 2 scheme from S3's REST API, now deprecated in favour of Version 4 below; it is here to show the shape of an HMAC-signed request)
    "Authorization: AWS " + AWSAccessKeyId + ":" + base64(hmac-sha1(
        VERB + "\n" + CONTENT-MD5 + "\n" + CONTENT-TYPE + "\n" + DATE + "\n" +
        CanonicalizedAmzHeaders + "\n" + CanonicalizedResource))
Resulting HTTP Request
    PUT /quotes/nelson HTTP/1.0
    Authorization: AWS 44CF9590006BF252F707:jZNOcbfWmD/A/f3hSvVzXZjM2HU=
    Content-Md5: c8fdb181845a4ca6b8fec737b3581d76
    Content-Type: text/html
    Date: Thu, 17 Nov 2005 18:49:58 GMT
    X-Amz-Meta-Author: [email protected]
    X-Amz-Magic: abracadabra
AWS Signature Version 4
• Uses an HMAC-SHA256 signature for each web request
• Requires the client to have:
• A synchronised clock (the signed x-amz-date must be within 15 minutes of AWS's clock, which also bounds replay)
• A client identifier (the access key ID, sent in the clear in the Credential field)
• A secret key (the secret access key, never sent; it only derives the per-day, per-region, per-service signing key)
How it works
• You create a canonical request.
• You use the canonical request and some other information to create a string to sign.
• You use your AWS secret access key to derive a signing key, then use that and the string to create a signature.
• You add the resulting signature to the HTTP request in a header
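The four steps above carried out end to end, as an added example that is neither the talk's code nor the AWS SDK's. The request, date and credentials are the IAM ListUsers sample from AWS's Signature Version 4 documentation (AKIDEXAMPLE and its secret are documentation placeholders, not real keys); everything else is the Python standard library.

```python
"""AWS Signature Version 4 for one HTTP request, stdlib only.

Added example, not SDK code. Returns the intermediates as well as the header
because a wrong canonical request is the usual cause of a SignatureDoesNotMatch."""
import hashlib
import hmac
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_request(method, path, query, headers, payload):
    """Step 1: normalise the request so client and AWS hash exactly the same bytes."""
    cquery = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    # Header names lower-cased, values trimmed with runs of spaces collapsed, sorted by name.
    canon = {k.lower(): " ".join(v.strip().split()) for k, v in headers.items()}
    cheaders = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    signed = ";".join(sorted(canon))
    creq = "\n".join([
        method,
        quote(path, safe="/-_.~") or "/",
        cquery,
        cheaders,          # ends with its own newline, giving the blank separator line
        signed,
        sha256_hex(payload),
    ])
    return creq, signed


def string_to_sign(amz_date, scope, creq):
    """Step 2: bind the algorithm, timestamp and credential scope to the request hash."""
    return "\n".join([ALGO, amz_date, scope, sha256_hex(creq.encode())])


def signing_key(secret, date, region, service):
    """Step 3a: the HMAC chain; the long-term secret never signs a request directly."""
    key = hmac.new(("AWS4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in (region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sign_request(method, host, path, query, headers, payload,
                 access_key, secret, region, service, amz_date):
    """Steps 1 to 4: returns the Authorization header plus intermediates for inspection."""
    headers = {**headers, "host": host, "x-amz-date": amz_date}
    creq, signed = canonical_request(method, path, query, headers, payload)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = string_to_sign(amz_date, scope, creq)
    sig = hmac.new(signing_key(secret, date, region, service), sts.encode(), hashlib.sha256).hexdigest()
    auth = f"{ALGO} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    return {"authorization": auth, "canonical_request": creq, "string_to_sign": sts, "signature": sig}


# AWS documentation sample: GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08
SAMPLE = dict(
    method="GET", host="iam.amazonaws.com", path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
    payload=b"",
    access_key="AKIDEXAMPLE",
    secret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam", amz_date="20150830T123600Z",
)


def sign_sample(**overrides):
    return sign_request(**{**SAMPLE, **overrides})


if __name__ == "__main__":
    result = sign_sample()
    print(result["canonical_request"])
    print()
    print(result["string_to_sign"])
    print()
    print(result["authorization"])
```

AWS publishes the canonical request, string to sign and final signature for this exact sample, so each stage of the output can be diffed against the documentation. Because the payload hash is part of the canonical request, a proxy that alters the body invalidates the signature, and because the signing key is scoped to a date, region and service, a leaked derived key is worth far less than the secret access key.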
Takeaways
• Amazon Cognito is great if you are already working in AWS
• When building APIs always keep an eye on what Amazon is doing
• Wherever possible use standards
• Security should always be front and centre when building APIs