rabindranat

Reputation: 11

AWS Cognito Authentication without client SDK

TL;DR How do I provide access for authenticated/unauthenticated users to my movie search API via AWS Cognito without embedding the Cognito SDK on the client side?

AWS Cognito documentation states that you have to deploy client SDK into your application. I want to avoid embedding my API implementation externally to a specific provider. For instance, maybe in the future I will use Google Firebase or any other IdP. Therefore, I don't want to have a deep integration on the client side with Cognito. What is the recommended way to isolate AWS Cognito (or any IdP) from the client-side?

Upvotes: 1

Views: 934

Answers (2)

sjcoder

Reputation: 1

One option would be to:

  1. Deploy your API as an HTTP(S) proxy in API Gateway.

  2. Add an API Gateway resource policy to allow operations from an IAM role

  3. Create a Cognito User Pool with authenticated users that assume that IAM role

  4. Add the APIGateway as a resource server to the Cognito User Pool

  5. Allow users to sign in via the AWS CLI and obtain an access token

  6. Use the access token in calls to the APIGateway endpoint

Upvotes: 0

Ashan

Reputation: 19758

You can hide the Cognito service behind a backend both for authenticated/unauthenticated users. This comes with several challenges.

  • For authentication, if you use Cognito User Pools or any public identity provider, you will need to validate the tokens issued by them behind the backend service as well.
  • For unauthenticated identities, you need to track them using a manual mechanism and send that information to the backend to initiate an unauthenticated user.
  • You won't be able to access AWS services directly from the browser for purposes such as uploading files to S3 (which requires the AWS SDK), etc. (one of the key advantages of AWS Cognito Federated Identities).

Upvotes: 1
