GallJ93

Reputation: 623

Access Key to Replace Authentication for AWS

We are developing a web application in AWS which stores its users in Cognito. As part of this, we are required to have an integration with an existing desktop application, where the administrator of a client can create a read-only user for the website for data sent from the desktop app.

Because of this read-only user requirement, there has to be a user associated with the authentication for each instance of the desktop app installation. This is no problem, as we are happy that all local users of the desktop application have their data logged to the same place in the web application. The tricky part is that we are not able to have the username and password as common knowledge for the end-users of the desktop app.

It has been suggested that we could use token-based access to allow the desktop app to access our API, but these are all time limited and we would not be able to have the user re-authenticate each day. However, another suggestion is to create our own "key" which contains the username and password of the Cognito user in such a way that the application will be able to use it, such as encrypting the username and password with the decryption key available to the desktop app so that it can authenticate as that user itself without the end users having access to the account details.

I would like to know if there is currently any best practice way of handling a requirement like this that is better than what we currently have available.

To summarise:

Thanks for any help.

Upvotes: 0

Views: 91

Answers (1)

Brian Winant

Reputation: 3035

Unfortunately this requirement:

"We need a way to provide a key that will allow the desktop application to authenticate itself against the API in such a way that the token will not need to be refreshed over time"

is not going to be possible with Cognito. Assuming you are using Cognito user pools, the id and access tokens obtained on authentication are only valid for 1 hour, then they have to be refreshed using the refresh token. The refresh token can be configured to be valid for a really long time (years even), so you could set up a flow where:

  • The app authenticates itself against Cognito once
  • Gets a refresh token that is valid for a really long time
  • Throws away the original encrypted username/password
  • Uses the refresh token to get a new id/access token every hour

You would have to store the refresh token on the client somewhere though. And probably have a support mechanism where this process could be restarted on the client in case the refresh token is lost.

If you are using Cognito user pools, you are going to have to do token refreshes. The same is true if you are using Cognito identity pools: the AWS credentials provided by the identity pool are only valid for 1 hour, then they have to be refreshed.

Upvotes: 1
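As an added example (not code from the question or the answer), the refresh-token flow the answer outlines, written against the `initiate_auth` call of boto3's `cognito-idp` client: log in once with `USER_PASSWORD_AUTH`, keep only the refresh token, and exchange it for a fresh access token whenever the hourly one is about to expire. `FakeCognito` is a constructed stand-in so the block runs offline; the client id, user name and token strings are placeholders, and the app client is assumed to have no client secret (so no `SECRET_HASH` is sent).

```python
import time

class CognitoRefreshSession:
    """Keeps only a Cognito refresh token after the first login. ``client`` is anything
    with boto3's cognito-idp ``initiate_auth``, e.g. ``boto3.client("cognito-idp")``.
    Assumes a public app client (no secret), so no SECRET_HASH is sent."""

    def __init__(self, client, client_id, clock=time.time):
        self.client, self.client_id, self.clock = client, client_id, clock
        self.refresh_token, self._access_token, self._expires_at = None, None, 0.0

    def login(self, username, password):
        # One-time USER_PASSWORD_AUTH; the password is not kept afterwards.
        resp = self.client.initiate_auth(
            ClientId=self.client_id, AuthFlow="USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password})
        self._store(resp["AuthenticationResult"])
        return self.refresh_token  # caller persists this (e.g. OS credential store)

    def resume(self, refresh_token):
        # Restart from a persisted refresh token; no username/password needed.
        self.refresh_token, self._access_token, self._expires_at = refresh_token, None, 0.0

    def access_token(self):
        # Reuse the cached token until 60 s before expiry, then refresh it.
        if self._access_token is None or self.clock() >= self._expires_at - 60:
            resp = self.client.initiate_auth(
                ClientId=self.client_id, AuthFlow="REFRESH_TOKEN_AUTH",
                AuthParameters={"REFRESH_TOKEN": self.refresh_token})
            self._store(resp["AuthenticationResult"])
        return self._access_token

    def _store(self, result):
        self._access_token = result["AccessToken"]
        self._expires_at = self.clock() + result["ExpiresIn"]
        # Refresh responses carry no RefreshToken unless rotation is on; keep ours.
        self.refresh_token = result.get("RefreshToken", self.refresh_token)

class FakeCognito:
    """Constructed offline stand-in for cognito-idp that issues 1-hour tokens."""
    def __init__(self):
        self.refreshes = 0
    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        if AuthFlow == "USER_PASSWORD_AUTH":
            return {"AuthenticationResult": {"AccessToken": "access-0", "IdToken": "id-0",
                                             "RefreshToken": "refresh-xyz", "ExpiresIn": 3600}}
        if AuthFlow != "REFRESH_TOKEN_AUTH" or AuthParameters["REFRESH_TOKEN"] != "refresh-xyz":
            raise ValueError("NotAuthorizedException")
        self.refreshes += 1
        return {"AuthenticationResult": {"AccessToken": f"access-{self.refreshes}", "ExpiresIn": 3600}}
```

With a real client, pass `boto3.client("cognito-idp")` and persist the value returned by `login()` in the OS credential store rather than in clear text on disk; `resume()` is the restart path the answer mentions for when the stored refresh token is lost or rotated.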
