Reputation: 93
I'm developing an application using Angular + Serverless (AWS).
I'm a newbie in AWS and I'm trying to understand how to implement authentication and authorization. I understood that AWS has the Cognito User Pool (user directory) and Cognito Identity Provider (for authentication) but I don't know how to configure them to my use case.
I'd like to implement a fine-grained authorization mechanism. In this authorization mechanism, I shall have permissions, each per feature (e.g. show users, add user, update user, delete user, etc.), and roles (e.g. free, premium, admin, etc.) that contain a collection of permissions.
Every user shall be assigned to a role and gets the permissions of that role. In the Angular app, I'd like to see these permissions to enable or disable the corresponding feature (e.g. if the user has permission to add a user, show the add button).
In this way, I can dynamically change the permissions of a role, and this is automatically reflected in what the user can do without any change in the Angular app.
I'm used to implementing this with Spring Security where each feature is a role (e.g. ROLE_ADD_USER) and they are grouped in role groups (e.g. GROUP_ADMIN). In this way, the user is assigned to a role group and during login, I return, in addition to the access token, all roles (permissions) of the user.
Can someone help me to figure out how to implement this using AWS Cognito and IAM?
Upvotes: 0
Views: 191
Reputation: 2889
Authorization needs to be implemented server-side.
Your serverless app will need to check, for each request, whether the user is authorized or not. Any authorization features in your Angular app only provide "security through obscurity". When your Angular app connects to your serverless backend, it does so through an HTTP request. It is theoretically relatively trivial to capture such a request and change it. Nothing you do in your Angular app can protect you from this, which is why you need to verify every single request.
The only functionality you should implement in your Angular app is showing or hiding UI elements depending on the user's group and permissions. Keep in mind though that this is only to make the app more accessible and does not increase security; anyone can easily modify the app's code in their browser to show UI elements that are meant to be hidden.
Make sure your server is secure and all requests are authorized in the backend.
You can find out more about the options of securing your serverless app here: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-controlling-access-to-apis.html
Upvotes: 1