Reputation: 71
I’d like to ask a little help from my friends.
It is essentially about OpenID/OAuth flows; I am a little confused about the flow types.
Currently I am working on a modernization project and I need to establish a new authentication / authorization flow for legacy and new components.
My doubts are regarding what implementation I should do and which I should use from the authorization server, i.e.:
Flow 1 and Flow 3
User will supply login credentials to a Web MVC application and it should authenticate in Cognito and return a token. (1a / 1b) (3a / 3b) In subsequent interactions with BFF 1 / 2 and other microservices, I will pass the same token, right? What is the right way to validate this token in the backend? (4)
Flow 2
Some external users are able to access systems via APIs using basic credentials (login/password). In the modernization scenario, what should be indicated to them? Client ID / Client Secret? Or is it OK to use login / password to get a token?
Many thanks for your help.
Upvotes: 0
Views: 599
Reputation: 3865
None of those flows are OAuth2 and strictly speaking, nothing about your diagrams relates to OpenID.
In subsequent interactions with BFF 1 / 2 and other microservices, I will pass the same token, right?
Yes, you can use the access token or id token to authorize future requests.
What is the right way to validate this token in the backend?
The tokens generated by Cognito are all asymmetrically signed JWTs. You can verify the signature using any JOSE/JWT library. https://jwt.io/ has a good list at the bottom of the page. Cognito doesn't currently support token introspection, so your resources are not able to pass the token to Cognito for verification as your diagram shows.
Some external users are able to access systems via APIs using basic credentials (login/password). In the modernization scenario, what should be indicated to them? Client ID / Client Secret? Or is it OK to use login / password to get a token?
This should be a client credentials grant. However, Cognito's implementation is pretty sloppy and doesn't support rotating secrets. Additionally, if you are relying on ID tokens, those are not supported by this grant type. Password grant is technically supported by Cognito but would allow any user to authenticate with username and password through the client. The best option might be to create a custom auth challenge and handle your authentication through that.
Upvotes: 1