I have an API that is currently secured by Identity server 3.
We are moving to AWS Cognito to login.
When a user signs up, I need to call our current API to make sure their username is in our database. How do I do this with a lambda function?
And how can I secure our API (which is hosted on our server), with the Cognito auth?
You can use the pre-sign-up Lambda trigger on Cognito to check the DB.
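As an added illustration of that answer (not code from the answer or from the asker's project), here is a PreSignUp trigger that asks an existing API whether the username is known and rejects the sign-up otherwise. The API base URL and the GET /users/{name} endpoint are assumptions; `lookup_user` is injected so the handler can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

API_BASE = "https://api.example.internal"  # placeholder for the existing API's base URL


class UnknownUserError(Exception):
    """Raised to make Cognito reject the sign-up; the message is surfaced to the client."""


def user_exists_via_api(username: str) -> bool:
    """Ask the existing API whether `username` is in its database.
    Assumes a GET /users/{name} endpoint that answers 200 or 404 (assumption)."""
    url = f"{API_BASE}/users/{quote(username, safe='')}"
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise  # network or server errors must fail closed, not allow the sign-up


def pre_sign_up(event: dict, context=None, lookup_user=user_exists_via_api) -> dict:
    """Cognito PreSignUp trigger: allow self-service sign-ups only for known usernames."""
    # Admin-created and federated users arrive with other triggerSource values;
    # this gate is only for the self-service sign-up path.
    if event.get("triggerSource") != "PreSignUp_SignUp":
        return event
    username = event.get("userName", "")
    if not username or not lookup_user(username):
        raise UnknownUserError("username is not registered with the existing system")
    # Returning the event unchanged lets the normal confirmation flow continue.
    return event


# Constructed sample of the event shape Cognito sends to a PreSignUp trigger.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "PreSignUp_SignUp",
    "userPoolId": "eu-west-1_EXAMPLE",
    "userName": "alice",
    "request": {"userAttributes": {"email": "alice@example.com"}},
    "response": {"autoConfirmUser": False, "autoVerifyEmail": False},
}

if __name__ == "__main__":
    # Offline run with a stand-in lookup instead of the real HTTP call.
    print(pre_sign_up(dict(SAMPLE_EVENT), lookup_user=lambda u: u == "alice")["userName"])
```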
My current stack is like this:
User creates an account via AWS Cognito
A post confirmation lambda is triggered which then adds further user details to a database
My database uses the sub id generated by cognito as the userId so they are the same. I also copy the email address as the Username in my database. My intention is to use Cognito for Authentication and my own database for the functionality of my app.
However, if the user wishes to update their email address I need to amend this in both Cognito and my database. My first attempt made a call to Cognito in my Lambda using admin_update_user_attributes but soon realised it was blocked from making external calls to the internet, so I created a NAT gateway, which worked, but it simply costs way too much!
My second idea was to go through cognito, having my front end make the call and then have cognito trigger a lambda to update my database but I don't think this is possible.
Is there a configuration or something I'm missing to be able to access AWS Cognito via a Lambda through the API Gateway, as they are both AWS services?
I don't want to make two separate calls via my frontend as this creates a risk of one being completed but not the other.
Thanks
A NAT gateway will be needed if you have your Lambda function in a VPC as there are no Cognito VPC endpoints at this time.
List of currently supported AWS services with endpoints.
If you are using a DB like Dynamo, the Lambda function does not need to be in a VPC, so you could achieve the use case you mentioned above.
Another option could be to do the Cognito update asynchronously, so your Lambda could potentially use VPC endpoints to put an object in SQS and then have a Lambda poller (outside the VPC) to poll the messages and update Cognito. Or achieve a similar use case by making use of private API Gateways.
These are just potential ideas which I have not done myself.
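As an added example of the asynchronous option described in the answer above (not code from the answer or from the asker's project): a Lambda inside the VPC records the new email in the app database and enqueues the change to SQS, and a poller Lambda outside the VPC applies it to the user pool with admin_update_user_attributes. The queue URL and pool ID are placeholders; `db`, `sqs` and `cognito` are injected so the logic runs offline, with the boto3 method names and keyword arguments kept as the real ones.

```python
import json

QUEUE_URL = "https://sqs.eu-west-1.amazonaws.com/123456789012/email-changes"  # placeholder
USER_POOL_ID = "eu-west-1_EXAMPLE"  # placeholder

def request_email_change(username: str, new_email: str, db, sqs) -> dict:
    """Runs inside the VPC: persist the change in the app DB, then enqueue it for Cognito.
    `username` is the name the user pool knows the account by."""
    if "@" not in new_email:
        raise ValueError("invalid email address")
    # Record the new address but flag it as not yet synced; the poller clears the flag.
    db.update_user(username, email=new_email, email_synced=False)
    message = {"username": username, "email": new_email}
    return sqs.send_message(QueueUrl=QUEUE_URL, MessageBody=json.dumps(message))

def apply_email_change(event: dict, db, cognito) -> dict:
    """Runs outside the VPC as the SQS poller; returns Lambda's partial-batch failure report
    (the event source mapping must have ReportBatchItemFailures enabled for it to be honoured)."""
    failures = []
    for record in event.get("Records", []):
        try:
            body = json.loads(record["body"])
            # email_verified is deliberately not forced to "true": the new address
            # should go through Cognito's verification rather than be trusted blindly.
            cognito.admin_update_user_attributes(
                UserPoolId=USER_POOL_ID,
                Username=body["username"],
                UserAttributes=[{"Name": "email", "Value": body["email"]}],
            )
            db.update_user(body["username"], email_synced=True)
        except Exception:
            # Report the message as failed so SQS redelivers it instead of dropping the update.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}

class FakeAws:
    """Constructed in-memory stand-in playing the DB, SQS and Cognito roles for offline runs."""
    def __init__(self):
        self.users, self.messages, self.cognito = {}, [], {}

    def update_user(self, username, **fields):
        self.users.setdefault(username, {}).update(fields)

    def send_message(self, QueueUrl, MessageBody):
        self.messages.append(MessageBody)
        return {"MessageId": f"m{len(self.messages)}"}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        self.cognito[Username] = {a["Name"]: a["Value"] for a in UserAttributes}
```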
I am building and testing Lambda functions on my local PC. The Lambdas are exposed through SAM using the "sam local start-api" command and called through JavaScript.
I have now set up a user pool on AWS Cognito (in the cloud). My app is correctly authenticating against the user pool. However, I would like now to pass user information to my Lambdas when I invoke them on my local pc. What I want to achieve is:
My JS web app sends a request with authorization header to my locally hosted Lambdas.
My Lambda accesses the claims through $context.authorizer.claims
And most importantly: the Lambda code should not be specific to my dev environment. I should be able to deploy my Lambdas to the cloud without changing the code.
Question: Is it possible to provide/inject the user claims into the context of a Lambda request on my local dev environment?
My mobile app needs to make secure API calls to on-premise backend services which are not exposed to the internet but accessed only by the mobile client. How can we secure the backend calls via AWS cloud?
Thanks in Advance
AWS does not have an out-of-the-box solution for what you are looking for. Amazon Cognito's Identity component was designed to secure access to AWS APIs, not a developer's. You will have to build your authentication and authorization service for your mobile clients.
Another AWS technology that you may want to consider in your design is Amazon Virtual Private Cloud (VPC), which would allow you to bridge your on-premise network into the AWS cloud. From there you would have to properly secure systems and APIs.
Update 2015-07-09: AWS has announced Amazon API Gateway. Using API Gateway you can build a REST interface to your existing API (or to AWS Lambda functions) secured with credentials retrieved via an Amazon Cognito auth flow. See this blog post for additional announcement details.
Amazon Cognito supports OpenID auth and OAuth. Is it possible to use LDAP instead to authenticate the user?
You can support any authentication system with Cognito, but you will need to use a slightly different authentication flow than existing public providers. Instead of calling Cognito directly from the device you will need to construct your own backend that will handle the authentication then call Cognito to establish the trust of your identity.
Please see the following for more details:
Amazon Cognito : Announcing Developer Authenticated Identities
Understanding Amazon Cognito Authentication Part 2: Developer Authenticated Identities
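As an added example of the developer-authenticated flow the answer above describes (not code from the answer or from the linked articles): the backend authenticates the user against its own directory, here an in-memory stand-in for an LDAP bind, and only then asks Cognito Identity to issue a token for that user id. The identity pool ID and developer provider name are placeholders; `cognito_identity` is injected, with the call matching boto3's get_open_id_token_for_developer_identity.

```python
import hashlib
import hmac
import secrets

IDENTITY_POOL_ID = "eu-west-1:00000000-0000-0000-0000-000000000000"  # placeholder
DEVELOPER_PROVIDER = "login.example.com"  # developer provider name set on the pool (placeholder)

def make_directory_entry(password: str) -> dict:
    """Build a salted PBKDF2 record for the in-memory directory used below."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

def verify_directory_user(username: str, password: str, directory: dict) -> bool:
    """Stand-in for the LDAP bind: constant-time comparison against the stored hash."""
    entry = directory.get(username)
    if entry is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 100_000)
    return hmac.compare_digest(digest, entry["hash"])

def login(username: str, password: str, directory: dict, cognito_identity) -> dict:
    """Backend login: authenticate locally, then have Cognito vouch for the user id."""
    if not verify_directory_user(username, password, directory):
        raise PermissionError("invalid credentials")
    # Cognito never sees the password; it only receives the user id this backend asserts.
    resp = cognito_identity.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER: username},
        TokenDuration=900,  # short-lived; the device exchanges it for AWS credentials
    )
    return {"identity_id": resp["IdentityId"], "token": resp["Token"]}

class FakeCognitoIdentity:
    """Constructed offline stand-in recording the call a real boto3 client would receive."""
    def __init__(self):
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **kwargs):
        self.calls.append(kwargs)
        user = next(iter(kwargs["Logins"].values()))
        return {"IdentityId": f"eu-west-1:id-for-{user}", "Token": f"token-for-{user}"}
```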
I have been looking into whether it is possible to use Shibboleth/SAML with Amazon Web Services.
I'm finding very little information on this. As far as I can tell, it is possible to install Shibboleth/SAML on an EC2 server as a Service Provider.
What I am not so sure on is whether it is possible to tie all of AWS to Shibboleth - and how this would work.
My knowledge of all three is vaguely fuzzy - I've been doing a great deal of reading, but I'm not really familiar with this technology at all.
If I understand you correctly, what you are trying to do is use identity federation to grant a user temporary security credentials to perform AWS API calls. You would like your users to authenticate to your own identity provider (Shibboleth in this case), and be granted access to AWS services based on that authentication.
A good example of this that you can use as a framework is in this AWS sample code.
In a nutshell:
You need a proxy that the users connect to, passing in their authentication credentials. You would then verify them by authenticating to Shibboleth, AD, LDAP or whatever.
You need a Token Vending Machine that your proxy would then call to get a valid AWS secret key using GetFederationTokenRequest.
Your client would then use the token given to it to make the AWS API calls.
The concepts of federated identity include terms like STS, SP, and IdP, if you are looking for a starting place to research the topic more.
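As an added example of the Token Vending Machine step in the answer above (not the AWS sample code it links to): after the proxy has authenticated the user against Shibboleth, it calls STS GetFederationToken with a per-user, least-privilege session policy. The bucket name is a placeholder; `sts` is injected so the code runs offline, with the call matching boto3's get_federation_token.

```python
import json
import re

BUCKET = "example-user-data"  # placeholder bucket the federated user may touch
USER_ID_RE = re.compile(r"[A-Za-z0-9._@-]{2,32}")  # also satisfies GetFederationToken's Name rules

def session_policy(user_id: str) -> dict:
    """Least-privilege policy confining the temporary credentials to the user's own prefix."""
    # The id is interpolated into an ARN, so reject anything outside a strict character set;
    # a '*' or '?' here would widen the scope of the vended credentials.
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("user id not safe for a federation name or policy resource")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{user_id}/*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": [f"{user_id}/*"]}}},
        ],
    }

def vend_token(user_id: str, sts, duration_seconds: int = 900) -> dict:
    """Token Vending Machine step: called by the proxy after the IdP has authenticated the user."""
    policy = session_policy(user_id)
    resp = sts.get_federation_token(
        Name=user_id,                   # appears in CloudTrail as the federated user
        Policy=json.dumps(policy),      # intersected with the calling IAM user's permissions
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}

class FakeSts:
    """Constructed offline stand-in that records the request and returns dummy credentials."""
    def __init__(self):
        self.calls = []

    def get_federation_token(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "session", "Expiration": "2015-07-09T00:00:00Z"},
                "FederatedUser": {"FederatedUserId": f"123456789012:{kwargs['Name']}"}}
```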