(MBL401) Social Logins for Mobile Apps with Amazon Cognito | AWS re:Invent 2014

DESCRIPTION

Streamline your mobile app sign-up experience with Amazon Cognito. In this session, we demonstrate how to use Cognito to build secure mobile apps without storing keys in them. Learn how to apply policies to existing Facebook, Google, or Amazon identities to secure access to AWS resources, such as personnel files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.

TRANSCRIPT
Amazon Cognito covers three areas (related sessions: MBL310, MBL311, MBL301):

• Identity Management: manage authenticated and guest users across identity providers (web identity federation, guest access, or your own authentication system).
• Data Synchronization: synchronize a user's data across devices and platforms via the cloud.
• Secure AWS Access: securely access AWS services from mobile devices and platforms.
• Identity Pool: Pool of app users. Can be shared across apps.
• Identity: An individual user. Consistent across identity providers. Can be a guest user.
• Login: Identifier in a login provider.

[Diagram: relationships between AWS Account, Identity Pool, Identity, Login and Dataset; cardinalities shown on the slide: 1:60, 1:n, 0:n.]
1. Sign up for an AWS account and log in to the AWS Management Console.
2. Download and integrate the AWS Mobile SDK.
3. Create an identity pool for authenticated and unauthenticated users in the AWS Management Console.
[Diagram: Login → Cognito → AssumeRoleWithWebIdentity → STS. The app logs in with an identity provider, Cognito resolves the identity, and STS issues AWS credentials through AssumeRoleWithWebIdentity. All this is handled by the credentials provider.]

– Identity Provider Access
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "unauthenticated"
      }
    }
  } ]
}

• The "Principal" of "cognito-identity.amazonaws.com" defines that we should trust Cognito.
• The "cognito-identity.amazonaws.com:aud" condition defines that we should trust identities from our pool.
• The "cognito-identity.amazonaws.com:amr" condition defines that we should trust unauthenticated identities.
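The three conditions above are easiest to understand by evaluating the trust policy against a few token claim sets. The following Python is an added example, not code from the talk or from AWS: a deliberately small model of how STS checks a role's trust policy (Allow statements, StringEquals and ForAnyValue:StringLike only, no explicit Deny). The identity pool ID is the slide's sample value; the claim shapes for the constructed tokens (aud, amr, sub) are assumptions about what a Cognito-issued token carries and are marked as such.

```python
import json
import re

COGNITO = "cognito-identity.amazonaws.com"
# Identity pool ID is the slide's own sample value.
POOL_ID = "us-east-1:12345678-dead-beef-cafe-123456790ab"

# Trust policy for the unauthenticated role, exactly as shown on the slide.
UNAUTH_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "unauthenticated"
      }
    }
  } ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(operator, expected, actual):
    """Evaluate one condition operator for one context key.
    Only the two operators the slide's policy uses are implemented."""
    patterns = _as_list(expected)
    if operator == "StringEquals":
        return isinstance(actual, str) and actual in patterns
    if operator == "ForAnyValue:StringLike":
        # amr is multi-valued: pass if any of its values matches any pattern.
        return any(string_like(v, p) for v in _as_list(actual) for p in patterns)
    raise ValueError(f"unsupported operator: {operator}")


def statement_allows(statement, principal, action, context):
    if statement["Effect"] != "Allow":
        return False
    if statement["Principal"].get("Federated") != principal:
        return False
    if action not in _as_list(statement["Action"]):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            # A context key absent from the request fails the condition.
            if key not in context or not condition_matches(operator, expected, context[key]):
                return False
    return True


def can_assume(policy, context, principal=COGNITO, action="sts:AssumeRoleWithWebIdentity"):
    """True if any statement in the trust policy allows the assume-role call."""
    return any(statement_allows(s, principal, action, context) for s in policy["Statement"])


def token_context(pool_id, amr):
    """Constructed request context: the claims STS sees in a Cognito-issued token (assumed shape)."""
    region = pool_id.split(":")[0]
    return {f"{COGNITO}:aud": pool_id, f"{COGNITO}:amr": list(amr), f"{COGNITO}:sub": f"{region}:example-identity-id"}


def evaluate_samples():
    """Run the slide's unauthenticated-role policy against several constructed tokens."""
    other_pool = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed, not ours
    return {
        "guest_from_our_pool": can_assume(UNAUTH_TRUST_POLICY, token_context(POOL_ID, ["unauthenticated"])),
        # amr values for a provider-authenticated identity are illustrative.
        "facebook_user_from_our_pool": can_assume(UNAUTH_TRUST_POLICY, token_context(POOL_ID, ["authenticated", "graph.facebook.com"])),
        "guest_from_other_pool": can_assume(UNAUTH_TRUST_POLICY, token_context(other_pool, ["unauthenticated"])),
        "token_not_issued_by_cognito": can_assume(UNAUTH_TRUST_POLICY, token_context(POOL_ID, ["unauthenticated"]), principal="www.amazon.com"),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_samples().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

Only the guest token from our own pool is allowed; a token from another pool fails the aud check, an authenticated identity fails the amr check, and a token not issued by Cognito fails the principal check. The authenticated role's trust policy is the same shape with "authenticated" in place of "unauthenticated".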
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "mobileanalytics:PutEvents",
      "cognito-sync:*"
    ],
    "Effect": "Allow",
    "Resource": [ "*" ]
  }]
}

Grants access to Analytics and Cognito Sync. May seem too permissive, but Cognito Sync prevents identities from accessing others' data.
${cognito-identity.amazonaws.com:sub}

Will be replaced by the identity ID.
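Cognito Sync scopes data per identity on the service side, but for a service like S3 the scoping has to come from the policy, and that is what the ${cognito-identity.amazonaws.com:sub} variable is for. The following Python is an added example, not code from the talk or from AWS: a constructed access policy that confines each identity to its own S3 prefix, plus a small evaluator that expands the variable the way IAM does and checks which requests it admits. The bucket name and the identity IDs are constructed placeholders, and the evaluator handles Allow statements and StringLike conditions only.

```python
import re

COGNITO = "cognito-identity.amazonaws.com"

# Constructed access policy (not from the slides) for the authenticated role:
# each identity may only touch objects under a prefix equal to its own identity ID.
# "example-personnel-files" is a placeholder bucket name.
SCOPED_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-personnel-files/${cognito-identity.amazonaws.com:sub}/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-personnel-files"],
            "Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}},
        },
    ],
}

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute(template, context):
    """Expand ${key} policy variables from the request context, as IAM does at evaluation
    time. A variable with no value in the context stays literal, so it matches no real path."""
    return VARIABLE.sub(lambda m: context.get(m.group(1), m.group(0)), template)


def wildcard_match(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, context, action, resource):
    """Simplified evaluator: Allow statements and StringLike conditions only, no explicit Deny."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(wildcard_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    # The variable is expanded inside the Resource ARN before matching.
    if not any(wildcard_match(substitute(r, context), resource) for r in _as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise ValueError(f"unsupported operator: {operator}")
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(wildcard_match(substitute(p, context), context[key]) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, context, action, resource):
    return any(statement_allows(s, context, action, resource) for s in policy["Statement"])


def evaluate_samples():
    """Alice's credentials (constructed identity IDs) tried against her own and Bob's objects."""
    bucket = "arn:aws:s3:::example-personnel-files"
    alice_sub = "us-east-1:aaaaaaaa-1111-1111-1111-111111111111"
    bob_sub = "us-east-1:bbbbbbbb-2222-2222-2222-222222222222"
    alice = {f"{COGNITO}:sub": alice_sub}  # what STS injects for Alice's session
    return {
        "read_own_object": is_allowed(SCOPED_S3_POLICY, alice, "s3:GetObject", f"{bucket}/{alice_sub}/payslip.pdf"),
        "read_other_identity_object": is_allowed(SCOPED_S3_POLICY, alice, "s3:GetObject", f"{bucket}/{bob_sub}/payslip.pdf"),
        "list_own_prefix": is_allowed(SCOPED_S3_POLICY, {**alice, "s3:prefix": f"{alice_sub}/"}, "s3:ListBucket", bucket),
        "list_whole_bucket": is_allowed(SCOPED_S3_POLICY, {**alice, "s3:prefix": ""}, "s3:ListBucket", bucket),
        "delete_own_object": is_allowed(SCOPED_S3_POLICY, alice, "s3:DeleteObject", f"{bucket}/{alice_sub}/payslip.pdf"),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_samples().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

The ListBucket statement matters in practice: without the s3:prefix condition, any identity could enumerate every other identity's object keys even though it could not read them.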
Your own username and password

Your own user authentication system: several apps prefer to have their own username and password instead of public identity providers for authentication.

Manage mappings easily: Cognito manages the mappings across login systems (public or private) using a unique Cognito ID.

Easily integrate with existing systems: implement GetOpenIdTokenForDeveloperIdentity() using our server-side SDKs like Java, Python, Ruby, etc.
[Diagram: Login → GetOpenIdTokenForDeveloperIdentity → AssumeRoleWithWebIdentity. The app logs in to your own authentication system, your backend calls GetOpenIdTokenForDeveloperIdentity, and the app's credentials provider calls AssumeRoleWithWebIdentity. This is handled by the credentials provider.]

How does this feed into the credentials provider?

[Diagram: access_token → GetOpenIdTokenForDeveloperIdentity → AssumeRoleWithWebIdentity. This can be handled by a custom AWSIdentityProvider.]
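The developer-authenticated flow above keeps the AWS credentials and the user database on your backend: the app sends its own username and password, the backend verifies them and calls GetOpenIdTokenForDeveloperIdentity, and the app receives only an identity ID and a short-lived OpenID token to hand to its credentials provider. The following Python is an added example, not code from the talk or from AWS. The boto3 method name get_open_id_token_for_developer_identity and its IdentityPoolId, Logins and TokenDuration parameters are real; the FakeCognitoIdentity client that stands in for it so the example runs offline, the developer provider name login.example.app, and the user records are constructed. The identity pool ID is the slide's sample value.

```python
import hashlib
import hmac
import secrets

# Slide's sample identity pool ID. The developer provider name is a placeholder; it is the
# name you configure on the identity pool when enabling developer-authenticated identities.
IDENTITY_POOL_ID = "us-east-1:12345678-dead-beef-cafe-123456790ab"
DEVELOPER_PROVIDER_NAME = "login.example.app"


class FakeCognitoIdentity:
    """Constructed offline stand-in for the one call the backend makes on the real client,
    boto3.client("cognito-identity").get_open_id_token_for_developer_identity(...).
    Like the service, it maps each (provider, developer user id) pair to one stable identity ID."""

    def get_open_id_token_for_developer_identity(self, IdentityPoolId, Logins, TokenDuration=900):
        provider, user_id = next(iter(Logins.items()))
        region = IdentityPoolId.split(":")[0]
        d = hashlib.sha256(f"{provider}:{user_id}".encode()).hexdigest()
        identity_id = f"{region}:{d[:8]}-{d[8:12]}-{d[12:16]}-{d[16:20]}-{d[20:32]}"
        # The real service returns a signed OpenID token; this one is a constructed placeholder.
        return {"IdentityId": identity_id, "Token": f"constructed-openid-token.{identity_id}.{TokenDuration}"}


class DeveloperAuthBackend:
    """Your server-side login endpoint. It holds the AWS credentials and the user database;
    the mobile app never receives either, only an identity ID and a short-lived token."""

    def __init__(self, cognito_client, pool_id=IDENTITY_POOL_ID, provider=DEVELOPER_PROVIDER_NAME):
        self._cognito = cognito_client
        self._pool_id = pool_id
        self._provider = provider
        self._users = {}  # username -> (salt, password hash, stable developer user identifier)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        # The developer user identifier is what Cognito maps to an identity; it must be
        # stable for the lifetime of the account and never reused for another person.
        user_id = f"user-{len(self._users) + 1:06d}"
        self._users[username] = (salt, self._hash(salt, password), user_id)

    def login(self, username, password):
        """Verify the app's own credentials, then exchange them for a Cognito OpenID token.
        Returns None on failure; on success, only what the credentials provider needs."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored_hash, user_id = record
        if not hmac.compare_digest(stored_hash, self._hash(salt, password)):
            return None
        resp = self._cognito.get_open_id_token_for_developer_identity(
            IdentityPoolId=self._pool_id,
            Logins={self._provider: user_id},  # our identifier for the user, never the password
            TokenDuration=900,  # seconds; keep it short, the app can refresh
        )
        return {"identity_id": resp["IdentityId"], "token": resp["Token"]}


if __name__ == "__main__":
    backend = DeveloperAuthBackend(FakeCognitoIdentity())
    backend.register("alice", "correct horse battery staple")
    print(backend.login("alice", "correct horse battery staple"))
    print(backend.login("alice", "wrong password"))
```

On the device, the custom AWSIdentityProvider supplies the returned identity ID and token to the credentials provider, which performs AssumeRoleWithWebIdentity; the backend's own AWS keys are never shipped in the app.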
• AWS Mobile Home: http://aws.amazon.com/mobile
• AWS Mobile Blog: http://mobile.awsblog.com
• Twitter: @awsformobile
• Forums: http://forums.aws.amazon.com
• StackOverflow: http://stackoverflow.com/tags/amazon-cognito
• GitHub: http://github.com/aws/ and http://github.com/awslabs/
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals