
Who are you? OIDC Authentication with AWS Cognito - The good, the bad and the ugly

Wekoslav Stefanovski
October 20, 2023
Each and every application needs users and therefore needs to verify the identity of those users. Increasingly, and with good reason, that functionality is outsourced to a third-party provider, with AWS Cognito being one of the most used examples. This talk will cover some of the most common authentication patterns used with Cognito, and how you can actually manage modern authentication for your product.


Transcript

  1. Who are you? OIDC Authentication with AWS Cognito - The good, the bad and the ugly Wekoslav Stefanovski - @swekster
  2. >whoami • Head of Development in Sourcico Macedonia • Coding professionally since last century • I love programming, I love programmers • Long and fruitful love relationship with all kinds of servers • Long and fruitful love/hate relationship with clouds • Prodigiously lazy, so few slides (some live coding though) @swekster
  3. >agenda • History of authentication • Overview of OIDC • Rant about JWTs • What is Cognito • The good • The bad • The ugly @swekster
  4. >auth-history • No passwords, no problems • Plain text • Harebrained home-grown “encryption” • What’s this salt thing? • OPP Approach @swekster
  5. >password --store=cloud • You don’t need to secure the passwords • Best practices out of the box • Extensibility is built-in • MFA • SSO • OpenID/OAuth @swekster
  6. >auth-oidc • Use somebody else to authenticate the user • Contract between a site (service provider) and some bigger site (identity provider) • Can be a better user experience • Privacy concerns (but that’s dead anyway) • Lots of JWTs @swekster
  7. >jwt-verify --rant=true • JWTs ARE NOT MAGIC !!!1! • Header.Payload.Signature • No automatic verification • No manual revocation • A tool for better experience and security @swekster
  8. >cognito • Amazon’s version of authentication provider • The users are kept inside user pools • Easy to set up • Lots of options @swekster
  9. >cognito --property=good • Custom attributes • JWTs • Great API (either through Amplify or directly) • Great CLI • Easy Flow hooks @swekster
  10. >cognito --property=bad • Lots of options are create-only • Unable to sort on custom attributes • Unable to customize tokens • Missing support for some password reset flows @swekster
  11. >cognito --property=ugly • The Console UI was barely functional, now it’s somewhat better • Auto-generated resource IDs (nightmare for Terraform) • Ugly and hard-to-customize preset UI • No support for refresh token rotation @swekster
  12. >swekster-setup • Cognito for password and profile management • Backend service for administration • SSO through Cognito with service orchestration • Redis Cache for ease of access • SES for emails with templates • Separate authorization service @swekster
  13. Contact Info • Email: [email protected] • Twitter: @swekster • YouTube: https://www.youtube.com/@swekster • LinkedIn: https://www.linkedin.com/in/swekster/ @swekster