Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Who are you? OIDC Authentication with AWS Cogni...

Wekoslav Stefanovski
October 20, 2023
0
11

Who are you? OIDC Authentication with AWS Cognito - The good, the bad and the ugly

Each and every application needs users and therefore, they need to verify the identity of those users. Increasingly, and with good reason, that functionality is outsourced to a third-party provider, with AWS Cognito being one of the most used examples. This talk will cover some of the most common patterns of authentications used with Cognito, and how you can actually manage modern authentication for your product.

Wekoslav Stefanovski

October 20, 2023
Tweet

More Decks by Wekoslav Stefanovski

See All by Wekoslav Stefanovski
How to Mess up JWTs: A Practioner's Guide
sweko
0
67
How to mess up with JWT's - a practitioner's guide
sweko
0
85
Make you a redux for fun and profit
sweko
0
81
Why JavaScript when you can see sharp?
sweko
0
100

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
bluesmoon
4
180
Gamification - CAS2011
davidbonilla
80
5.1k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Writing Fast Ruby
sferik
628
61k
The Invisible Side of Design
smashingmag
298
50k
Designing for Performance
lara
604
68k
Bash Introduction
62gerente
609
210k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The Language of Interfaces
destraynor
155
24k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.2k

Transcript

  1. Who are you? OIDC Authentication with AWS Cognito - The

    good, the bad and the ugly Wekoslav Stefanovski - @swekster

  2. >whoami • Head of Development in Sourcico Macedonia • Coding

    professionally since last century • I love programming, I love programmers • Long and fruitful love relationship with all kinds of servers • Long and fruitful love/hate relationship with clouds • Prodigiously lazy, so few slides (some live coding though) @swekster

  3. >agenda • History of authentication • Overview of OIDC •

    Rant about JWT’s • What is Cognito • The good • The bad • The ugly @swekster

  4. >auth-history • No passwords, no problems • Plain text •

    Harebrained home grown “encryption” • What’s this salt thing? • OPP Approach @swekster

  5. >password --store=cloud • You don’t need to secure the passwords

    • Best practices out of the box • Extensibility is build-in • MFA • SSO • OpenID/OAuth @swekster

  6. >auth-oidc • Use somebody else to authenticate the user •

    Contract between a site (service provider) and some bigger site (identity provider) • Can be a better user experience • Privacy concerns (but that’s dead anyway) • Lot’s of JWT @swekster

  7. >jwt-verify --rant=true • JWT’s ARE NOT MAGIC !!!1! • Header.Payload.Signature

    • No automatic verification • No manual revocation • A tool for better experience and security @swekster

  8. >cognito • Amazon’s version of authentication provider • The users

    are kept inside user pools • Easy to set up • Lots of options @swekster

  9. >cognito --property=good • Custom attributes • JWT’s • Great API

    (either through Amplify or directly) • Great CLI • Easy Flow hooks @swekster

  10. >cognito --property=bad • Lots of options are create-only • Unable

    to sort on custom attributes • Unable to customize tokens • Missing support for some password reset flows @swekster

  11. >cognito --property=ugly • The Console UI was barely functional, now

    it’s somewhat better • Auto generated resource id’s (nightmare for Terraform) • Ugly and hard-to-customize preset UI • No support for refresh token rotation @swekster

  12. >swekster-setup • Cognito for password and profile management • Backend

    service for administration • SSO through Cognito with service orchestration • Redis Cache for ease of access • SES for emails with templates • Separate authorization service @swekster

  13. Contact Info • Email: [email protected] • Twitter: @swekster • Youtube:

    https://www.youtube.com/@swekster • Linked In: https://www.linkedin.com/in/swekster/ @swekster