Setting up a machine-to-machine authentication system with Amazon Cognito

Published 2020-09-18 (modified 2022-09-07) at https://blog.besharp.it/setting-up-machine-to-machine-authentication-with-amazon-cognito/
More and more applications, both mobile and web, rely on managed services such as Amazon Cognito for user authentication and authorization. Cognito allows you to rapidly develop secure applications that adhere to recognized security standards for authenticating and authorizing end users.

Leveraging a fully managed service allows developers to stop worrying about the authentication flow and user pool management, leaving them free to focus on what matters: the business logic of their products.

However, quite often we would like to federate a third-party service or another microservice with our application.

While Cognito is mainly used for user authentication flows, it can also be used to build a machine-to-machine authentication system.

In this article we’ll describe how Cognito can be used to authenticate a client system that needs access to a set of sensitive APIs exposed by a service.

However, before diving into the solution, it is useful to describe the services involved.
What is Amazon Cognito?

When you need to implement an authorization and authentication system on AWS, Amazon Cognito is your best choice.

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. It scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and with enterprise identity providers via SAML 2.0.

Furthermore, Cognito supports multi-factor authentication and encryption of data at rest and in transit. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.

Let’s move on to describe the main concepts of Cognito.

Users are managed through two types of pools, which are at the heart of Amazon Cognito’s operation: User Pools and Identity Pools.
User Pool

A user pool is essentially a user directory that allows you to securely store your users’ profile attributes. This is a convenient way to completely off-load user profile management, security, and availability. Among the operations that can be off-loaded are the secure storage of user data, the verification of telephone numbers and/or e-mail addresses, the management of the login system APIs, and the registration, login, logout, and password reset flows.

In addition to using the Amazon Cognito-specific user APIs to authenticate users, Amazon Cognito user pools also support the OAuth 2.0 protocol to authenticate users or applications.

User pools are a fundamental component of any authentication system based on Amazon Cognito, and we will leverage this component to build our machine-to-machine authentication system.
Identity Pool

We are not going to use Identity Pools for this specific scenario, but it is useful to describe them briefly.

Identity pools are used by Cognito Identity to keep the application’s federated identities organized. An identity pool associates federated identities from external identity providers with a unique, specific user identifier. Identity pools do not store user profiles, only their unique IDs, which are generated and managed by Cognito. Cognito identity pools assign users a set of temporary IAM credentials with limited privileges. Users or client applications can use those credentials to access AWS resources. Authorization rules for each user are controlled through customizable AWS IAM roles and policies. It is also possible to define rules that match users to the desired role.

Now that we’ve defined all the fundamental concepts, we can move on to the central part of our article.
System-to-system Authentication Flow

Let’s start by defining the authentication flow that we will configure in the next steps.