Integrating Cognito with Auth0: https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps
Secure AWS API Gateway Endpoints Using Custom Authorizers
https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers
https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers#how-api-gateway-custom-authorizers-work
You can use the custom authorizer to implement different types of authorization strategies, including JWT verification, to return IAM policies authorizing the request. If the policy returned is invalid or if the permissions are denied, the API call fails.
For a valid policy, API Gateway caches the returned policy, associating it with the incoming token and using it for the current and subsequent requests. You can configure the amount of time for which the policy is cached. The default value is 300 seconds, and the maximum caching length is 3600 seconds (you can also set the value to 0 to disable caching).
How to Set Up AWS for Delegated Authentication:
https://auth0.com/docs/aws-api-setup
API authorization
https://auth0.com/docs/api-auth
Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway
https://aws.amazon.com/blogs/compute/secure-api-access-with-amazon-cognito-federated-identities-amazon-cognito-user-pools-and-amazon-api-gateway/
Call APIs from Highly Trusted Applications
https://auth0.com/docs/api-auth/grant/password
Amazon API Gateway Tutorial Introduction
https://auth0.com/docs/integrations/aws-api-gateway/delegation
Configure IAM and Auth0 for SAML Integration with the API Gateway
https://auth0.com/docs/integrations/aws-api-gateway/delegation/part-2#1-configure-iam-and-auth0-for-saml-integration-with-the-api-gateway
Secure AWS API Gateway Endpoints Using Custom Authorizers
https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers
https://auth0.com/docs/protocols/oauth2
By default, Auth0 generates Access Tokens for API Authorization scenarios in JSON Web Token (JWT) format. A JWT consists of three parts: a header, a payload, and a signature.
The permissions represented by the Access Token are, in OAuth 2.0 terms, known as scopes. When an application authenticates with Auth0, it specifies the scopes it wants. If the user authorizes those scopes, the Access Token will represent these authorized scopes.
https://auth0.com/docs/protocols/oauth2#authorization-grant-types
Grant type | Description |
---|---|
Authorization Code (Regular Web App Login Flow) | Used by regular web apps, i.e. apps with client/server components that run (at least partly) on a server rather than only in the browser. The end user owns the resource. The token is kept on the server and never passes through the user's browser: the authorization code + Client ID + Client Secret (the "client" here is the backend server) are used for authentication and exchanged for the access (bearer) token. Everything happens on the backend. |
Implicit (Single-Page Login Flow) | Used by JavaScript-centric apps (Single Page Applications) running in the user's browser. The end user owns the resource. The access (bearer) token is used for authentication and is stored in the browser. |
Resource Owner Password Credentials | Used by highly trusted apps. The end user still owns the resource. The end user's username and password are sent in plain text for authentication. |
Client Credentials (Machine to machine) | Used for machine-to-machine communication, where the client (e.g. a cron job) is itself the resource owner. The Client ID / Client Secret are used for authentication. |
Choosing the grant flow: https://auth0.com/docs/api-auth/which-oauth-flow-to-use
JWT claim | Meaning |
---|---|
Token audience (`aud`) | The aud claim identifies the recipients that the JWT is intended for. The value must match the Client ID of your Auth0 Application. |
An Auth0 Application represents your application in Auth0. You first need to define the Application in Auth0 to then be able to add authentication to it.
Your application can be
The key point is that applications are primarily meant for human interaction, as opposed to APIs, which provide data to applications through a standardized messaging system.
The Auth0 Application has a Client ID.
It is just Auth0's way of keeping track of the audience (see https://curity.io/resources/architect/claims/scopes-vs-claims/) and of the expiry of the tokens issued for reaching that audience.
Lambdas and React: https://auth0.com/blog/building-serverless-apps-with-aws-lambda/
Single page app
Create the Single page application, as described in here: https://auth0.com/docs/applications/spa
Auth0 application attribute | maps to |
---|---|
Auth0 clientId | AWS IAM Audience |
Auth0 domain (dev.auth0.com) | AWS IAM Provider URL |
Follow Tutorial: https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps
Follow Tutorial: https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps#create-a-cognito-identity-pool
Go to your Auth0 single page application. Download a “Quick Start” JavaScript-app.
The Auth0 variables like AUTH0_CLIENT_ID and AUTH0_DOMAIN will already be set according to your Auth0 application's values. See the file auth0-variables.js of your Quick Start JavaScript app.
Set a breakpoint in the browser debugger to read the identity token (the ID token, for example):
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1ESXpNVFE1UWpSRk5VTkNSa0kxT0RkRk1FUTJPVUUzUTBORU16STNPRGd6UXpsQ05EQTNOZyJ9.eyJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtYnQtMDA4LmV1LmF1dGgwLmNvbS8iLCJzddIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFow3333QkFQIiwiYXVkIkoiSTdRaU04c2p6dk1zUERHbnNRMnJKdVN5MVRGQ2V0NGkiLCJpYXQiOjE1NDUzODY3OTUsImV4cCI6MTU0NTQyMjc5NSwiYXRfaGFzaCI6ImpUWGlPcGktbzM2SDhNTzk3a1FzdEEiLCJub25jZSI6IXBVZWNQVDZoNUFPRXE0cXljRlIwQUtiIn0.pv41yqbOH0xSFClQYssVZ4PTriFzVYLXxaCaWhxrDnuiUyFZOCyGJA9NqeOHigFJX2LkvYkddF4piYyAHMjIae8759jh3PQvqo11Eqb52AuRcx52N89zINxp6woMIIQpaAT72ln9qof_E9Im24WKiD9F0VhexMo2zouRoMJIDyTOa5B_ieln2FIIqLBP-RdEYtKUOBwvnwf4fJlgjn2DnJstrkIypN8xQ1P0b9uUtn-KYRaS3vEpll27gLPVTEVZgPcGCDrcg3fNU9f5MjT9-kEAeENGkmS1OoIF1Q0zf_fhltnB38ScLGCQnipOZQXzvvpnISAoQ45ane-eYCWnQ
Follow tutorial: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/getting-started-browser.html
Use the identity token from Auth0 to construct the “AWS.CognitoIdentityCredentials” object with the AWS JavaScript SDK.
Here is an example of creating AWS.CognitoIdentityCredentials from a concrete identity token:
```javascript
// Using a concrete token - alternative to the anonymous access
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'eu-west-1:411f0dd3-8b7f-4328-a283-50caebd2de1c',
  Logins: {
    'dev.auth0.com': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1ESXpNVFE1UWpSRk5VTkNSa0kxT0RkRk1FUTJPVUUzUTBORU16STNPRGd6UXpsQ05EQTNOZyJ9.eyJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtYnQtMDA4LmV1LmF1dGgwLmNvbS8iLCJzddIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFow3333QkFQIiwiYXVkIkoiSTdRaU04c2p6dk1zUERHbnNRMnJKdVN5MVRGQ2V0NGkiLCJpYXQiOjE1NDUzODY3OTUsImV4cCI6MTU0NTQyMjc5NSwiYXRfaGFzaCI6ImpUWGlPcGktbzM2SDhNTzk3a1FzdEEiLCJub25jZSI6IXBVZWNQVDZoNUFPRXE0cXljRlIwQUtiIn0.pv41yqbOH0xSFClQYssVZ4PTriFzVYLXxaCaWhxrDnuiUyFZOCyGJA9NqeOHigFJX2LkvYkddF4piYyAHMjIae8759jh3PQvqo11Eqb52AuRcx52N89zINxp6woMIIQpaAT72ln9qof_E9Im24WKiD9F0VhexMo2zouRoMJIDyTOa5B_ieln2FIIqLBP-RdEYtKUOBwvnwf4fJlgjn2DnJstrkIypN8xQ1P0b9uUtn-KYRaS3vEpll27gLPVTEVZgPcGCDrcg3fNU9f5MjT9-kEAeENGkmS1OoIF1Q0zf_fhltnB38ScLGCQnipOZQXzvvpnISAoQ45ane-eYCWnQ'
  }
});
```
```html
<script>
  // Initialize the Amazon Cognito credentials provider
  AWS.config.region = 'eu-west-1';

  // Using a concrete token - alternative to the anonymous access
  AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-west-1:411f0dd3-8b7f-4328-a283-50caebd2de1c',
    Logins: {
      'dev.auth0.com': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1ESXpNVFE1UWpSRk5VTkNSa0kxT0RkRk1FUTJPVUUzUTBORU16STNPRGd6UXpsQ05EQTNOZyJ9.eyJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtYnQtMDA4LmV1LmF1dGgwLmNvbS8iLCJzddIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFow3333QkFQIiwiYXVkIkoiSTdRaU04c2p6dk1zUERHbnNRMnJKdVN5MVRGQ2V0NGkiLCJpYXQiOjE1NDUzODY3OTUsImV4cCI6MTU0NTQyMjc5NSwiYXRfaGFzaCI6ImpUWGlPcGktbzM2SDhNTzk3a1FzdEEiLCJub25jZSI6IXBVZWNQVDZoNUFPRXE0cXljRlIwQUtiIn0.pv41yqbOH0xSFClQYssVZ4PTriFzVYLXxaCaWhxrDnuiUyFZOCyGJA9NqeOHigFJX2LkvYkddF4piYyAHMjIae8759jh3PQvqo11Eqb52AuRcx52N89zINxp6woMIIQpaAT72ln9qof_E9Im24WKiD9F0VhexMo2zouRoMJIDyTOa5B_ieln2FIIqLBP-RdEYtKUOBwvnwf4fJlgjn2DnJstrkIypN8xQ1P0b9uUtn-KYRaS3vEpll27gLPVTEVZgPcGCDrcg3fNU9f5MjT9-kEAeENGkmS1OoIF1Q0zf_fhltnB38ScLGCQnipOZQXzvvpnISAoQ45ane-eYCWnQ'
    }
  });

  // Function invoked by button click
  function speakText() {
    // Create synthesizeSpeech params JSON
    var speechParams = {
      OutputFormat: "mp3",
      SampleRate: "16000",
      Text: "",
      TextType: "text",
      VoiceId: "Matthew"
    };
    speechParams.Text = document.getElementById("textEntry").value;

    // Debug output only: the temporary credentials are fetched lazily, so these are
    // undefined until the first request, and the secret key must not be logged
    // outside a local experiment.
    console.log(AWS.config.credentials.accessKeyId);
    console.log(AWS.config.credentials.secretAccessKey);

    // Create the Polly service object and presigner object
    var polly = new AWS.Polly({ apiVersion: '2016-06-10' });
    var signer = new AWS.Polly.Presigner(speechParams, polly);

    // Create presigned URL of synthesized speech file
    signer.getSynthesizeSpeechUrl(speechParams, function (error, url) {
      if (error) {
        document.getElementById('result').innerHTML = error;
      } else {
        // <source id="audioSource"> inside the page's <audio> element
        document.getElementById('audioSource').src = url;
        document.getElementById('result').innerHTML = url;
      }
    });
  }
</script>
```
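As an added example (not part of the page, the demo app or the AWS SDK), the helper below derives the `{ IdentityPoolId, Logins }` parameters for `AWS.CognitoIdentityCredentials` from an Auth0 ID token and checks, client-side, the two values the mapping table above depends on: the `Logins` key must equal the Auth0 domain configured as the IAM provider URL, and `aud` must equal the Auth0 Client ID configured as the IAM audience; an expired token is rejected as well, since Cognito would refuse it. The signature is deliberately not checked here (Cognito does that against the provider's keys); the function names, the `config` object and the token built in the usage line are assumptions for this example.

```javascript
// Added example: build AWS.CognitoIdentityCredentials params from an Auth0 ID token
// with early checks of the claims the identity-pool mapping relies on. Not SDK code.

// base64url -> string, working in browsers (atob) and in Node (Buffer).
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

// Decode the JWT payload (claims) WITHOUT verifying the signature.
function parseJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  return JSON.parse(b64urlDecode(parts[1]));
}

// config: { identityPoolId, auth0Domain (e.g. 'dev.auth0.com'), clientId }
// Returns the object to pass to new AWS.CognitoIdentityCredentials(...).
function cognitoLoginParams(idToken, config, now = Math.floor(Date.now() / 1000)) {
  const claims = parseJwtPayload(idToken);
  // The Logins key is the Auth0 domain; it must match the token issuer host.
  const issuerHost = new URL(claims.iss).host;
  if (issuerHost !== config.auth0Domain) {
    throw new Error(`issuer ${issuerHost} does not match provider ${config.auth0Domain}`);
  }
  // aud must equal the Auth0 Client ID registered as the IAM audience.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(config.clientId)) throw new Error('aud does not contain the Auth0 Client ID');
  // Cognito rejects an expired login token; fail before the network call.
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    throw new Error('ID token expired: log in again before creating credentials');
  }
  return { IdentityPoolId: config.identityPoolId, Logins: { [config.auth0Domain]: idToken } };
}

// Usage in the browser (assumed names; idToken comes from the Auth0 login):
//   AWS.config.credentials = new AWS.CognitoIdentityCredentials(
//     cognitoLoginParams(idToken, { identityPoolId: 'eu-west-1:...', auth0Domain: 'dev.auth0.com', clientId: AUTH0_CLIENT_ID }));
```

When the ID token expires, the Cognito session does not fail until the next credential refresh, so a long-running page has to obtain a fresh token from Auth0 and rebuild the credentials object rather than reuse the old one.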
The demo application is hosted here: https://github.com/skipidar/awsViaAuth0.npm