With Amazon Cognito, you can implement customer identity and access management (CIAM) in your web and mobile applications. You can add user authentication and access control to your applications in minutes.
In this post, I introduce you to the new access token customization feature for Amazon Cognito user pools and show you how to use it. Access token customization is included in the advanced security features (ASF) of Amazon Cognito. Note that ASF is subject to additional pricing as described on the Amazon Cognito pricing page.
What is access token customization?
When a user signs in to your app, Amazon Cognito verifies their sign-in information and, if the user is authenticated successfully, returns the ID, access, and refresh tokens. The access token, which uses the JSON Web Token (JWT) format following the RFC 7519 standard, contains claims in the token payload that identify the principal being authenticated, and session attributes such as the authentication time and token expiration time. More importantly, the access token also contains authorization attributes in the form of user group memberships and OAuth scopes. Your applications or API resource servers can evaluate the token claims to authorize specific actions on behalf of users.
With access token customization, you can add application-specific claims to the standard access token and then make fine-grained authorization decisions to provide a differentiated end-user experience. You can refine the original scope claims to further restrict access to your resources and enforce least-privileged access. You can also enrich access tokens with claims from other sources, such as user subscription information stored in an Amazon DynamoDB table. Your application can use this enriched claim to determine the level of access and content available to the user. This reduces the need to build a custom solution to look up attributes in your application's code, thereby reducing application complexity, improving performance, and smoothing the integration experience with downstream applications.
How do I use the access token customization feature?
Amazon Cognito works with AWS Lambda functions to modify your user pool's authentication behavior and end-user experience. In this section, you'll learn how to configure a pre token generation Lambda trigger function and invoke it during the Amazon Cognito authentication process. I'll also show you an example function to help you write your own Lambda function.
Lambda trigger flow
During a user authentication, you can choose to have Amazon Cognito invoke a pre token generation trigger to enrich and customize your tokens.
Figure 1 illustrates the pre token generation trigger flow. This flow has the following steps:
1. An end user signs in to your app and authenticates with an Amazon Cognito user pool.
2. After the user completes the authentication, Amazon Cognito invokes the pre token generation Lambda trigger and sends event information to your Lambda function, such as userAttributes and scopes, in a pre token generation trigger event.
3. Your Lambda function code runs its token enrichment logic and returns a response event to Amazon Cognito to indicate the claims that you want to add or suppress.
4. Amazon Cognito vends a customized JWT to your application.
The pre token generation trigger flow supports OAuth 2.0 grant types, such as the authorization code grant flow and the implicit grant flow, and also supports user authentication through the AWS SDK.
Enable access token customization
Your Amazon Cognito user pool delivers two different versions of the pre token generation trigger event to your Lambda function. Trigger event version 1 includes userAttributes, groupConfiguration, and clientMetadata in the event request, which you can use to customize ID token claims. Trigger event version 2 adds scopes to the event request, which you can use to customize scopes in the access token in addition to customizing other claims.
In this section, I'll show you how to update your user pool to use trigger event version 2 and enable access token customization.
To enable access token customization
1. Open the Amazon Cognito user pool console, and then choose User pools.
2. Choose the target user pool for token customization.
3. On the User pool properties tab, in the Lambda triggers section, choose Add Lambda trigger.
4. In the Lambda triggers section, do the following:
   a. For Trigger type, select Authentication.
   b. For Authentication, select Pre token generation trigger.
   c. For Trigger event version, select Basic features + access token customization – Recommended. If this option isn't available to you, make sure that you have enabled advanced security features. You must have advanced security features enabled to access this option.
5. Select your Lambda function and assign it as the pre token generation trigger. Then choose Add Lambda trigger.
Example pre token generation trigger
Now that you have enabled access token customization, I'll walk you through a code example of the pre token generation Lambda trigger and the version 2 trigger event. This code example examines the trigger event request and adds a new custom claim and a custom OAuth scope in the response, which Amazon Cognito uses to customize the access token to suit various authorization schemes.
Here is an example version 2 trigger event. The event request contains the user attributes from the Amazon Cognito user pool, the original scope claims, and the original group configuration. It has two custom attributes, membership and location, which are collected during the user registration process and stored in the Cognito user pool.
  {
    "version": "2",
    "triggerSource": "TokenGeneration_HostedAuth",
    "region": "us-east-1",
    "userPoolId": "us-east-1_01EXAMPLE",
    "userName": "mytestuser",
    "callerContext": {
      "awsSdkVersion": "aws-sdk-unknown-unknown",
      "clientId": "1example23456789"
    },
    "request": {
      "userAttributes": {
        "sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "cognito:user_status": "CONFIRMED",
        "email": "my-test-user@example.com",
        "email_verified": "true",
        "custom:membership": "Premium",
        "custom:location": "USA"
      },
      "groupConfiguration": {
        "groupsToOverride": [],
        "iamRolesToOverride": [],
        "preferredRole": null
      },
      "scopes": [
        "openid",
        "profile",
        "email"
      ]
    },
    "response": {
      "claimsAndScopeOverrideDetails": null
    }
  }
In the following code example, I transform the user's location attribute and membership attribute to add a custom claim and a custom scope. I use the claimsToAddOrOverride field to create a new custom claim called demo:membershipLevel with the membership value Premium taken from the event request. I also construct a new scope with the value membership:USA.Premium through the scopesToAdd field, and add the new claim and scope to the event response.
  export const handler = function(event, context) {
    // Retrieve user attributes from the event request
    const userAttributes = event.request.userAttributes;
    // Add the custom claim and scope to the event response
    event.response = {
      "claimsAndScopeOverrideDetails": {
        "idTokenGeneration": {},
        "accessTokenGeneration": {
          "claimsToAddOrOverride": {
            "demo:membershipLevel": userAttributes['custom:membership']
          },
          "scopesToAdd": ["membership:" + userAttributes['custom:location'] + "." + userAttributes['custom:membership']]
        }
      }
    };
    // Return the modified event to Amazon Cognito
    context.done(null, event);
  };
With the preceding code, the Lambda trigger sends the following response back to Amazon Cognito to indicate the customization that is needed for the access token.
  "response": {
    "claimsAndScopeOverrideDetails": {
      "idTokenGeneration": {},
      "accessTokenGeneration": {
        "claimsToAddOrOverride": {
          "demo:membershipLevel": "Premium"
        },
        "scopesToAdd": [
          "membership:USA.Premium"
        ]
      }
    }
  }
Amazon Cognito then issues an access token with these customizations at runtime:
  {
    "sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_01EXAMPLE",
    "version": 2,
    "client_id": "1example23456789",
    "event_id": "01faa385-562d-4730-8c3b-458e5c8f537b",
    "token_use": "access",
    "demo:membershipLevel": "Premium",
    "scope": "openid profile email membership:USA.Premium",
    "auth_time": 1702270800,
    "exp": 1702271100,
    "iat": 1702270800,
    "jti": "d903dcdf-8c73-45e3-bf44-51bf7c395e06",
    "username": "mytestuser"
  }
Your application can then use the newly minted custom scope and claim to authorize users and provide them with a personalized experience.
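The handler above copies the custom attributes straight into the token, so a missing or unexpected attribute value would be minted into a scope such as membership:undefined.undefined. The following is an added example, not code from the post or from AWS, of a version 2 pre token generation handler written from a defensive stance: it fails closed when the event is not version 2, validates custom:membership and custom:location against an allowlist before they reach the token, and uses the scopesToSuppress field of the version 2 response to remove a premium-only scope that a non-premium user's client requested. The claim and scope names demo:membershipLevel and membership:<location>.<level> come from the post; the allowlist, the location format rule and the scope name premium:content are assumptions made for this example, and the sample event is constructed from the one shown above.

```javascript
// Added example: hardened pre token generation trigger (event version 2).
// Not the post's code. Allowlist, location rule and "premium:content" are assumed.

const ALLOWED_LEVELS = new Set(["Basic", "Premium"]);   // assumed membership values
const LOCATION_RE = /^[A-Z]{2,3}$/;                    // assumed format, e.g. "USA"
const PREMIUM_ONLY_SCOPE = "premium:content";          // assumed app client scope

function customizeAccessToken(event) {
  // Only version 2 events carry request.scopes and honour accessTokenGeneration;
  // refuse anything else rather than silently returning an unmodified token.
  if (event.version !== "2") {
    throw new Error(`unsupported trigger event version: ${event.version}`);
  }
  const attrs = event.request.userAttributes || {};
  const level = attrs["custom:membership"];
  const location = attrs["custom:location"];

  const access = { claimsToAddOrOverride: {}, scopesToAdd: [], scopesToSuppress: [] };

  // Validate user-supplied attributes before they become authorization data.
  if (ALLOWED_LEVELS.has(level) && typeof location === "string" && LOCATION_RE.test(location)) {
    access.claimsToAddOrOverride["demo:membershipLevel"] = level;
    access.scopesToAdd.push(`membership:${location}.${level}`);
  }

  // Least privilege: strip the premium-only scope unless the user has earned it,
  // even if the app client is allowed to request it.
  const requested = event.request.scopes || [];
  if (level !== "Premium" && requested.includes(PREMIUM_ONLY_SCOPE)) {
    access.scopesToSuppress.push(PREMIUM_ONLY_SCOPE);
  }

  event.response = {
    claimsAndScopeOverrideDetails: {
      idTokenGeneration: {},
      accessTokenGeneration: access,
    },
  };
  return event;
}

// Lambda entry point; in the deployed module this would be `export const handler = ...`.
const handler = async (event) => customizeAccessToken(event);

// Constructed sample event modelled on the version 2 event shown in the post.
function sampleEvent(membership, location, scopes) {
  return {
    version: "2",
    triggerSource: "TokenGeneration_HostedAuth",
    request: {
      userAttributes: {
        sub: "00000000-0000-0000-0000-000000000000", // constructed
        "custom:membership": membership,
        "custom:location": location,
      },
      groupConfiguration: { groupsToOverride: [], iamRolesToOverride: [], preferredRole: null },
      scopes,
    },
    response: { claimsAndScopeOverrideDetails: null },
  };
}

// Stand-alone run: show the response for a premium user and for a basic user.
console.log(JSON.stringify(customizeAccessToken(sampleEvent("Premium", "USA", ["openid"])).response));
console.log(JSON.stringify(customizeAccessToken(sampleEvent("Basic", "USA", ["openid", PREMIUM_ONLY_SCOPE])).response));
```

Keeping the logic in a plain function (customizeAccessToken) and wrapping it in a thin async handler makes the trigger unit-testable without a Lambda runtime; the thrown error on a non-version-2 event surfaces in the user pool as a failed trigger, which is the intended fail-closed behaviour.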
Considerations and best practices
There are four general considerations and best practices that you can follow:
1. Some claims and scopes aren't customizable. For example, you can't customize claims such as auth_time, iss, and sub, or scopes such as aws.cognito.signin.user.admin. For the full list of excluded claims and scopes, see Excluded claims and scopes.
2. Work backwards from authorization. When you customize access tokens, you should start with your existing authorization schema and then decide whether to customize the scopes, the claims, or both. Standard OAuth-based authorization scenarios, such as Amazon API Gateway authorizers, typically use custom scopes to grant access. However, if you have complex or fine-grained authorization requirements, then you should consider using both scopes and custom claims to pass additional contextual data to the application or to a policy-based access control service such as Amazon Verified Permissions.
3. Establish governance in token customization. You should have a consistent company engineering policy that provides naming guidance for scopes and claims. A syntax standard promotes globally unique names and avoids name collisions across different application teams. For example, Application X at AnyCompany can choose to name its scope ac.appx.claim_name, where ac represents AnyCompany as a global identifier and appx.claim_name represents Application X's custom claim.
4. Be aware of limits. Because tokens are passed through various networks and systems, you need to be aware of potential token size limitations in your systems. You should keep scope and claim names as short as possible while still being descriptive.
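Working backwards from authorization means the resource server, not the token, is where the custom claim and scope are finally interpreted. The following is an added example, not code from the post or from AWS, of the checks an API resource server applies to the claims of a customized access token before acting on demo:membershipLevel and the membership:<location>.<level> scope. It assumes the token's signature has already been verified against the user pool's JWKS by a JWT library, so only the verified payload is passed in; the issuer and client_id values are the ones shown in the post's token, and the action policy table is constructed for this example.

```javascript
// Added example: resource-server authorization over a verified access-token payload.
// Not the post's code. Signature verification is assumed to have happened already.

const EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_01EXAMPLE"; // from the post
const EXPECTED_CLIENT_ID = "1example23456789";                                           // from the post

// Constructed policy: the membership level (and, optionally, scope) each API action needs.
const ACTION_REQUIREMENTS = {
  "GET /catalog": { level: "Basic" },
  "GET /premium": { level: "Premium", scope: /^membership:[A-Z]{2,3}\.Premium$/ },
};
const LEVEL_RANK = { Basic: 1, Premium: 2 };

function parseScopes(scopeClaim) {
  // Cognito serialises the granted scopes as one space-separated string.
  return typeof scopeClaim === "string" ? scopeClaim.split(" ").filter(Boolean) : [];
}

function authorize(claims, action, nowSeconds) {
  // 1. Token type, issuer and client: an ID token or a token from another pool/app must not pass.
  if (claims.token_use !== "access") return { allowed: false, reason: "not an access token" };
  if (claims.iss !== EXPECTED_ISSUER) return { allowed: false, reason: "wrong issuer" };
  if (claims.client_id !== EXPECTED_CLIENT_ID) return { allowed: false, reason: "wrong client_id" };

  // 2. Lifetime: exp is a JWT NumericDate (seconds since the epoch).
  if (typeof claims.exp !== "number" || nowSeconds >= claims.exp) return { allowed: false, reason: "expired" };

  // 3. Action policy: an unknown action is denied rather than allowed by default.
  const req = ACTION_REQUIREMENTS[action];
  if (!req) return { allowed: false, reason: "unknown action" };

  // 4. Custom claim: absent or unrecognised levels deny (fail closed).
  const level = claims["demo:membershipLevel"];
  if (!Object.prototype.hasOwnProperty.call(LEVEL_RANK, level) || LEVEL_RANK[level] < LEVEL_RANK[req.level]) {
    return { allowed: false, reason: "insufficient membership level" };
  }

  // 5. Custom scope, where the action requires one.
  if (req.scope && !parseScopes(claims.scope).some((s) => req.scope.test(s))) {
    return { allowed: false, reason: "missing scope" };
  }
  return { allowed: true, reason: "ok", level };
}

// Constructed copy of the customized access-token payload shown in the post.
const SAMPLE_CLAIMS = {
  sub: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  iss: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_01EXAMPLE",
  version: 2,
  client_id: "1example23456789",
  token_use: "access",
  "demo:membershipLevel": "Premium",
  scope: "openid profile email membership:USA.Premium",
  auth_time: 1702270800,
  exp: 1702271100,
  iat: 1702270800,
  username: "mytestuser",
};

// Stand-alone run, evaluated one minute after the sample token was issued.
console.log(authorize(SAMPLE_CLAIMS, "GET /premium", SAMPLE_CLAIMS.iat + 60));
console.log(authorize({ ...SAMPLE_CLAIMS, token_use: "id" }, "GET /premium", SAMPLE_CLAIMS.iat + 60));
```

The token_use check matters because Cognito issues an ID token and an access token with overlapping claims; only the access token carries the scope claim that the customization targets, and the ID token is meant for the client application, not for API authorization.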
Conclusion
In this post, you learned how to integrate a pre token generation Lambda trigger with your Amazon Cognito user pool to customize access tokens. You can use the access token customization feature to provide differentiated services to your end users based on claims and OAuth scopes. For more information, see Pre token generation Lambda trigger in the Amazon Cognito Developer Guide.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.