Authentication
Last updated
It's advisable to know the general concepts around OAuth 2.0 and OIDC before you start working with authentication, authorization, or Amazon Cognito in general.
Here is an excellent article by Kim Maida (formerly of Auth0) on authentication and authorization concepts. She explains all the related concepts in an easy-to-follow way. Highly recommend giving it a read.
In our application, we will start with the basic Cognito setup. Users will be able to sign up and sign in from the web page directly and access other AWS services using the Identity Pool role.
Later we will integrate the Hosted UI and social sign-in using Google to showcase how we can leverage the OIDC and OAuth 2 concepts.
OpenID Connect
OAuth2
JWT
SAML
OIDC is an identity layer for authenticating users with an authorization server. OIDC defines a fixed format for ID tokens, known as JSON Web Token or JWT (pronounced "jot").
OAuth 2, the successor to OAuth 1, is an authorization protocol. OAuth 2 is meant for delegated authorization, for example:
Granting an application access to the Twitter API so it can tweet on behalf of the Twitter user.
LinkedIn asking to link your Google account so that it can show you how many of your contacts are already using LinkedIn and whom you can invite.
OAuth 2 returns an access token that can be used to call the target APIs and a refresh token that can be used to obtain new access tokens without user interaction.
JWT or "jot" tokens are composed of three URL-safe string segments concatenated with periods:
Header segment
Payload segment
Crypto segment
The header segment is a JSON object containing the signing algorithm and the token type.
The payload segment contains a JSON object with claims, which are statements about the user and the authentication event.
The final segment is the crypto segment, or signature. JWTs are signed so that any modification in transit can be detected. When an authorization server issues a token, it signs it using a key.
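To make the three-segment structure concrete, here is an added example (not code from the original page or from Amazon Cognito) that builds a JWT, splits it back into header, payload and signature, and verifies the signature. It uses an HMAC (HS256) with a constructed demo secret so it runs offline; real Cognito tokens are RS256-signed and are verified against the user pool's published public keys instead. The claim values and the secret are made up for the example. The verifier pins the expected algorithm rather than trusting the `alg` field in the header, and a token whose payload is edited after signing fails verification, which is the property the text describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key. A real Cognito token is RS256-signed and would be
# checked against the user pool's public keys, not a shared secret.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the JWT encoding strips, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for an HS256 token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def split_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWT into decoded header, decoded payload and raw signature bytes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT must have exactly three segments")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    payload = json.loads(b64url_decode(payload_seg))
    return header, payload, b64url_decode(sig_seg)


def verify_jwt(token: str, secret: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Return the claims if the signature is valid, otherwise None.

    The algorithm is pinned to what this verifier expects instead of being
    read from the header, so a token that announces a different algorithm
    (including "none") is rejected rather than trusted.
    """
    header, payload, signature = split_jwt(token)
    if header.get("alg") != expected_alg:
        return None
    # The signature covers exactly the first two segments as transmitted.
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return payload


def replace_payload(token: str, new_claims: dict) -> str:
    """Swap the payload segment but keep the original signature.

    Used below to show that an edited token no longer verifies.
    """
    header_seg, _, sig_seg = token.split(".")
    return ".".join([header_seg, b64url_encode(_compact_json(new_claims)), sig_seg])


if __name__ == "__main__":
    # Constructed sample claims, roughly the shape of an ID token.
    sample_claims = {"sub": "user-123", "iss": "constructed-issuer", "email": "user@example.com"}
    token = make_jwt(sample_claims, DEMO_SECRET)
    print("token:", token)
    print("valid:", verify_jwt(token, DEMO_SECRET))
    print("edited:", verify_jwt(replace_payload(token, {"sub": "someone-else"}), DEMO_SECRET))
```

In a real Cognito deployment the verification step would fetch the user pool's JSON Web Key Set, select the key named by the token header's `kid`, and check an RS256 signature; the structure of the three segments and the rule of pinning the expected algorithm are the same.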