Authentication

It's advisable to understand the general concepts behind OAuth 2.0 and OIDC before you start doing anything with authentication, authorization, or Amazon Cognito in general.

Here is an excellent article by Kim Maida (formerly of Auth0) on authentication and authorization concepts. She explains all the related concepts in an easy-to-follow way. I highly recommend giving it a read.

Introduction

In our application, we will start with the basic Cognito setup. Users will be able to sign up and sign in from the web page directly and access other AWS services using the Identity Pool role.

Later we will integrate the Hosted UI and social sign-in using Google to show how we can leverage the OIDC and OAuth 2.0 concepts.

Basic Concepts

  • OpenID Connect

  • OAuth2

  • JWT

  • SAML

OpenID Connect

OIDC is an identity layer on top of OAuth 2.0 for authenticating users with an authorization server. OIDC defines a fixed format for ID tokens, known as the JSON Web Token or JWT (pronounced "jot").

OAuth 2.0

OAuth 2, the successor to OAuth 1, is an authorization protocol. OAuth 2 is meant for delegated authorization, for example:

  • Granting an application access to the Twitter API so it can tweet on behalf of a Twitter user.

  • LinkedIn asking to link your Google account so that it can show you how many of your contacts already use LinkedIn and whom you can invite.

OAuth 2 returns an Access Token that can be used to call the target APIs and a Refresh Token that can be used to obtain new Access Tokens without user interaction.

JWT or JSON Web Tokens

JWT ("jot") tokens are composed of three base64url-encoded (URL-safe) string segments concatenated with periods:

  • Header segment

  • Payload segment

  • Crypto segment

The header segment is a JSON object specifying the signing algorithm and the token type.

{
  "alg": "RS256",
  "typ": "JWT"
}

The payload segment is a JSON object of claims: statements about the user and the authentication event.

{
  "sub": "112233",
  "name": "Dhaval Nagar",
  "admin": true,
  "iat": 1516239022
}

The final segment is the crypto segment, or signature. JWTs are signed so that any modification in transit can be detected. When an authorization server issues a token, it signs it using a key, and the receiving party must verify that signature before trusting any of the claims.
