I have been reading a lot of AWS Amplify and Cognito docs, but it seems that there is no direct approach described for this.
What I have:
I have an iOS app written in Swift, and my back end is set up as a few Lambda functions. I am able to access the REST endpoints in the usual way (just like any public URL).
As a result, I have no Amplify or AWS SDK integrated in my iOS code.
What do I want?
1) Include user management: Allow users to sign up / sign in (this is already there in my back end, but I am open to using Cognito)
2) Secure my back end API so that only authenticated users can access it, through mobile app. (I may use it from Postman for my own development purposes)
What I Know:
I know there is OAuth 2 (PKCE) mechanism available for secure API access from mobile without requiring client secret, but AWS does not make it clear which tools to use to truly achieve it.
I do not mind using Cognito (if it’s all good) or my own back end lambdas for user management. The only thing is that the solution must be able to secure my REST APIs.
The obstacles:
Looks like their documentation is so fragmented around this that:
- REST is not discussed at all. GraphQL is, and they show a nice way to do everything from within Swift code using GraphQL models, but it's overkill for my purposes. I would like to access it like any other REST endpoint in the world, but in a secure way that is restricted to my mobile app.
- There is no clear distinction between the AWS SDK and the Amplify SDK (I got a few hints from Google that Amplify sits at a higher level and abstracts a lot of choices, but nothing concrete).
- Documentation on AWS is very conceptual but does not include any example of how to tackle this particular use case.
- I watched a few great YouTube videos as well, but they do not address this platform stack.
PS:
No more readymade docs links please. I have already gone through many, and unless any of them directly approaches my questions above, I am afraid they won’t help.
UPDATE
I found some nice examples of how Cognito handles token + user management within a mobile app. However, in those examples it still seems that signup happens without a token. Exposing the pool id and other details in the app bundle, and assuming anyone can sign up using the SDK, a token can easily be obtained. Even with custom Lambda authorizers, using a smart string parser / Fiddler, endpoints can be exposed from within the app bundle, and misuse of the API is very much possible.
These examples are probably not using PKCE (my take is that they use SRP). Or I am missing a crucial step.
Let’s say I use AppAuth to get the token from Cognito endpoints. Will it justify if I want to authenticate user using Cognito userid/password?
I also have confusion regarding the redirect URI. Is redirect in a mobile app mandatory to obtain a token (even when I am not using any public authentication like Google/Facebook)?
2 Answers
-> Authenticate with Cognito to obtain Cognito tokens. ID, Access, Refresh.
-> Send Token to Rest API and perform validation on the JWT token sent.[1]
Additionally:
-> Amplify Auth component is nice to work with to sign in/sign up and manages your tokens/session.
-> Then use any HTTP library to send the request to API.
-> If the API is going to be API Gateway (backed with Lambda) you have a lot more options. The API component in Amplify will help with sending the request and there are IAM/Custom Lambda/Cognito authorizer options on the API Gateway which are all valid options when using Cognito as the IDP.
[1] https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
The direction I always take is a standards based approach rather than an AWS specific one, since your goal is to build great UIs and APIs with the best future options.
My tutorial-based blog links below do not cover Amplify, but I think they will be relevant to you. There can be quite a learning curve with this tech.
Here is some code of mine to validate Cognito tokens in an API.
I have working demo Web and Mobile UIs that use Cognito tokens to call a cloud hosted version of the API – you can quickly run the UIs from this page.
The blog’s index page has a number of step by step guides, such as explaining the Serverless API and running it on your PC, though some of the posts are long and detailed.
If you find any of this useful then feel free to post any follow up questions.