How to authorise a user during an AppStream session

0

Hi!

I'm looking for a way to check the authorisation of a user during the start script phase of an AppStream session. We are using AppStream to provide a SaaS solution, and each user possesses a license for one or more applications. From the AppStream session (StreamView: APP), we need to validate which licenses a user is authorised to use. We need to do this in the start script, before the application starts.

Setup

In order to start a session, a user calls our API requesting a StreamingURL. If the user is allowed to use the product (has any license such as trial, regular, extended, ...) a StreamingURL is created. At this point I can store some metadata in my backend. The request looks something like this:

aws appstream create-streaming-url --stack-name my-stack --fleet-name my-fleet --user-id 10 --application-id my-app-xyz

Once the user starts a session based on the StreamingURL in the response from our API, I would like to set up that session for that specific user. This includes fetching the licenses for the products that the user owns.

Question

Is there a way to authenticate that user in, for example, an API or S3 bucket? Somewhere the start script can fetch the license from. If I somehow could transfer a key to the session when creating the signed StreamingURL.

So far...

Idea #1

Make an open API endpoint (/license) where you send in a session ID and a user ID. Let the API endpoint do a describe-sessions towards the fleet and look for any matches. Possibly also verify the IP address that the request originates from. If there is any match, trust the user ID in the request and respond with the license for that user. Security relies on "hard to guess", unless I missed something and it's possible for User A to get hold of User B's session ID. It's still not obvious for the start script to know what application (defined in application-id) it should request a license for.

Idea #2

Same as #1, but store all license files on the image, and let the /license endpoint only respond with the names of the licenses the user owns. Delete all other licenses from the running instance during the execution of the start script.

Idea #3 - scrapped

Like Idea #2, but send the license name in the session-context variable when generating the streaming URL. This will not work since the session context is not available in the start script, and it can be manipulated by the end user.

  • Just a question: how are you handling the licenses? Are you using License Manager?

Andreax
asked 13 days ago, 37 views
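The server-side check behind Idea #1, as an added example (not the asker's or AWS's code): it takes the session ID, user ID and source IP from a /license request, looks the session up in a describe-sessions-style response, and only returns licenses when that session is active, belongs to that user and is tied to the instance the request came from. The describe_sessions stub, sample sessions and license table are constructed stand-ins; it assumes the API is reached from inside the fleet VPC (so the source IP is the session's ENI private IP) and, as the question notes, it still keys licenses by user rather than by application-id.

```python
"""Authorisation check for a /license endpoint (Idea #1), using only
server-side data: the fleet's own view of its sessions."""
import hmac

# Constructed sample of what describe_sessions(StackName=..., FleetName=...,
# UserId=...) returns; field names follow the AppStream API response shape.
SAMPLE_SESSIONS = [
    {"Id": "sess-aaaa", "UserId": "10", "State": "ACTIVE",
     "NetworkAccessConfiguration": {"EniPrivateIpAddress": "10.0.1.25"}},
    {"Id": "sess-bbbb", "UserId": "11", "State": "EXPIRED",
     "NetworkAccessConfiguration": {"EniPrivateIpAddress": "10.0.1.26"}},
]

# Constructed license table keyed by user id (in practice: your backend DB).
LICENSES = {"10": ["trial", "regular"], "11": ["regular"]}


def describe_sessions_stub(stack_name, fleet_name, user_id):
    """Stand-in for boto3 appstream.describe_sessions(); filters on UserId
    like the real call, so only that user's sessions are ever returned."""
    return {"Sessions": [s for s in SAMPLE_SESSIONS if s["UserId"] == user_id]}


def authorize_license_request(session_id, user_id, source_ip,
                              describe=describe_sessions_stub,
                              stack_name="my-stack", fleet_name="my-fleet"):
    """Return the user's licenses, or None when the request cannot be tied
    to a live session of that user on the requesting instance."""
    for s in describe(stack_name, fleet_name, user_id)["Sessions"]:
        # Constant-time compare: the session id is the only secret-ish value
        if not hmac.compare_digest(s["Id"], session_id):
            continue
        # Session must belong to the claimed user and still be running
        if s["UserId"] != user_id or s["State"] != "ACTIVE":
            return None
        # Assumption: API is reached via the fleet VPC, so the request's source
        # IP equals the session's ENI private IP; reject anything else
        eni_ip = s.get("NetworkAccessConfiguration", {}).get("EniPrivateIpAddress")
        if eni_ip and eni_ip != source_ip:
            return None
        return LICENSES.get(user_id, [])
    return None  # no session with that id for this user
```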
1 Answer
-1

To authorize a user during an AppStream session, you can leverage the AppStream session context feature. The session context allows you to pass user-specific information to the AppStream instance during the session start-up process.

Here's a step-by-step approach you can consider:

  1. Retrieve user's license information:

    • When your API is called to create a streaming URL, retrieve the user's license information from your backend.
    • You can store this information in a secure way, such as encrypting it and attaching it to the session context.
  2. Pass the user's license information in the session context:

    • When creating the streaming URL using the aws appstream create-streaming-url command, include the user's license information in the --session-context parameter.
    • The session context can be a JSON-encoded string that contains the user's license details.

    Example:

    aws appstream create-streaming-url --stack-name my-stack --fleet-name my-fleet --user-id 10 --application-id my-app-xyz --session-context '{"licenses": ["trial", "regular"]}'
    
  3. Retrieve the user's license information in the start script:

    • In the start script of your AppStream image, you can access the session context information using the $APPSTREAM_SESSION_CONTEXT environment variable.
    • Parse the session context JSON and retrieve the user's license information.

    Example start script:

    #!/bin/bash
    set -euo pipefail

    # Retrieve the session context (set by AppStream for the session; empty if unset)
    SESSION_CONTEXT="${APPSTREAM_SESSION_CONTEXT:-}"

    # Parse the session context JSON and extract the user's licenses, one per line
    licenses=$(printf '%s' "$SESSION_CONTEXT" | jq -r '.licenses[]')

    # Validate the user's licenses and perform any necessary actions
    while IFS= read -r license; do
      case "$license" in
        "trial")
          # Grant access to trial applications
          ;;
        "regular")
          # Grant access to regular applications
          ;;
        # Add more license types as needed
        *)
          # Unknown or empty license name: ignore it
          ;;
      esac
    done <<< "$licenses"

    # Start the application
    /path/to/application

By using the session context, you can securely pass the user's license information to the AppStream instance during the session start-up process. This allows you to validate the user's licenses and grant or deny access to the appropriate applications within the start script, before the application is launched.

Remember to ensure that the user's license information is stored securely in your backend and that the session context is protected from tampering by the end-user.

AWS
JonQ
answered 7 days ago
  • This will unfortunately not work; I tested that, as described in "Idea #3 - scrapped". The session context variable contains the context from the previous session during the execution of the start script; it is not updated until after the start script is finished. :-(
