How best to build custom Cognito login pages for use with a server-side app?

0

A customer has a question, how best to build custom login pages for use with a server-side app?

Note: "Chorus" is the name of the customer's internal application which they are modifying to user Cognito for authentication.

I do not have much experience with identity and so not well-equipped to answer this question.

I can point the customer to, but I feel this is light: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-server-side-authentication-flow

Are "developer-authenticated identities" part of the answer? https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html https://github.com/aws-samples/amazon-cognito-developer-authentication-sample

The github example above is mobile, though customer will be building a web app (not sure of backend yet, but probably one of the standards, e.g. JS, ruby, etc.).

asked 3 years ago462 views
1 Answer
0
Accepted Answer

The first clarification point is why do you need login pages for server-side authentication? server-side means machine to machine authentication so there is no login forms that expect end-user input.

If this is the case, then using client credentials authentication flow is the recommended approach. In this case, client application will use app-client id and secret to authenticate (using secured back channel, no browser in this case), after authentication, client app gets accessToken and client should pass this access token to backend (Chorus) with every call. This token shouldn't be exposed to end-user.

You also mentioned "Examples all use a client-side only flow, resulting in a token in the browser". there are multiple authentication flows with OAuth2, the one that returns token to browser is "implicit grant" which is not recommended unless you can't use the recommended one "Authorization code grant". in Authorization code grant, client receives a code instead of the token which could be passed to Token endpoint through secured back channel (not the browser) to get tokens. take a look at this blog post for more details about authentication flows.

I think you might need a specreq to discuss customer's use-case and get advise on which auth flow to use and how.

EXPERT
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions