Doesn't AWS support standard authentication and authorization concepts?

0

Hi, I'm creating an API for a client and have done so in the SAP world for years. Usually when integrating solutions, we rely on a client ID and client secret to get a token, or simply log in to an endpoint. I recently integrated SAP Event Mesh with Azure, and from our Azure partner we got OAuth credentials that we could use in SAP Event Mesh. With AWS, it seems impossible to get this standard solution to work.

For AWS, it seems like the only supported methods are Cognito, which mostly relies on web login, or IAM, which requires requests to be signed in AWS Signature Version 4 format. I know I can create a custom Lambda authorizer, but then I need a third-party identity pool.

As you can see, these are the possible login options in Event Mesh created by SAP. It seems very strange to me that neither of those is supported natively by AWS. (Screenshot: SAP Event Mesh)

Have I missed something here, or is AWS just far behind in this area?

1 Answer
0

Hi,

You can use the OAuth2 client credentials flow with Amazon Cognito as described in the documentation, and you can use mutual X.509 authentication with both ALB and Amazon API Gateway. Using mutual TLS for app-to-app authentication would be the recommended way if supported by both parties.

If none of these options are satisfactory, you could use Lambda Authorizers with API Gateway.

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Hi! Thanks for answering. From what I've learned, Cognito always redirects to a web browser for signing in. Is there a way of getting a token by using basic auth against a token endpoint? I see in the documentation that a client ID and secret can be added to the token endpoint, but it can't be necessary to create a new app for each customer in Cognito? If I have 100 customers that will call the same endpoint and would like to authenticate without browsers (e.g. by integrating their ERP systems against our solution), how can that be done?

    Still, I really don't understand why AWS doesn't support a basic client ID and client secret like Azure does?
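The browser-free flow the answer refers to is the client credentials grant against the Cognito user pool's hosted domain: the caller sends its client ID and secret as HTTP Basic credentials to `/oauth2/token` and receives a bearer access token, which API Gateway can then validate with a Cognito authorizer. The following is an added example, not code from the original thread or from AWS; the domain, client ID, secret and scope are placeholders, and the token response at the bottom is constructed so the script runs offline. Cognito issues this grant only to an app client that has a client secret and at least one resource server scope, so in practice each integrating system gets its own app client (and therefore its own rotatable secret and its own scope set).

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder configuration (assumed, not real): a Cognito hosted domain,
# one app client with a secret, and a custom scope from a resource server.
COGNITO_DOMAIN = "https://example-domain.auth.eu-west-1.amazoncognito.com"
CLIENT_ID = "placeholder-client-id"
CLIENT_SECRET = "placeholder-client-secret"
SCOPE = "orders-api/write"


def build_token_request(domain, client_id, client_secret, scope):
    """Build the POST that requests a token with the client credentials grant.

    Cognito's /oauth2/token endpoint takes the client id and secret as an
    HTTP Basic Authorization header and the grant type and scope as a
    form-encoded body. No browser or user is involved.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}
    )
    return f"{domain}/oauth2/token", headers, body


def parse_token_response(raw_json, now=None):
    """Extract the bearer token and turn expires_in into an absolute time."""
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError(f"unexpected token response: {data}")
    now = time.time() if now is None else now
    # Refresh 30 seconds early so a token never expires mid-request.
    expires_at = now + int(data["expires_in"]) - 30
    return data["access_token"], expires_at


class TokenCache:
    """Reuses the access token until Cognito's reported lifetime runs out.

    `fetch` is any callable returning the raw JSON body of the token endpoint;
    keeping it injectable lets the cache be exercised without network access.
    """

    def __init__(self, fetch):
        self._fetch = fetch
        self._token = None
        self._expires_at = 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at:
            self._token, self._expires_at = parse_token_response(self._fetch(), now)
        return self._token


def fetch_token_over_http():
    """Perform the real token request (needs network and a real app client)."""
    url, headers, body = build_token_request(
        COGNITO_DOMAIN, CLIENT_ID, CLIENT_SECRET, SCOPE
    )
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def bearer_header(token):
    """Header the integrating system sends to the API Gateway endpoint."""
    return {"Authorization": f"Bearer {token}"}


# Constructed sample response, shaped like what /oauth2/token returns,
# so the module can be run without an AWS account.
SAMPLE_TOKEN_RESPONSE = json.dumps(
    {"access_token": "constructed.jwt.value", "expires_in": 3600, "token_type": "Bearer"}
)

if __name__ == "__main__":
    cache = TokenCache(lambda: SAMPLE_TOKEN_RESPONSE)
    print(bearer_header(cache.get()))
```

Each customer's ERP system holds only its own app client's ID and secret, so a leaked credential is revoked by rotating that one client secret rather than affecting other callers, and the scope granted to each client bounds what its token can do at the API.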
