Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Doesn't AWS support standard authentication and authorization concepts?

0

Hi, I'm creating an API for a client and have done so in the SAP world for years. Usually when integrating solutions, we rely on client ID and client secret to get token or simply login to and endpoint. I recently integrated SAP Event Mesh with Azure, and from our Azure partner, we got oauth credentials to that we could use in SAP Event Mesh. With AWS, it seems impossible to get this standard solution to work.

For AWS, it seems like the only supported methods are Cognito which mostly relies on Web login or IAM which have to be signed in AWS Signature 4 format. I know I can create a custom Lambda authorizer but then I need a third party identity pool.

As you can see, these are the possible login options in Event Mesh created by SAP. It seems very strange to me that neither of those are supported natively by AWS. SAP Event Mesh

Have I missed something here, or is AWS just far behind in this area?

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon API GatewayAmazon CognitoAWS Identity and Access Management
Language
English
asked 2 years ago335 views
1 Answer
0

Hi,

you can use OAuth2 Client Credential flow with Amazon Cognito as mentioned in the documentation and you can use Mutual X509 authentication with both ALB and Amazon API Gateway. Using mutual TLS for app-to-app authentication would be the recommended way if supported by both parties.

If none of these options are satisfactory, you could use Lambda Authorizers with API Gateway.

AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • perage
    2 years ago

    Hi! Thanks for answering. From what I've learned, Cognito always redirects to a web browser for signing in. Is there a way of getting a token by using basic auth against a token endpoint? I see in the documentation that client Id and secret can be added to the token endpoint, but It can't be necessary to create a new app for each customer in Cognito? If I have 100 customers that will call the same endpoint and would like to authenticate without browsers (e.g by integrating their ERP systems against our solution), how can that be done?

    Still, I really don't understand why AWS doesn't support basic client id and client secret like Azure does..?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content