Your overall approach seems correct, and you've described a common authentication flow using AWS Cognito and an Application Load Balancer (ALB). Let's break down the flow:
- ALB with Authenticate Action:
Your ALB is configured with an authentication action, and it redirects requests to the Cognito Hosted UI when accessing the protected route /admin/*. This is a common pattern to enforce authentication before allowing access to specific routes.
- Cognito Hosted UI:
The user is prompted to enter their username and password through the Cognito Hosted UI, which internally calls the InitiateAuth API and returns a session cookie and sets headers on the request.
- Callback URL:
The callback URL configured in the Cognito Client App for the user pool is set to www.alb-domain.com/oauth2/idpresponse. This is where the ALB receives the authenticated request from Cognito.
- Backend App in Target Group:
Your backend app inside the target group has middleware that protects the /admin/* route. The middleware validates the token in the request headers after successful authentication.
- Frontend App:
The Vue.js frontend app, upon successful authentication through Cognito, loads the admin dashboard. Subsequent requests made by the admin are authenticated using the session cookie, avoiding the need to go through the entire authentication process again for the duration of the session.
Your approach of deferring the login to the frontend until after the successful Cognito authentication and token validation on the backend is common. This allows you to centralize authentication logic and token management on the backend, providing a more secure and manageable solution.
One thing to consider is handling token refreshes if your session cookies have expiration times. This ensures that users are not suddenly logged out after the session expires.
In summary, your described architecture is in line with common best practices for securing applications with AWS Cognito and an ALB. Make sure to thoroughly test your implementation and consider additional security measures like HTTPS, secure cookie attributes, and handling token refreshes based on your application's requirements.
Thank you so much for confirming the general approach is correct, Renato! It's my first time setting up Cognito for work, so I wanted to make sure I'm doing the right thing, and you have reassured me, so I'm at peace now!