How best to build custom Cognito login pages for use with a server-side app?

0

A customer has a question, how best to build custom login pages for use with a server-side app?

Note: "Chorus" is the name of the customer's internal application which they are modifying to user Cognito for authentication.

I do not have much experience with identity and so not well-equipped to answer this question.

I can point the customer to, but I feel this is light: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-server-side-authentication-flow

Are "developer-authenticated identities" part of the answer? https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html https://github.com/aws-samples/amazon-cognito-developer-authentication-sample

The github example above is mobile, though customer will be building a web app (not sure of backend yet, but probably one of the standards, e.g. JS, ruby, etc.).

已提问 5 年前1650 查看次数
1 回答
0
已接受的回答

The first clarification point is why do you need login pages for server-side authentication? server-side means machine to machine authentication so there is no login forms that expect end-user input.

If this is the case, then using client credentials authentication flow is the recommended approach. In this case, client application will use app-client id and secret to authenticate (using secured back channel, no browser in this case), after authentication, client app gets accessToken and client should pass this access token to backend (Chorus) with every call. This token shouldn't be exposed to end-user.

You also mentioned "Examples all use a client-side only flow, resulting in a token in the browser". there are multiple authentication flows with OAuth2, the one that returns token to browser is "implicit grant" which is not recommended unless you can't use the recommended one "Authorization code grant". in Authorization code grant, client receives a code instead of the token which could be passed to Token endpoint through secured back channel (not the browser) to get tokens. take a look at this blog post for more details about authentication flows.

I think you might need a specreq to discuss customer's use-case and get advise on which auth flow to use and how.

AWS
专家
已回答 5 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则