How best to build custom Cognito login pages for use with a server-side app?

Question

A customer has a question, how best to build custom login pages for use with a server-side app?

> * https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentity.html
> * Examples all use a client-side only flow, resulting in a token in the browser.
> * Should the resulting token simply be POSTed to a Chorus endpoint to establish a session? This seems like a non-standard flow.

Note: "Chorus" is the name of the customer's internal application which they are modifying to user Cognito for authentication.

I do not have much experience with identity and so not well-equipped to answer this question.

I can point the customer to, but I feel this is light:
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-server-side-authentication-flow

Are "developer-authenticated identities" part of the answer?
https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
https://github.com/aws-samples/amazon-cognito-developer-authentication-sample

The github example above is mobile, though customer will be building a web app (not sure of backend yet, but probably one of the standards, e.g. JS, ruby, etc.).

Accepted Answer

The first clarification point is why do you need login pages for server-side authentication? server-side means machine to machine authentication so there is no login forms that expect end-user input.

If this is the case, then using [client credentials authentication flow][1] is the recommended approach. In this case, client application will use app-client id and secret to authenticate (using secured back channel, no browser in this case), after authentication, client app gets accessToken and client should pass this access token to backend (Chorus) with every call. This token shouldn't be exposed to end-user.

You also mentioned "Examples all use a client-side only flow, resulting in a token in the browser". there are multiple authentication flows with OAuth2, the one that returns token to browser is "implicit grant" which is not recommended unless you can't use the recommended one "Authorization code grant". in Authorization code grant, client receives a code instead of the token which could be passed to Token endpoint through secured back channel (not the browser) to get tokens. take a look at [this blog post][2] for more details about authentication flows.

I think you might need a specreq to discuss customer's use-case and get advise on which auth flow to use and how.

[1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
  [2]: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

How best to build custom Cognito login pages for use with a server-side app?

相關內容