Demystifying Amazon Cognito - APIDays Australia (au.apidays.io/slides/wolfe-cognito.pdf)
Demystifying Amazon Cognito Mark Wolfe Engineer @ Versent


Welcome

• @wolfeidau on Twitter and GitHub

• Who is Versent?

Amazon Cognito

• Identity as a service

• Designed for Web and Mobile applications

• Tightly integrated into the AWS "serverless" ecosystem

• Rich API

Identity As a Service?

• Sign Up

• Verify your Email or Mobile No

• Sign In

• Supports MFA

• Password Change and Recovery

• Server side encryption of ALL data

• Save User Settings

• No servers were harmed during setup..

Configuring Cognito

• Configure an internal pool of users

• Associate that pool with the identity service

• Assign some IAM policies

• Include the SDK in your application

What Next?

• AssumeRoleWithWebIdentity

• Retrieve standard AWS credentials using your Cognito identity.

• Lets you access the AWS API directly from the client.

• This is an interesting and somewhat scary proposition.

• Serverless…

Obligatory Reading

• IAM, AWS Identity and Access Management

• AWS SDK, Amazon Web Services Software Development Kit

• JWT, JSON Web Tokens (RFC 7519)

Demo

• https://cognito-vue-bootstrap.wolfe.id.au/

• Self service demonstration!

• Code is at https://github.com/wolfeidau/cognito-vue-bootstrap

Fundamentals

Secure Remote Password protocol (SRP)

• An eavesdropper or man in the middle cannot obtain the password

• password-authenticated key agreement (PAKE) protocol

• Uses Challenge and response

• Does not require a trusted third party

• Version 3 is described in RFC 2945

Why SRP?

• Is the network your users are connected to compromised?

• Government Actors

• Corporate Security Devices…

• Why not go that extra mile to protect users?!

JWT

• JSON Web Tokens, an industry standard (RFC 7519)

• Tokens are signed by the issuer

• Encoded using Base64

• Contains the claims and a small amount of identity information

Why JWT?

• More context for clients and services

• Includes scopes / expires / issuer

• JSON makes it easy to parse

• Digital signature

• Standards based

HMAC Signatures

• Hash-based message authentication code (HMAC)

• Calculate a message authentication code involving a hash function in combination with a secret key

• Used to verify the integrity and authenticity of a message

Contrived Example

"Authorization: AWS " + AWSAccessKeyId + ":" + base64(hmac-sha1(VERB + "\n" + CONTENT-MD5 + "\n" + CONTENT-TYPE + "\n" + DATE + "\n" + CanonicalizedAmzHeaders + "\n" + CanonicalizedResource))

Resulting HTTP Request

PUT /quotes/nelson HTTP/1.0
Authorization: AWS 44CF9590006BF252F707:jZNOcbfWmD/A/f3hSvVzXZjM2HU=
Content-Md5: c8fdb181845a4ca6b8fec737b3581d76
Content-Type: text/html
Date: Thu, 17 Nov 2005 18:49:58 GMT
X-Amz-Meta-Author: [email protected]
X-Amz-Magic: abracadabra

AWS Signature Version 4

• Uses an HMAC signature for each web request

• Requires client to have:

• A synchronised clock

• A Client Identifier

• A Secret Key

How it works

• You create a canonical request.

• You use the canonical request and some other information to create a string to sign.

• You use your AWS secret access key to derive a signing key, then use that and the string to create a signature.

• You add the resulting signature to the HTTP request in the Authorization header.
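The four steps above, carried through in Python's standard library as an added worked example (not code from the talk, from Versent or from the AWS SDK). The request, region, service name and credentials are constructed sample values; the AKIDEXAMPLE key pair is AWS's documented placeholder, not a real credential.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Step 1: canonical request. Query keys sorted and RFC 3986 encoded, header
    names lower-cased and sorted, header values whitespace-collapsed, payload
    represented by its SHA-256 hash so the body is bound to the signature."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canon_headers = "".join(f"{k}:{v}\n" for k, v in lowered)
    signed_headers = ";".join(k for k, _ in lowered)
    parts = [method, quote(path, safe="/-_.~"), canon_query, canon_headers, signed_headers, sha256_hex(payload)]
    return "\n".join(parts), signed_headers


def signing_key(secret, date_stamp, region, service):
    """Step 3a: derive a key scoped to one day, region and service, so the
    long-term secret never signs a request directly and leaks nothing if a
    derived key is exposed."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sign_request(method, path, query, headers, payload, region, service, access_key, secret):
    """Steps 2-4: build the string to sign, HMAC it with the derived key and
    return the Authorization header value. x-amz-date comes from the client's
    clock, which is why it must be synchronised with AWS."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"


# Constructed sample request; AKIDEXAMPLE is AWS's documented placeholder key pair.
EXAMPLE_HEADERS = {"host": "example.amazonaws.com", "x-amz-date": "20150830T123600Z"}
EXAMPLE_AUTH = sign_request("GET", "/", {}, EXAMPLE_HEADERS, b"", "us-east-1", "service",
                            "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")
```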

Takeaways

• Amazon Cognito is great if you are already working in AWS

• When building APIs always keep an eye on what Amazon is doing

• Wherever possible use standards

• Security should always be front and centre when building APIs

Questions

• @wolfeidau on Twitter and GitHub

[email protected]