Serverless — Authentication
We developed REST, GraphQL, and AppSync APIs for our serverless application. The AppSync APIs are protected using an API key.
AAA (Authentication, Authorization, and Accounting) controls the access to computer resources, enforces policies, and audits usage. For modern applications, we have protocols like OAuth2 and OpenID Connect that we can use to implement authentication and authorization.
In this article, we are going to
- Learn the basics of SAML, OAuth2, and OpenID Connect.
- Use Serverless Stack (SST) to provision the AWS Cognito service.
- Protect the AppSync APIs using the Cognito User Pool.
- Deploy and test the APIs.
This article is part of the Serverless for Beginners series.
The source code can be found in this repository.
Let’s go through the basics before writing the code. To support authentication and authorization, we have protocols like SAML, OAuth2, and OpenID Connect. We will briefly go through each of them.
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
The primary SAML use case is Web Browser Single Sign-On (SSO), where the application is a monolithic web application.
SAML is not secure for modern applications like mobile and single-page applications. OAuth2 is designed to meet the needs of these modern applications.
The OAuth2 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth2 supports different authentication flows for different client types (browser-based applications, server-side web…