Developing an authorizer for a serverless application
Problem statement: Many applications struggle with integrating third-party OIDC and OAuth2 providers. It is relatively easy for development teams to come up with a solution that serves the business functionality, but when it comes to writing the authentication system they feel like a fish out of water. This is primarily because an authentication system that reads or writes passwords is difficult to build correctly. Most cloud providers have their own well-established IAM systems that work well with identity providers. This document describes adding a user pool authorizer to an API gateway that sits in front of a serverless application; the authorizer obtains both the JWT and the temporary IAM credentials that the serverless application uses to admit the request.
Solution: This solution assumes that a user pool with users and groups has already been created in the AWS public cloud by completing the form displayed on the management console. The user pool identifier and the client are then supplied to the web application as follows:
In webapp.ts, add the following import:

    import * as cognito from '@aws-cdk/aws-cognito';
In the interface properties, add the following lines:

    interface WebAppProps {
      // ... existing properties
      userPool: cognito.IUserPool;
      userPoolClient: cognito.IUserPoolClient;
    }
In the web app config, specify the following:

    export class WebApp extends cdk.Construct {
      // ... existing members
      new cwt.WebAppConfig(this, 'WebAppConfig', {
        bucket: props.hostingBucket,
        key: 'config.js',
        configData: {
          apiEndpoint: props.httpApi.apiEndpoint,
          userPoolId: props.userPool.userPoolId,
          userPoolWebClientId: props.userPoolClient.userPoolClientId,
        },
        globalVariableName: 'appConfig',
      }).node.addDependency(deployment);
    }
The config data is exactly what Amplify expects, which lets the front end integrate with the backend. The user pool and the user pool client are instantiated with the corresponding Cognito classes in an auth.ts TypeScript file and passed as parameters to the web app at startup.