Custom authorizer vs Cognito - authentication for Amazon API Gateway - Web application


I have been making a web app (Angular 2 on S3, APIs in Lambda through API Gateway). For authentication I have played with both Cognito and a custom authorizer (I configured authentication to work with Google and Facebook both via a custom authorizer and via Cognito). In the case of the custom authorizer, the token is passed via the Authorization header and the custom authorizer validates it.

I am looking for advice on which one I should go forward with, and on the pros and cons. The ones I can think of are:

AWS Cognito:

Pros

  1. The AWS SDK handles it, so you cannot make a mistake in the authentication process.
  2. Fine-grained access control to AWS resources via IAM.
  3. A Lambda function in front of every API is not required for authentication.

Cons

  1. You need to use the AWS SDK on the client side. Programmers have to add the toolchain and make use of it during development. This adds complexity.
  2. Fine-grained access control to resources is not required, since access is only required to API Gateway.

Custom authorizer

Pros

  1. You can have the authentication mechanism the way you want it. Ultimate control over authentication and authorization.
  2. You can have the UI call the APIs with a standard token (JWT), and the flow for developers remains the same. No consideration of the AWS SDK.

Cons

  1. Authentication requires a lot of thinking and effort to build.
  2. There are chances of missing crucial aspects.
  3. It's reinventing the wheel. Why, when Amazon has done it for you?

All that being said, I am leaning towards the custom authorizer for now. I need advice here on the topic.

PS: I know there cannot be a definite answer to the question I have posted, but there are a lot of great people here trying to decide on authentication for their applications.

Okay, authentication and security are indeed hard, and there are a lot of issues that have been thought about and taken care of by the AWS security team that you may not think of or implement, making your application insecure. I implemented a custom authorizer that expected an authorization token (passed through the Authorization header) as a base64-encoded value that repeats across requests in a session. It turns out that, due to weaknesses in RC4 and Diffie-Hellman, this makes TLS susceptible to attack. If you use Cognito with IAM, AWS SigV4 request signing protects against these weaknesses. Watch https://www.youtube.com/watch?v=zmmpgbihcpw for more details.

Another benefit of using Cognito/IAM is that it protects against CSRF and replay attacks. Request signing involves using a timestamp, and IAM will deny requests that were signed more than ~5 minutes ago.

In short: avoid using a custom authorizer if you can, and use IAM with Cognito. You will thank yourself.
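To make the replay point above concrete, here is an added example (not code from the question or the answer) of the mechanism IAM relies on: a SigV4-style signature whose signing key is derived from the date, region and service, and whose input includes the request timestamp, so a verifier can refuse anything signed outside a ~5 minute window. The canonical request, the `execute-api` service name, the access key id and secret, and the `secrets` lookup table are constructed for this example; the canonicalization is simplified compared with real SigV4, which also covers the query string and signed headers.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # IAM rejects requests signed more than ~5 minutes ago

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret, date, region, service):
    # SigV4 key derivation: chained HMACs over date, region, service, "aws4_request"
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def _signature(secret, method, path, body, amz_date, region, service):
    # Simplified canonical request (constructed); real SigV4 also canonicalizes query string and headers
    canonical = "\n".join([method, path, amz_date, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, service)
    return scope, hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def sign_request(key_id, secret, method, path, body, region, service, when):
    # Client side: the timestamp is covered by the signature, so it cannot be edited on replay
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope, sig = _signature(secret, method, path, body, amz_date, region, service)
    return {"method": method, "path": path, "body": body, "x-amz-date": amz_date,
            "authorization": f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, Signature={sig}"}

def verify_request(req, secrets, region, service, now):
    # Server side: freshness window first, then constant-time signature comparison
    ts = datetime.strptime(req["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > MAX_AGE:
        return False, "expired"
    cred, sig = req["authorization"].split("Credential=")[1].split(", Signature=")
    secret = secrets.get(cred.split("/")[0])  # look up the signer's secret by access key id
    if secret is None:
        return False, "unknown key"
    _, expected = _signature(secret, req["method"], req["path"], req["body"],
                             req["x-amz-date"], region, service)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"
```

A static base64 token in the Authorization header, as described in the answer, has no equivalent of the `expired` branch: a captured request stays valid for the life of the session.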

