Custom authorizer vs Cognito - authentication for Amazon API Gateway - Web application
I have been making a web app (Angular 2 on S3, APIs in Lambda through API Gateway). For authentication I played with both Cognito and a custom authorizer (I configured authentication to work with Google and Facebook, both via the custom authorizer and via Cognito). In the case of the custom authorizer, the token is passed via the Authorization header and the custom authorizer validates it.
I am looking for advice on which one I should go forward with, and the pros and cons. The ones I can think of are:
AWS Cognito:
Pros
- The AWS SDK handles it; you cannot make a mistake in the authentication process.
- Fine-grained access control of AWS resources via IAM.
- A Lambda function in front of every API is not required for authentication.
Cons
- Need to use the AWS SDK on the client side. Programmers have to add the toolchain and make use of it during development. This adds complexity.
- Fine-grained access control of resources is not required, since access is only required to API Gateway.
Custom authorizer:
Pros
- You can have the authentication mechanism the way you want it. Ultimate control over authentication and authorization.
- You can have the UI call the APIs with a standard token (JWT), and the flow for developers remains the same. No consideration of the AWS SDK.
Cons
- Authentication requires a lot of thinking and effort to build.
- There are chances of missing crucial aspects.
- It's reinventing the wheel. Why, when Amazon has done it for you?
All that being said, I am leaning towards the custom authorizer now. I need advice here on the topic.
PS: I know there cannot be a definite answer to the question I have posted, but there are a lot of great people trying to decide on authentication for their applications.
Okay, authentication and security are indeed hard, and there are a lot of issues that have been thought about and taken care of by the AWS security team which you may not think of or implement, making your application insecure. I implemented a custom authorizer that expects an authorization token (passed through the Authorization header), a base64 encoded value that repeats across requests in a session. It turns out that, due to weaknesses in RC4 and Diffie-Hellman, this makes TLS susceptible to attack. If you use Cognito with IAM, AWS SigV4 request signing protects against these weaknesses. Watch https://www.youtube.com/watch?v=zmmpgbihcpw for more details.
Another benefit of using Cognito/IAM is that it protects against CSRF and replay attacks. Request signing involves using a timestamp, and IAM denies requests signed more than ~5 minutes ago.
In short: avoid using a custom authorizer if you can, and use IAM with Cognito. You will thank yourself.
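The timestamp-bound request signing the answer relies on, as an added example that is not part of the original post and is not AWS's SigV4 implementation: a simplified HMAC scheme that binds method, path, body hash and a timestamp into the signature and enforces the ~5-minute window, placed beside the static repeated-token pattern the answer warns about. The secret key, the token value and all function names are constructed for this illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed values for the example only; a real deployment derives keys from Cognito/IAM.
SECRET_KEY = b"example-shared-secret-not-real"
STATIC_TOKEN = "c3RhdGljLXRva2Vu"          # a fixed base64 value reused for a whole session
MAX_SKEW = timedelta(minutes=5)            # IAM rejects signatures older than ~5 minutes
TS_FORMAT = "%Y%m%dT%H%M%SZ"

def sign_request(method: str, path: str, body: bytes, signed_at: datetime) -> dict:
    """Client side: the timestamp and request contents are part of the signed string."""
    ts = signed_at.strftime(TS_FORMAT)
    string_to_sign = "\n".join([method, path, ts, hashlib.sha256(body).hexdigest()])
    sig = hmac.new(SECRET_KEY, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {"X-Date": ts, "Authorization": f"HMAC-SHA256 Signature={sig}"}

def verify_signed_request(method, path, body, headers, now: datetime):
    """Server side: reject stale timestamps first, then recompute and compare the signature."""
    try:
        signed_at = datetime.strptime(headers["X-Date"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed X-Date"
    if abs(now - signed_at) > MAX_SKEW:
        return False, "signature outside time window (possible replay)"
    expected = sign_request(method, path, body, signed_at)["Authorization"]
    if not hmac.compare_digest(expected, headers.get("Authorization", "")):
        return False, "signature mismatch (request altered or wrong key)"
    return True, "ok"

def verify_static_token(headers) -> bool:
    """The pattern the answer warns about: nothing binds the token to time or request."""
    return hmac.compare_digest(headers.get("Authorization", ""), STATIC_TOKEN)

def replay_demo():
    """Capture one signed request and try it fresh, ten minutes later, and on another path."""
    t0 = datetime(2017, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    headers = sign_request("GET", "/items", b"", t0)
    fresh = verify_signed_request("GET", "/items", b"", headers, t0 + timedelta(seconds=30))
    replayed = verify_signed_request("GET", "/items", b"", headers, t0 + timedelta(minutes=10))
    retargeted = verify_signed_request("GET", "/admin", b"", headers, t0 + timedelta(seconds=30))
    # The captured static token, by contrast, is accepted whenever it is presented.
    static_replayed = verify_static_token({"Authorization": STATIC_TOKEN})
    return fresh[0], replayed[0], retargeted[0], static_replayed
```

Running `replay_demo()` shows the signed request accepted only when fresh and unaltered, while the static token replays at any time.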