dft street manager spike 0398 aws cognito
This is a technical spike to review AWS Cognito to see if it could be used in our application for authentication and authorisation.
How would we integrate with our applications?
- OAuth2 as an identity provider (supports OAuth 2.0, SAML 2.0 and OpenID Connect, see here)
- How would we configure it?
Does it support:
- 2FA (from Phil and the threat model workshop) - Yes, SMS and time-based one-time password (TOTP), see here
- Ability to style the login page (GDS GOV.UK styles, needs some customisation) - Yes, see here; need to confirm it can be customised enough for GDS styles
- Non-JavaScript support (preferable; I know Azure B2C doesn't support this) - No, requires JS for the OAuth redirect posts (same as most OAuth providers)
- Ability to pre-register or invite specific users by email - Yes, via the AdminCreateUser API (see here) you can create and invite users.
- Authorisation/directory services (so we can identify users' roles for permission checking) - Yes, see here. "The groups that a user is a member of are included in the ID token provided by a user pool when a user signs in"
AWS Cognito could be used and supports the main functionality we require.
The implementation would resemble a standard OAuth2 authentication setup: an AWS Cognito User Pool holding our application users, with our web applications redirecting to the customised Cognito login page to authenticate. On successful authentication the application would issue the user a session token in a cookie for subsequent requests, which would also carry the user's group memberships for RBAC permission checks.
Additionally, it supports federated authentication (see here), which means we could configure it to let LHAs/Promoters log in with their own Active Directory systems, providing SSO for those users.
Useful links:
- Node sample app blog - https://aws.amazon.com/blogs/mobile/amazon-cognito-in-your-node-js-web-app/
- Node sample app source - https://github.com/awslabs/cognito-sample-nodejs
- SpaceFinder reference app - https://github.com/awslabs/aws-serverless-auth-reference-app
These are questions we should answer before using it in production:
- How could we migrate users out of Cognito if we moved authentication providers?
- How do we monitor Cognito usage (especially failures/errors)?
- Verify with a PoC that we can style the login and notifications to GDS standards
- Check no-JS support
- Do the notifications use links only, or can we configure them to send a one-time value in plain text ("please go to the portal and enter this value")? Some users do not want links; Cognito does offer customisation but we need to check
- Can we control which MFA options users are allowed (e.g. disable TOTP for all users)?