IuriiO Notebook
Web Identity Federation
  • Federation allows users to authenticate with a Web Identity Provider (Google, Facebook, etc.).
  • The user authenticates first with the Web ID Provider and receives a token, which is then exchanged for temporary AWS credentials that allow them to assume an IAM role.
  • Cognito is an Identity Broker which handles interaction between your applications and the Web ID Provider:
    • Provides sign up, sign in, and guest user access
    • Syncs user data for a seamless experience across your devices
    • Cognito is the AWS recommended approach for Web Identity Federation, particularly for mobile apps.
  • Cognito uses User Pools to manage user sign up and sign in, either directly or via a Web ID Provider.
  • Cognito acts as an Identity Broker, handling all interactions with the Web ID Provider.
  • Cognito uses push synchronization to send a silent push notification of user data updates to multiple device types associated with a user ID.
STS AssumeRoleWithWebIdentity
  • Part of STS (Security Token Service)
  • Allows users who have authenticated with a Web ID Provider to access AWS resources.
  • Once the user has authenticated, the application makes the AssumeRoleWithWebIdentity API call ('aws sts assume-role-with-web-identity' in the CLI), passing the provider's token and the ARN of the role to assume.
  • If successful, STS returns temporary credentials enabling access to AWS resources.
  • The AssumedRoleUser ARN and AssumedRoleId returned by the call are used to programmatically reference the temporary session, not an IAM role or user.
  • Mobile apps should use Cognito for federation instead of STS AssumeRoleWithWebIdentity
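The two lists above describe the same exchange from both sides: the role's trust policy decides which provider-issued tokens may assume it, and the application trades a token for temporary credentials. The following Python is an added example, not code from the original notebook or from AWS; the role ARN, audience (client ID), token and account number are constructed placeholders, and the STS client is injected so that the flow runs offline against a fake with the real response shape (in production the client would be boto3.client("sts")). The audience condition in the trust policy is the check a practitioner should look for: without it, a token the provider issued to any application, not just yours, would satisfy the trust.

```python
"""Added example (not from the original notebook): the token-for-credentials
exchange behind STS AssumeRoleWithWebIdentity, plus the role trust policy that
decides which provider-issued tokens may assume the role.
Assumptions: role ARN, audience, token and account values are constructed
placeholders; the STS client is injected so the flow runs offline against a
fake (production code would pass boto3.client("sts")).
"""
import json
from datetime import datetime, timedelta, timezone

# Federated principals STS recognises for common web identity providers.
PROVIDER_PRINCIPALS = {
    "google": "accounts.google.com",
    "facebook": "graph.facebook.com",
    "cognito": "cognito-identity.amazonaws.com",
}


def build_web_identity_trust_policy(provider: str, audience: str) -> dict:
    """Trust policy for a role assumed via AssumeRoleWithWebIdentity.

    The Condition on "<provider>:aud" pins the role to tokens issued for this
    application's client ID; omitting it lets any app registered with the
    provider obtain credentials for the role.
    """
    principal = PROVIDER_PRINCIPALS[provider]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": principal},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{principal}:aud": audience}},
        }],
    }


def exchange_web_identity_token(sts, role_arn: str, token: str,
                                session_name: str, duration: int = 3600) -> dict:
    """Exchange a provider token for temporary AWS credentials.

    `sts` is any object with a boto3-compatible assume_role_with_web_identity
    method. Returns the temporary credentials plus the AssumedRoleUser values,
    which identify this session rather than an IAM user or the role itself.
    """
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=token,
        DurationSeconds=duration,
    )
    creds = resp["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
        "assumed_role_id": resp["AssumedRoleUser"]["AssumedRoleId"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }


class FakeSts:
    """Constructed offline stand-in: mimics the STS response shape and applies
    the trust policy's audience condition the way STS would."""

    def __init__(self, trust_policy: dict, role_name: str):
        cond = trust_policy["Statement"][0]["Condition"]["StringEquals"]
        (self.aud_key, self.audience), = cond.items()
        self.role_name = role_name

    def assume_role_with_web_identity(self, RoleArn, RoleSessionName,
                                      WebIdentityToken, DurationSeconds=3600):
        # Real STS first verifies the provider's signature on the token; this
        # fake takes the token as a JSON string and only checks its aud claim.
        claims = json.loads(WebIdentityToken)
        if claims.get("aud") != self.audience:
            raise PermissionError("AccessDenied: token audience not trusted by role")
        account = RoleArn.split(":")[4]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE",          # placeholder
                "SecretAccessKey": "secret-example",    # placeholder
                "SessionToken": "session-token-example",
                "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": f"AROAEXAMPLE:{RoleSessionName}",
                "Arn": f"arn:aws:sts::{account}:assumed-role/{self.role_name}/{RoleSessionName}",
            },
        }


def demo() -> dict:
    """End-to-end run of the exchange with constructed values."""
    audience = "my-app-client-id.apps.googleusercontent.com"   # placeholder
    policy = build_web_identity_trust_policy("google", audience)
    sts = FakeSts(policy, "WebIdentityAppRole")
    token = json.dumps({"iss": "accounts.google.com", "aud": audience, "sub": "user-123"})
    return exchange_web_identity_token(
        sts, "arn:aws:iam::123456789012:role/WebIdentityAppRole", token, "user-123")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Running the script prints the session's credentials and the assumed-role ARN of the form arn:aws:sts::<account>:assumed-role/<role>/<session>, which is what the AssumedRoleUser values reference; a token whose aud claim does not match the policy is refused before any credentials are issued.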