General
The authentication system will use AWS Cognito as the centralized service, enabling authentication both directly and via external providers such as Okta.
Development
This module is planned to be developed using AWS Cognito. A User Pool should be created to allow integration with identity providers like Okta, and direct authentication via email/password should also be supported. It should be evaluated whether direct authentication is handled by Cognito or by the application service itself.

Authentication and Authorization Flow
The diagram illustrates an authentication architecture based on OpenID Connect (OIDC), where Okta acts as the identity provider (IdP) and AWS Cognito acts as an intermediary for authorization and user management. The flow ensures that only authenticated users can access protected services in AWS.
Main Components
Client:
- A website with a plugin that requires authentication to access protected features.
- A web server that handles requests and coordinates the authentication process.
AWS Cloud:
- API Gateway: Entry point for requests to AWS backend services.
- AWS Cognito: Service responsible for user management, authentication, and authorization.
- Okta Server: External identity provider using OIDC to validate credentials and issue authentication tokens.
Detailed Flow
- User sign-in: The user accesses the website and requests an action that requires authentication, such as viewing private information or performing a protected operation.
- Redirect for authentication: The web server detects that the user is not authenticated and redirects them to Okta (the identity provider) using the OIDC flow. This may open a login window or use an authentication endpoint.
- Credentials entry on Okta: The user enters their credentials (username and password) directly in Okta's interface, ensuring identity validation is performed securely and centrally.
- Validation and token issuance: Okta verifies the credentials and, if valid, issues an ID Token and an Access Token according to the OIDC standard. These tokens contain information about the user and their permissions.
- Token exchange with Cognito: The web server receives the tokens from Okta and sends them to AWS Cognito. Cognito validates the tokens and, if valid, may issue its own access tokens for the user, integrating the external identity into its management system.
- Access to protected services: The client uses the Access Token provided by Cognito to make requests to the API Gateway. The API Gateway verifies the token with Cognito before allowing access to AWS backend services, ensuring that only authenticated and authorized users can interact with resources.
Benefits of the Architecture
- Centralized authentication: Allows managing users and credentials from Okta, simplifying administration and compliance with security policies.
- Scalability and flexibility: AWS Cognito can integrate with multiple identity providers and supports different authentication flows.
- Security: The use of tokens and validation at each step reduces the risk of unauthorized access and protects internal services.