Securing AWS Lambda using AWS ALB and Cognito / Okta / Auth0

karthik
3 min read · Jun 21, 2022

In this blog, we are going to see how to secure an AWS Lambda backend using AWS ALB and Cognito (the same setup works with Okta or Auth0 as the OpenID Connect provider).

Use Case :

Many modern web apps are built as Single-Page Apps (SPAs), and Backend for Frontend is one of the most commonly used design patterns for them. The OpenID Connect protocol is a secure way to protect both the backend and the frontend. AWS ALB provides built-in support for OpenID Connect authentication on its HTTPS listeners, so the login flow runs in the load balancer itself. In this way, even a Lambda function set as an ALB target can be secured with very few code changes: the function never has to implement the login redirect or the token exchange.

  1. User types the website URL in the browser
  2. Browser forwards the request to AWS ALB
  3. AWS ALB checks the session cookie sent by the browser (the cookie is set by the ALB itself after a successful login)
  4. If the cookie is valid, go to Step 6. If the cookie is missing or invalid, ALB redirects the browser to AWS Cognito for the OpenID Connect Authorization Code grant flow
  5. After the user logs in, ALB redeems the authorization code at the Cognito token endpoint and receives the ID, Access and Refresh tokens. Please note that multiple browser redirects and backend API calls are performed to get the tokens; they are not shown here
  6. If the cookie is valid, AWS ALB forwards the request to the AWS Lambda function and adds the user identity in request headers: x-amzn-oidc-accesstoken (the access token), x-amzn-oidc-identity (the subject) and x-amzn-oidc-data (a JWT signed by the ALB that carries the user claims). The Lambda function should verify the x-amzn-oidc-data signature rather than trusting the header blindly
  7. The AWS Lambda function executes the business logic and returns the response to AWS ALB
  8. ALB returns the response to the browser, which renders the data

There are a few prerequisites for setting up this integration:

  1. AWS account (business or free tier)
  2. Knowledge of the AWS Lambda, AWS ALB and AWS Cognito services
  3. Knowledge of the OIDC protocol

We have to perform the below steps for this integration :

  • Create an AWS ALB with an HTTPS listener and configure an AWS Lambda function as the target. You can follow the video below.
  • Create a Cognito user pool and configure the Cognito OIDC provider on the AWS ALB listener rule. You can follow the video below.

If you are using Okta instead of AWS Cognito, follow the video below:

If you are using Auth0 instead of AWS Cognito, follow the video below:

Some key points to note in this configuration :

  • Here is the AWS Lambda source code for reference. This function returns the JSON representation of the event object. The event object has all the request headers and parameters passed from AWS ALB, including the x-amzn-oidc-* headers described above. Use it only to inspect what the ALB sends: echoing the whole event back to the browser also exposes the access token in x-amzn-oidc-accesstoken to the client, so a real backend should return only the data the page needs.

    console.log('Loading function');

    // ALB-to-Lambda handler: ALB expects the response in exactly this shape
    // (isBase64Encoded, statusCode, statusDescription, headers, body).
    exports.handler = async (event, context) => {
        let response = {
            "isBase64Encoded": false,
            "statusCode": 200,
            "statusDescription": "200 OK",
            "headers": {
                "Set-cookie": "cookies",          // placeholder value from the post; remove or set a real cookie
                "Content-Type": "application/json"
            },
            // Debug only: the event includes every header ALB forwarded
            "body": JSON.stringify(event, null, 2)
        };
        return response;
    };
  • All the Cognito endpoints like Authorize, Token etc. can be retrieved from the well-known configuration URL. The URL format is:

    https://cognito-idp.<region>.amazonaws.com/<UserPool ID>/.well-known/openid-configuration

  <region> - the AWS region where the user pool exists, for example us-east-1
  <UserPool ID> - you can get this from the Cognito user pool general settings

Thanks for reading this article. Please subscribe to the YouTube channel below and follow me on Medium to learn about security and IAM.
