A sample authentication service implemented with a server-less architecture, using AWS Lambda to host and execute the code and Amazon DynamoDB as persistent storage. This provides a cost-efficient solution that is scalable and highly available.
The authentication can be used with Amazon Cognito to assume an Authenticated Role via Developer Authenticated Identities.
The basic functions implemented are:
- new user creation, an email is sent to validate the email address provided
- login, getting back an authentication "token" that can be used with Amazon Cognito to assume an Authenticated Role via Developer Authenticated Identities
- password change
- password reset, an email is sent with a link to reset the password
Passwords are not saved in clear in the database, but "salted" (via HMAC-SHA1) using a dedicated, random salt for each password.
Amazon SES is used to send all emails.
The login function is calling in the backend GetOpenIdTokenForDeveloperIdentity, a Cognito API to register (or retrieve) the IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process.
A sample implementation can be found at http://lambdauth.danilop.net.
Copyright (c) 2015 Danilo Poccia, http://danilop.net
This code is licensed under the The MIT License (MIT). Please see the LICENSE file that accompanies this project for the terms of use.
A sample installation script using Bash (init.sh
) is provided to install and configure all necessary resources in your AWS account:
- the Amazon S3 bucket to host the sample HTML pages
- the Amazon DynamoDB table for users and credentials
- the AWS Identity and Access Management (IAM) roles for Amazon Cognito and AWS Lambda
- the Amazon Cognito identity pool
- the AWS Lambda functions
The init.sh
script requires a configured AWS Command Line Interface (CLI) and the jq tool. The script is designed to be non destructive, so you can run it again (e.g. if you delete a role) without affecting the other resources.
Before running the init.sh
script, set up your configuration in the config.json
file:
- your AWS account (12-digit number)
- the AWS region (e.g. "eu-west-1")
- the Amazon S3 bucket to use for the sample HTML pages
- the Cache-Control: max-age value, in seconds, to use on Amazon S3 (e.g. if distributed by Amazon CloudFront or another CDN)
- the Amazon DynamoDB table to create/use
- the Amazon Cognito identity pool name to create/use (the identity pool id is automatically overwritten if present in the config.json file)
- the Developer Provider Name to use with Amazon Cognito
- the external name to be included in emails
- the email source for emails (must be verified by Amazon SES)
- the link to the verification page (usually http://bucket.s3.amazonaws.com/verify.html, but can be customized using a bucket name that is a DNS domain, Amazon CloudFront or another CDN)
- the link to the password reset page (usually http://bucket.s3.amazonaws.com/reset.html, but can be customized using a bucket name that is a DNS domain, Amazon CloudFront or another CDN)
{
"AWS_ACCOUNT_ID": "123412341234",
"REGION": "eu-west-1",
"BUCKET": "bucket",
"MAX_AGE": "10",
"DDB_TABLE": "LambdAuthUsers",
"IDENTITY_POOL_NAME": "LambdAuth",
"DEVELOPER_PROVIDER_NAME": "login.mycompany.myapp",
"EXTERNAL_NAME": "My Authentication",
"EMAIL_SOURCE": "[email protected]",
"VERIFICATION_PAGE": "http://bucket.s3.amazonaws.com/verify.html",
"RESET_PAGE": "http://bucket.s3.amazonaws.com/reset.html",
}
At the end of the init.sh
script, you can start creating users pointing your browser to:
http://bucket.s3.amazonaws.com/index.html
(replacing bucket
with your bucket name)
As an optional step, you may want to configure Amazon S3 for Website Hosting and use Amazon CloudFront to distribute the static content.
A sample deployment script using Bash (deploy.sh
) is provided to update the AWS Lambda functions and the sample HTML pages on the Amazon S3 bucket.
Sample HTML pages are provided to showcase how to use this framework with a JavaScript application:
- signup.html - to create a new user, the email address will be validated sending a custom link to the verify.html page
- login.html - to login in, assuming an authenitcated role with Cognito
- verify.html - to validate the email address of a new user
- changePassword.html - to change password, knowing the old one
- lostPAssword.html - to ask for a passwrod reser, via email
- reset.html - to reset the password, linked by the email sent for a lost password
The same use cases can be implemented on a Mobile device using the AWS Mobile SDK.
The APIs are exposed as AWS Lambda Functions:
Function | Input | Output |
---|---|---|
LambdAuthCreateUser | email, password | created: true / false |
LambdAuthVerifyUser | email, verify | verified: true / false |
LambdAuthLogin | email, password | login: true / false, identityId, token |
LambdAuthChangePassword | email, oldPassword, newPassword | changed: true / false |
LambdAuthLostPassword | sent: true / false | |
LambdAuthResetPassword | email, lost, password | changed: true / false |