Learn AWS Cognito, authentication with Spring Boot made easy | OAuth 2.0

Captions
What's up my people, and welcome to another video in Walrus Code. Authentication and authorization are two very important topics we are covering today. Most of the time we want to develop applications where users may create accounts and secure their private identity and secure their private information. On one side, authentication deals with a problem: who am I allowing to enter my application? Authorization, on the other hand, deals with this problem: how many privileges am I allowing, am I granting, to this user? Is this a guest user or is this an admin user? And with OAuth 2 you can separate both concerns very easily in what we know as authentication server and resource server, and this allows us to maintain and scale both servers independently. AWS Cognito is a very nice solution for implementing an authentication server using OAuth 2, and Spring Boot with its security dependencies can also be a very nice example for implementing a resource server. So stay in this video if you want to see how a Spring Boot application deployed to the cloud and working as a resource server may interact with AWS Cognito in order to authorize user access into it.

Okay my people, so let's start with this video. So in this diagram, as you already have noticed in my previous videos, I'm showing the current architecture of a system I have deployed in AWS: just a load balancer with a couple of Docker containers running a Spring Boot application and a REST API, basically inside of the target group, and everything is orchestrated by an auto scaling group. You know, every time the demand increases, the auto scaling group triggers a scaling action to scale out and create more containers, and so on. But today we want to focus on this part of the system, which is AWS Cognito. As you know, AWS Cognito is an authentication service which you can see right here in AWS; you can look at it here, you can write Cognito, and it has two main parts. One is the user pools, which we are going to see today and cover today, and the other part are the federated identities, which we are not covering today because they are a whole other story to tell. But yes, we already have a user pool created, this one, Walrus demo code. But first let's explain how does it work in the diagram.

So as you know, OAuth has this, a protocol to authenticate users which divides authentication from authorization, as I explained in the introduction. So AWS Cognito is the authentication part of it, of the flow, and you can retrieve your users. I mean, your users, whenever they open your application, they can create accounts, right, and they can then identify themselves, and in order to identify themselves they use credentials: they put a password and a username, and then Cognito, whenever the password is correct, it grants back, it sends back a JWT token, which is a large token and which is signed. This is a keyword: it is already signed, and it can only be decoded, deciphered, by any JWT decoder like this one, which we are going to use later in this video. But the important thing is this signature. The signature is only valid from this, as you mean, the signature which is going to be tested here; whenever the information of the token is going to be read here, it is going to be proof that the signature comes from this issuer, from this AWS Cognito user pool, and no other way. So this is another layer of security that ensures, or puts us in the safe zone, to say okay, this JWT token was produced by my application and by no other, I don't know, middle, middle in the middle, how do you say this kind of attack, money in the middle? Yes, by no other man in the middle. But yeah, that is basically it, and you have many flows to obtain one of these JWT tokens. One of them is the authorization code flow, which is the safest if you are using web applications or mobile applications, and this is the recommended one. Implicit grant was deprecated; it is still being used, maybe you can use it too, but it's not more recommended, as it is not as safe as the authorization code if you are using clients in the browser, browser clients or mobile clients. And there is also the credentials flows, but there are actually more flows, but I'm not going to dive deep in one of those code flows. We are going to focus more on this part of the diagram.

So let's head back to the Cognito console in AWS, which is here, I mean. And yes, so we created a user pool, which is basically, I'm going to put it simple, like it is a database of users owned by AWS, and you can actually have already, I mean, there is this website which you can use, I'm gonna show it right now. It's like, here you have an out of the box UI for signing in or creating accounts, really, really easy, available to use out of the box, I mean, and the UI, hosted UIs, here. But I am not, this always happens in the demos, I never find the URL. I think this is the one, it's like, or demo app, okay, let's try with this one. Yes, here you see the sign in, but I see only the name, but I don't see anything, any content here. But maybe I have to, I really don't remember it, I think it's here, it's like, to, or, this is really awkward. I mean, I'm pretty sure that there is like a URL where you can easily create a view, hosted UI. I was looking for a URL, but it is actually a button, how silly. Okay, so this is like an out of the box UI for creating accounts or for signing in, if you want, granted for Cognito; you can integrate this part of UI in your web applications if you want, but I'm not using this today because we can easily create users directly. I mean, I just want to show you the part of the back end of this system; I'm not going to focus on the front end, which I can do in another video. But you can head just to Users. You can see I have already created two users, Mart and Fauna supported; those are two emails that are already existing and I own them. For example, let's look at this user. I don't have MFA, but I recommend always using MFA; I didn't use it because, for the sake of this video. And it has a custom parameter that is admin, and I put it in true. So you can have custom fields for users to explain, to set up, for example, users that are, I mean, admin or have other privileges, higher privileges than a common user or guest users, who knows. But yeah, you can actually, we can create a user right now. It's like, just Create User, set an email invitation, you can choose whatever you want, and then you can write any email and then set a password, and that was it. I'm not going to create it right now, but you can see the process of creating a user is very simple if you want to do it manually, and if you don't, if you want to do it from your application, as you know, you can host this, use this out of the box UI and put it in your already existing app.

And yeah, what happens whenever you have a user? Let's go back to the diagram, and your user wants to authenticate against your application. Okay, in the back, behind the scenes, what is going to happen: your user is going to send the credentials to Cognito, Cognito is going to use one of those flows, and finally it's going to throw back a JWT, which is then redirected to the load balancer by each REST API call, HTTP call I mean, because now that our back end is secured against intruders it always expects that there is a JWT or a bearer token, as you can see. We are going to see that right away; so that's why I have Postman in this video, because we are gonna see the difference between sending requests without and with authorization headers, with the authorization token. So this is the URL of my application load balancer. I'm gonna show it right now: I have an application load balancer running here, this is the DNS as you can see, and as you remember this application is very, very easy; it has like two endpoints, one for retrieving users, at least in the form of a JSON, which is actually this URL, customer at the end of the domain. But now I am not using any authorization header, so what happens if I just send a GET request, a plain GET request? And I receive a 401, that is Unauthorized. And if I see the, let's check out the response headers, and there's not any information. But yes, it is unauthorized, pretty much, so we need a token.

Let's get a token. I got already prepared an AWS CLI command. You know what is the AWS CLI? You know that AWS has a client with which, or a client with, I don't know how to say it in English, but with this client you can send requests or configure many, many AWS services like S3, you can connect to DynamoDB, you can connect to Cognito, and you can connect to many, many other stuff, Lambdas for example. And now we are going to retrieve one of those tokens manually; we are going to imitate what our application in the front end would do with one of those authorization flows, like the authorization code flow. So this is a command whose name is initiate-auth from the Cognito API; this is identity pool, I think, idp, I think so. The AWS CLI can do anything you want with AWS; it's like a substitute, you can look at the client like a substitute for the console, and sometimes even more powerful, because there are sometimes actions that you cannot do in the console but you can do in the client. Okay, enough about the client. Now with this initiate-auth command I can use the user password authorization flow, which is a custom flow from Cognito where I just write the username and the password. This is a dummy password; I'm gonna delete the user after the video is uploaded, so it's not unsafe to put it now on a video, because I would never do that with a production password. And now I click enter, and what is going to happen: Cognito, or AWS Cognito, is going to give me back two tokens. One of them is the access token, which is a JWT, but there is also this ID token, which is the one I'm interested in, which is another JWT token but with the information of the users and the client; it has the privileges of the user, what is it able to do and what is it not able to do. And there is also a refresh token. Whenever, okay, so this is very important also: by default my token is going to expire in 3600 seconds, that is like an hour, I think an hour, but you can adjust that time, I'm pretty sure you can.

Now let's take a look at this JWT in this website; there is a website to decode JWT tokens, and let's see what is inside. First, the signature was verified, I mean this is correctly encoded, and now this is the payload of the JWT. There's the email, so in the token there is the username, so the REST API, the Spring Boot application, can know which is the user that is now doing this request. That is very important, because that is part of the identification; it's like a part of the authorization flow also. This guy wants to know who is coming in and what can he do, what can't he do. So one of the things is the email. There is also the audience, which identifies from which issuer is this coming, and we can verify if the audience matches the one we are expecting, and we are doing that in the backend logic of our Spring Boot application.

This is the Spring Boot application we have already seen in the past two videos, but now I added the security layer, and in order to do that I added some stuff in the configuration, as you can see here. For example, here we have a springboot application security blah blah blah audience; I hard coded it and wrote it here, and you can also pass it using environment variables. I hard coded it for the sake of the video, but in order to be sure that it is not hardcoded in your code and your repository you can pass it through variables or through configuration parameters or whatever. And here's the issuer URI. Do you know where do I get this URI from? This is a generic URI where I just have to specify here the region of my AWS Cognito service, which is actually running in us-east-1, and this parameter here, you know, or this one, comes from the Cognito user pool here, I mean this one is the user pool ID. This is the user pool ID, so this is very important to set up with your application. So these two parameters identify which is the guy actually who signed this token, and so our application can know if the token comes from a verified source. That is very, very important, because anyone could be feeding a JWT token to our application, and we have to separate those who are from a malicious, or how do you say, from a source of doubt, or doubtful source, yes, do you say that? Okay, but you understand the idea: we have to verify which tokens are like trustful and which are not. And yeah, we're gonna see this code more in depth, but later.

So now we were looking at the JWT here. There's other information, the email_verified for example, and so on, but there are not many claims in this user; I mean, this could be a generic user, it's not an admin. We are going to see later how does it look like for an admin user; there's another claim that says it is an admin, and we can use it to restrict even more stuff inside the API. So now we do have our JWT token, so let's copy it. We already saw that the plain GET request to our resource API doesn't work, because we receive a 401, but what happens if we add this token as the bearer token? So in Postman I can add an authorization with a bearer token here, and I can write it here; I'm gonna overwrite this one, because this one may be expired, and once I paste my ID token I can send it, and now the request is working, guys. I received a 200, so the API, and look at this, this is the URL of my AWS load balancer, ALB I wanted to say, so the same one that failed, now it's working, because I'm feeding it the correct JWT token from the verified source, and the list of users which we always were expecting.

Okay, so that is working, but what happens if we have a restricted route, so routes that have privileges, not any user can access it? We can describe them in Spring Boot like this. So first we have a security configuration in Spring Boot, especially for this kind of logins, I mean authentication, because there is this concept of scopes. Have you ever heard about the scopes in the context of OAuth? Here's an example. So do you see here, I created a bean that supplies to my application a SecurityWebFilterChain, but okay, what is going to be allowed to be requested without tokens in my application, and what is going to be requested with token, and what is going to be only allowed for admins? So for example, we want that health checks are allowed for anyone, because our health checks must be accessible for our automatic load balancer, application load balancer; otherwise it's not gonna register as a healthy instance, and that's gonna cause a lot of problems in the future, right? And also the OPTIONS: you want to list the options or endpoints like available to you, because they are part of the, are part of the HTTPS protocol, right? I mean, I'm pretty sure HTTPS needs the OPTIONS, but I'm not sure; if you know that, you can write it around, you can write that down in the comments, in the comment box. Okay, so here is a route that is protected only for admins. So now this user that I'm simulating right now with this token is not an admin. What happens if I query the config route? I write here config, send, and take a look at this, this is very interesting, because now we see a 403. I'm gonna move this like this, so we see a 403. This is different from Unauthorized; and the description of the error is actually in the headers: insufficient_scope, error description "The request requires higher privileges than provided by the access token". So we have a problem of privileges here: our current user has not enough privileges to get this route.

And so do you see how amazing OAuth 2 is? Because in one simple token we can have a lot of information about the user, and the token is protected because it is encoded and validated, and only the real source of this token can validate this thing, put the signature on the token. So many people could try to clone or to produce a fake JWT token to access valuable data in our resource server, but they would fail because the signature wouldn't be valid, so we are very well protected. Okay, so now let's try the same but with an admin user, so we can see in action how can we use this route, protected route, for admin privileges. And I'm prepared for that, because I have already created a user that is an admin. But first let's see this user in the console. So this is the user we were looking at right now; it has only two attributes, email and sub. But now if we go to the other user, this Mart user has a custom admin attribute; that is one attribute that I created myself. You can create whichever custom field you want, it's up to you; I created an admin one and I put it as a value true, so this is an admin. And now this information can also be encoded in the JWT; that is amazing, we are going to see that right now. So now, instead of requesting a token from AWS Cognito for this user, I'm going to use this other user, and I just expect to receive another ID token, which is also a JWT. Let's take a quick look at it in this JWT decoder, and as you can see here the email is now different, it is this new user, but we have now this custom field with admin true. Now this is the field that is going to be read in the backend, and it's going to know that this is an admin with privileges. So let's use this JWT token again, but now I'm gonna replace this old token with no privileges with this one with admin privileges, and let's try again this request, and now we receive a 200, which is amazing, and the body is just "here comes a message from AWS Param Store blah blah blah". So we are accessing exclusive content for admins, and that was simple, just because we allowed that in the application code in Spring Boot. This is the line that says okay, this route is only available for users which have this admin scope.

But in order to finalize, to terminate this video, I want to explain a little bit more of code, because this was not so straightforward to accomplish, but actually once you know how to do it it's very, very easy. I had to create a claim adapter, as you can see here. In Spring Boot we have to specify which JWT decoder algorithm should we use in order to parse these tokens and understand what is going on in the information. So how do we tell Spring Boot, hey, whenever you see this custom admin field, that means this is an admin? You can do that right here in the claim adapter. I created a claim adapter here, which is a custom class I created, and it must implement this interface, and now I say okay, whenever in the claims you see this custom admin, just add to the scope that this is an admin. It was as simple as that, but the solution, I already saw this solution somewhere, I don't remember where, but once you know it you know how to do the things, right?

So that was it guys, I think that was everything I wanted to cover today; it was about OAuth and Spring Boot. Oh, one important aspect of Spring Boot that I am forgetting to mention, but it is very, very important: which dependencies it uses. Here, actually, these are the dependencies. Okay, but first I want to clarify that this repository is already uploaded in GitHub, and the repository link is going to be in the description, so if you want to see or revise everything by yourself you are free to do so. So these are the two dependencies that I've used for OAuth 2: oauth2-resource-server, as we know, and oauth2-jose, I know, I'm not really sure what is this about, but I know it's useful; I think it has to do with, no, I really don't know. And this is also useful, I think this is also like the starter security, it was also, so I would try uninstalling this one and trying to run the application, but I'm pretty sure, 99% sure, it won't work, because of some configurations that I had to do here. I think this one, this EnableWebFluxSecurity, is part of the basic security dependencies. But yes, right guys, that was it for today. I'm gonna revise one more time the diagram, because I'm not sure if I am leaving anything out of the, no, I think that was it for today. So if you enjoy this content, don't forget to like, to smash the like button; if you are new in this channel, subscribe. I upload content like this every once per week, yeah, once per week, or I try to do that so often. And yeah, basically, so we see in the next video. November.
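The configuration the video walks through, written out as an added example rather than the author's repository code: a WebFlux SecurityWebFilterChain that leaves the health check and OPTIONS open, requires a bearer token everywhere else and limits /config to the admin scope; a ReactiveJwtDecoder that checks the Cognito issuer and audience on top of the signature; and a claim adapter that turns the custom:admin attribute into that scope. The property names, the /actuator/health and /config paths and the class names are assumptions, and the ALB, Postman and CLI steps are unchanged.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class CognitoSecurityConfig {

    // Health check and OPTIONS stay open for the ALB; /config is admin-only; everything
    // else needs a valid bearer token. Paths are assumed, not taken from the video.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers("/actuator/health").permitAll()
                .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .pathMatchers("/config").hasAuthority("SCOPE_admin")
                .anyExchange().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            .build();
    }

    // Issuer is https://cognito-idp.<region>.amazonaws.com/<userPoolId>; a Cognito ID
    // token's audience is the app client id. Both are read from configuration, not code.
    @Bean
    public ReactiveJwtDecoder jwtDecoder(@Value("${app.cognito.issuer-uri}") String issuer,
                                         @Value("${app.cognito.audience}") String audience) {
        NimbusReactiveJwtDecoder decoder =
            NimbusReactiveJwtDecoder.withJwkSetUri(issuer + "/.well-known/jwks.json").build();
        // A valid signature is not enough: also reject tokens with a foreign iss or aud.
        OAuth2TokenValidator<Jwt> issuerCheck = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerCheck, audienceCheck));
        decoder.setClaimSetConverter(new CognitoClaimAdapter());
        return decoder;
    }

    // Cognito emits custom attributes as "custom:<name>" claims; when custom:admin is
    // "true", add "admin" to the scope claim so Spring grants the SCOPE_admin authority.
    static class CognitoClaimAdapter implements Converter<Map<String, Object>, Map<String, Object>> {
        private final MappedJwtClaimSetConverter defaults =
            MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
        @Override
        public Map<String, Object> convert(Map<String, Object> claims) {
            Map<String, Object> converted = defaults.convert(claims);
            if ("true".equalsIgnoreCase(String.valueOf(converted.get("custom:admin")))) {
                Object scope = converted.get("scope"); // keep any scopes already present
                converted.put("scope", scope == null ? "admin" : scope + " admin");
            }
            return converted;
        }
    }
}
```

With this wiring, a request without a token gets a 401, a non-admin ID token gets a 403 with an insufficient_scope error description, and an ID token carrying custom:admin=true reaches /config, matching the three Postman results shown in the video.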
Info
Channel: Walrus Code
Views: 13,278
Keywords: oauth, oauth 2, oauth 2.0, spring, spring boot, java, aws, aws cognito, user pools, cognito user pools, aws oauth, aws spring boot, spring boot resource server, authentication spring boot, jwt, openid connect, openid, aws cli, jwt token
Id: y3z9pkoAlws
Length: 27min 46sec (1666 seconds)
Published: Mon Apr 04 2022