User Authentication with AWS Application Load Balancer and Cognito (w/o modifying your source code!)

Captions
Hi everybody, my name is Kay Tripp sevim, and today I will be talking about how you can use Application Load Balancer with Cognito to quickly add standards-based authentication to your web application. And the coolest part is that we actually don't have to modify the source code for that. OK, can you see this? So on our agenda: I will be briefly talking about Application Load Balancer and Amazon Cognito. Those are actually huge topics on their own, and through it all I'll be demoing these services.

So right now I have a little website set up on AWS. It has a landing page and a secret page, and the objective of this demo is to make sure that only authenticated users can see the secret page, without modifying the source code. OK, so right now this is my current setup. I have an Apache web server running on an EC2 instance, a t2.micro EC2 instance. Like I said, it has two pages, index.html and secret.html. It's open to the world, anybody can access it, and it lives in a single availability zone. So it's a good starting point for my little web application, but you'll see that it's flawed: if anything in the system fails, my application will go down, so basically it has a single point of failure. And I'm not planning for success: if my web application becomes very popular and millions of users want to visit it, it can't scale.

So what we really want is to put an Application Load Balancer in front of many instances of my web application. It will serve as a single point of contact for the end user, and nobody else; so basically nobody will be able to access my instances outside of my Application Load Balancer. And the ALB will distribute the workload across multiple resources. I will be able to add resources and remove them as I see fit, and the flow of requests to my application will not stop. And when we set up the Application Load Balancer, we will be forced to choose two availability zones at least, and that will increase the availability and fault tolerance for my web application, just in case, you know, one data center gets flooded one day or something.

So let's just set this up, let's set up this architecture on AWS. I will be demoing everything in three parts of the demo, so the ALB is the first one. So go to the AWS Management Console and just find the EC2 service. Like I said, I already have my instance running with my web server, and in the left nav you can find Load Balancers, and I'm going to create one now. So Amazon provides three load balancers really, and I will tell you a little bit later why we chose Application Load Balancer. So click Create, give it a unique name within the set of your Application Load Balancers, so "meetup", and we'll leave it internet-facing; we want requests to come in from clients over the internet. IP address as is. So every Application Load Balancer will have a listener; a listener checks for connection requests on the protocol and port that we define here. So because I want to eventually authenticate my users, I want to set it to HTTPS. OK, and as I mentioned earlier, we need to choose two availability zones; each availability zone should have a resource in it. I currently have one resource here and no other resource, so it's OK for it to be empty, so I'll just choose anything here. But you know, if this goes down, my website goes down. And because I chose an HTTPS listener, I actually have to upload an SSL certificate, and there are multiple ways to do that. You can either use AWS Certificate Manager, but to do that you actually have to have a domain name, and since I don't have a domain name, I created a self-signed certificate, and there is a link to how to do that in the resources slide in the slide deck close to the end. So I'll just choose the one that I have already created, and I'm leaving the security policy as the default. OK, now I have to set up security groups, so we're going to create a new security group and call it "meetup security group", and I will only allow HTTP
traffic through, like so. Now we need to configure target groups. A target group is a collection of AWS resources like EC2 instances, or IP addresses, or containers, and target groups can exist independently of the Application Load Balancer, but the Application Load Balancer will route traffic to the targets, or resources, inside a target group. So just give it a name and leave the rest as default. And target groups will have health checks, so basically if any target inside a target group is unhealthy, or it doesn't, basically, return HTTP code 200, it will be deemed unhealthy, and the Application Load Balancer will stop routing traffic there. So, register my targets: the targets are basically the EC2 instances, well, EC2 instance in my case, so I choose this one and I register it right on port 80. Can you guys see this? OK. Next, so here you have your preview, you can change anything you want right here, and let's create this. OK, successfully created load balancer, and that is it for the load balancer. So basically we achieved this architecture, except that I actually just have one web server. Now that we have this done, we need to think about where we are going to store our users.

So, Amazon Cognito. It's a secure, scalable and fully managed user directory, and when I say scalable, it scales to hundreds of millions of users. It supports social federation like Google, Facebook and Amazon, and it supports enterprise identity federation like OpenID Connect and SAML. It has a built-in, customizable hosted web UI, so basically all the forms that you need to create for logging in, signing up, resetting passwords, all is given to us by Amazon Cognito. And it supports multi-factor authentication. Just cool. OK, so second demo, let's set up Cognito. So just in your services look for Cognito. You will notice that Amazon Cognito actually consists of two components, user pool and identity pool. So the difference between these two is outside of the scope of this presentation, but I'll just tell you that a user pool is a standalone identity provider, and that is what's going to give us the hosted UI. So we're going to choose that and create a user pool. Choose wisely, because you can't actually change this once you've created it, so "meetup users", step through settings.

OK, here you can choose how you want your users to sign in, either through a username, email address or phone number. I like to sign in with a username, and I also like to have an option to sign in with my verified email address. Here you can choose the standard attributes that you require; if you choose these attributes to be required, you will have to supply them during the signup process. So when a user signs up, I will require an email address. I will also require a phone number, because later I want to do multi-factor authentication through SMS messages. And here you can add custom attributes; these will not be required during signup, but they'll just become part of your user's profile, for example "age" is a number between 0 and 1000. Sounds good. Now you can configure the strength of the password. So for the purposes of the demo I'm just going to keep it at minimum length eight, but you know, secure your passwords however you want. You can allow only administrators to create users, but then you don't have the signup screen; I want my users to be able to sign up. This one basically says if a user has an account they never use, since it's been created by an administrator, it will expire in seven days. OK, so multi-factor authentication: if you want that to be required on every user sign-in, you have to set it to required now; you cannot require it later. So once you've created the user pool, this cannot change: you can make it from required to optional to off, but you'll never make it required again. And to demonstrate multi-factor authentication I'll be using SMS text messages, and Cognito will be using Amazon SNS, which means we will have to create a role for Cognito to send those messages, and we will want to verify the
phone number, because that is how we're going to be authenticated. And let's create the role for SMS messages. OK, next step. Here you can customize your SMS verification messages, invite messages, emails, even your from address and reply-to address; I'm going to skip all that. Add tags to categorize your AWS costs so you can track them later. You can remember users' devices; I'm going to skip that, no, for now. Here we're going to add an app client. An app client is actually the entity that's going to be calling the register, sign-up and forgotten-password APIs, so we definitely need that, and it's required by Application Load Balancer. Here, "meetup client", and we leave everything as default. Do not uncheck this: ALB requires that, the Application Load Balancer needs this secret. Not all applications will, like JavaScript applications might not. Here you set attributes, readable and writable attributes by your app client, and that'll become clear in a minute. So I want all the attributes for my user to be readable and writable. Here you can customize the workflow of user sign-up and sign-in through Lambda functions; we're skipping this. Here's our preview; change things as you like, this is your last chance. Oh, you can't even change the name at this point; once you type it in that one time, that's it. You can create the pool. I did not, I skipped that. Bye, thank you. OK, well, thankfully I can edit that.

By the way, you can have more than one app client per user pool. The app client is what's going to call the APIs to register and sign up, yes, but our Application Load Balancer will be accessing the pool, yes, two different clients for the single, yeah. So now we need to set up a domain name for our hosted UI; it's actually a domain prefix here, and since it's a domain name we've got to check for availability. OK, not available; I'm probably using that somewhere else. Good, so this is for the sign-up and sign-in pages. The last part that we need to set up is OAuth, so this is important for the Application Load Balancer to be communicating with our app client. So first we choose the identity provider. Like I mentioned earlier, the Cognito user pool is a standalone identity provider, but you could have configured others under Federation; here you can see that you can choose other identity providers like Facebook, Google, and enterprise identity providers, but I'm not going to show any of that, so I'm just going to choose the Cognito user pool. So this callback URL, the sign-in callback URL, this is the URL that's being called as soon as we've successfully logged in, and that is being provided by the Application Load Balancer. By the way, let's take a look at our Application Load Balancer. We set it up, but I never saw if it actually completed. So here's that Application Load Balancer right here, and you will see that it gives us a DNS name. I'm going to copy that and go back to the user pool and paste it here. I'm going to provide the scheme, HTTPS, because that's the only thing we accept, and the URL that we want to access is /oauth2/idpresponse; so that is provided by our Application Load Balancer. The sign-out URL is basically where you want to navigate in your website as soon as you've successfully signed out; I'll talk about sign-out later. So the Application Load Balancer uses the authorization code grant; it'll use this code to get the ID and access token from our user pool. The ID token will have claims about the identity of our authenticated user, and so basically the OAuth scope defines what kind of attributes our ID token is going to return. So if I say openid, it will return all the readable attributes, all the attributes readable by the client. So remember I showed you readable and writable attributes; that's where it's important. OK, Save Changes. OK, so at this point Cognito is all set up. What we have right now is Cognito; it kind of looks like it's floating above the Application Load Balancer, but we have our Application Load Balancer and
Cognito, and what I want is that for every request being routed to the secret.html page, I want my Application Load Balancer to contact Cognito saying, hey, is this person authenticated, and either let them through or actually ask them to sign in. By the way, if you look here, I'm putting my web server in the same security group as my Application Load Balancer. So right now if I reload my EC2, can you guys see this? So this is my EC2 instance, this is where my website is. So I don't want anybody to access this, actually; I want that to be locked down. I want my Application Load Balancer to be the only single point of contact for my users. So in order to do that, first of all let me show you the URL for the Application Load Balancer. I get "the connection is not private" because I created a self-signed certificate, so I say I trust it and I proceed, and here I am. So I'm accessing through the Application Load Balancer right now. I just want to make sure I can't access the EC2 instance anymore. So what I do is I go into my security groups and find the security group that I use for my web server, right here; so this is the security group I used for my web server, and in inbound rules it's right now open to the world. I want to say that only my Application Load Balancer can access it, so I'm assigning it the meetup security group; that's the security group I created for my Application Load Balancer. I save it, and if I refresh this page, it'll start thinking, loading, and eventually it'll say the website cannot be reached. So we're done here. So this is our Application Load Balancer URL.

Now we're just going to connect our Cognito to our Application Load Balancer, and that is done through listener rules. So go back to your load balancers, and there'll be a Listeners tab right here. So here's the HTTPS listener we set up earlier, and you will see that there's a "View/edit rules" link right here, and here are our rules. Rules define how the Application Load Balancer will route traffic to the targets within one or more target groups. Every listener will have a default rule; right now it says "requests otherwise not routed, forward to meetup target group", so basically it says just let them see everything. We cannot change this default rule, at least the condition of it cannot be changed. So rules have conditions, and then the actions they take when conditions are met. You can have, I don't know how many rules you can have, many if not infinite. So I'm going to insert a rule right here. The last rule says "last"; it'll always be evaluated last. So the Application Load Balancer allows me to route my traffic based on the URL or host; it'll actually look into the header of my HTTP request and get that information from there. So given that I want to secure just a specific page, I'm going to choose a condition, "path is", so I'm saying every time I get somebody who wants to access secret.html, I want them to be authenticated. And right away the Application Load Balancer connects to Amazon Cognito, and that's actually, I mentioned that I would tell you why we chose Application Load Balancer: it's because it's the only one that provides user authentication and is seamlessly integrated with Amazon Cognito. So we choose our user pool, our client; there are some advanced settings right here like session cookie name, timeout, and the scope. We set the scope to openid, and you'd have to, I think, type the scope here; you can't even choose it, there's no drop-down. And basically, on unauthenticated request: authenticate, and keep attempting to authenticate. You will notice that I still can't save, because every rule has to have a default action, either forward to, redirect to, or return fixed response. So I just want to forward all my traffic to my target group; when the user got authenticated, forward to my target group. And the rules will be evaluated in the order that you see, and when the condition is met, these actions will be performed, also in the
order that you see. Yes it does, yes it does. OK, so our secret.html is now secure. Let's reload our index.html and go to our secret page. Ta-da! Now we have everything: "forgot your password", you know, everything that's standard for authenticated users, sign-up. And we're not stuck with this look either; we actually can go to the user pool and customize our user interface. So we can either upload an image here, which will go in this banner, but I actually want to get rid of this banner for now, so I'm going to go and customize the banner; I'm just going to give it zero pixels. Save Changes. It might take a minute to register, so if I keep refreshing, oh, there it is, it's gone. OK, so now we sign up. You will see that at sign-up we require all the attributes that we set to be required. I created a fake user number for this, so don't try calling. OK, and I set my password; it'll actually help you out as you're typing, it'll tell you that, you know, your password is too short right now. OK, so I sign up and it'll say we have sent a code by SMS to your phone number. So it'll actually go to my email, so just give it a second. Look, there it is. Confirm. Oh, by the way, this code by SMS is valid for three minutes, so I'd better get it right. OK, I got it. OK, so here is my secret page. So we verified the phone number. Now let me demonstrate the multi-factor authentication. Oh, actually, let me also show you what it looks like in the user pool right now. So if you go into Users and groups and refresh, here I am, and my status is confirmed. It has my profile here, and if I turn this on, it would remember my device as well. OK, now let me show you multi-factor authentication. So you will notice I don't have a sign-out button, so I have to open a new browser for that. OK, so if I go here again, "connection is not private", that's fine. OK, now I'm going to try to log in with the user I just created, and here's multi-factor authentication; basically every time I try to log in, it'll ask me for a code. It's loading, it's loading. Well, while it's loading, let me show you that you can actually invite people to your user pool, so you can import or create users. I'm not going to invite anybody, but basically you can supply their phone number, email and username, and it'll send them an email, or, yeah, I think it'll send them an email, and you can craft your email in the message verification section. Wow, it's still loading, what's happening? OK, you can actually, I think, yeah, you can. So if we go to, so remember how I told you if you want to require it for every user login, you'll have to make it required at user pool creation; but you can actually turn it off now or make it optional, and if you make it optional you can actually then turn it on on a user-per-user basis. So we can make it optional and then we can go ahead, and in every user we can just enable it if we want to. So I don't get the email, can't open the email. OK, well, let's try that: we disabled it, let's sign in as a different user. OK, disabled, and now I can get in. So that was demo three of three.

About pricing: so Amazon Cognito is metered; there's no minimum fee, no upfront commitment, you pay per monthly active user. Now, you are considered an MAU if you have performed an identity operation, for example sign-up, sign-in, password reset or token refresh, and you do not get billed after that, so all the subsequent sessions are free, and if you have inactive users, those are also free within that month. The first 50,000 are free. We calculated that a million users would be above forty-four hundred dollars, and it sounds like a lot, but if you have a million users you probably have $4,400. Yeah, yeah. And for Application Load Balancer pricing, well, first of all it's region-based; I was demoing everything in North Virginia, so it is two and a quarter cents per ALB-hour, and there's also this LCU measure; basically there are dimensions on which the Application Load Balancer processes your traffic: new connections per second, active connections per minute, bandwidth in megabits per second, and rule evaluations. So it's kind of hard to say, looking at this, how much everything costs. I'll tell you I've been spinning up Application Load Balancers for the last week and I barely have like a dollar there. There's a great example on the AWS Application Load Balancer pricing page; you want to read that just to determine how it all fits into your case.

Final step, the logout, right. So the Application Load Balancer creates a session cookie, that we could change the name of in the rule, and it sends it to the client, so the client can keep on coming back to our secret page; like, I can keep on reloading this and I'm logged in, and it's because I have a cookie set up. I'll show it to you: it is in Application, can you guys see it, and Cookies. This is what it is, it's right here, and in order to get rid of it we first have to set it to negative one, or just leave it blank, and then we need to hit a logout endpoint on our identity provider, which is our user pool. So set the session cookie to negative one and go to the URL that looks like this, but for your domain name you put in the domain name that you set up in your user pool, the client ID you also get from your app client, and the logout URL is the redirect URL that you want to go to after you've successfully logged out. So you cannot clear this session cookie from your front end in JavaScript; you actually have to do it server-side, and that would be how you'd log out.

Here are the resources that were used for this presentation: all the diagrams were done in Cloudcraft; I link to how you can self-sign your certificate; docs for Application Load Balancer and Amazon Cognito; "Simplify Login with Application Load Balancer Built-in Authentication", that's what inspired this meetup, that's a blog by AWS; and pricing for ALB and Cognito. That's it.

I'm not sure about that. OK, here, right here, yes. Do you have any control over, like, the actual forms
that Cognito provides to you? I'm not going to redirect you automatically, and that's going to be like an Amazon URL, but it's, yeah, your own domain here, we, yes. Oh, it's a sub-domain. Yes, we're going to get ready to, it, students, will definitely, domains like example, yeah. If you have your domain in Route 53, that's the way to do it, certainly. Yeah, we're actually getting ready to deploy this for a customer, like, very soon actually, so you know we thought about that. I think you can do something similar with CloudFront; CloudFront provides the same type of authentication header as Cognito. Alright, we have the Application Load Balancer in our particular case that we're getting ready to deploy; we're not putting, it's only a small number of users, it's like an admin console for only administrators, so we're not, it's overkill, so that's why we went with the, certainly if you were going to do a large-scale, massive, kind of millions of users, because I thought one is essentially free, because you pay for the traffic but you get a rebate essentially on the traffic from your EC2 and your Application Load Balancer, and these days they'll, right. So yeah, so putting it like CloudFront in front of an S3 bucket serves [Music]. So I think, I'm pretty sure, so CloudFront had the same type of rules that you set up, with like, you know, you can do like authentication, if, imagine just regex and similar. We'd like this because we need to manage our specific users; we're not going to let people sign up for our particular use cases, we are going to create them ahead of time, so having this ability to just create users without modifying any of our existing admin dashboard code was awesome. So speaking of admin, I guess you have to use the API to manage users. So if you want to have, like, a part of your application have, like, a user management, like, rules or something, right, you have to use the API, yeah. Can you provide, like, does it have an API for managing users that I can give to a client as opposed to, yeah, Cognito has APIs, definitely, but the question is do you want to expose that to your clients or do you want to set your application, you would probably have your application. So identity pools, which, you know, I told you that there are two sections to it: identity pools will actually be like an AWS token vending machine for you, so you can access resources, AWS resources that you access in your application, and you can let users, you can choose which users can use that, basically. Not sure, yeah. We, like, basically setting yourself up this like an OAuth provider, a third-party API call into my, oh cool, a, user, he gets me, especially for the client, important, there's one of the checkboxes is "grant client ability to the users"; if you enable this, what does, everything is passing the callback URL, like when someone signs in there was the callback URL, wanted to get, yeah, yeah, you can get, just unpack, then you see the standard fields, so whichever standard fields, once you, with JWT you have access to these claims, there's not every request that's, and yeah, that's me, Cognito does now, you, busy. You could ask, well, if somebody has that cookie, can they just decode the key and see all that stuff? Yes, but in order to basically verify that, there's actually a code that is used to actually sign it, so if you had that on your server side you could use that to, read, I'm saying you can, they, decode, to reduce, if you're low, well, does, and when I add this code to it, does it match what it's supposed to match? So in our situation we have our microservice architecture where each one of those services, they one day need to verify that what's been passed in the header actually was issued by an identity management, and Julie actually built a couple, we've learned, anything, verify that, yes, it was issued, all that system, they can
even, is like a shared secret on the shorter side, today, system, fair, apology, so that means if one of those services gets that JWT and we can get a, at, OK, this was issued by the known entity; if not, then it can actually be detrimental. But like, company that's authenticated through the load balancer, if I want to identify now in my back-end who that user is, is it just the JWT or is there something else in the header that's being passed? You need to go to decode it and you'll get the, field, like that, and first name, last name. So I think it's important to point out that, like, we made a simple example here, and for us we have an admin dashboard that we've been using for a long time that we suddenly had to add authentication to; we didn't want to change the code, so this was a great approach for us, sort of like a single sign-on, you don't have to change. You certainly can; Cognito has APIs available where you can verify or get the identity of, get, OK, we should probably get users' profile information; you can make it be like, or if it's a JWT we just directly, but like he said you have to verify that the token hasn't been tampered with by validating. Sure, we here, we love to lock down all to the security group of Application Load Balancers, who doesn't have to do that, but yeah, you can completely skip Application Load Balancer and download an SDK provided by Cognito; I think it's provided for every language. Well, right, that's if your app itself wanted to get more information about the user, first, not using Cognito, he didn't have, that's nicely why, that you see. So we built all that right for the client side, and available, especially that, the alternative that we found really was just like Active Directory or some kind of other user management thing, which is just not where we wanted to go. Oh sorry, you know, Auth0, yeah, well yeah, that was another option as well, but we just have sold this client with a huge AWS migration; we've like literally lifted and shifted the entire application. This little dashboard is just a small piece, but it's really their entrance into their reporting layer, their, you know, minor controls that they have over this giant application that we built, so we really wanted to keep it within AWS completely, and one bill, right. Cool. Can you control, yeah, you can, but your user will actually need to set that up, so for this demo it wouldn't be possible, till, Tiki. There's a new one where clients are self-authenticated; it's done usually using, you key, to control your stuff, and there's no server-side encryption, is basically. So again, the reason why we like this too is, like, you know, you all know that authentication and user management is changing all the time, but it's always a complex thing, but it's not even related to your business; it's like, it's almost like an annoying thing if you do it on this, so we love to decouple that completely from the application, so if you can do as much as possible, I feel like, you know, tools like this really. So I have a question on logging, like what happens when, an option for that, I just don't know, sorry, the use case helped us, calling that, I can't log in, I try logging into the pools, so I'm wondering how do I keep, that problem, if I can't see a log like the user's attempted logins and passwords wrong and they're getting locked out, that, I don't make it, five, done right here. So you're saying, it was, yeah, oh yeah, was in the neighborhood, but if you want to get to a series of, catch issues, there's, in the process of authentication, Cognito actually has callback hooks, so even if they succeed in logging in.

I mentioned at the start that we wanted to touch on a lot of different technologies in this presentation, and we're thinking about doing a deeper dive on some of them at the next meetup, and we wanted to get some feedback from you guys. Actually, we've got on our schedule down the road to do a deeper dive on load balancers
in general: there's Application Load Balancer, there's Network Load Balancer; there's lots of things you can do with load balancers, that alone could be a whole meetup topic. Similarly Cognito, this is only touching the surface; you know, you've probably done a lot more than what you've seen here today; we want to go and do a deeper dive on Cognito as well, we can get into a lot of these kinds of things and some of the management of all your users and what you do with it. And then the third thing that we still have on our roadmap is AppSync, which is pretty new, but we like it a lot because it's familiar with GraphQL; it's a neat, it's like an alternative way that, you know, instead of a REST API, this is more of like a data query, you can specifically ask for specific types of JSON and do filters, and it's a really neat way of syncing the data from your back-end to your front end, whether it's a mobile app or a website, and it's all kind of managed and built in. So those are the three things that we're thinking about doing next, and you know, any feedback from you guys is certainly welcome. You know, taking Cognito, yes, sorry, we did, yes, fortunately I think the problems you, doing, forget, we did that, we have, we have a video, is there a video of your work posted online? So you just go, are you, ten days, we put all of these online, you know, recording them, and we got screencasts as well, so if we have a, college that, land those, because that, we ended up using the container service a lot for some processes where we were running into the time limit of Lambdas, so we did our own Lambdas, as we call it. But in general, I mean, you know, just a quick show of hands, I mean, are most of the people here developers, administrators, what kind of role do you guys normally, still developers, Stoppelman, just happening, DevOps, right, both, all the above. So yeah, alright, well I mean, oh this is good, I mean this is a good discussion. I think, you know, those are three of the topics that we plan to kind of have in, you know, upcoming meetups. Any other suggestions? We did do the Camino ECS already, but more, check it out, but any other suggestions, you know, send it to us, be able to meet up, a judge. I think the load balancers, going more in depth in that, you're tying well with this. I think it's good that whatever you all are working on and where your strengths are, yeah, this is where you're going to be able to best, you know, transmit that knowledge out to us. True. So I mean, if we ask for something off the wall that you've never touched, yeah, you know, you're not going to waste the time to go digging into that; I'm sure if a business case works, alright, but if this, yeah, like what you said, that you can bolt this onto the front of the existing, yeah, solution that you have. But I think, yeah, personally load balancers, I think, and understanding and intrigued by using this with load balancers and pod containers, yeah, you know, not just EC2 instances, reasons that, interesting seeing whether it's doing containers within EC2 instances just with Docker or doing Kubernetes or Swarm or ECS or something like that; whatever it is, this should work, right, the same, yep. You know, Cognito attaches the same way to CloudFront and API Gateway, no, all three services are working the same way, yeah. Yeah, we've done, it's a topic on API Gateway in the past; we've done a whole serverless end to end with, you know, static HTML and JavaScript in S3, API Gateway, Lambda for authentication, so if anyone's interested in that, I think we should have that on our YouTube for technically oriented, permits, or technologies, yes, we should, we'll post it, so we'll put some links on the meetup as well, yeah, there's, putting the resources at the end of this one, let's do it, it's always, to have, presentation, cool, thanks.
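The logout step the talk describes (expire the ALB session cookie on the server side, then send the browser to the user pool's logout endpoint) and the back-end identification question from the Q&A, as an added example that is not code from the talk: the user pool domain, app client id and sign-out URL are constructed placeholders, and the cookie name assumes the ALB default, which the listener rule's advanced settings let you rename.

```python
"""Server-side logout for a page protected by ALB + Cognito authentication.

Added example, not code from the talk. The user pool domain, app client id
and sign-out URL are constructed placeholders; substitute your own.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed placeholders: the hosted-UI domain and app client from the
# user pool, and the sign-out URL registered on that app client.
USER_POOL_DOMAIN = "meetup-users.auth.us-east-1.amazoncognito.com"
APP_CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
SIGN_OUT_URL = "https://meetup-alb.example.com/index.html"
# Default ALB session cookie name; if the rule's advanced settings rename
# it, change this constant to match.
SESSION_COOKIE = "AWSELBAuthSessionCookie"


def cognito_logout_url(domain=USER_POOL_DOMAIN, client_id=APP_CLIENT_ID,
                       logout_uri=SIGN_OUT_URL):
    """Hosted-UI logout endpoint: https://<domain>/logout?client_id=..&logout_uri=.."""
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{domain}/logout?{query}"


def session_cookie_names(cookie_header, base=SESSION_COOKIE):
    """Names of the ALB session cookie shards present on the request.

    ALB stores the session as <base>-0, <base>-1, ... (it shards a cookie
    that exceeds the browser's size limit), so every shard must be expired.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return sorted(n for n in jar if n == base or n.startswith(base + "-"))


def expire_cookie_header(name):
    """Set-Cookie value that makes the browser drop the cookie immediately.

    Max-Age=-1 is the "set it to negative one" step from the talk; the epoch
    Expires date covers browsers that ignore Max-Age. Path must match the
    path ALB used, or the browser treats this as a different cookie.
    """
    return (f"{name}=; Max-Age=-1; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            "Path=/; Secure; HttpOnly")


def build_logout_response(cookie_header):
    """Return (status, headers) for a server-side /logout route.

    Front-end JavaScript cannot clear the session cookie, so the backend
    expires each shard and redirects to the identity provider's logout
    endpoint, which in turn redirects to SIGN_OUT_URL.
    """
    headers = [("Location", cognito_logout_url()),
               ("Cache-Control", "no-store")]
    for name in session_cookie_names(cookie_header):
        headers.append(("Set-Cookie", expire_cookie_header(name)))
    return "302 Found", headers


def authenticated_user(headers):
    """Subject of the signed-in user as forwarded by ALB, or None.

    ALB adds x-amzn-oidc-identity (the user's sub) and x-amzn-oidc-data
    (a JWT carrying the ID-token claims, signed by ALB). Trusting these
    headers is only sound when, as in the talk, the instance's security
    group admits traffic from the ALB alone; the x-amzn-oidc-data signature
    should still be verified before its claims drive authorization.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-amzn-oidc-identity")


def logout_app(environ, start_response):
    """Minimal WSGI handler: /logout runs the flow, anything else is 404."""
    if environ.get("PATH_INFO") == "/logout":
        status, headers = build_logout_response(environ.get("HTTP_COOKIE"))
    else:
        status, headers = "404 Not Found", [("Content-Type", "text/plain")]
    start_response(status, headers)
    return [b""]


if __name__ == "__main__":
    # Constructed request: two session cookie shards plus an unrelated cookie.
    demo_cookie = ("AWSELBAuthSessionCookie-0=abc; "
                   "AWSELBAuthSessionCookie-1=def; theme=dark")
    for name, value in build_logout_response(demo_cookie)[1]:
        print(f"{name}: {value}")
```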
Info
Channel: Thorn Technologies
Views: 20,127
Keywords: thorntech, amazon web services, aws, cloud, cloud computing, Cognito, Application Load Balancer, web application, software
Id: cAEtjMI1KcQ
Length: 59min 53sec (3593 seconds)
Published: Tue Sep 04 2018