I am currently working on a web application that has the following setup:
- Backend written with Serverless, using API Gateway and Lambda functions that access DynamoDB
- Frontend with Angular2 hosted on an S3 bucket, consuming the REST web service exposed by API Gateway
- AWS Cognito for user management (and Cognito authorizer)
Now I was wondering if I really have to use the AWS Cognito Identity JS SDK for login/register/etc. on the client side. I think providing additional endpoints via the REST API with API Gateway to allow login, register, etc. would result in a more consistent API without the need to include the Cognito SDK in every application. My frontend would then just send user data (username and password) to a public HTTPS endpoint /login within my API Gateway, and the Lambda function forwards the user data to Cognito. On positive authorization I can return a JWT token generated by Cognito from my Lambda function that can be used for any further authorized requests (added to the authorization headers on the client side).
Does this approach lead to any security concerns compared to client-side Cognito authentication directly in the frontend? So far, I have not found anything related to using a Lambda function to get a JWT token from Cognito.
Thanks in advance for your opinions
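The /login Lambda described in the question, written out as an added example (not the poster's code): it forwards username and password to Cognito's InitiateAuth call with the USER_PASSWORD_AUTH flow, computes the SECRET_HASH that Cognito requires when the app client has a client secret, and returns a single generic 401 for both a wrong password and an unknown user. The environment variable names and the injectable `client` parameter are assumptions for this example; the event shape is API Gateway's Lambda proxy format.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical env var names (assumption); they would be set in serverless.yml.
CLIENT_ID = os.environ.get("COGNITO_CLIENT_ID", "app-client-id")
CLIENT_SECRET = os.environ.get("COGNITO_CLIENT_SECRET", "")  # "" if the app client has no secret


def secret_hash(username, client_id, client_secret):
    """Cognito SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Only needed when the user-pool app client was created with a client secret."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _reply(status, body):
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def login(event, context=None, client=None):
    """API Gateway (Lambda proxy) handler for POST /login. `client` is a boto3
    cognito-idp client; injectable so the handler can run without AWS access."""
    if client is None:
        import boto3  # lazy import: module still loads where boto3 is absent
        client = boto3.client("cognito-idp")
    try:
        body = json.loads(event.get("body") or "{}")
        username, password = str(body["username"]), str(body["password"])
    except (ValueError, KeyError, TypeError):
        return _reply(400, {"error": "username and password required"})
    params = {"USERNAME": username, "PASSWORD": password}  # never log this dict
    if CLIENT_SECRET:
        params["SECRET_HASH"] = secret_hash(username, CLIENT_ID, CLIENT_SECRET)
    try:
        result = client.initiate_auth(AuthFlow="USER_PASSWORD_AUTH",
                                      AuthParameters=params, ClientId=CLIENT_ID)
    except (client.exceptions.NotAuthorizedException, client.exceptions.UserNotFoundException):
        # One generic answer for bad password and unknown user: no account enumeration.
        return _reply(401, {"error": "invalid credentials"})
    auth = result.get("AuthenticationResult")
    if auth is None:  # Cognito returned a challenge (e.g. NEW_PASSWORD_REQUIRED); not handled here
        return _reply(403, {"error": "challenge required", "challenge": result.get("ChallengeName")})
    # Pass Cognito's own JWTs through unchanged; the Cognito authorizer validates them later.
    return _reply(200, {"id_token": auth["IdToken"], "access_token": auth["AccessToken"],
                        "refresh_token": auth["RefreshToken"], "expires_in": auth["ExpiresIn"]})
```

The USER_PASSWORD_AUTH flow must be enabled on the app client, and the Lambda role needs no extra IAM permission for InitiateAuth because it is an unauthenticated Cognito API call.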