I’m now developing an IoT platform on AWS in a serverless architecture.
For now, I use S3 to host the Single Page Application HTML and JavaScript, and Cognito to authenticate users.
For security reasons, I want to add client-side SSL certificate authentication for all the HTTPS connections.
I’m thinking of creating a server that can do client-side SSL certificate authorization, and
host the Single Page Application files there, then build a custom Cognito proxy program so that
every HTTP(S) connection goes through that server with client-side auth.
The biggest problem of this idea is that this architecture requires a server…
CloudFront does not support client authentication with client-side SSL certificates. If an origin requests a client-side certificate, CloudFront drops the request.
I achieved this by using the client-side certificate to attach to AWS IoT. Then I made an IoT function that returned a JWT token to the client. That token has the serial number from the client certificate embedded in it. You then exchange the token for temporary credentials. I am working in C but this should all be possible from JavaScript in a browser. Check out developer authenticated identities.
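The token step from the answer above, as an added illustration (not the answerer's C code): a token service mints a short-lived HS256 JWT whose subject is the client certificate's serial number, and the consumer verifies it before exchanging it for credentials. The serial, the HMAC key and the timestamps are constructed placeholders; the Python standard library is used instead of a JWT package.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values: in the real flow the serial is read from the certificate the
# device presented to AWS IoT, and the key is held only by the token service.
SIGNING_KEY = b"constructed-example-key-keep-real-keys-in-kms"
CERT_SERIAL = "1A2B3C4D5E6F"  # placeholder certificate serial number


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(cert_serial: str, key: bytes, now: int, ttl: int = 300) -> str:
    """Issue an HS256 JWT carrying the certificate serial as 'sub', valid for ttl seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "iot-token-service", "sub": cert_serial, "iat": now, "exp": now + ttl}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the token's own 'alg' must never choose the verifier.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(c))
    except ValueError:  # malformed base64 or JSON
        return None
    # Reject expired tokens and tokens without a certificate serial to bind to.
    if not claims.get("sub") or int(claims.get("exp", 0)) <= now:
        return None
    return claims
```

A verified `sub` is what the backend would pass as the developer-provided identifier when it calls Cognito's GetOpenIdTokenForDeveloperIdentity on the client's behalf.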