Federated Identity Providers other than Google/Amazon/Facebook

I am building an app that requires authentication via a 3rd party (Strava). I’m having trouble understanding how to effectively integrate this into my serverless app. Should I be leveraging AWS Cognito at some point? Should I bypass Cognito and just manage OAuth tokens myself (seems like a headache)?

So far, I’ve been successful obtaining an OAuth token by manually kicking off the authentication process in my client-side code (redirecting users to Strava’s login UI). However, I’m not sure where to go from here.

I certainly don’t want to manage token retrieval, expiration, etc. on my own. After reading and re-reading the Cognito docs, it sounds like I can leverage User Pools to introduce my own identity provider. However, I only see options for Google/Amazon/Facebook/SAML/OpenID, and none of these seems to support my use case. I feel like I’m swimming upstream on what I see to be a fairly common use case!

Is leveraging Cognito the right choice here? Should I bypass Cognito entirely and just manage the OAuth tokens myself? What are others doing to work with 3rd party identity providers that aren’t the ones supported by AWS Cognito out of the box?

2 Likes

At this point, I’m considering creating a Lambda that handles the OAuth callback (e.g. the place Strava redirects to once the user logs in). The lambda could then request the OAuth token from the 3rd party and then make API calls on behalf of the user.

Not sure if I’m on the right track or not, but it kinda-sorta feels right…
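The callback Lambda described above, as an added example (not the poster's code): the redirect URI handler verifies the OAuth `state` before exchanging the code, does the exchange server-side so the client secret and provider tokens never reach the browser, and hands the client only an opaque session. The Strava endpoint URLs are taken from the Strava authentication docs linked in this thread; the `exchange_code` and `save_session` callables, and all ids, are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Endpoint URLs as documented by Strava; everything else here is a constructed sketch.
STRAVA_AUTHORIZE_URL = "https://www.strava.com/oauth/authorize"
STRAVA_TOKEN_URL = "https://www.strava.com/oauth/token"


def start_login(client_id, redirect_uri, scope="read"):
    """Return a fresh unguessable `state` and the URL to send the user to.
    The caller must persist `state` server-side (e.g. DynamoDB with a TTL)
    or in a signed HttpOnly cookie so the callback can verify it later."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope, "state": state}
    return state, f"{STRAVA_AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(query, expected_state, exchange_code, save_session):
    """Body of a Lambda-proxy handler for the redirect URI.
    `query` is event["queryStringParameters"]; `expected_state` is the value
    saved by start_login; `exchange_code(code)` POSTs the code with the client
    id/secret to STRAVA_TOKEN_URL and returns the parsed JSON; `save_session`
    stores the provider tokens server-side keyed by an opaque session id."""
    query = query or {}
    if "error" in query:  # user declined, or the provider reported an error
        return {"statusCode": 400, "body": "authorization denied"}
    state = query.get("state", "")
    # A missing or mismatched state means this redirect was not started by the
    # current session (login CSRF): refuse to exchange the code at all.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        return {"statusCode": 403, "body": "invalid state"}
    code = query.get("code")
    if not code:
        return {"statusCode": 400, "body": "missing code"}
    tokens = exchange_code(code)  # server-side: the secret never reaches the browser
    if "access_token" not in tokens:
        return {"statusCode": 502, "body": "token exchange failed"}
    # Keep access/refresh tokens on the server; the browser only gets a session id.
    session_id = secrets.token_urlsafe(32)
    save_session(session_id, tokens)
    return {"statusCode": 302, "body": "",
            "headers": {"Location": "/app",
                        "Set-Cookie": f"session={session_id}; "
                                      "HttpOnly; Secure; SameSite=Lax"}}
```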

Have you checked Lambda authorizers? Here is a link I found: https://aws.amazon.com/blogs/compute/introducing-custom-authorizers-in-amazon-api-gateway/

I implemented it with the Serverless framework and it’s really easy and secure. Check this blog https://serverless.com/blog/strategies-implementing-user-authentication-serverless-applications/ and let me know if you have any questions.

1 Like

Thanks for the input!

I have read those articles, and I’m still considering my options. Unless I’m missing something, custom Authorizers appear to be helpful for authorization (who can call which API endpoint), but that still leaves me to roll my own authentication.

I’m still wrapping my head around the different authentication/authorization strategies for serverless apps built on AWS, which has been far more complicated than I expected. Cognito is not trivial to understand, but integrates well with the rest of AWS. Rolling my own custom authorizers leaves me to manage the OAuth flow, manage token storage/expiration, etc. All of this seems like a heavy lift for such a common use case.

You want to 1. set up a user pool with Strava as an identity provider.

These references may help -

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html

https://developers.strava.com/docs/authentication/

Then 2. you can define a Cognito authorizer and apply it to any secured resources (such as http events) in your sls functions.

events:
  - http:
      path: private/path
      method: get
      authorizer:
        arn: arn:aws:cognito-idp:us-east-1:xxxx:userpool/yourPool
        scopes:
          - your-app/read

1 Like

Cognito with federated identities is pretty terrible. You have no choice but to use their built-in UI, which will have to run in a webview if you are building a mobile application. After spending over a week trying to get Cognito to work with the native Facebook SDK, I ended up switching to Firebase Authentication and had it implemented in half an hour. Just my two cents.

1 Like

Thanks for the advice @duongben. I’ve read that article on Cognito User Pools and Identity Federation several times, since it sounds like what I need. However, step 5 makes it sound limited to the out-of-the-box identity providers:

  1. Choose a social identity provider: Facebook, Google, Login with Amazon, or Apple.

Unless I’m missing something, I don’t see a way to configure an identity provider other than the ones supported out of the box.

In addition to social providers, Cognito integrates with OIDC or SAML-based providers.

I think you want to pursue the OIDC https://openid.net/connect/ integration:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html

The Strava docs mention OAuth (classic) a lot, which can easily confuse those who are aware of the differences between it and the OAuth2 implementation that OIDC relies on. However, I spotted this note at the beginning of the Strava API docs: “Strava uses OAuth2 for authentication to the V3 API.”, so you should be good to go.

1 Like