 

How to authenticate user using AWS Cognito via Java API

We are building an iOS/Android app with a Web (Angular) portal (for management purposes). The backend API will be built using Java; considering the web portal can have different types of users, I was thinking about using Spring Security.

I was thinking of using my backend services to authenticate users using AWS Cognito. I don't want to integrate the iOS/Android/Web clients directly with AWS Cognito as in future we might need to switch to other providers.

I am not sure whether this is possible or not but was thinking about something like this:

  1. Register API: iOS/Android/Web (with role) calls my backend service with email and password. The backend service registers a user with AWS Cognito. AWS Cognito will return an identifier for that user, and the same identifier I will use in my local db to create a link between the user and the roles and other tables. The backend service will return a JSON response to the client (iOS/Android and web) stating that the user is created.

  2. Login API: iOS/Android/Web (with role) calls my backend service with email and password. The backend service passes the email and password to AWS Cognito. If the user is available, AWS Cognito returns a token (with expiration time) that is passed to the client (iOS/Android/Web) through the backend service, and if it is not available it throws an exception.

  3. Get User Info API: Once the user logs in, iOS/Android/Web (with role) calls my backend service with the token (fetched from the Login API). The backend service validates the token with AWS Cognito. If the token is valid, AWS Cognito also returns the user information like the email and the identifier to identify the user in my local db.

  4. Any other API: All other backend APIs work as Get User Info, i.e. the client (iOS/Android/Web) calls the backend service with a token and the same token is used by the backend service to authenticate the user using AWS Cognito.

  5. Logout API: Once this API is called the token should be invalidated.

I have gone through a lot of documentation on AWS Cognito, but the more I read the more confused I get. It would be a great help if someone could let me know whether the above is possible through AWS Cognito or not and, if it is, how I can proceed on that.

Thanks In Advance!!

JDev asked Oct 29 '22 14:10
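As an added example (not code from the question or the answer), the four backend calls the question describes, written against the Cognito Identity Provider client of the AWS SDK for Java v2; the region, the app client id and an app client without a client secret are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.*;

/** The four backend calls from the question, against a Cognito user pool (added example). */
public class CognitoBackendAuth {
    // Assumed placeholders: an app client with no client secret and USER_PASSWORD_AUTH enabled.
    private static final String CLIENT_ID = "<your-app-client-id>";
    private final CognitoIdentityProviderClient cognito =
            CognitoIdentityProviderClient.builder().region(Region.US_EAST_1).build();

    /** Register API: creates the user; the returned "sub" is the stable id to link local roles to. */
    public String register(String email, String password) {
        SignUpResponse res = cognito.signUp(SignUpRequest.builder()
                .clientId(CLIENT_ID)
                .username(email)
                .password(password)
                .userAttributes(AttributeType.builder().name("email").value(email).build())
                .build());
        return res.userSub();
    }

    /** Login API: returns the token set; a bad password surfaces as NotAuthorizedException. */
    public AuthenticationResultType login(String email, String password) {
        InitiateAuthResponse res = cognito.initiateAuth(InitiateAuthRequest.builder()
                .clientId(CLIENT_ID)
                .authFlow(AuthFlowType.USER_PASSWORD_AUTH)
                .authParameters(Map.of("USERNAME", email, "PASSWORD", password))
                .build());
        return res.authenticationResult(); // accessToken(), idToken(), refreshToken(), expiresIn()
    }

    /** Get User Info / any other API: Cognito validates the access token and returns the attributes. */
    public Map<String, String> userInfo(String accessToken) {
        GetUserResponse res = cognito.getUser(GetUserRequest.builder().accessToken(accessToken).build());
        Map<String, String> attrs = new HashMap<>();
        for (AttributeType a : res.userAttributes()) attrs.put(a.name(), a.value()); // includes "sub"
        attrs.put("username", res.username());
        return attrs;
    }

    /** Logout API: signs the user out everywhere, so later getUser calls with this token fail. */
    public void logout(String accessToken) {
        cognito.globalSignOut(GlobalSignOutRequest.builder().accessToken(accessToken).build());
    }
}
```

A user created with signUp must be confirmed (by verification code or by an administrator) before login succeeds, and the password never needs to be stored by the backend. Validating each request through getUser, as in step 4, is what makes the logout actually bite: a locally verified JWT signature would keep accepting the access token until it expires.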


1 Answer

I think you should integrate with Cognito on the client, even though you explicitly pointed out the following:

I don't want to integrate the iOS/Android/Web directly with AWS Cognito as in future we might need to switch to other providers.

You are increasing the risk and potential threats to your customers by handling customer credentials in aggregate on the server side. This does not sound like the core business of your application. It is the core business of Cognito.

It sounds to me like integrating with Cognito on the client would solve all of your problems. I'm just not sure about getting user metadata back (like email address), but in any case, it's much less work for you to do just that part yourself than everything.

Also, even if you want to switch identity providers in the future, Cognito supports several (Google, Facebook, Amazon), or even a custom one, if you really need it.

Viccari answered Nov 12 '22 15:11