I'm writing a serverless app with AWS (Lambda, API Gateway, Cognito, etc.) and I find myself wondering how to best secure my stack.
I've read that for applications using a server, EC2 or otherwise, best practice is to keep users' ID tokens stored on the backend. This makes sense, since a Node process would provide me a long-term solution for hanging onto and reusing ID tokens. A serverless app, on the other hand, does not provide this luxury. I've considered just keeping it on the front end, since after all, JWT tokens provided by Cognito are signed and should therefore be tamper-proof, but this seems a bit unsettling from my end. I'd much prefer a system where users have no direct access to their own tokens. I've also thought about just requesting a new token for every request sent to Lambda, but this too seems like a far from perfect solution.
Is there some kind of accepted best practice surrounding serverless authentication and authorization? Am I on the right track just storing my tokens client side while the user has the app open?
I don't see an issue storing your tokens client side. The user can copy-paste the token from the request headers anytime. The token is not a secret. It can't be tampered with because it's digitally signed.
For example, the block below contains the headers of a request.
The JWT is stored in the Authorization header
and can be decoded at https://jwt.io/, but it cannot be modified:
Host: aa.aa.aa
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer token234567890-eddedede
X-Requested-With: XMLHttpRequest
Connection: keep-alive
In addition, it's best practice to expire your tokens and renew them at certain intervals.