Tags: authentication, single-sign-on, amazon-cognito, mobile-application

How mobile app and web server communicate if AWS Cognito is added in between


My mobile app currently performs SSO using the following steps:

  1. User will select one of the IDPs from the list on the mobile app and click Login
  2. Mobile app will instantiate an in-app browser control and navigate to the SSO URL
  3. If not already authenticated, the IDP challenges the user for authentication
  4. User will be presented with the login form to enter his/her credentials.
  5. Once the user is authenticated successfully by the IDP, the SAML assertion will be passed to the web server
  6. Web server trusts the IDP, accepts the SAML token and generates a session token
  7. Mobile browser component accepts the session token and shares it with the native mobile app
  8. Mobile app calls web server APIs with this session token

Now, due to security reasons, a session token is not advisable to be stored on the mobile device, whereas OIDC or JWT tokens can be stored.

As my web application does not support generating OIDC tokens, I thought of adding one more layer, AWS Cognito, in between my mobile device and the IDP. Now the authentication flow will be like this (SAML user pool IdP authentication flow):

  1. The mobile app starts the sign-in process by directing the user to the UI hosted by AWS.
  2. User is redirected to the identity provider.
  3. The IdP authenticates the user if necessary. If the IdP recognizes that the user has an active session, the IdP skips the authentication to provide a single sign-on (SSO) experience.
  4. The IdP POSTs the SAML assertion to the Amazon Cognito service.
  5. After verifying the SAML assertion and collecting the user attributes (claims) from the assertion, Amazon Cognito returns OIDC tokens to the mobile app for the now signed-in user.

Now my question is: once I have the OIDC token, how will the mobile app call my web server for any API calls? Is it through Cognito? A direct call to my web server will not work, as it does not understand the OIDC token returned by Cognito? How can I achieve this communication from the mobile app to my web server?

UPDATE: I was able to validate the JWT token issued by Cognito from my web server. If anyone else is looking to do the same, they can refer to this cognitojwt library (not written by me, I just found it on the internet).


Solution

  • The OIDC tokens returned by Cognito are the ID token and the access token; both are JWTs. You can pass these to your custom backend directly (most commonly in the Authorization header).

    On the backend you should decode and verify the token using your user pool's public key (JWK). The JWKs are available at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json. If the token is valid and not expired, you can trust it and use it for your custom backend authorization logic.

    The whole process of verifying tokens is described here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html, and there are a number of open source libraries which will help you do that.
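The backend-side check the answer describes, as an added example that is not part of the answer, the cognitojwt library, or AWS's own code. It performs, in order, the steps from the AWS guide linked above: pick the key named by the token's `kid` out of the JWKS, verify the RS256 signature, then check `exp`, `iss` (the `https://cognito-idp.{region}.amazonaws.com/{userPoolId}` URL), `token_use`, and the audience (`aud` for an ID token, `client_id` for an access token). `REGION`, `USER_POOL_ID`, `APP_CLIENT_ID` and the key pair are constructed placeholders, not values from any real user pool; the JWKS document is built locally in the same shape as `jwks.json` so the script runs offline, and the RSA arithmetic is written out in plain Python only to avoid a third-party dependency. All function names are this example's own.

```python
"""Added example: verify a Cognito-style RS256 JWT against a JWKS document.
The key pair, JWKS and tokens are constructed here; nothing comes from a real pool."""
import base64
import hashlib
import json
import secrets
import time

# Constructed placeholders: substitute your own region, pool and app client id.
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLEPOOL"
APP_CLIENT_ID = "exampleappclientid"
# Cognito sets the iss claim to exactly this URL for the issuing pool.
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# DER DigestInfo prefix for SHA-256, as used by RSASSA-PKCS1-v1_5 (RS256).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; only used to build the constructed demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c


def make_demo_key(bits: int = 1024) -> dict:
    """Constructed RSA key pair (n, e, d) standing in for the pool's signing key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EM = 0x00 0x01 <0xFF padding> 0x00 DigestInfo||SHA256(msg), k bytes long."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")


def _rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """Recover EM with the public exponent and compare it with the expected encoding."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(msg, k)


def jwks_from_key(key: dict, kid: str) -> dict:
    """Same shape as .well-known/jwks.json, built from the demo key."""
    b64int = lambda v: _b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": b64int(key["n"]), "e": b64int(key["e"])}]}


def issue_demo_token(key: dict, kid: str, claims: dict) -> str:
    """Mint a token the way the pool would: base64url(header).base64url(payload) signed with RS256."""
    signing_input = (_b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + _b64url_encode(_rs256_sign(signing_input.encode(), key))


def verify_cognito_jwt(token: str, jwks: dict, issuer: str, client_id: str, now=None) -> dict:
    """Return the verified claims or raise ValueError (checks follow the AWS guide)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(_b64url_decode(key["n"]), "big")
    e = int.from_bytes(_b64url_decode(key["e"]), "big")
    if not _rs256_verify(f"{h_b64}.{p_b64}".encode(), _b64url_decode(s_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))  # payload is only trusted after the signature check
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    use = claims.get("token_use")
    if use not in ("id", "access"):
        raise ValueError("unexpected token_use")
    if (claims.get("aud") if use == "id" else claims.get("client_id")) != client_id:
        raise ValueError("token not issued for this app client")
    return claims


if __name__ == "__main__":
    key = make_demo_key()
    jwks = jwks_from_key(key, "demo-kid")
    now = int(time.time())
    token = issue_demo_token(key, "demo-kid", {"sub": "user-123", "token_use": "access",
                             "client_id": APP_CLIENT_ID, "iss": ISSUER, "iat": now, "exp": now + 3600})
    print("verified claims:", verify_cognito_jwt(token, jwks, ISSUER, APP_CLIENT_ID))
```

In a real backend the JWKS comes from the `jwks.json` URL in the answer (fetched once and cached, re-fetched when an unknown `kid` appears), and the signature step is delegated to a maintained JWT library such as the cognitojwt one the asker found; the sequence of claim checks stays the same. Reading the payload before the signature is verified, or letting the token's `alg` header choose the algorithm, are the two mistakes this ordering is meant to rule out.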