Spring Security with AWS IAM or Cognito

tjholmes66 :

I have written several Spring 4 back-end web-applications that serve RESTful APIs. I have even managed to secure these with Spring Web Security.

In one case, we have our own instance of OpenAM installed. A user who goes to the client UI can login against OpenAM and the client web-app gets a token back in a cookie. We pass that token to the backend within a header, and then Spring Security uses a CustomUserDetailsService to check that token against OpenAM to see if it is valid. If so, we create a User in the Spring Security Context, assign roles, and then we see if those roles are valid against the API. If so, the API executes, if not, the user gets a 401 Security Error. I believe this is OAuth2.

We also managed to do exactly the same thing with Okta. We have our own client web UI with our own login page. The UI makes a call to Okta and gets back two (2) tokens. We concatenate those tokens and pass it to the back-end which does the same process we described above. I also think this is OAuth2.

I am working on a new project now, and this time I'd like to secure my web-application with AWS IAM since the front-end and back-end will be hosted on an AWS EC2 instance.

I have been scouring the web to find out exactly how to do this. There is an AWS IAM SDK, and there is AWS Cognito. My initial look into IAM didn't quite show an OAuth2, I saw OpenID and SAML. I know I have a lack of knowledge on OpenID vs. OAuth2 vs. SAML.

So, I am looking for any links to any code-bases, or sample code, or documentation which will help me secure my back-end APIs with Spring Security using AWS IAM and/or Cognito. And BTW, I don't want to use the Spring API Gateway as Spring Web Security is already doing that for me.

Thanks in advance for any help!

tjholmes66 :

Ok, I did some of my own research on this and from the AWS site I got this:

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

But, I am not looking for this. I have a web-application, and I might have a mobile side to it as well. I just do not want to have to write user management, or handle my own login sessions and authorization, etc. So, I think in this case:

Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the options to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users' devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.

With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and sync across devices.

So, AWS Cognito it is ...
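Added example, not code from the original posts or from AWS or Spring: a Spring Security 5.x resource-server configuration that performs the flow described in the first post (token taken from a request header, validated against the identity provider, roles assigned, roles checked against the API) against the Cognito user pool chosen in the second post. The bearer token in the Authorization header is verified as an RS256 JWT against the pool's published JWKS, the issuer, expiry and token_use claims are validated, and each entry of the cognito:groups claim becomes a ROLE_ authority that the URL rules check. It assumes Spring Boot 2.x with spring-boot-starter-oauth2-resource-server on the classpath; the package name, AWS region, user pool id, the /api paths and the "Admins" group are placeholders.

```java
package com.example.security; // hypothetical package name

import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
public class CognitoResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholder values (assumptions): substitute your user pool's region and id.
    private static final String REGION = "us-east-1";
    private static final String USER_POOL_ID = "us-east-1_EXAMPLE";
    // Cognito user pools publish their signing keys under the issuer URL.
    private static final String ISSUER =
        "https://cognito-idp." + REGION + ".amazonaws.com/" + USER_POOL_ID;
    private static final String JWKS_URI = ISSUER + "/.well-known/jwks.json";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // bearer-token API: no cookie session for CSRF to ride on
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // "Admins" is a placeholder Cognito group; hasRole adds the ROLE_ prefix
                .antMatchers("/api/admin/**").hasRole("Admins")
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll()
            .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(cognitoJwtDecoder())
                    .jwtAuthenticationConverter(cognitoGroupsConverter());
    }

    @Bean
    public JwtDecoder cognitoJwtDecoder() {
        // Fetches and caches the JWKS; signature is checked locally (RS256 by default),
        // so there is no round trip to Cognito per request.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        // Default validators cover exp/nbf (with clock skew) and iss. Cognito issues both an
        // ID token and an access token from the same key set; require token_use == "access"
        // so an ID token cannot be replayed against the API.
        OAuth2TokenValidator<Jwt> tokenUse =
            new JwtClaimValidator<String>("token_use", "access"::equals);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), tokenUse));
        return decoder;
    }

    private JwtAuthenticationConverter cognitoGroupsConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(this::groupsToAuthorities);
        return converter;
    }

    // Map each Cognito group to a Spring role; users in no group get no authorities.
    private Collection<GrantedAuthority> groupsToAuthorities(Jwt jwt) {
        List<String> groups = jwt.getClaimAsStringList("cognito:groups");
        if (groups == null) {
            return List.of();
        }
        return groups.stream()
            .map(group -> new SimpleGrantedAuthority("ROLE_" + group))
            .collect(Collectors.toList());
    }
}
```

Call the API with the access token the front-end received from Cognito, e.g. `curl -H "Authorization: Bearer <access token>" http://localhost:8080/api/...`. A missing, expired, mis-signed or wrong-issuer token is rejected by the resource-server entry point with a 401 and a `WWW-Authenticate: Bearer` header; a valid token whose user is not in the required group gets a 403 from the access-denied handler. No custom UserDetailsService is needed because the token is self-contained and verified by signature.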
