Recently I read this article:

http://aws.amazon.com/articles/SDKs/Android/4611615499399490

Now my question is...

Can the Amazon STS (Security Token Service) be used as a Token Vending Machine to manage user sessions for the clients of a Web Server (as opposed to clients of AWS Services)?

Assume I have a Web Application. And this Web Application has Registered Users who are Authenticated with Login Credentials. Now I wish to issue a Session Token to these Users who are Authenticated.

1. User -> Web App -> User Login Page
2. User gives Credentials -> Web App -> Issues a Session Token (with expiry policy)
3. User the Session token -> Web App Resources (Non-AWS Resources proxy-ed by the Web App) 

Can I use Amazon's Simple Token Service independently for the above use case? Or is Amazon STS available only for access to Amazon Services?

The reasons I wish to use Amazon STS are:

- I don't have to worry about Session Token management
- Proven and Scalable

Please help. I am a little confused about this.

Hari Krishna Ganji

1 Answer

STS will provide temporary credentials (access key, secret key and token) for AWS Services only and should not be used for application authentication (or session management). But you could store those credentials in your session for AWS API access from your app.

Julio Faerman
  • Great. Thanks for clarifying. Can you suggest any best way or library that can do that other than doing it myself? – Hari Krishna Ganji May 08 '14 at 18:22
  • I do not know of a library, but the web identity federation playground application is a nice example: https://web-identity-federation-playground.s3.amazonaws.com/index.html – Julio Faerman May 08 '14 at 23:28
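
As an added illustration of the answer above (not code from the post, the answerer, or AWS): the web app issues its own opaque session id with its own expiry and keeps the STS temporary credentials server-side in the session record. The function names, the in-memory store and the 30-minute lifetime are assumptions; the credential keys follow the `Credentials` structure of an STS response, with `Expiration` assumed to be a timezone-aware datetime.

```python
import secrets
from datetime import datetime, timedelta, timezone

SESSION_TTL = timedelta(minutes=30)   # assumed application session lifetime
_sessions = {}                        # session id -> record (in-memory store, example only)


def _now():
    return datetime.now(timezone.utc)


def create_session(user_id, sts_credentials, now=None):
    """Issue an opaque session id after the app has authenticated the user.

    sts_credentials is the "Credentials" dict of an STS response
    (AccessKeyId, SecretAccessKey, SessionToken, Expiration). It stays
    server-side; only the random session id is sent to the browser.
    """
    now = now or _now()
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {
        "user_id": user_id,
        "expires": now + SESSION_TTL,   # app session expiry, independent of STS
        "aws": dict(sts_credentials),
    }
    return sid


def get_session(sid, now=None):
    """Return the session record, or None if the id is unknown or expired."""
    now = now or _now()
    record = _sessions.get(sid)
    if record is None:
        return None
    if now >= record["expires"]:
        _sessions.pop(sid, None)        # expired sessions are dropped, not reused
        return None
    return record


def aws_credentials_for(sid, now=None):
    """Return the stored STS credentials only while both the app session and
    the credentials are still valid; None means they must be requested again."""
    now = now or _now()
    record = get_session(sid, now)
    if record is None or now >= record["aws"]["Expiration"]:
        return None
    return record["aws"]
```

The two expiries are checked separately: the STS credentials can lapse while the user's application session is still valid, in which case the app requests fresh credentials without logging the user out.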