
I am trying to generate long-lived access tokens to our app for our users in a Cognito user pool (similar to the functionality of GitHub/GitLab access tokens). So far I have not found a best practice on how to achieve this. I don't want to just generate a separate IAM user for each Cognito user and then hand out the AWS_ACCESS_KEY, for multiple reasons.

The naive solution I have thought of so far is to track custom tokens (just a string) in DynamoDB and then expose a public API endpoint "authenticateToken" that basically checks if the token matches one in the database and then returns short-lived AWS session credentials through STS.

Is this a valid approach, or is there an AWS feature I didn't think of?

Julian Dm
  • We need a bit more info. This is the opposite of most advice for OAuth/JWT tokens - generally you want them to live for a very short time. And JWTs are very different from the API-type tokens you reference. So can you elaborate on what it is you're trying to do? Perhaps Cognito isn't the right way to go about it. – stdunbar Nov 19 '22 at 23:30
  • I want to imitate the functionality of access tokens in GitHub or GitLab. Both of them enable the user to generate an access token which is in most cases long-lived and can be used as a replacement for a password. Yes, it is dangerous, but that's why these tokens are usually only for developers. – Julian Dm Nov 20 '22 at 00:33
  • @JulianDm finally, how did you achieve this? – Teddy Kossoko Jul 13 '23 at 18:17
  • @TeddyKossoko the user can trigger a new token creation in the frontend, which in the backend just creates a new row in a DynamoDB table. Then in front of API Gateway for the "public" API there's a custom authorizer Lambda which checks if an entry with the same value as the token supplied with the request exists in the DB. There's a KMS key to encrypt and decrypt the values in both operations, so the API tokens are not saved directly in DynamoDB. – Julian Dm Jul 14 '23 at 19:46
  • @JulianDm thank you very much. It is very clear... except the KMS part. Once the token is generated in the backend, you use KMS to encrypt it and save the encrypted version in DynamoDB. The user has access to this encrypted token. So when the user wants to call the API, he uses this encrypted token? Why decrypt in the Lambda? Why not just save the raw token and use it? I don't really understand this part about KMS. Thank you. – Teddy Kossoko Jul 16 '23 at 23:41
  • @TeddyKossoko The encryption and decryption have nothing to do with the end-user experience; it's just an additional security step in case of a data breach. Without encryption, if anyone gets access to your DynamoDB table they would have all tokens there in plain text. With the encryption they also need access to Secrets Manager, which should only be given to admins. – Julian Dm Jul 26 '23 at 21:55
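
The token-issuing and token-checking halves of the scheme described in the question and comments, as an added example that is not code from the poster: a dict stands in for the DynamoDB table, a `check_request` function plays the Lambda authorizer in front of API Gateway, and the table stores a SHA-256 digest of each token rather than the KMS-encrypted value the comments describe (an assumed substitution: a one-way digest still keeps raw tokens out of the table but needs no decrypt step in the authorizer).

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed stand-in for the DynamoDB table: token digest -> item attributes.
TOKEN_TABLE: dict = {}


def _digest(token: str) -> str:
    # Only the SHA-256 of the token is persisted, so a dump of the table yields
    # nothing usable (assumed substitute for the KMS encrypt/decrypt step).
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_sub: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Create a long-lived token for a Cognito user; return it once, store only its digest."""
    now = time.time() if now is None else now
    token = "apt_" + secrets.token_urlsafe(32)  # 256 bits of entropy; the prefix aids secret scanning
    TOKEN_TABLE[_digest(token)] = {"sub": user_sub, "expires": now + ttl_seconds}
    return token


def revoke_token(token: str) -> bool:
    """Delete the stored digest; a revoked token fails every later check."""
    return TOKEN_TABLE.pop(_digest(token), None) is not None


def check_request(event: dict, now: Optional[float] = None) -> Optional[dict]:
    """Return an Allow policy for a valid, unexpired Bearer token, None otherwise."""
    now = time.time() if now is None else now
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    item = TOKEN_TABLE.get(_digest(token)) if scheme == "Bearer" and token else None
    if item is None or item["expires"] <= now:
        return None
    return {
        "principalId": item["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": "Allow",
             "Resource": event["methodArn"]}]},
        "context": {"sub": item["sub"]},  # forwarded to the backend integration
    }


def lambda_handler(event: dict, context=None) -> dict:
    """REQUEST-type Lambda authorizer entry point for the public API."""
    policy = check_request(event)
    if policy is None:
        raise Exception("Unauthorized")  # API Gateway maps this message to HTTP 401
    return policy
```

Expiry and revocation are the two controls a long-lived token scheme needs; both are exercised in the check above, and a short STS session returned by the backend would be scoped per `sub` from the policy context.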

0 Answers