What do I have?
A client (React) and a backend (PHP) with a simple authentication flow: the client exchanges the id token with the back-end and keeps it in localStorage.
What do I want to do?
I want to replace the above approach with authentication against Cognito, to support Google Sign-In and sign-in against the user pool.
Important: I do not want to use Cognito Hosted UI or Amplify pre-built auth components. I already have UI for the authentication pages on my client, and I want to hook up the authentication with Cognito to that UI.
How am I doing it?
On the client, I am using the Amplify library to implement the authentication against Cognito, as it provides all the functionality I need.
In the process of signing in on the client, the Amplify library gets all the tokens from Cognito in the following form:
{
  AuthenticationResult: {
    AccessToken: "…",
    ExpiresIn: 3600,
    IdToken: "…",
    RefreshToken: "…",
    TokenType: "Bearer"
  },
  ChallengeParameters: {}
}
Apart from that, the client receives a user object from the user pool with all the attributes.
Now this is the step I have questions about: what should be done next?
I realize that the client is already logged in to Cognito. However, the client still needs to call my own backend API to access the required resources.
I came up with the following options:
- After signing in, the client could send the access token to the back-end, where the token can be verified, and, if valid, the back-end will respond with some kind of flag that indicates to the client that it can call the API now.
- After signing in, the client could send the access token to the back-end, the back-end verifies the token and issues a new token for accessing the back-end API only, which the client then stores and uses against the back-end endpoints.
I really got lost in the Amplify documentation, and I am not even sure I got everything right here. Is Amplify actually intended to be used only for serverless apps, or is my case also a valid scenario? If so, please let me know what the best practice would be here, and which approach I should take.
Thank you!
From: What is the authentication flow for SPA (React) + Amplify + Cognito + Backend? Is Amplify Cognito integration only for serverless apps?