Integrate Social Login into Mobile Apps (SEC401) | AWS re:Invent 2013
DESCRIPTION
Streamline your mobile app signup experience with social login. We demonstrate how to use web identity federation to enable users to log into your app using their existing Facebook, Google, or Amazon accounts. Learn how to apply policies to these identities to secure access to AWS resources, such as personal files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.
TRANSCRIPT
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Integrate Social Login Into Mobile Apps
Bob Kinney, AWS Mobile
November 15, 2013
Agenda
• AWS Mobile
• Why are we here?
• Web identity federation
• Other options
AWS Mobile
• AWS IAM – Social Login
• Amazon S3 – File Storage
• Amazon DynamoDB – Online Data
• Amazon SNS – Mobile Push
AWS Mobile
• http://aws.amazon.com/mobile
– AWS Mobile SDKs (iOS and Android)
– Amazon SNS Mobile Push
– Geo library for Amazon DynamoDB
– S3TransferManager
…plus more added all the time
Why are we here?
ACCESS_KEY = "AK….."
SECRET_KEY = "….."
signed requests
Why are we here?
• Get credentials onto device
• Limit lifetime, enforce rotation
• Limit access to users’ resources
Web Identity Federation
What is Web Identity Federation?
Mobile Photo Share
DEMO
Mobile Photo Share – Architecture (diagram)
• Amazon S3 – S3 Transfer Manager
• AWS IAM – Web Identity Federation
• Amazon DynamoDB – Geo Library for Amazon DynamoDB
• AWS Mobile SDKs (see session MBL402)
Web Identity Auth Flow (diagram): Mobile Client, AWS STS, Amazon S3 Bucket (inside the AWS Cloud)
Getting Started with Web Identity Federation
• AWS Mobile SDKs
• Application with identity provider
• AWS IAM role for web identity federation
• SDK to authenticate with identity provider
Login with Amazon – http://login.amazon.com/
Setting Up Application Through Login with Amazon
DEMO
AWS IAM Roles
• Mechanism for delivering temporary credentials
• Has two policies
– Trust (who can assume role)
– Access (what resources the role can access)
• Three types of roles
– AWS service roles
– Cross-account access
– Web identity federation
Role for Web Identity Federation
• Trust policy
– What provider do we trust?
– What application with that provider do we trust?
• Access policy
– What resources should the user have access to?
Creating an IAM Role
DEMO
Adding Login with Amazon SDK
• Download SDK from http://login.amazon.com/
• Add files to project
• Integrate into app
– APIKey
– AWS IAM role ARN
Adding Login with Amazon SDK
DEMO
Web Identity Auth Flow (diagram, revisited): Mobile Client, AWS STS, Amazon S3 Bucket (inside the AWS Cloud)
Breaking Permissions
DEMO
Access Policy
{
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": "*"
}
{
  "Effect": "Allow",
  "Action": ["dynamodb:*"],
  "Resource": "*"
}
{
  "Effect": "Allow",
  "Action": ["sns:*"],
  "Resource": "*"
}
Access Policy Restriction
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
             "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
  "Resource": "arn:aws:s3:::BUCKET_NAME/*"
}
{
  "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
  "Resource": "arn:aws:s3:::BUCKET_NAME"
}
{
  "Effect": "Allow",
  "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
  "Resource": "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME"
}
{
  "Effect": "Allow",
  "Action": "sns:CreatePlatformEndpoint",
  "Resource": "arn:aws:sns:REGION:123456789:app/PLATFORM/APP_NAME"
}
Access Policy Restriction
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
             "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
  "Resource": "arn:aws:s3:::BUCKET_NAME/BobKinney/*"
}
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::BUCKET_NAME",
  "Condition": {"StringLike": {"s3:prefix": "BobKinney/"}}
}
{
  "Effect": "Allow",
  "Action": ["s3:ListBucketMultipartUploads"],
  "Resource": "arn:aws:s3:::BUCKET_NAME"
}
Policy Variables for Web Identity Federation
• Facebook
– graph.facebook.com:app_id
– graph.facebook.com:id
• Login with Amazon
– www.amazon.com:app_id
– www.amazon.com:user_id
• Google
– accounts.google.com:aud
– accounts.google.com:sub
Access Policy – Personal Photos
<!-- Write/Read/Delete individual items -->
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
             "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
  "Resource": "arn:aws:s3:::BUCKET_NAME/${www.amazon.com:user_id}/*"
}
<!-- List these items -->
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::BUCKET_NAME",
  "Condition": {"StringLike": {"s3:prefix": "${www.amazon.com:user_id}/"}}
}
<!-- Multipart Operations -->
{
  "Effect": "Allow",
  "Action": "s3:ListBucketMultipartUploads",
  "Resource": "arn:aws:s3:::BUCKET_NAME"
}
Access Policy – Public Photos
<!-- Read all public photos -->
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::BUCKET_NAME/public/*"
}
<!-- Write/Delete our public photos -->
{
  "Effect": "Allow",
  "Action": ["s3:PutObject", "s3:DeleteObject",
             "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
  "Resource": "arn:aws:s3:::BUCKET_NAME/public/${www.amazon.com:user_id}/*"
}
<!-- List these items -->
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::BUCKET_NAME",
  "Condition": {"StringLike": {"s3:prefix": "public/"}}
}
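As an added example (not code from the deck or from the Mobile Photo Share sample), the Python below models how IAM evaluates the over-broad "Breaking Permissions" policy and the per-user "Personal Photos" policy against the claims of a federated user: policy variables such as ${www.amazon.com:user_id} are expanded from the identity token, and the s3:prefix condition is what stops one user from listing another user's folder. The bucket name, user ids and the reduced operator set (StringLike and ForAllValues:StringEquals only) are constructed assumptions, and only Allow statements are modelled, not explicit Deny.

```python
import fnmatch
import re

# Constructed policies modelled on the deck: the over-broad "Breaking Permissions" statement
# and the per-user "Personal Photos" statements that use a policy variable.
BROAD_POLICY = [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]
PERSONAL_PHOTOS_POLICY = [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::BUCKET_NAME/${www.amazon.com:user_id}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET_NAME",
     "Condition": {"StringLike": {"s3:prefix": "${www.amazon.com:user_id}/"}}},
]

def substitute(text, claims):
    """Expand ${provider:claim} variables with the claims STS took from the identity token."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: claims.get(m.group(1), m.group(0)), text)

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_holds(condition, context, claims):
    """Only the two condition operators used in the deck's policies are modelled."""
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            # Absent key: any() fails StringLike, all() of nothing satisfies ForAllValues, as in IAM
            wanted, values = substitute(pattern, claims), as_list(context.get(key, []))
            if operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(v, wanted) for v in values)
            elif operator == "ForAllValues:StringEquals":
                ok = all(v == wanted for v in values)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, claims, context=None):
    """Default deny: an Allow must match action, resource and conditions (no Deny modelled)."""
    context = context or {}
    for stmt in policy:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])):
            continue
        if not fnmatch.fnmatchcase(resource, substitute(stmt["Resource"], claims)):
            continue
        if condition_holds(stmt.get("Condition", {}), context, claims):
            return True
    return False
```

With the broad policy any authenticated user can read another user's photos; with the per-user policy the same request is denied, and a ListBucket call without the user's own prefix is denied as well.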
Access Policy – Amazon DynamoDB
<!-- DynamoDB policy -->
{
  "Effect": "Allow",
  "Action": ["dynamodb:GetItem", "dynamodb:Query"],
  "Resource": "arn:aws:dynamodb:REGION:12345678:table/Favorites",
  "Condition": {
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": "${www.amazon.com:user_id}"
    }
  }
}
Correcting Permissions
DEMO
Web Identity Federation – Summary
• Three supported providers – Facebook, Google, and Amazon
• Uses IAM roles to provide access restrictions
• Uses IAM policy variables to allow for per-user customized access
What about other logins?
• User doesn’t have Facebook, Google, or Amazon account
• Want to support a private pool of users
(Identity) Token Vending Machine (TVM)
Identity TVM Auth Flow (diagram): Register User, Login, Private Key (Encrypted), Get Token, Token; TVM Server; AWS STS; Amazon DynamoDB, Amazon S3, Amazon SNS
Policies with Identity TVM (diagram): TVM App, App, AWS IAM User Policy, Root Credentials, AWS STS Policy
Identity TVM Code
• Server code available on GitHub
– https://github.com/awslabs/aws-tvm-identity
• Client code on GitHub
– https://github.com/awslabs/aws-sdk-ios-samples
– https://github.com/awslabs/aws-sdk-android-samples
• Provided as sample – Use and modify as necessary
What About Anonymous Access?
Anonymous TVM
Anonymous TVM Auth Flow (diagram): Register Device, Get Token, Token; TVM Server; AWS STS; Amazon DynamoDB, Amazon S3, Amazon SNS
Policies with Anonymous TVM
Anonymous == Read-Only
Anonymous Access
DEMO
Anonymous TVM Code
• Server code available on GitHub
– https://github.com/awslabs/aws-tvm-anonymous
• Client code on GitHub
– https://github.com/awslabs/aws-sdk-ios-samples
– https://github.com/awslabs/aws-sdk-android-samples
• Provided as sample – Use and modify as necessary
Conclusions
• User has a Facebook, Google, or Amazon account – web identity federation
• User has another account – identity TVM
• User has no account – anonymous TVM
Next Steps
Mobile Photo Share – https://github.com/awslabs/reinvent2013-mobile-photo-share
– iOS Application
– Backend application
• identity TVM
• anonymous TVM
• geo server
Web Identity Federation Playground
AWS Mobile SDKs
• SDKs and Samples
– http://aws.amazon.com/mobile
– https://github.com/awslabs/aws-sdk-ios-samples
– https://github.com/awslabs/aws-sdk-android-samples
• Assistance
– https://forums.aws.amazon.com/forum.jspa?forumID=88
– http://stackoverflow.com/questions/tagged/amazon-web-services
Connect
• Booth & Office Hours – Thursday 4:30 – 5:30 pm, Friday 9:00 – 10:00 am
• AWS Mobile Blog – http://mobile.awsblog.com
• @awsformobile
Additional Resources
• Web Identity Federation
– https://web-identity-federation-playground.s3.amazonaws.com/index.html
– http://aws.amazon.com/articles/4617974389850313
– http://mobile.awsblog.com/post/Tx1P67OUG61P9CB/
– http://mobile.awsblog.com/post/Tx15RSS024YGKUL/
– https://github.com/awslabs/aws-mobile-sample-wif
– http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html
• TVM
– http://aws.amazon.com/articles/4611615499399490
– http://aws.amazon.com/code/8872061742402990
– http://aws.amazon.com/code/7351543942956566