A centralized login and SSO application to authenticate several websites and mobile apps.

KevyVo/aws-amplify-identity-broker


AWS Amplify Identity Broker: code sample

DISCLAIMER: This project is a code sample provided as an illustration of how to build an identity broker and SSO on top of Amazon Cognito. Doing this provides extra flexibility at the price of more responsibility on the customer's side (see section "Comparison with the Amazon Cognito Hosted UI" for a visual comparison of the responsibility shift). Most customers should use the Amazon Cognito hosted UI as a production-ready solution. If you decide to use this project in production, make sure you have the engineering resources to maintain it as well as the expertise to keep it secure.

This project demonstrates how to build a login application to authenticate several websites and mobile apps. It is based on AWS Amplify and Amazon Cognito. Authentication is based on standard JWT tokens and can be integrated with any application supporting OAuth2/OIDC.

Short Demo

Current features are:

  • login flows: sign-in, sign-up, forgot password, reset password ...
  • central SSO
  • is a standard OIDC Identity Provider
  • 100% UI customizable (fork the project)
  • i18n: languages in this demo: English and French
  • Social login federation: Facebook, Twitter, Amazon, Google logins
  • Corporate federation: SAML and OIDC (JWT token)
  • MFA: SMS, OTP
  • PKCE and Implicit OAuth2 flows: for secure web and mobile application login
  • deep customization of flows
  • Migration helper (transparent migration from an existing user base to this project)
  • account settings page with various customer attributes
  • SSO dashboard (listing apps)
  • consent approval

This is a simplified view of the scope of the project (what this repository is about):

[Project scope image]

Live demo

You can sign up, sign in, and try SSO from either of these two client application demos:

In a real use case, your users will only reach the broker from a client website or app, but for reference the broker demo URL itself is:

Demo Credentials

For the main app you can sign up to create your own account (we don't use emails and phone numbers for anything other than the demo).

  • AWS SSO SAML Demo User Credentials: Username: demouser Password: &7P4X^rd5fJVfd&h5h
  • OIDC Demo User Credentials: Username: demo Password: P@ssw0rd
  • Social login: use an account of your own

See the client demo code repository.

Documentation

User Documentation

  • Explains how to deploy, how to customize the broker, and how to migrate from your existing user pool system. Click here for details.

Client Developer Documentation

  • Explains how to integrate the broker in your website or mobile application. Click here for details.

Developer Documentation

  • Documentation for contributors to this project can be found here. PRs are welcome!

Comparison with the Amazon Cognito Hosted UI

This project is similar to the Amazon Cognito hosted UI in many respects. Here is the list of similarities and differences.

Similarities

  • both expose similar APIs: they are standard OIDC identity providers (with a few exceptions for the current project)
  • the feature scope is similar (but this project has more features)
  • both require very low effort to deploy
  • both are managed within the AWS account of the customer

Differences

  • The Hosted UI is managed: you don't have access to the code or deployment infrastructure. This project is a code project with a simplified deployment system into a serverless infrastructure you control.
  • This project can be customized deeply: UI, languages, specific behaviors (depending on IP address, link, ...). Again, since you have access to the code you can do whatever you want with it.
  • This project comes with some features the Hosted UI lacks: i18n, full CSS and JS customization, consent approval.
  • This project diverges a bit here and there from the standard OAuth flows (because of some current restrictions). The limitation is in the way OAuth scopes are injected into tokens and in the way some OAuth2 APIs are handled (see User Documentation). We are working on closing the gap.

Visual comparison

With the Amplify Identity Broker:

[Image: Without Hosted UI]

With the Hosted UI only:

[Image: With Hosted UI]

Architecture

The project architecture is the following:

[Project architecture image]

See the Developer Documentation for more detailed information on every component.

Contributing

Your contribution is welcome, see CONTRIBUTING for ideas of PR and for contribution guidelines.

Security

See Security Issue Notifications for more information.

License

This project is licensed under the MIT License. See the LICENSE file.
