This is the sequence diagram of the HTTP requests exchanged between your browser and
the application multiccy.
Identity and access management (IAM) is handled by the combination AWS ALB + AWS Cognito IdP + AWS Cognito hosted UI.
With this combination, your application does NOT have to:
- keep a users database;
- implement sign-in, sign-up and password-reset services, nor the emailing that goes with them;
- use a session-management database such as Redis or DynamoDB.

The only changes to apply to the application when wrapping it with AWS ALB + AWS Cognito + AWS Cognito hosted UI are:
- use the HTTP header 'X-Amzn-Oidc-Identity' (the authenticated Cognito user id), i.e. request.getHeader('X-Amzn-Oidc-Identity'), as the session user id;
- delete the AWSELBAuthSessionCookie in the handler of the logout callback URL.
Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
The step numbers of the workflow in that AWS page are referenced as (#1), (#2), ... in the diagram above.
HTTP headers (set by the ALB on the requests it forwards to the application) and cookies:
- X-Amzn-Oidc-Identity (header) = Cognito user id
- X-Amzn-Oidc-Data (header) = JWT carrying e.g. the username
- AWSELBAuthSessionCookie-xxx (cookie) = ALB session cookie
- JSESSIONID (cookie) = application session; irrelevant to the ALB/Cognito flow.