Streamline your mobile app signup experience with social login. We demonstrate how to use web identity federation to enable users to log into your app using their existing Facebook, Google, or Amazon accounts. Learn how to apply policies to these identities to secure access to AWS resources, such as personal files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.
4. AWS Mobile
• http://aws.amazon.com/mobile
– AWS Mobile SDKs (iOS and Android)
– Amazon SNS Mobile Push
– Geo library for Amazon DynamoDB
– S3TransferManager
…plus more added all the time
5. Why are we here?
• Every call to AWS is a signed request, and signing needs an access key and secret key
ACCESS_KEY = "AK….."
SECRET_KEY = "….."
• A long-term key pair compiled into a mobile app can be extracted from the binary by anyone who installs the app
10. Mobile Photo Share – Architecture (session MBL402; diagram, components only)
• AWS Mobile SDKs, S3 Transfer Manager
• Geo Library for Amazon DynamoDB
• AWS IAM, Web Identity Federation
• Amazon S3, Amazon DynamoDB
11. Web Identity Auth Flow (diagram): Mobile Client, AWS STS and an Amazon S3 Bucket inside the AWS Cloud
12. Getting Started with Web Identity Federation
• AWS Mobile SDKs
• Application with identity provider
• AWS IAM role for web identity federation
• SDK to authenticate with identity provider
16. AWS IAM Roles
• Mechanism for delivering temporary credentials
• Has two policies
– Trust (who can assume role)
– Access (what resources the role can access)
• Three types of roles
– AWS service roles
– Cross-account access
– Web identity federation
17. Role for Web Identity Federation
• Trust policy
– What provider do we trust?
– What application with that provider do we trust?
• Access policy
– What resources should the user have access to?
20. Adding Login with Amazon SDK
• Download SDK from http://login.amazon.com/
• Add files to project
• Integrate into app
– APIKey
– AWS IAM role ARN
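The client side of the flow once the provider's SDK has handed back a token, as an added example (not code from the talk or the AWS Mobile SDK samples). It assumes a boto3 environment for the real call, that the app already has the provider token (for Login with Amazon, the access token) and the provider's user id, and uses a placeholder role ARN, token and user id. The STS call takes no AWS credentials at all, which is what allows the app to ship without an access key and secret key compiled in; the `needs_refresh` check handles the fact that the returned credentials expire.

```python
"""Client side of the web identity auth flow: hand the identity provider's
token to AWS STS, get temporary credentials back, use them against Amazon S3.

Added example for this page, not code from the talk or the AWS Mobile SDK
samples. Role ARN, token and user id are constructed placeholders.
"""
import datetime
import re

# STS needs ProviderId for the OAuth 2.0 providers. Google issues OpenID
# Connect ID tokens and STS reads the issuer from the token, so it is omitted.
PROVIDER_ID = {"amazon": "www.amazon.com", "facebook": "graph.facebook.com", "google": None}

_NOT_ALLOWED = re.compile(r"[^\w+=,.@-]")


def session_name(user_id):
    """RoleSessionName must be 2..64 characters from [\\w+=,.@-]. Deriving it
    from the provider's user id makes CloudTrail show who assumed the role."""
    name = _NOT_ALLOWED.sub("_", user_id)[:64]
    return name if len(name) >= 2 else "user"


def get_temp_credentials(sts, role_arn, provider, token, user_id, duration=3600):
    """Call AssumeRoleWithWebIdentity.

    The request is not signed with AWS credentials; the provider's token is
    the only secret presented. `sts` is any object exposing boto3's STS
    client method, so a real client or a test double can be passed in.
    """
    kwargs = dict(RoleArn=role_arn, RoleSessionName=session_name(user_id),
                  WebIdentityToken=token, DurationSeconds=duration)
    if PROVIDER_ID[provider]:
        kwargs["ProviderId"] = PROVIDER_ID[provider]
    resp = sts.assume_role_with_web_identity(**kwargs)
    # STS reports the subject it bound the session to; the role's access policy
    # keys per-user access off that value, so check it is the user who logged in.
    subject = resp.get("SubjectFromWebIdentityToken")
    if subject is not None and subject != user_id:
        raise ValueError("STS bound the session to %r, expected %r" % (subject, user_id))
    return resp["Credentials"]


def needs_refresh(creds, now, skew_seconds=300):
    """Temporary credentials expire after DurationSeconds. Refresh them a
    little before Expiration so an upload in progress does not fail.
    Accepts datetimes (what boto3 returns) or ISO 8601 strings."""
    def as_dt(value):
        if isinstance(value, datetime.datetime):
            return value
        return datetime.datetime.fromisoformat(value)
    return (as_dt(creds["Expiration"]) - as_dt(now)).total_seconds() <= skew_seconds


def s3_client_from(creds):
    """Build an S3 client from the temporary credentials, session token included."""
    import boto3  # imported here so the module loads without boto3 installed
    return boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    import boto3
    creds = get_temp_credentials(
        boto3.client("sts"),                                        # no AWS keys configured; call is unsigned
        "arn:aws:iam::123456789012:role/PhotoShareLoginWithAmazon",  # placeholder role ARN
        "amazon",
        "Atza|TOKEN_FROM_LOGIN_WITH_AMAZON_SDK",                    # placeholder token
        "amzn1.account.EXAMPLE")                                     # placeholder user id
    s3_client_from(creds).put_object(Bucket="photo-share-bucket",
                                     Key="amzn1.account.EXAMPLE/photo.jpg", Body=b"...")
```

On iOS and Android the SDK's credentials provider does the same exchange; the parameters (role ARN, provider id, token, session name) are what the app needs to integrate alongside the provider's API key.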
33. Web Identity Federation – Summary
• Three supported providers
– Facebook, Google, and Amazon
• Uses IAM roles to provide access restrictions
• Uses IAM policy variables to allow for per-user customized access
34. What about other logins?
• User doesn’t have a Facebook, Google, or Amazon account
• Want to support a private pool of users
Answer: (Identity) Token Vending Machine (TVM)
35. Identity TVM Auth Flow (diagram; labels only)
• Components: TVM Server, Amazon DynamoDB, AWS STS, Amazon S3, Amazon SNS
• Steps: Register User, Login, Private Key (Encrypted), Get Token, Token
36. Policies with Identity TVM (diagram; labels only)
• Root Credentials, AWS IAM User Policy, AWS STS Policy
• App, TVM
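The server side of an identity TVM as an added example, not the aws-tvm-identity code from GitHub. It assumes the TVM runs with the long-term keys of a dedicated IAM user (never the account's root credentials) whose own policy allows `sts:GetFederationToken` and the S3 actions it hands out; it mints per-user credentials with GetFederationToken and a session policy, so the credentials get the intersection of the IAM user policy and the STS policy shown on the slide. The bucket, usernames and the fake STS response used in testing are constructed placeholders. Because the username is interpolated into a policy document where `*` and `?` are wildcards, it is validated before it reaches the policy: a user registered as `*` would otherwise be granted the whole bucket.

```python
"""Server side of an identity TVM: mint temporary, per-user credentials.

Added example for this page, not the aws-tvm-identity server code. Assumes the
TVM process runs as a dedicated IAM user (not root); bucket and usernames are
constructed placeholders.
"""
import json
import re

# The username goes into an IAM policy, where '*' and '?' are wildcards and
# '/' separates the per-user prefix, so restrict it to a safe character set.
# The same set satisfies the STS Name constraint (2..32 chars, [\w+=,.@-]).
_USERNAME = re.compile(r"^[A-Za-z0-9_.@-]{2,32}$")


def valid_username(name):
    return bool(_USERNAME.match(name))


def scoped_policy(bucket, username):
    """Session policy passed to GetFederationToken. The returned credentials
    get the intersection of this policy and the TVM's IAM user policy, so
    they can never exceed what the TVM itself holds."""
    if not valid_username(username):
        raise ValueError("refusing to build a policy for username %r" % username)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::%s" % bucket,
             "Condition": {"StringLike": {"s3:prefix": "%s/*" % username}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::%s/%s/*" % (bucket, username)},
        ],
    }


def vend_credentials(sts, bucket, username, duration=3600):
    """Return temporary credentials for one registered user.

    `sts` is any object exposing boto3's get_federation_token(), so a real
    client or a test double can be passed in. Name is recorded by CloudTrail
    as the federated user, which is why the validated username is used.
    """
    policy = scoped_policy(bucket, username)
    resp = sts.get_federation_token(Name=username, Policy=json.dumps(policy),
                                    DurationSeconds=duration)
    creds = resp["Credentials"]
    # Only the four values the client needs leave the TVM; the TVM's own
    # long-term keys are never part of the response.
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}


if __name__ == "__main__":
    import boto3  # the TVM's IAM user keys come from the normal boto3 credential chain
    print(vend_credentials(boto3.client("sts"), "photo-share-bucket", "alice"))
```

The anonymous TVM differs in what it authenticates (a device registration rather than a user login), and the page does not show its policy; the same username validation applies to anything interpolated into the session policy there.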
37. Identity TVM Code
• Server code available on GitHub
– https://github.com/awslabs/aws-tvm-identity
• Client code on GitHub
– https://github.com/awslabs/aws-sdk-ios-samples
– https://github.com/awslabs/aws-sdk-android-samples
• Provided as sample
– Use and modify as necessary
42. Anonymous TVM Code
• Server code available on GitHub
– https://github.com/awslabs/aws-tvm-anonymous
• Client code on GitHub
– https://github.com/awslabs/aws-sdk-ios-samples
– https://github.com/awslabs/aws-sdk-android-samples
• Provided as sample
– Use and modify as necessary
43. Conclusions
• User has a Facebook, Google, or Amazon account: web identity federation
• User has another account: identity TVM
• User has no account: anonymous TVM
44. Next Steps
Mobile Photo Share
https://github.com/awslabs/reinvent2013-mobile-photo-share
– iOS Application
– Backend application
• identity TVM
• anonymous TVM
• geo server