I am building an ERP and I decided to deploy it on AWS. I already coded my frontend in REACT and my backend in python Django. They are both Dockerized and I will deploy them with on ECS Fargate and with PostgreSQL on ECR. All of this contained in a VPC.
I want to create 1 VPC per client/company with their own pool of users authenticated with either Django or cognito. I'm not sure yet.
But I am wondering if I can have a landing page with my domain name where clients would be signing in with a cognito pool, giving them access to their respective VPC in a subdomain. And then signing in as a user in that VPC on a different sub-pool. Won't I have a token conflict being on the same domain?
I think having those 2 layers of auth would avoid chances of having clients accessing the wrong database.
(example: new user created in the wrong pool)
This is my first post, although I use this forum a lot. I hope it is clear. Let me know if you need more details
thanks
Update: so it seems I'm trying to do a multi-tenant application. I made I diagram to show what I am going for. The setup for each individual VPC, I'm almost done and got a good idea how to implement it. It's the top part that can't wrap my head around.
enter image description here
I think there should be not "two layers of authentication".
You should authenticate users with Cognito only once and assign authenticated users an IAM role. This IAM role and policies linked to it are used to control user access to different AWS resources.
There are several ways to achieve this. Some of them are depending on AWS service quotas, overall application and service arhcitectures etc.
You may find this AWS document useful: https://docs.aws.amazon.com/cognito/latest/developerguide/multi-tenant-application-best-practices.html
If you are able to provide a conceptual architecture diagram with all the AWS resources you are intending to use, there will be a change that you receive more detailed answers.
Related
I'm creating the user authentication in a web application, and I want to use Identity Server for resource protection.
The sample code and documentation shows how the user logs into Identity Server after creating an account for it. That is to say, they log in with their own Identity Server account. The quickstart even provides a UI.
But I don't want users of my application to have to log in to Identity Server, an external website. I want them to only have to log in to the web application.
So how to proceed? It just doesn't seem at all clear from the documentation how you're supposed to handle this scenario, which I would have thought would be the most common.
Do I just use a pre-defined API scope and user for token validation, holding for all the website's users? That doesn't seem to be very secure given that any user of the website or anyone with the client name and secret would have a valid token. Not sure what the point is in having the security if it's that easily worked around.
Or do I interact with my Identity Server instance somehow after the user is registered in the web application, and store the new user in a database? I can't find any mention of this in the documentation . It all seems to be very muddled to be honest.
Please could anybody shed light on some of this? What is the "standard" approach here? To have the user sign in to the external Identity Server website? That seems a great way to annoy your users.
If you only have one application and you don't intend to add more applications that needs to share users, then you should look at ASP.NET Core Identity
The whole point with OpenID-Connect/IdentityServer is to delegate the managing and handling of users/passwords (authentication) to a central entity. So individual applications don't need to deal with that complexity. IdentityServer is useful when you have multiple applications or if you have more complex integration needs. It is also perfect if you need to customize it to your own needs. If you don't need the customization part you can also outsource it to someone else like Auth0 that give you an IdentityServer like experience as a service.
I have crawlers running on VMs in Azure. After work is finished the Data crawled needs to be distributed to users across the internet depending on their access level. What I need help with:
1. How to onboard users? My idea was to use Azure AD
2. How to organize pipeline from the crawlers to end users but some access rules and data filters need to be applied before using. What is the most effective way? My idea was to use Azure Functions and then Azure siglalR so my clients (desktop, mobile) can get data very fast. All that would be organized as a Logical app?
Please help. I am just starting my programming experience so sorry if my question is naive.
How to onboard users?
Azure AD would be a good choice for you. With Azure AD, it will be convenient to manage the users.
How to organize pipeline from the crawlers to end users but some access rules and data filters need to be applied before using.
Based on the description you provided, you will expose the data crawled as rest api, right? If so, you can integrate your api with Azure AD, then you can control the user access as you need. You can add app roles in your application and assign users and groups to roles, then different users will have different roles to access your api.
Reference:
How to: Add app roles in your application and receive them in the token
Integrating with Azure Active Directory
I have an existing J2EE application which provides some specific features after logging in to the application.
I have to provide SSO to just ONE of the customer who logs into our application while the rest of the customers would still use the login page and login with their credentials.
I am planning to use OpenAM Fedlet act as SP deployed as a separate application in our container.
I need some help in understanding if i need a full blown OpenAM instance deployed within us. Please provide any insights if you may have on this .
You can use the fedlet as an SP for this user. The trick is identifying this particular user and initiating SSO for this person, and going to the login screen for everyone else.
I'm building an app using which the users registered(from the IAM page) for the project can access the resources of that project. I need the authentication when the URL is hit. Is there a way to achieve this?
Is it possible to provide IAM roles specific for a user request (assuming that the user will login using his email id) to access the resources based on IAM level permissions?
In the early days of AppEngine it was pretty easy to do some basic auth/access-control, but lately they're moving it to something called IAP.
From your wording I am assuming you are trying to abstract administrative tasks of a GCP project to lesser privileged administrators.
Questions 1 and 2 can be quickly solved by defining privileges in IAM using a pre-built roles or creating a custom role if you need to be more specific. Hereby you can use GSuite, GMail, Google Group accounts and let them sign into console.cloud.google.com. They will consequently only be able to see and act upon what you've assigned to them to in IAM.
If you still want to go through with building it yourself, every product does provide an API including authentication. Best practice for your use case is to instead of assigning an individual user access to a resource, you rather create a service account and then allow the user to call that service account. For this GCP has the Service Account Actor Role described well in the official documentation and also Salmaan Rashid provides a good practical insight on medium.
Currently have an client application running on GAE that supports OpenId login to access resources on a server application (also on GAE) through OAuth. All is fine.
But, it requires that the user have an account with Google, Yahoo, or other OpenId provider. While that seems fine for personal users, how do I handle the corporate case where users want to use myname#mycompany.com as their login?
Do I build my own OpenId provider, host it, and store those names/passwords in a database?
Is there existing OpenId source that I can use, but give it my own names/passwords?
Do I skip OpenId entirely and somehow get my own custom db lookup to integrate with GAE authentication?
Something complete different?
My work is in Java, so Java solutions are preferred. And since this is more for prototyping than for production use, easier solutions are preferred :).
After doing some additional research it seems that if I want to stick with my current use of Restlet's GAEAuthenticator then I will have to rely on OpenId. There appears to be ways to rewrite the entire authentication so that it works both with Google/OpenId and a custom database (not what I want to try), and there appear to be commercial products (SadaSystems) that seem to also do it.
For now, my workaround is to ask people who want to use their own email address in our system to sign up with MyOpenId and add that email address as their persona.