I deployed a React App on AWS with amplify. Now I developed an express backend which communicates with the React frontend.
Now I am wondering if there is a way to host the backend within the same project as the react app on AWS using amplify. So hosting the whole Fullstack App with amplify.
I have read a lot about hosting backend with amplify. But from the documentation it looks like that I can only use the backend-services provided by aws using Amplify CLI and not my own express backend.
Does anyone have experience with hosting their own express backend using Amplify?
As I do not have much experience with cloud-hosting at all, I would be very thankful for some help :)
Best regards from Germany
Jan
Usually, on Amplify you use AppSync for the backend.
This way you have your full-stack on Amplify
With the API you can easily add the basic operations of an API, and customize the more specific ones using lambdas.
But if you still need to host your own, you can add a lambda function for your backend, check this article about running ExpressJS on a lambda.
If you add it via Amplify-CLI (amplify function add) you can see it on the Amplify Console, including logs and other details about it.
I'll go through both scenarios in more detail below:
Custom operations with AppSync
In case you decide to use DynamoDB/AppSync with GraphQL interface you can define your custom operations on the GraphQL Schema.
i.e:
Create a lambda function MyCustomOperation
Define the operation, input and the return you want from your operation (you can use Javascript)
On your GraphQL schema use the #function directive to associate the function to the query desired
type Query {
myCustomQuery(input: String): String #function(name: "MyCustomOperation-${env}")
}
See more details here
Express Backend
In case you need your full backend
To add it to your Amplify project you can create a lambda function
amplify function add and select the template Serverless express function (Integration with Amazon API Gateway), the documentation has more details.
It will give your API endpoint, which you provide on the next step.
You can now manually set it on the configuration as informed here
Amplify.configure({
// OPTIONAL - if your API requires authentication
Auth: {
// REQUIRED - Amazon Cognito Identity Pool ID
identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
// REQUIRED - Amazon Cognito Region
region: 'XX-XXXX-X',
// OPTIONAL - Amazon Cognito User Pool ID
userPoolId: 'XX-XXXX-X_abcd1234',
// OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',
},
API: {
endpoints: [
{
name: "MyAPIGatewayAPI",
endpoint: "https://1234567890-abcdefgh.amazonaws.com"
},
{
name: "MyCustomCloudFrontApi",
endpoint: "https://api.my-custom-cloudfront-domain.com",
}
]
}
});
Then you just need to adjust the lambda function with the code you already have for the backend.
Related
I have a separate structure for backend using GoLang Gin and frontend ReactJS and would like to integrate the Azure AD Oauth2 login.
However, it's ok to authenticate GoLang App or React App, but how to pass the auth info to the backend when I authenticate in frontend using msal-react?
In my current backend API, I use JWT like this to protect APIs:
v1.Use(jwtauth.JWTAuth())
or should I authenticate the backend and pass the info to frontend? but I cannot get it to redirect(Azure login) since they are in different port...
Thanks!
The typical pattern is:
Front-end (React app in your case) uses msal (or other compatible library) to redirect the user to login
Front-end acquires access token for back-end using a scope defined in API app registration (or same app registration)
Front-end attaches access token to back-end requests
Back-end validates access token (signature using public keys from Azure AD, expiry time, audience, issuer, scopes etc.)
In .NET we configure an "authority" for JWT authentication, e.g. "https://login.microsoftonline.com/", and the authentication handler then downloads metadata + public keys from "https://login.microsoftonline.com//.well-known/openid-configuration".
It might be possible to configure something like this for your library as well.
Scopes you typically have to check yourself.
I want to integrate third party authentication with AWS Cognito in my webapp.
I have a React JS app with a django backend.
I found this tutorial but I dont really get how this will work with an existing frontend application rather than how to implement it.
if a user logs into the frontend and is authenticated via cognito (other question: is a backend in Amplify necessary?), can the token be passed to the django API - does cognito then need to be called again in django? this step is not yet completely clear to me.
Any help is appreciated. Are there no examples for react + DRF?
The tutorial that you read shows the correct way to implement it on the backend. In your react frontend, you will use Amplify to get the token. When you are making an API call from your React API, pass the token to your API via the HTTP header Authorization with the value Bearer <access_token>.
I have some trouble understanding the MSAL authentication and authorization. I have a single page app developed in React. I have setup the MSAL Azure SSO authentication by registering the web app on the Azure AD. Now, I have a Web API (in .Net Core) which is running on a separate app service. How do I integrate the authentication from my React app to the Web API?
Few questions coming to mind:
Do I have to register the Web API app as well similar to my React app?
Do I have to pass the auth token from my React App to the Web API?
Do I have to setup the authentication only on the Web API side (using MSAL.Net) and the React App will connect to it?
Please share your thoughts. Let me know if I can explain any better.
If you are the author of both react app and web API, you can register just one app and use ClientId for both.
Yes. If your react app is standalone app (not a part of Asp.net app) you can use msal.js to login with AzureAD and then use openId token to login to your web API. Also you can use access token to access services secured by Azure (e.g. Microsoft Graph) directly from React.
If your React app is a part of Asp.net app, you can setup Auth on server. If it's standalone app you need to use approach from 2.
If your React app is standalone app and if you are going to access "downstream" API (like Microsoft Graph) from Web API, you need to implement On-Behalf-Of mechanism on your Web API. In two words:
- user login with React app and access Web API with openId token;
- Web API acquires new access token based on token sent from client
- Web API access Microsoft Graph with this new access token.
You can find Server side example here.
Client side example from another answer works in this case, but you need to send row openId to Web API instead on access token.
P.S. You can use access token instead of idToken to access your WebAPI as well, but in this case you need to define separate scope for your WebAPI in Azure as well. After that you can use this scope to access your WebAPI and separate set of scopes to access MS Graph.
Here is a complete video tutorial and source code on how to use MSAL with React to call Microsoft Graph.
The only different in your case will be that instead of calling Microsoft Graph, you will call your own API.
Bottomline is - there is no direct integration package yet for react. Which can also be read from the official statement on the msal-js repo:
After our current libraries are up to standards, we will begin
balancing new feature requests, with new platforms such as react and
node.js.
See Here. It allows you to call Graph API from client side.
I would like to understand how to configure MSAL and related artifacts to facilitate the following configuration.
Frontend Angular 7+ website/app published to Azure Storage account and served as a static website.
Backend Azure Functions API project for performing CRUD operations on a Cosmos-DB database
Both the Angular website frontend and the Azure Functions API backend should be restricted to individuals within our Azure Active Directory.
I attempted to learn how to configure MSAL for my intended use-case by studying this demonstration project: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/README.md. Unfortunately, that project refers to an API backend site that is no longer operational. And the backend bits are not included in the repository.
The demonstration project msal-microsoft-authentication-library-for-js\lib\msal-angular\samples\MSALAngularDemoApp doesn't work as published. Log-in attempts fail. Once encounters Uncaught (in promise): AADSTS650052: The app needs access to a service (\"api://a88bb933-319c-41b5-9f04-eff36d985612\") that your organization \"<MY-ORG>\" has not subscribed to or enabled.
With my current configuration, in the browser I'm encountering request cancellation when MSAL attempts to make a requests of the following form:
https://login.microsoftonline.com/67ba7efb-e8.....52-1f993843c3a0/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fte.....nfuncs.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=61601ca6-104.....524550f6ec&scope=openid+profile+email&response_mode=form_post&nonce=62877cb9e.....245f7f613_2019.....72304&state=redir%3D%252Fapi%252Fpeople%253Fcode%253DqJH4Bs%252F.....ameK%252FPh5S5Th%252FXttS.....D%253D%2526name-starts-with%253Dji
So I'm clearly doing at least one thing wrong. Following is a summary of my configuration. However, rather than attempting to debug my configuration, it might prove easier (more efficient) to describe all steps required to establish a working configuration.
Azure Function App
Platform features
Authentication / Authorization
App Service Authentication: On
Action to take when request is not authenticated
Log in with Azure Active Directory
Authentication Providers
Azure Active Directory Configured (Express: Existing App)
Advanced Settings Token Store
ALLOWED EXTERNAL REDIRECT URLS
Link to static website of storage container where Angular site is deployed
E.g., https://<storagecontainer>.z5.web.core.windows.net/
CORS
ALLOWED ORIGINS
https://<storagecontainer>.z5.web.core.windows.net/
http://localhost:4200
Function Signatures
`public static async Task<IActionResult> Function1([HttpTrigger(AuthorizationLevel.Function, "get", "post", "options", Route = null)] HttpRequest httpRequest, ILogger log) {`
I have a Next.js application that calls AWS functions. I want to add a login functionality to it though using a JWT token. I don't know how to do this. I want to publish the app as a static website so I don't want to have an express server.
I have looked at a whole lot of the solutions which all using a server to handle the JWT stuff. I would like to handle all of the authentication in an AWS Lambda function and then send through a JWT token to the Next.js app. Is this possible?
I would suggest you to have a look at AWS Cognito. Cognito User Pool is user directory with signin, signup, lost password, email verification and MFA flows and API. You can also federate identities from other Identity providers, such as Amazon, Google, Facebook, SAML or any OpenID compatible providers.
To make it easier to provision Cognito and use it in your client-side React App, have a look at the Amplify command line tool and SDK.
Adding Cognito to your project is as easy as : amplify add auth && amplify push
Amplify comes with a builtin user interface to implement the signin and signup flows, but of course you can choose to build your own.
The authentication part of Amplify documentation is available at https://aws-amplify.github.io/docs/js/authentication