425463 (2)
#1
Hi there,

First of all, congratulations on the book. As a full stack developer (Python / Django and PHP / WordPress / Drupal), the microservice approach sounds like a modular, light way to create scalable backends easily.

The book is clear and with lots of examples. Maybe sometimes I have the feeling that you repeat some warnings or tips.

Right now I'm a little stuck on how to continue after I receive the identifier after the login, and also how secure it is. I mean, probably I can just add it on each post request and be good to go, but I'd like to know, from a security perspective, what the best approach is.

Keep up the good work!
425463 (2)
#2
I think the way to go would be adding the token in the header of the API Gateway and then, when processing the request, checking if it's valid or not. I'll try that.

http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Danilo Poccia (11)
#3
Hi, thank you so much for your feedback!

I am sorry, I have been slow to reply. I was finishing the book: it will be available soon!

After you receive the temporary credentials from Amazon Cognito, you can call all AWS services (including Lambda functions, and Amazon API Gateway methods) allowed in the IAM role (that can be for authenticated, or unauthenticated, users).

The Amazon API Gateway supports additional kinds of authentication:
- API Keys, that you can use for example with developers using your API
- custom authorisers, that you can use to support for example OAuth / JWT:

http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html