425463 (2)
#1
Hi there,

First of all, congratulations on the book. As a full-stack developer (Python / Django and PHP / WordPress / Drupal), the microservice approach sounds like a modular, light way to create scalable backends easily.

The book is clear and with lots of examples. Maybe sometimes I have the feeling that you repeat some warnings or tips.

Right now I'm a little stuck on how to continue after I receive the identifier after the login, and also on how secure it is. I mean, probably I can just add it on each POST request and be good to go, but I'd like to know, from the security perspective, what the best approach is.

Keep up the good work!
425463 (2)
#2
I think the way to go would be adding the token in the header of the API Gateway request and then, when processing the request, checking if it's valid or not. I'll try that.

http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Danilo Poccia (11)
#3
Hi, thank you so much for your feedback!

I am sorry, I have been slow to reply. I was finishing the book: it will be available soon!

After you receive the temporary credentials from Amazon Cognito, you can call all AWS services (including Lambda functions, and Amazon API Gateway methods) allowed in the IAM role (that can be for authenticated, or unauthenticated, users).

Amazon API Gateway supports additional kinds of authentication:
- API Keys, that you can use for example with developers using your API
- custom authorisers, that you can use to support for example OAuth / JWT:

http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html