Integrate AWS Cognito to MEAN Stack - passport.js

I have a starter-level MEAN app with Angular v4. There is no authentication mechanism built in yet, no Passport, nothing. I want to use AWS Cognito for authentication (sign in/up). Do I need Passport for this purpose, or is Cognito enough by itself? I am not sure about the steps to take for integrating Cognito into MEAN. Do I need to start by integrating Passport into MEAN and then Cognito, or only Cognito? I couldn't find an example for this scenario.

Take a look at passport-cognito; it integrates Cognito with Passport via Passport strategies.
Now you only need to integrate passportjs with your MEAN stack. There is no sample that illustrates passport-cognito with passportjs, though.

Yes, you will have to add Passport for authenticating users from a third-party authentication provider.
After user login, Passport returns the access token, which should be given to AWS Cognito; Cognito then verifies the access token by contacting the third-party authentication provider.
In this way AWS Cognito and Passport work together to get authentication done using a third-party authentication provider.

Related

If I'm not using 3rd-party logins/services, will OAuth2 make my backend API more secure than basic user/password auth?

I am currently looking to create a private web app with separate front-end and back-end on AWS using Node.js, without signup or 3rd-party logins, so generated usernames and passwords. I have looked over a few posts; it seems OAuth2 only provides more security when I am allowing 3rd-party logins or services, because it is an authorization framework. So I have a few questions:
In my case, I don't think authenticating an OAuth2 token is any more secure than authenticating a hashed password. So I don't need OAuth2, am I correct?
Other than SSL in transit and then using a session token after user login, what other ways can I make the backend API more secure?
Please provide links or examples (best with Node.js).
Thanks,

How do you use AWS Cognito with a custom NodeJS server?

I am building an app using Angular and NodeJS.
I've heard about AWS Cognito and would like to use it in my app. However, it is very unclear in the documentation how it is supposed to work.
There is an example on how to use Cognito with an Angular SPA, but there is no word on how I can use it to authenticate users on my backend NodeJS server.
How is NodeJS supposed to know if a user is logged in? I can think of several possible answers, but none appear in the documentation and there is surprisingly no code sample. So I decided to ask here before investing a lot of time in trial and error.
You can use AWS Cognito Userpools in your backend NodeJS server to authenticate users. The steps are as follows.
Create a Cognito Userpool and set up an App Client.
Create a Cognito Userpool (optionally Cognito Federated Identities if you want your users to directly allow controlled access to AWS services).
Configure Cognito Hosted UI (built-in Signin page and optionally Signup page).
For User Signin, redirect the User to this Domain URL for Signin.
Set up an App Client with redirect URLs to your App for the OAuth2 flow.
After user Signin, you will receive an id_token (e.g. in the implicit grant flow) in the URL, which you can forward to your NodeJS server where you can validate it using NodeJS middleware.
You can decide whether to store the id_token in a cookie or in browser storage and implement the storage and validation accordingly for subsequent requests.
Note: Since the id_token is a standard JavaScript Web Token (JWT), you can find a library to validate it. Refer to the AWS documentation "Using Tokens with User Pools" for more details.

What's the difference between passport and oauth?

I'm trying to build an authentication service with express.js, but I haven't caught the idea of authentication modules yet.
What's the difference between passport and oauth middleware? Are they dependent on each other? Is it useless to have the BearerStrategy without an OAuth server to generate tokens for the BearerStrategy to validate? Am I on the right track?
I've read about OAuth2 and its authentication flow, but I'm still lost with this uncoupled code.
I'm trying to build the Resource Owner Password authentication with refresh token for my AngularJS frontend communicating with the backend API, and I'm facing many combinations of passport.js strategies (Basic, Bearer, ClientPassword) with oauth2orize on the other side.
So, I'd like a very simple explanation of how authentication works on NodeJS. I do know that Express is not inventing a new way of how authentication works, but the modules are so unobtrusive that I need to understand the basics of how it works to get them working together.
Passport is authentication middleware.
OAuth is authorization middleware.
To understand the difference:
Authentication is the process of ascertaining that somebody really is who he claims to be.
Authorization refers to rules that determine who is allowed to do what. E.g. Bob may be authorized to create and delete databases, while Bobbette is only authorized to read.
In other words: Authentication is your username + password. Authorization is what you're allowed to do.
Passport will allow you to authenticate the user before allowing access to your API. It does not (directly; it's possible) allow you to check if a user is allowed to perform an action after authentication.
Check this Wikipedia article for more on Authentication vs Authorization.
What OAuth does that Passport doesn't is that it allows users to grant a service access to their personal information. It also allows users to allow or disallow certain privileges (scopes in OAuth).
Do note that there are a lot of OAuth flavors. The most common is the version with authorization grant types seen when authorizing with Facebook or Google. But there are many others including the Resource Owner Password strategy you mentioned.

Token authentication on Socket.io with Passport

I've built a Node.js API that uses Passport for authentication.
Once a user is authenticated he can access the web services with the BearerStrategy.
Now, I'd like to create a chat and allow access to authenticated users only. I found only one solution dealing with tokens: jsonwebtoken, and I'd like to know if there is a way to use Passport to do that. Especially because I already implemented the Passport Bearer strategy.
Thanks

PassportJS / NodeJS secure REST API with Google Auth

I have an application that uses passport with passport-google-oauth to allow Google Authentication with RESTful API endpoints.
I'm looking to create other applications (for example, a Chrome extension) that need to communicate with these API endpoints. How do I secure a REST API with Google authentication in passport? I read a lot of things on securing a REST API in general (i.e. if I had my own login), but how would I do it if my application relies on a third-party login? (i.e. Google, Facebook, Twitter, etc.)
Thanks
Passport.js ONLY handles authentication -- it doesn't handle authorization at all.
What you'll want to do, if you want to authenticate a user to your webapp, is use something like Google OAuth to let a user create an account on your webapp.
You'll then need to use a separate Passport.js strategy for handling developer authentication against your API service.
For instance, if you want a developer to authenticate against your API using Basic Auth, you could use this Passport strategy to allow this: https://github.com/jaredhanson/passport-http
Hopefully that makes sense!
