[00:00:00] So we know we can integrate Cognito with the API gateway to authenticate users, but we can actually do the very same thing with an application load balancer. So your ALB can securely authenticate users, and this allows you to remove the work away from your application and have this responsibility put on your load balancer, so that your applications can only focus on their business logic. So you can authenticate in multiple ways for your application load balancer. The first one is to use an identity provider that is OpenID Connect, so OIDC-compliant. The second option is to use Cognito user pools, and this is for social identity providers such as Amazon login, Facebook login, or Google login, or if you have corporate identities that are compatible with SAML, LDAP, or Microsoft AD. So the first option is to integrate directly without Cognito user pools, and the second option is to use Cognito user pools, and I will show you them both in this lecture.
[00:01:03] Now to make it work, you must set up an HTTPS listener, S for secure, and then you can set either the authenticate-oidc or the authenticate-cognito rules. So when you go and you configure your load balancer, you will see something like this, where, as you can see for this listener detail on HTTPS, the first default action is to authenticate and then to forward to your backend. Now in case your user is unauthenticated, what do we do? We have three options. The first one is to naturally say please authenticate. That's the default one. But you can also just deny the request altogether or allow the request altogether, and allow would be very helpful, for example, for your login page, because people would access your login page without first being authenticated. So how does that work? Well, let's say we have an application load balancer connected to Amazon ECS and we want to implement a login through Amazon Cognito, in which case the users will do GET /api/data. Then the ALB is going to be set up with HTTPS with the action authenticate-cognito.
[00:02:13] So Cognito will do its thing and authenticate the user, and then the payload and the request are passed on to Amazon ECS with the added information of the user that was doing the request from Cognito. And this is very helpful because now you have more information to deal with in your application, for example, with Amazon ECS, and you can return a specific response that is based on what the user information is. So to set it up, it's very easy. You go to the ALB UI and then you would first create a Cognito user pool, a client, and a domain. You make sure that the ID token, the JWT token, is returned, but this is the default in Cognito user pools. Then you connect your Cognito user pool to your social or your corporate IdP if that's what you want, and then you set up several URL redirections, and then you go ahead and you set up more callback URLs which are very specific to Cognito user pools, so I don't wanna linger on this. And then you just link that Cognito user pool into your ALB with the specific app clients and you're good to go. So it's quite easy.
[00:03:23] In case you're using OIDC authentication, there is a little bit more work because it's not using the Cognito integration. You can just integrate with any OIDC-compliant identity provider. So let's take the same example. There will be an HTTP request. Then the ALB is going to redirect the user for authentication to the authentication endpoint of your identity provider, which is going to grant an authorization code. The authorization code is going to be passed to the ALB, which is going to send it to the token endpoint. So the grant code is going to be switched and exchanged for an ID token and an access token. And then your ALB will again do a request to the user info endpoint of your identity provider to exchange that access token for user claims. And user claims are basically saying, hey, this is the user ID, these are the user attributes, and so on. And then once the user claims are obtained, then the request is going to be sent to Amazon ECS with the original request and the user claims. We get the response and the response gets passed to the user.
[00:04:31] So similar functioning as Cognito, but a few more requests happening between your ALB and your identity provider. So a few more, as you can see, settings to configure as well. So we have what is the authorization endpoint, the token endpoint, the user info endpoint. We need to set up a client ID and a client secret, and then we need to allow proper redirection, again just like before, so that your ALB and your OpenID Connect endpoints can function together. But you've seen now the two ways to authenticate users with your ALB. So I hope you liked it and I will see you in the next lecture.
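The OIDC exchange described in the lecture (redirect to the authorization endpoint, authorization code back to the ALB, code swapped at the token endpoint for an ID token and an access token, access token swapped at the user info endpoint for user claims), written out as a runnable simulation. This is an added example and not code from the lecture or from AWS: the identity provider is an in-memory stand-in with the three endpoints, the `AlbOidcAction` class plays the load balancer's authenticate-oidc action, and the issuer, client ID, client secret and redirect URI are constructed values. The ID token is represented as a plain dict of claims rather than a signed JWT. The simulation also shows two checks the ALB side relies on: the `state` parameter ties the callback to a login the load balancer actually started, and an authorization code is accepted by the token endpoint only once.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration for the simulation (hypothetical values).
ISSUER = "https://idp.example.com"
CLIENT_ID = "alb-app-client"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://app.example.com/oauth2/idpresponse"  # hypothetical callback


class StubIdentityProvider:
    """In-memory OIDC provider with the three endpoints the lecture names."""

    def __init__(self):
        self._codes = {}    # one-time authorization code -> (username, redirect_uri)
        self._access = {}   # access token -> username
        self.users = {"alice": {"sub": "u-1001", "email": "alice@example.com"}}

    def authorize(self, query, logged_in_user):
        """Authorization endpoint: after login, issue a one-time code to the redirect URI."""
        if query["client_id"] != CLIENT_ID or query["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unknown client or redirect_uri")
        if query["response_type"] != "code":
            raise ValueError("only the authorization-code flow is supported")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (logged_in_user, query["redirect_uri"])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form):
        """Token endpoint: client secret required; the code is consumed on first use."""
        if not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET):
            raise PermissionError("bad client credentials")
        entry = self._codes.pop(form.get("code"), None)   # pop: a code works once
        if entry is None or entry[1] != form.get("redirect_uri"):
            raise PermissionError("invalid, mismatched or already used code")
        user = entry[0]
        access_token = secrets.token_urlsafe(24)
        self._access[access_token] = user
        # A real ID token is a signed JWT; a dict stands in for its claims here.
        id_token = {"iss": ISSUER, "sub": self.users[user]["sub"],
                    "aud": CLIENT_ID, "exp": int(time.time()) + 300}
        return {"id_token": id_token, "access_token": access_token}

    def userinfo(self, access_token):
        """User info endpoint: access token -> user claims."""
        user = self._access.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return dict(self.users[user])


class AlbOidcAction:
    """Client side of the flow, i.e. what an authenticate-oidc action does."""

    def __init__(self, idp):
        self.idp = idp
        self._pending_states = set()

    def redirect_for_login(self):
        """Step 1: unauthenticated request -> redirect to the authorization endpoint."""
        state = secrets.token_urlsafe(16)   # binds the later callback to this login
        self._pending_states.add(state)
        return {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
                "redirect_uri": REDIRECT_URI, "state": state}

    def handle_callback(self, callback_url):
        """Steps 2-4: check state, swap code for tokens, fetch claims from user info."""
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if params.get("state") not in self._pending_states:
            raise PermissionError("state mismatch: callback not tied to a pending login")
        self._pending_states.discard(params["state"])
        tokens = self.idp.token({"grant_type": "authorization_code",
                                 "code": params.get("code"), "redirect_uri": REDIRECT_URI,
                                 "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
        idt = tokens["id_token"]
        if idt["iss"] != ISSUER or idt["aud"] != CLIENT_ID or idt["exp"] <= time.time():
            raise PermissionError("ID token failed issuer/audience/expiry checks")
        # These claims are what the ALB forwards to the target with the original request.
        return self.idp.userinfo(tokens["access_token"])


def run_flow():
    """Drive one login and report the claims plus the outcome of two replay attempts."""
    idp = StubIdentityProvider()
    alb = AlbOidcAction(idp)
    callback_url = idp.authorize(alb.redirect_for_login(), logged_in_user="alice")
    claims = alb.handle_callback(callback_url)
    try:   # the same authorization code presented to the token endpoint a second time
        idp.token({"code": parse_qs(urlparse(callback_url).query)["code"][0],
                   "redirect_uri": REDIRECT_URI, "client_secret": CLIENT_SECRET})
        code_reused = True
    except PermissionError:
        code_reused = False
    try:   # a callback carrying a state value the ALB never issued
        alb.handle_callback(REDIRECT_URI + "?code=x&state=forged")
        forged_state_accepted = True
    except PermissionError:
        forged_state_accepted = False
    return {"claims": claims, "code_reused": code_reused,
            "forged_state_accepted": forged_state_accepted}
```

Calling `run_flow()` returns the claims for the constructed user and `False` for both replay attempts. On a real ALB the client secret, the state handling and the token checks are all done by the listener action, which is the work the lecture says you take away from the application; the backend only sees the forwarded request and the resulting user claims.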