Moped Documentation
  • Welcome đź‘‹
  • User Guides
    • Getting started
    • Map a project
  • Product Management
    • User communication
    • User management
    • User analytics
    • Local testing
    • Release process
    • Patch release process
    • MUI X Pro License
    • Integrations
      • Dataset documentation
      • ArcGIS Online
      • eCapris
      • Power BI
    • Features
  • Dev Guides
    • DB Docs & Data dictionary
    • Database backup policy
    • Moped Read Replica
    • How-to's
      • How do I start the Hasura cluster locally?
      • How do I launch the Hasura Console?
      • How do I get a JWT token?
      • How to ping the GraphQL API
      • How to ping the REST API
      • How do I connect a database with Postgres GUIs?
      • How do I connect to the RDS instance?
      • How to load production data into a local instance
      • How do I update seed data?
    • Hasura
      • Hasura Roles
      • Hasura Migrations
        • Getting Started
        • Installing the Hasura CLI
        • Configuration Files
        • Hasura Migration Principles
        • The Migration file format
        • Development
        • Hasura Seed Data
        • Running the Hasura Cluster Locally (video)
        • Create a migration: Exercise 1 (video)
        • Create a migration: Exercise 2 (video)
        • Latest hasura-cluster features
    • User Management
    • Authentication
      • Authentication Architecture
      • DynamoDB & Cognito
      • Secrets Manager & Cognito
      • Hasura & Cognito
      • React & Cognito
      • Flask API & Cognito
      • Single Sign-On with CTM
    • Code organization
    • API
      • Configuration Files
      • Testing
      • User Management API
    • Maps and geospatial data
      • Access tokens and API keys
      • Map libraries
      • Map data
      • Map styles
      • Map layers and basemaps
      • React patterns
      • V1 Archive
        • Map libraries
        • Map data
        • Map custom hooks
        • Map styles
        • Map layers and basemaps
    • UI access control
    • Design system
      • Branding
      • Component styles
      • Text content
    • Activity Log
      • Architecture
      • GitHub Actions and Deployment of Updates
      • Hasura Event Logs and Truncate Cron Job
      • Authentication
  • See also
  • Get Moped support, report a bug, or request an enhancement
  • Data & Technology Services
  • Github repository
Powered by GitBook
On this page
  • Goals
  • Architecture
  • Architecture flow
  • Deployment strategy
  • Claims Format
  • SLA
  • References and documentation

Was this helpful?

  1. Dev Guides
  2. Authentication

Authentication Architecture

PreviousAuthenticationNextDynamoDB & Cognito

Last updated 3 years ago

Was this helpful?

This is brief authentication diagram, the main goal is to provide a birds-eye view of how the authentication works and the different AWS resources used to accomplish this authentication process.

The crux of the challenge was to have a token that Hasura can parse and decrypt; thankfully, Hasura is compatible with AWS Cognito and it can use its certificates to decrypt its tokens. Hasura is also compatible with many other providers, such as Auth0, FireBase, etc.

Goals

  • Provide a centralized user pool for Moped

  • Protect the Moped Hasura endpoint and its data, and provide compatibility.

  • Protect the Moped API endpoint, and provide compatibility.

  • Allow for Single Sign-on using Outlook/Microsoft

Architecture

The stack consists of four distinct AWS resources:

  1. AWS Cognito

  2. AWS Lambda (with Python)

  3. AWS DynamoDB

  4. AWS Secrets Manager

Architecture flow

We should assume that Netlify and that the Moped editor written in React are working properly using AWS-Amplify, and that it always complies with the way the architecture works (even if it isn’t at the moment).

  1. The user goes to the website hosted on Netlify, provides credentials to the app. The AWS-Amplify library knows the name of the Cognito user pool, and attempts authentication.

  2. Cognito retrieves the credentials, checks its user pool and authenticates. It executes a lambda trigger based on the event type, in this case it executes the pre-token trigger which is in charge of generating the token which includes our claims.

  3. The trigger is a simple Lambda function written in Python which uses the Boto3 library. The only task of the script is to generate a JSON document with the claims we need for our token, and it is provided the user uuid as it is stored in Cognito and DynamoDB.

  4. The trigger will first attempt to fetch the encryption key from Secrets Manager, once it gets it it should be able to decrypt any content.

  5. The trigger will then attempt to find the user record in DynamoDB by its unique cognito user id (uuid). The DynamoDB table has two string columns: user_id and claims. The main goal is to fetch the claims string and to decrypt it. The claims string is just a JSON string that contains the permissions for Hasura.

  6. The trigger returns a decrypted JSON containing claims back to Cognito

  7. Cognito will “tokenize” the claims and encrypt using its own certificate along with a large metadata payload and it sends it back to the aws-amplify react client.

  8. The client now has a token it can use against an API or against Hasura.

Other notes:

This is not a permanent model, this architecture was designed to be changed and customized.

  • Lambda Execution

  • Limited DynamoDB access

  • Limited Secrets Manager Access

Deployment strategy

The deployment of the structure was manual (initially); however, the lambda functions for the triggers have been automated to be deployed to AWS using GitHub actions. These lambda triggers live in the repo under the moped-auth folder.

Currently PRs are not supported for the Lambda triggers, so right now we only deploy:

  • Main Branch → Staging

  • Production → Production

Claims Format

The claims should have a custom logic to determine what the default role is and what the allowed roles will be, this should be done at the API level which should in turn be controlled by the MOPED editor.

{
    "x-hasura-user-id": "96051f62-7897-4264-ad97-34be981bfcc9",
    "x-hasura-default-role": "user",
    "x-hasura-allowed-roles": ["user"],
}

This is what it looks like encrypted:

gAAAAABfa8G-jUNTAN3zer8k7C1Jt1m55o-qH4Xvjo2trpEkuFhivvsB4r90UA7_Tf6DCtGxX8LyjLa7jzvFbKDcWP0HKk3lHVJDbZr7k2lVlqSZYjPlxNczS7OkOgXrA5t_teUQelSlZgC3GnPQZcVUa0-n4l1-1jrMUa886R_jogF-hQLwuLQ=

SLA

Requests Per Second (RPS): DynamoDB does have a pre-set “limit” in the number of requests per second, initially it is 5 requests per second, which is the default. This should probably be changed to something like 20-40 RPS but it needs to be investigated.

Latency: Cognito has a 3 seconds limit to fetch the claims, if it doesn’t get it within 3 seconds, cognito will return an timeout error message back to aws-amplify and to the user.

References and documentation

Diagram owner

Team

  • @ Team member

Informed

  • @ Stakeholder

  • @ Stakeholder

Status

Last date updated

e.g.,24 Sep 2020

On this page

Name

Description

Operational Excellence

The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.

Security

The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Reliability

The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

Performance Efficiency

The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve

Cost Optimization

The ability to run systems to deliver business value at the lowest price point.

Also, in order to access all the other AWS resources, a role has been created named which includes

Hasura Cognito Documentation:

Using Amplify CLI for adding Auth to your Hasura GraphQL engine:

()

atd-moped-cognito-hook
https://hasura.io/docs/1.0/graphql/core/guides/integrations/aws-cognito.html
https://dev.to/hasurahq/using-amplify-cli-for-adding-auth-to-your-hasura-graphql-engine-23f9
AWS Well Architected Framework PDF
Data & Technology Services
Sergio Garcia
Sergio Garcia