# help
j
Hey all - am looking at SST for full-stack internal tooling, specifically having resources protected via ALB authentication (Figma have a good blog post about this pattern - https://www.figma.com/blog/inside-figma-securing-internal-web-apps/). However, all the examples for SST that I’ve seen are geared towards auth using Amplify/public API Gateways & CloudFront. Is my use case/this auth pattern a little far out for SST right now? Essentially we decouple authentication from applications by making applications (ECS clusters rn) only accessible via ALB, and using the ALB built-in authentication screens to log users in from a Cognito pool.
t
SST would work for this use case, APIG supports internal APIs
However it would probably look different than what's in the figma article
But also I don't think making it internal is a requirement for what you want to do. The pattern I'd generally suggest is build it as a normal APIG and you can use Cognito to specify that people need to login using your org's SSO. You can even use their out-of-the-box sign-in UI, since it looking pretty is probably less important for an internal app
I haven't personally set this up but I know it's doable
j
Interesting - will have a play around and update this thread. The help is much appreciated!
r
@Joe Qureshi I'm looking at doing something similar. How have you got on 😄
Setting up an ALB with Cognito Auth token check that allows access to API routes and S3 🪣 only if logged in
j
Hey - sorry for the delayed reply! I actually parked this (used ECS) - the thought was to use Lambda (using the Cognito authoriser integration) for the API + Lambda serving S3 bucket content + ALB directly targeting the Lambdas. This is slightly less good as the application is required to be configured correctly (not totally decoupled from security) + Lambda serving S3 content doesn’t feel great (I think there are some limitations to this)
r
One other option I was looking at was to add an authorizer via Lambda@Edge
Basically trying: 1. not to use Amplify 2. not to have authorizers on the frontend app
j
I was keen on using the hosted UI for cognito auth login as well -> as this isn’t a customer facing app we could give the users a direct link to the hosted UI (with a redirect URI in it).
So there are 2 routes for doing this: 1. ALB + Lambdas + S3 (allows for VPN only access limit too - not sure why I’d want this tbh) 2. Lambda@edge + cloudfront + API gateway + hostedUI direct link (https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-t[…]edge-and-json-web-tokens-to-enhance-web-application-security/) Or could do a mixture of ^