[AWS] Adding Authentication to Amazon API Gateway with Amazon Cognito

2023. 5. 8. 18:13 · AWS

Amazon Cognito?

Amazon Cognito user pools

What a user pool provides

  • Sign-up and sign-in services.
  • A built-in, customizable web UI to sign in users.
  • Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, as well as sign-in with SAML identity providers from your user pool.
  • User directory management and user profiles.
  • Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
  • Customized workflows and user migration through AWS Lambda triggers.

Using Cognito tokens

Source: AWS documentation (link below)

When a user signs in successfully, Cognito creates a session and returns an ID token, an access token and a refresh token to the authenticated user. The tokens can be used for authentication against API Gateway or against server-side resources you run yourself. With a Cognito identity pool, the tokens can also be exchanged for temporary AWS credentials to access AWS services other than API Gateway.

Token types

  • ID token: used to grant permission to call an API based on the identity claims of the signed-in user.
  • Access token: used to grant permission to call an API based on the custom scopes of the specified access-protected resources.
  • Refresh token: used to obtain new ID/access tokens. The default expiry of the refresh token is 30 days; it can be set to anything between 60 minutes and 10 years.

Characteristics

  • Tokens issued by Cognito are claim-based tokens. Access and ID tokens both contain a claim named cognito:groups.
    • token: authenticates the user and grants access to resources.
    • claim: user-related information carried in the token, expressed as name/value pairs describing the subject.
  • Cognito issues tokens as Base64-encoded strings. A Cognito ID or access token can be decoded from Base64 into plaintext JSON.
  • The refresh token is encrypted and cannot be read by a Cognito administrator or by the user.


🌎 As-Is Architecture

(Figure) As-Is Architecture

An API server runs on EC2 and users reach the application through an API Gateway placed in front of it; the API Gateway is configured as a REST API. If the API Gateway is not a REST API, authentication with Cognito is not available.


☄️ To-Be Architecture

(Figure) To-Be Architecture

  • Authentication: verifying the identity of the client calling the API
  • Authorization: checking whether the client has permission to call the API

In this post we add only "authentication" with a Cognito user pool, without granting permissions (authorization).

Let's create a Cognito user pool and configure things so that users registered in that user pool can call the API through API Gateway.


1. Create a Cognito user pool

[Authentication provider]

  • Provider type: Cognito user pool
  • Cognito user pool sign-in options
    • Choose the attributes a user can sign in with
    • This option cannot be changed after the user pool is created

[Security requirements]

  • Password policy: the password policy for the pool
  • Multi-factor authentication: whether MFA is used during sign-in
  • User account recovery: how a user recovers the account after forgetting the password

[Sign-up experience]

  • Self-service sign-up: whether users can register themselves
  • Attribute verification and user account confirmation: how users are confirmed (attribute verification / confirmation by a user pool administrator). Only verified attributes can be used for sign-in, account recovery and MFA.
  • Required attributes: attributes required when a new user is created; these are standard attributes taken from the OIDC standard.

[Configure message delivery]

  • Email/SMS: choose how email/SMS messages are delivered to users

[Integrate your app]

(Reference) AWS Docs: Setting up the hosted UI with the Amazon Cognito console

  • User pool name: cannot be changed after the user pool is created
  • Hosted authentication pages
    • The Cognito Hosted UI provides an OAuth 2.0-compatible authorization server.
    • When the Hosted UI is configured, sign-up and sign-in web pages like the ones below are provided. These pages can be customized.
    • Domain: the domain for the Hosted UI and the OAuth 2.0 endpoints. To use the Hosted UI you must choose the domain on which the authentication endpoints are created.

Hosted UI default sign-in page
Hosted UI default sign-up page

  • Initial app client
    • A single app platform of the user pool with permission to call unauthenticated API operations (sign-up, sign-in, password reset, etc.). A user pool can have several app clients.
    • Under Advanced app client settings you can choose the authentication flow, OAuth 2.0 grant types, OIDC scopes and so on, based on the earlier choices.
    • In this post, Implicit grant is added to the OAuth 2.0 grant types so that the tokens are returned directly. Implicit grant is useful when there is no backend that can exchange an authorization code for tokens, and for debugging tokens.

Amazon Cognito console > Create user pool > Advanced app client settings


2. Integrate the API Gateway REST API with the Amazon Cognito user pool

2-1. Create an authorizer

AWS API Gateway console > REST API > Authorizers

In the API Gateway console, create an authorizer that uses the Cognito user pool created in step 1.

2-2. Apply the authorizer to a method

On the method that requires authentication, go to Method Request > Settings > Authorization and apply the authorizer created in 2-1.


3. Test

3-0. Call the API without an authentication token

I called the API with Postman. Calling it without an authentication token returned 401 Unauthorized.

3-1. Obtain an access token

Complete the sign-up process through the Hosted UI. After passing the user verification that was configured (email verification in the screenshot above) and registering successfully, the user appears in the user list of the Amazon Cognito console as shown above.

Because this post has no backend that can exchange an authorization code for tokens, implicit grant was added to the OAuth grant types when the Hosted UI was configured.

https://<your_domain>/login?response_type=token&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>

After signing in on the Hosted UI page via the URL above, Cognito returns the user pool tokens through the browser address bar, as shown below.

<https://www.example.com/#id_token=123456789tokens123456789&expires_in=3600&token_type=Bearer>

If the tokens are not returned as expected, check the following two items:

  1. Whether sign-in was performed with response_type=token included in the Hosted UI login URL.
  2. Whether implicit grant is enabled.

3-2. Call the API with the authentication token in the request header

Use Authorization as the header key and the ID token returned in 3-1 as the value. The API now returns 200, as shown below.
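The check that steps 3-0 to 3-2 exercise, together with the token properties listed under Characteristics above (a signed, claim-based JWT whose payload is plain Base64url JSON), as an added Go example written for this post; it is not code from the post or from AWS. It uses only the standard library. A locally generated RSA key stands in for the user pool's signing key (a real verifier fetches the public key from the pool's JWKS endpoint, which the post does not cover), the issuer and app client id are placeholders in the same style as the post's URLs, and the function names (SignRS256, VerifyIDToken, TokenFromFragment, Authorize) are the example's own. It mints an ID token, pulls it out of an implicit-grant redirect of the shape shown in 3-1, and reproduces the authorizer's decision: 401 with no token, 200 with a valid ID token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the subset of Cognito user-pool token claims checked here (names as in the post).
type Claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud,omitempty"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // every JWT segment is unpadded base64url

// NewExampleKey stands in for the user pool's signing key (real verifiers load the public key from the pool's JWKS).
func NewExampleKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG does
	return key
}

// SignRS256 builds a JWT carrying c, signed with RS256 as Cognito tokens are.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken runs the checks AWS documents for a user-pool ID token: signature first, then issuer
// (the user pool), audience (app client id), token_use and exp; the plaintext payload is trusted only after that.
func VerifyIDToken(pub *rsa.PublicKey, token, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != clientID || c.TokenUse != "id" || now.Unix() >= c.Exp {
		return nil, errors.New("claims rejected: issuer, audience, token_use or exp")
	}
	return &c, nil
}

// TokenFromFragment reads id_token from the implicit-grant redirect, whose fragment after '#' carries the tokens (as in the post's sample); "" if absent.
func TokenFromFragment(redirect string) string {
	u, err := url.Parse(redirect)
	if err != nil {
		return ""
	}
	v, _ := url.ParseQuery(u.Fragment)
	return v.Get("id_token")
}

// Authorize is the decision the post's test exercises: the HTTP status for an Authorization header value (bare token or "Bearer <token>").
func Authorize(pub *rsa.PublicKey, issuer, clientID, authHeader string, now time.Time) int {
	if _, err := VerifyIDToken(pub, strings.TrimPrefix(authHeader, "Bearer "), issuer, clientID, now); err != nil {
		return 401
	}
	return 200
}

func main() {
	key := NewExampleKey()
	issuer := "https://cognito-idp.<region>.amazonaws.com/<your_user_pool_id>" // placeholder in the post's style
	clientID := "<your_app_client_id>"                                        // placeholder in the post's style
	tok, _ := SignRS256(key, Claims{Iss: issuer, Aud: clientID, TokenUse: "id", Exp: time.Now().Add(time.Hour).Unix()})
	got := TokenFromFragment("https://www.example.com/#id_token=" + tok + "&expires_in=3600&token_type=Bearer")
	fmt.Println("without token:", Authorize(&key.PublicKey, issuer, clientID, "", time.Now()))  // 401
	fmt.Println("with ID token:", Authorize(&key.PublicKey, issuer, clientID, got, time.Now())) // 200
}
```

Run it with `go run`. The order inside VerifyIDToken is the point: the payload is decoded only after the RSA signature holds, and a token whose token_use is "access", whose aud is another app client, whose iss is another pool, or whose exp has passed is rejected even though its signature is valid. The Authorization header is accepted bare, as the post sends it, or with a "Bearer " prefix.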


A first quick pass at a Cognito user pool with API Gateway: success~!



🔗 Reference links

  1. AWS Docs: What is Amazon Cognito?
  2. AWS Docs: Using tokens with user pools
  3. AWS Docs: Control access to a REST API using Amazon Cognito user pools as authorizer
  4. Tech blog: OpenID (OIDC) concepts and how it works
  5. AWS Docs: Using the Amazon Cognito hosted UI for sign-up and sign-in
  6. Tech blog: Understanding the API gateway for implementing an MSA architecture (API GATEWAY)