DEV Community

starpebble
starpebble

Posted on

Authenticating APIs with Cognito

The world is changing fast. It feels like the whole world is shifting towards standards like GraphQL. API Gateway isn't the only way to host an API. I have a feeling that AppSync is rising as a possible serverless API host. Is there a future proof way of authenticating today?

Authentication Methods

Let's quickly list the possible authentication types.

  1. JSON Web Token (JWT)
  2. OAuth 2.0
  3. OpenID (OIDC)
  4. API Gateway API Key
  5. AWS Lambda Authorizer
  6. Identity and Access Management (IAM)
  7. Cognito User Pool

This list answers a question like "How does a particular API authenticate a user?"

Serverless API Types

Let's also list the types of serverless APIs. The popular pattern of API Gateway REST + Lambda isn't the only way anymore. There's a shift.

  1. AppSync
  2. API Gateway HTTP
  3. API Gateway REST

This list answers a question like "What serverless API host serves a particular API on the Internet?"

Future Proof

There's uncertainty in what users may demand. So there is implied uncertainty in how to offer services to users. The serverless wagon hasn't fallen off the trail just yet. There is momentum in the resource sharing model that a serverless model offers. Is there a future proof approach?

I like any approach that is flexible. AWS Cognito is a point of leverage for flexibility. Here's why I believe Cognito can help future proof. Cognito can generate JWT tokens - API Gateway accepts them. Cognito can generate OpenID OIDC tokens - AppSync accepts them.

Nifty Approaches

Let's not forget to discuss some of the nifty new things. Consider the passwordless login. Now I'm not thinking about biometrics. I'm simply referring to logging in without a password. Here's the approach: the user asks for a temporary login to be sent to something the user has. Like an exact email address. Or a specific phone number. The user authenticates with the temporary login. This is really nifty! It's also an example of shift that wasn't predictable. Which is why a flexible approach to authentication has many benefits, one of which is simplifying adaption to future users.

Top comments (0)