AWS CloudWatch Client Side Logging - amazon-cloudwatch

I am running an react app. I want to log error to my aws cloudwatch without hard coding the access key and secret key on my client side code. I am using 'Error Boundary Component' for catching error.
Thank you for your help.

I assume by "react app" you mean a React-based web application, often called an SPA for Single Page Application.
In that case you are correct, you do not want to hard-code and credentials as that would expose them to any user who has access to the page.
The most common architecture for doing this is to setup the following:
A Lambda that will take your logging event and log it for you in Cloudwatch.
An API-Gateway that your application can call that will trigger the Lambda.
An Authorizer on the API-Gateway resource that will validate a JWT that is passed from the application.
AWS Cognito that will supply your application with a JWT based on some login, either directly or via some integration with another service that is applicable for your case.

Related

Using Next Auth to silent log in users with external tokens from AWS Cognito

We have a website where users authenticate themselves using AWS Cognito. That has been implemented using Next Auth with the Cognito provider based of their example code. That is working fine. However, whenever a new potential lead (customer) fills out a particular form we ship that information off to an external API. That API is connected to the same Cognito client and user pool in AWS, and it creates a new user and performs some operations. In the response of this API we receive the newly created user's access token, refresh token and identity token. The reasoning behind this is that whenever a new lead is created they automatically gets assigned a user and we log them in behind the scenes. It is far from an ideal solution, I know, but our assignments doesn't allow for rethinking and rewriting the current setup.
My questions is how we should implement such a custom login flow. We want to validate the tokens in the API response and create a session using those tokens, much as a regular login flow would do.
I've included this simplified chart trying to explain the process. See link:
Login flow chart
For anyone encountering a similar issue, this is how we solved it: After receiving the id_token from the external service we do a router.push(...) (next/router) to our own authorization callback API endpoint with the id_token. In our case, it became:
/api/auth/callback/cognito?id_token={ID_TOKEN}

Using Firebase Auth id tokens to authenticate (multiple) Cloud Run services

Related to Security Cloud Run services for end-users and other services
I'm using:
Firebase Auth to generate id tokens for users with Google, Microsoft, GitHub ... identities
Cloud Endpoints on Cloud Run to invoke (Cloud Run) gRPC services
Firebase Auth users are auth'd by one of my services
Where I'm struggling....
My app provides 1 or more Cloud Run services that the app's users should be able to curl. But authenticating Cloud Run services require per-service id tokens; the id token's audience must use the Cloud Run service URL and the Cloud Run service URL is service-specific.
It seems as though I ought to be able to exchange the Firebase Auth id token for (Google Account) id tokens (with appropriate audiences) that can then be used to invoke the Cloud Run service. The proxy could also run on Cloud Run and it would use my app's auth service to verify whether the id token user should be issued with a Google id token.
Guillaume Blaquire's answer proposes either Coud Endpoints or a proxy similar to what I describe above. However, Cloud Endpoints requires that the backend services be known at deploy time (which these Cloud Run services won't be) and I want to provide the user with the id token so that they can use curl or some other tool to make the auth'd request.
Cloud Run has some compelling documentation for Authenticate (sic.) but I want something between:
Authenticating users -- I have the JWT but I want to receive a Google id token for the Cloud Run service
Authenticating service-to-service which Guillaume's alternative proposal in the answer.
Rather than place your Cloud Run behind Cloud Endpoints, where you have to know the Cloud Run instances ahead of time, you can handle the request and authentication inside the Cloud Run instance itself.
To be able to handle Firebase Authentication tokens inside the Cloud Run instance, they must be setup so that they can be invoked unauthenticated. Then, inside the Cloud Run, it should launch a web server, parse the incoming request (paying attention to the Authorization header - Firebase Auth sample) and then either action or terminate the request.
To achieve this, take a look at this thread for details on how you can handle both HTTP and service-service requests. Alternatively, you could just deploy the Functions Framework image from which that thread's code is based.
If you want cleaner URLs, host multiple endpoints within a single Cloud Run instance and then place that instance behind Cloud Endpoints or you can take a more manual approach via a custom domain using a service like Firebase Hosting.

How to securely invoke a Azure Logic App from Azure Data Factory

I have a Data Factory pipeline that calls a Logic App. The URL provided by the logic app designer includes a signature in the URL. In the Data Factory pipeline I have a Web activity that uses POST method to call the Logic App. This works, the app is called.
I would either prefer to separate this signature from the URL and store it in Azure Key Vault, or use authentication. Authentication options in Data Factory include; Basic, Managed Identity or Client Certificate. I tried to follow this article to enable authentication via Azure Active Directory OAuth but do not currently see how this would work with Azure Data Factory.
I know it is possible to enable API Management Gateway to enable more sophisticated authentication to APIs including Logic Apps but am not currently convinced that I should need to do this.
The other thing I noticed in the Logic App interface is that you cannot issue authorizations to execute. This differs from other Azure services like Data Lake for example where you can issue 'use-like' authorization to read a container. There is only the Authorization pane that can be used to define claims. I had a little go but I am missing key information.
Ultimately I would not want the signature exposed to developers including myself.
I believe you could pair the Managed Identity of the Web Activity with the Azure AD OAuth feature for Logic Apps.
The required claims need to be setup on the Authorization blade for validation of the tokens.
I personally like storing the PostURL in the Azure KeyVault then doing an Azure KeyVault GET API Call in ADF, then passing the output securely in ADF to the request to trigger the logic app. It's two activities which is like nothing and it's a secure method that can just use managed identity authentication that's Native in ADF.
Here is example of how you get a value from AKV:
Getting value from AKV
Here is the URL for Azure KeyVault example secret:
https://kv-ccok-ops-#{pipeline().globalParameters.Environment}.vault.azure.net//secrets/FILESERVER-UserName?api-version=7.1
Using value from AKV
This example should be super easy to follow.

Feathersjs - how to create a custom authentication

I was wondering if there is a easy way to implement a authentication with custom fields. For ex: My app generate a code that is sent by SMS and I want to authenticate the user with this code. So I can’t use strategy local or anything.
I was thinking about create another service that when the code is received it check the database and generate a JWT token and return to the client app. But how to set that token to the app so it will use in the nexts rest and socket calls?
Any clues?
If you know the user prior to the generation of code then you can do it via local strategy by saving the generatrd code to that user and use it for authentication. You can also make use of the authentication service hooks. Or in the verifier.
See it here. https://docs.feathersjs.com/api/authentication/local.html#local-authentication
In addition to the local auth feathersjs provides, there is an additional library supporting all kinds of confirmation procedures, password reset, etc. It is only referenced in the API part of the docs somehow. Here it is.

How does Azure Active Directory authentication for Azure API Apps work?

I'm trying to call an Azure API App configured with Azure AD authentication. Assume for the purposes of this question I cannot use the Azure SDK and need to write code to get a token and insert it into the API request.*
I have established that there are two modes - 'client flow' and 'server flow', where client flow entails following at least one redirect to an issuer to get a token, and server flow where the server does this for you. Since I'm talking about doing this in code, following redirects would be possible but fiddly, so I'd prefer to use a mode where the URI or URIs to visit are known ahead of time and return content, rather than redirecting. The following diagram illustrates how the gateway routes all requests.
I think the mode I need is client flow, which would go something like:
Get an access token from the identity provider (which is what? how do I find out where this resides? what is the format of the request I have to send to the IdP?)
Pass the access token to the gateway (in what format?)
Receive another token in the gateway response
Supply this token in a header when making an API request (which header?)
How am I supposed to do this? The Azure documentation doesn't give enough detail about how it works, and expects all users to just use the SDK, which hides what is actually happening.
The actual reason is that ultimately this will need to be called from BizTalk, which uses the WCF WebHttpBinding to call restful services. I'm writing a custom behaviour to insert a token header into the request, but I need to know how this token should be acquired. It's possible to run arbitrary code in BizTalk but trying to do this makes the solution complicated, and config-only or mostly-config with minimal, loosely-coupled code is the simpler solution
Just want to understand your scenario better, Because you are going to use it from BizTalk Receive Pipeline, The scenario can be simplified by enabling a customer authentication token right ? Basic username and password for your API you have hosted on the cloud. Does BizTalk want to authenticate it self with tokens for each AD User ?
To answer some of your questions
Get an access token from the identity provider (which is what? how do I find out where this resides? what is the format of the request I have to send to the IdP?)
After you have configured your AD configuration, Once you have completed the authentication, I am assuming your are using ASP.Net here, You can find everything you need about the claims on your Thread.CurrentPrincipal, You can convert it to ClaimsPrincipal like so var claimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal; and then you will find a lot of good information on this object. Name of the user logged in, list of claims the principal has etc. I have not explored every avenue here, but this should be a good starting point.
Your API App is running on this process which means you have access to these claims in your API App code as well.
I would build a custom pipeline in BizTalk that uses Azure SDK to authenciate and build this scenario, it is a bit complicated but it will give you more control over what goes through the pipeline as well when authentication fails with permission issues and so on.