How Authn/Authz work in AWS if I already have my users on okta

Time: 04-29

Please pardon me if my question does not completely make sense as I'm a newbie into this world of AWS and cloud. Our organisation currently uses Okta as the identity store for some users and we have another set of users using our internally developed OIDC/OAuth compliant IDP for authentication. The users can be differentiated based on email domain by Okta.

Today our web applications use the OIDC authorization code flow with Okta for authentication, and Okta internally knows to federate the call to the appropriate external IDP for authentication. All this is good on premises.

Now we plan to host one of our web applications and a REST API on the cloud in AWS, and we are wondering how we can leverage our current Okta setup in AWS so that all this can happen. Please note that we do not want our user experience to change from today, where their landing login page is Okta. Also, please note that we want our users automatically provisioned to access our services in AWS based on this authentication. What this means is that we will not create users explicitly in AWS using IAM; rather, they should get access to our UI and API automatically based on the authentication.

Can anyone help?

Thanks

CodePudding user response:

Okta can easily interact with a service on AWS. The key is to be able to pass in the JWT that Okta generates to your service code so you can validate it and know who is logging in. It's not clear exactly what your environment looks like but the way I've done it is "lazy creation". I store my users in my AWS RDS but create them on demand. So, when a user comes in I validate the token and get the "sub" (subject) out of the token. This becomes a key into my database to indicate who the user is. Okta has assigned this value to each user.

When a user token comes in I check to see if I already have the user based on the subject. If so it's fine. If they are new then I'll create them in the database using the data in the token and/or the /userinfo endpoint from Okta.
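The "lazy creation" flow described in this answer, as an added example that is not part of the original post: it assumes the token's signature has already been verified against the issuer's JWKS (for instance with a JWT library) and that the verified claims arrive as a dict; the issuer, audience and user values are constructed for the example, and the store is an in-memory SQLite table standing in for RDS.

```python
import sqlite3
import time

# Constructed for this example: the Okta authorization server that issued the
# token and the audience value the API expects to see in it.
ISSUER = "https://example.okta.com/oauth2/default"
AUDIENCE = "api://my-service"


def validate_claims(claims, now=None, issuer=ISSUER, audience=AUDIENCE):
    """Check the claims of a signature-verified token and return its subject."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("token not intended for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("missing subject")
    return sub


def open_store():
    """In-memory user table keyed by 'sub' (emails can change, the subject does not)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (sub TEXT PRIMARY KEY, email TEXT, created_at REAL)")
    return conn


def resolve_user(conn, claims, now=None):
    """Look the user up by subject; on first sight create the row from the token."""
    sub = validate_claims(claims, now)
    row = conn.execute("SELECT sub, email FROM users WHERE sub = ?", (sub,)).fetchone()
    if row:
        return {"sub": row[0], "email": row[1], "created": False}
    email = claims.get("email")  # or fetched from Okta's /userinfo endpoint
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (sub, email, now or time.time()))
    conn.commit()
    return {"sub": sub, "email": email, "created": True}
```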

CodePudding user response:

I don't think I fully understand your requirements around AWS. The simplest thing is to use AWS only as a hosting platform for your application, while having your users authenticated by Okta. That is the simplest scenario, if users don't do anything to your AWS (managing or using objects which are protected by AWS policies).

If you need the latter one, then you need to create a Cognito pool, which is integrated with Okta. Then all access inside AWS will be based on Cognito pool permissions.
