The Basics of Serverless User Authentication
Serverless is growing in popularity, with Amazon Lambda dominating the industry as a serverless runtime. While serverless has many advantages, it also raises a variety of challenges and forces developers to do everything a bit differently. Authentication is no exception. In this article, I’ll describe modern authentication methods and show how to implement them in your serverless application with a special focus on tools from the AWS ecosystem.
What Is User Authentication?
User authentication verifies the identity of a user attempting to access a network or computing resource. Users authenticate themselves by presenting credentials—either by typing them in via a traditional login mechanism or behind the scenes using an authentication token.
Identity verification ensures that only authorized users can access the system. Secure authentication is critical to prevent unauthorized access, which can lead to compromise of trusted systems by attackers, information theft and other damage. Almost all human-computer interactions require user authentication.
What Are Common Types of Authentication?
Authentication ensures that unauthorized users cannot access resources such as databases and networks. Authentication requires the use of factors, which are categories of credentials that enable verification of a user’s identity. Here are some popular authentication methods (get more background in this in-depth article on authentication types).
Two-Factor Authentication (2FA)
This method adds a second factor to enhance security when verifying user identity. You can regard 2FA as a way to double-check identity that makes it harder for imposters to impersonate a legitimate user. In addition to the primary authentication credential (such as a password or username), the user must provide a secondary factor (such as a phone number, biometric data like a fingerprint, etc.) or a one-time password.
While 2FA may be slightly less convenient for the user than single-factor authentication, it can significantly increase security. In fact, 2FA is one of the key measures organizations can use to prevent privilege escalation.
Multi-Factor Authentication (MFA)
This method provides even higher security than 2FA because it requires more independent factors to verify users. MFA can use secondary passwords, biometrics, location-based information or device-based confirmation. MFA can also provide variance between sessions, changing the types of factors to make it harder for an imposter to penetrate.
Single Sign-On (SSO)
This method allows users to log in to a single application, extending their login credentials across multiple applications. SSO allows users to avoid keeping track of different credentials for each application, providing a seamless, convenient experience. You can establish a central domain, such as an IAM system, with secure SSO links to different resources to implement SSO.
Implementing User Authentication in Serverless Applications
You can use the following practices to implement serverless authentication.
Retain User Data
To implement authentication in a serverless project, you must enable users to identify themselves and retrieve user identity for serverless functions. You can achieve this by using sessions or user information written in JSON Web Tokens (JWTs):
- Sessions—The standard approach for retaining authentication data is to store user sessions. Users receive a token for the authentication process which sends the token to the server for each request. The token enables the system to search for information in the user database, including the session status, authentication scopes and expiration time. For serverless projects, you can store session information in a hosted datastore like DynamoDB, Amazon ElastiCache or Google Cloud Datastore, rather than the typical Memcached or Redis store. However, retrieving data from such a data store may be challenging, given the increased page load times and datastore costs resulting from higher application loads.
- JWTs—A more convenient approach for serverless applications is to write user data in JWTs. This approach is similar to the authentication mechanism of user sessions, with users receiving a token when they log in. The authentication system then returns the token to the endpoint for each request. However, while the standard approach only stores access credentials, JWTs store additional user information within the tokens. This is a major advantage. With each request, users send an entire token to the endpoint. Any information stored in the token, including access scopes and usernames, is easily accessible in each HTTP request received.
Ensure the Validity of Sessions or Tokens
You can check user credentials by verifying the content in a session or JWT for each call to a function. While this approach allows you to control the authentication flow, it can be complicated to implement.
Alternatively, you can use API gateway-supported custom authorizers. AWS Lambda, for example, allows you to easily authenticate outside your core functions. Custom authorizers let you specify separate Lambda functions to handle user authentication exclusively.
Implement User Management
Managing users involves creating and deleting user accounts and logging them in and out. In terms of implementation, you can use one of two options:
- Independent implementation—You will need a CRUD interface for the user database and a login mechanism that generates new JWT tokens or creates user sessions. You can implement each of these as a separate function.
- Hosted services—You can use a service like Amazon Cognito or Auth0 to manage the creation of users, logins and session storage. This approach is particularly useful for allowing users to log in using SAML identities or social media accounts.
In this article I explained the basics of user authentication and described three key stages of implementing authentication in a serverless application:
- Storing user information—You can manage this via user sessions or JWTs.
- Checking session or token—You can build this yourself or use custom authorizers provided by the Amazon API gateway, which is tightly integrated with Amazon Lambda.
- User management—This includes functionality like storing users, logging them in and storing sessions for future access. You can implement this with open source frameworks like Auth0 or with Amazon Cognito.
I hope this will be useful as you begin adding authentication and authorization to your serverless applications.