amazon-quicksight-embedding-sample
Pass JWT through to Lambda
The embedding requires a re-authentication every 10 hours. This means that from our UI the user has to put in their password to access a dashboard, frequently. Is there a way to pass the JWT from a web app that the user might already be logged into? This way the experience for end customers using our dashboard is better. They don't have to re-input their password to view different dashboards. They should just be able to log into our web app, see a list of available dashboards, then click on the one they want to view. Also, I think the embed URL will return faster this way.
For more context, we maintain a DB of dashboard records that have the ID. We have rule based auth on our server to control who can see dashboard objects in our DB from our web app.
Hi @Nomad-Go, one of the ways I can think of is by doing much of the Cognito related work in your front-end.
Most of the things here: https://github.com/aws-samples/amazon-quicksight-embedding-sample/blob/master/lambda/index.js#L81-L100 can be moved out of the lambda to your web app. The JWT token returned from the auth result can be stored in your browser (local storage, session storage or maybe even a cookie). So instead of making a call to the lambda with username or password, you can modify it by just passing the essentials required here: https://github.com/aws-samples/amazon-quicksight-embedding-sample/blob/master/lambda/index.js#L101-L110.
This way, you would not need to re-authenticate the user each time, but use the result of authentication (JWT token + session name) stored in the browser cache to fetch a new embed url. Hope this suggestion helps!
Ok great. This was the direction I was heading. Could you help me clarify two things? First, I can't find API documentation for the amazon-cognito-identity-js module. I'm looking for an equivalent of the AWS JavaScript SDK API documentation.
Second, I want to clarify this line:
var sessionName = result.getIdToken().payload.sub;
Since I can't find the documentation for the amazon-cognito-identity-js module I just assume we are looking at the "subject" of the "claims" section of a JWT?
Check this page for details about amazon-cognito-identity-js.
The sub here refers to the userid of your cognito user. You could change it to the email if you want, or anything else that helps to uniquely identify a user. You can find the structure of the payload here under a section called ID Token Payload.
Let me know if these links help!
Roger. Thank you again for the clarification. I didn't realize that that library was separate from the actual JavaScript AWS SDK.
I know decoding a JWT is slightly involved. However, I could just pass the JWT and decode the sub out of the claims section rather than pass it through as a param? I know it's easily accessible from the SDK on the client side, so why bother decoding it in the Lambda when you can just pass it. Unless there is some security risk in passing it as a param. Maybe instead of putting the JWT in the params I could do an Authorization: Bearer <JWT> header?
That sounds like a reasonable approach.