AWS Partner Network (APN) Blog
Modernize user authentication and management with DXC’s User Management solution on AWS
By Charles Christopher, Cloud Solution Architect — DXC Technology
By Dhiraj Thakur, Solutions Architect — AWS
DXC’s client needs to register users automatically, using the user’s unique reference number together with other personal information handed over from a government site to the client’s portal. The aim is a seamless customer journey from the external portal into the client’s website, with no manual re-registration step. After auto-registration the user receives a registration email and can log in to the portal again with those registration details. To comply with regional regulations in certain countries, such as China’s Personal Information Protection Law (PIPL), the system must also manage consent, obtaining the user’s consent to the collection of their personal information before registering them.
The user’s registration data contains personally identifiable information (PII). It is crucial that the personal data be managed and disposed of responsibly to comply with relevant data protection regulations. The client system must adhere to the data retention and purging policy defined by the external portal. The user’s registration data must be automatically purged seven days after the completion of the last step of the visa processing lifecycle, after which the customer will no longer have access to the client application.
This post describes how users are registered dynamically in Amazon Cognito, how they are authenticated on subsequent logins, how Cognito issues tokens, and how Amazon API Gateway validates those tokens before a request reaches the respective microservice. It walks through registering users on the fly and generating the tokens used to access the backend microservices.
DXC Technology is an AWS Premier Tier Services Partner and Managed Service Provider (MSP) with more than 9,000 AWS Certifications enabling the company to help customers using Amazon Web Services (AWS) harness the power of innovation and drive their business transformation.
Existing Challenges with the Legacy System
The legacy application has a significant security flaw: it has no proper user management layer. Online users register directly in the database without verification or authorization, and once their credentials match a database row they can log in and call backend services without any further authorization check. This puts the integrity and confidentiality of the application and its data at substantial risk.
Inadequate User Management: With no user management system there is no control over who registers or who accesses the application; anyone can create an account and write their details into the database. Without verification mechanisms such as email verification or multi-factor authentication there is no way to establish that a registering user is legitimate, so fake or malicious accounts can be created and used against the system.
Database-Only Authentication: Credentials are stored in the database, and login consists solely of comparing the submitted credentials against that table. This single layer is inherently weak: there is no external authentication service in front of the application and no Amazon API Gateway, so none of the protections those provide (rate limiting, IP allow-listing, threat detection) apply, and the system is correspondingly easier to breach.
Solution architecture
For the solution we chose AWS native services for their scalability, dependability, and seamless interoperability:
- Amazon EKS: for deploying the application services
- Amazon API Gateway: to secure calls to the backend services from the UI application and from external applications
- AWS Lambda: for serverless compute, reducing operational overhead
- Amazon S3: for hosting the UI application; cost-effective, scalable, and highly available
- Amazon Aurora MySQL: for high performance and scalability
- Amazon DynamoDB: for storing the encrypted token received from the external application
- Amazon Cognito: for secure user authentication and management
- Amazon MQ: for asynchronous communication
- Amazon CloudFront: a fast content delivery network (CDN) service that securely delivers data
- AWS WAF: to help mitigate web exploits such as SQL injection and XSS
- AWS Shield: a managed DDoS protection service that safeguards applications
The following diagram illustrates the solution architecture.
Figure 1 – Solution design
The following describes the application workflow:
- Token Transmission: The external application sends an HTTPS request to the CloudFront distribution, which forwards it through Amazon API Gateway to AWS Lambda. CloudFront enforces TLS, so the token is encrypted in transit and the backend resources, including the Lambda function, are never exposed directly. The request must also carry an API key in the x-api-key header; API Gateway rejects requests without a valid key before they reach Lambda, which limits unauthenticated invocations and the cost they would incur. Note that an API Gateway API key identifies a client for usage plans and throttling; it is not a secret strong enough to serve as the sole authentication of the external application, which is why the token itself is still decrypted and validated in the next step.
- Lambda Function Processing: In AWS Lambda the token is decrypted with a key provided by the external customer, which is stored in the Lambda environment variables. (Environment variables are encrypted at rest with AWS KMS, but anyone permitted to read the function configuration can see them; AWS Secrets Manager or Systems Manager Parameter Store gives tighter access control and rotation for a key like this.) If decryption fails, an error is returned to the external application. Lambda also validates the token, including specific header fields; a token whose headers fail validation is treated as invalid and discarded, since it may be malformed or malicious. Once the token passes all checks it is stored in Amazon DynamoDB for auditing purposes.
- Reference Number Retrieval: The reference number associated with the token is retrieved from Amazon DynamoDB for further processing.
- Flow Direction Determination: Based on the country flag within the token, AWS Lambda determines whether to route the flow to the older or the newer application. The reference number retrieved from Amazon DynamoDB is then passed to the Routing UI hosted on Amazon S3.
- Routing UI Processing: Upon page load, the Routing UI forwards the reference number to the Application microservice deployed on Amazon EKS via the Amazon API Gateway.
- Token Retrieval and Validation: The Application microservice fetches the token from Amazon DynamoDB by reference number, decrypts it with the customer’s key, and runs the required validations. Personal and non-personal information is then extracted. The personal data is base64-encoded before storage; be aware that base64 is an encoding, not encryption, and gives no confidentiality on its own, so for PII it must be paired with encryption at rest (Aurora storage encryption) or, better, field-level encryption with a KMS-managed key.
- Master Data Retrieval: Some master data is fetched from an external Master Data Management (MDM) system to validate and compare IDs.
- Data Storage: The encoded personal data, the non-personal data, and the master data retrieved from the MDM system are stored in their respective tables in Amazon Aurora MySQL.
- User Registration in Cognito: The Application microservice sends the applicant ID, used as the username, and the email address, used as the initial password, both extracted from the token, to an identity microservice that registers the user in Amazon Cognito through the AWS SDK. If the user is already registered this step is skipped. After registration, a Cognito token is obtained by authenticating with the applicant ID and email address. Note that an email address is guessable rather than secret, so a credential derived this way should be treated as a bootstrap secret only, with a forced password change or a stronger factor before the account is relied on.
- Welcome Message Preparation: The Application microservice prepares a welcome message and sends it to Amazon MQ once the user registration is successful in Amazon Cognito. A notification worker service deployed on Amazon EKS consumes this message to send emails.
- Data Rendering: After successful registration, the Application microservice returns a response to the Routing UI, which then redirects to the dashboard UI to display the application data.
- Security layers: Amazon CloudFront, AWS WAF and AWS Shield mitigate DDoS, SQL injection and XSS attacks. The user interface is deployed to Amazon S3 as a static website.
- For subsequent logins, the applicant enters their username and password on the login page, and the UI authenticates them against Amazon Cognito using the user pool ID and the app client ID (the "web client ID" in the Amplify configuration).
- On successful authentication Cognito issues tokens, and the UI sends the token to Amazon API Gateway with each backend request.
- API Gateway validates the token with its Cognito user pool authorizer. A valid token lets the request through to the backend service; a missing or invalid token is rejected with a 401 Unauthorized response, and a token lacking a required scope with 403 Forbidden, which the UI surfaces to the user.
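The claim checks behind the token validation step, as an added example that is not DXC's code and not the API Gateway authorizer itself. It assumes the JWT signature has already been verified against the user pool's JWKS (the `/.well-known/jwks.json` document); the Cognito authorizer does that, and this code deliberately does not, so it must never be used on a token whose signature is unchecked. The region, pool and client IDs are placeholders, and `make_demo_token` builds unsigned tokens for the offline demo only.

```python
# Added example (not DXC's code): claim checks for a Cognito JWT whose
# signature has ALREADY been verified against the user pool JWKS. Region,
# pool and client IDs are placeholders; make_demo_token makes unsigned
# demo tokens and must not be used for anything else.
import base64
import json
import time

ISSUER = "https://cognito-idp.{region}.amazonaws.com/{pool}"


class TokenError(ValueError):
    pass


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_cognito_claims(token, region, user_pool_id, app_client_id,
                            expected_use="id", now=None, leeway=60):
    """Return the claims if iss, token_use, audience and exp all check out."""
    claims = unverified_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER.format(region=region, pool=user_pool_id):
        raise TokenError("issuer is not this user pool")
    if claims.get("token_use") != expected_use:
        raise TokenError(f"expected a {expected_use} token, got {claims.get('token_use')!r}")
    # ID tokens name the app client in 'aud'; access tokens name it in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != app_client_id:
        raise TokenError("token was issued to a different app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("token expired")
    return claims


def make_demo_token(claims):
    """Constructed, UNSIGNED token (empty signature segment) for this demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}."


def run_checks(region="ap-south-1", pool="ap-south-1_EXAMPLE",
               client_id="example-client-id", now=1_700_000_000):
    """Run the validator over constructed good and bad tokens; returns outcomes."""
    base = {"iss": ISSUER.format(region=region, pool=pool), "sub": "APP-1001", "exp": now + 3600}
    cases = {
        "valid_id": {**base, "token_use": "id", "aud": client_id},
        "expired": {**base, "token_use": "id", "aud": client_id, "exp": now - 600},
        "other_client": {**base, "token_use": "id", "aud": "some-other-client"},
        "access_as_id": {**base, "token_use": "access", "client_id": client_id},
        "other_pool": {**base, "iss": ISSUER.format(region=region, pool="ap-south-1_OTHER"),
                       "token_use": "id", "aud": client_id},
    }
    results = {}
    for name, claims in cases.items():
        try:
            validate_cognito_claims(make_demo_token(claims), region, pool, client_id, "id", now=now)
            results[name] = "accepted"
        except TokenError as err:
            results[name] = f"rejected: {err}"
    return results
```

Calling `run_checks()` accepts only the well-formed ID token and rejects the expired one, the one issued to another app client, the one from another pool, and the access token presented where an ID token is expected. That last case is the one most often missed: both token types pass signature verification, so a service that expects `aud` from an ID token must check `token_use` rather than assume it.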
A purge scheduler periodically deletes users from Amazon Cognito according to the retention rule above (seven days after the last step of the visa lifecycle), which also removes their access to the application.
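The selection rule behind that purge scheduler, as an added example that is not DXC's code: retain the account for seven days after the last lifecycle step, then delete, and make the run idempotent so a re-run after a partial failure does not error on users already removed. The record field names are assumptions for the demo, and `delete_user` is a callable you supply (for instance a wrapper around the SDK's AdminDeleteUser); the same selection should also drive deletion of the corresponding Aurora rows and DynamoDB token items.

```python
# Added example (not DXC's code): purge selection and an idempotent purge
# run. Record field names ('username', 'lifecycle_completed_at') are
# assumptions; delete_user is supplied by the caller.
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)


def select_for_purge(records, now):
    """Usernames whose visa lifecycle finished at least RETENTION ago.

    records: dicts with 'username' and 'lifecycle_completed_at', a timezone-aware
    datetime or None while the process is still running.
    """
    if now.tzinfo is None:
        raise ValueError("use an aware datetime; naive timestamps drift across zones and DST")
    due = []
    for rec in records:
        done = rec.get("lifecycle_completed_at")
        if done is None:
            continue  # still in process: keep the account
        if done.tzinfo is None:
            raise ValueError(f"naive timestamp on {rec['username']}")
        if now - done >= RETENTION:
            due.append(rec["username"])
    return due


def purge_users(records, delete_user, now=None):
    """Delete every due user; returns (deleted, already_gone).

    delete_user(username) -> True if removed, False if the user was not found
    (Cognito's UserNotFoundException), so re-running the job is harmless.
    """
    now = now or datetime.now(timezone.utc)
    deleted, already_gone = [], []
    for username in select_for_purge(records, now):
        (deleted if delete_user(username) else already_gone).append(username)
    return deleted, already_gone


def run_demo():
    """Constructed sample data: one user exactly at the boundary, one an hour
    short of it, one still in process, and one already purged by an earlier run."""
    now = datetime(2024, 6, 15, 9, 0, tzinfo=timezone.utc)
    records = [
        {"username": "APP-1001", "lifecycle_completed_at": now - timedelta(days=8)},
        {"username": "APP-1002", "lifecycle_completed_at": now - timedelta(days=7)},
        {"username": "APP-1003", "lifecycle_completed_at": now - timedelta(days=6, hours=23)},
        {"username": "APP-1004", "lifecycle_completed_at": None},
        {"username": "APP-1005", "lifecycle_completed_at": now - timedelta(days=30)},
    ]
    present = {"APP-1001", "APP-1002", "APP-1003", "APP-1004"}  # APP-1005 gone already

    def fake_delete(username):  # stands in for the Cognito AdminDeleteUser call
        if username in present:
            present.remove(username)
            return True
        return False

    return purge_users(records, fake_delete, now=now)
```

`run_demo()` deletes APP-1001 and APP-1002 (eight and exactly seven days old), reports APP-1005 as already gone, and leaves APP-1003 (an hour short of the window) and APP-1004 (still in process) untouched.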
Setup and Configuration
- To set up Amazon Cognito and connect it to your application, start with the user pool: create a user pool in Amazon Cognito to hold registered users, and create an app client in that pool; its client ID is what your application uses to talk to the pool. Then prepare the backend of your microservice by installing the AWS SDK for your programming language and adding it to your project.
- For online registration, use the AWS SDK to create users, supplying the applicant ID (the username), the email address, and the user pool ID.
- Implement token generation with the AWS SDK so that a freshly registered user can be authenticated and issued Cognito tokens.
- To implement user deletion, call the AWS SDK with the username and user pool ID to remove the user from the pool.
- To authenticate users from the user interface, import the Amplify library into your application and configure it with your Amazon Cognito User Pool ID and User Pool Web Client ID. Utilize the Amplify library to implement the sign-in method for authenticating users and managing the authentication state within your application.
- Finally, to secure your API, configure Amazon API Gateway to use Amazon Cognito as the authorizer, ensuring it validates the tokens generated by Amazon Cognito for API requests. This setup will enable secure user authentication and authorization for your application.
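The three SDK operations in the steps above (register, obtain tokens, delete), as an added example that is not DXC's code. It is written against the boto3 `cognito-idp` API shapes (AdminCreateUser, AdminSetUserPassword, AdminInitiateAuth, AdminDeleteUser), with the client injected so that in production you pass `boto3.client("cognito-idp")` and offline, as here, the in-memory `FakeCognitoIdp` stand-in. The pool and client IDs and the `CognitoUserService` and `FakeCognitoIdp` names are assumptions; the post's design uses the email address as the initial password, whereas the example takes the password as a parameter so a generated secret can be used.

```python
# Added example (not DXC's code): register / authenticate / delete against the
# boto3 cognito-idp API shapes. The client is injected; FakeCognitoIdp is an
# offline stand-in for boto3.client("cognito-idp"). IDs are placeholders.
import hmac
import secrets


class CognitoUserService:
    def __init__(self, client, user_pool_id, app_client_id):
        self.client = client
        self.user_pool_id = user_pool_id
        self.app_client_id = app_client_id

    def register(self, applicant_id, email, password):
        """Create the user with a permanent password; False if it already
        exists, so a repeat call (the post's bypass step) is a no-op."""
        try:
            self.client.admin_create_user(
                UserPoolId=self.user_pool_id, Username=applicant_id,
                UserAttributes=[{"Name": "email", "Value": email},
                                {"Name": "email_verified", "Value": "true"}],
                MessageAction="SUPPRESS")  # welcome mail goes out via Amazon MQ
        except self.client.exceptions.UsernameExistsException:
            return False
        # Permanent=True moves the user from FORCE_CHANGE_PASSWORD to CONFIRMED.
        self.client.admin_set_user_password(
            UserPoolId=self.user_pool_id, Username=applicant_id,
            Password=password, Permanent=True)
        return True

    def authenticate(self, username, password):
        """Server-side login (needs ALLOW_ADMIN_USER_PASSWORD_AUTH on the app
        client; add SECRET_HASH if the client has a secret). Returns the
        AuthenticationResult with IdToken, AccessToken and RefreshToken."""
        resp = self.client.admin_initiate_auth(
            UserPoolId=self.user_pool_id, ClientId=self.app_client_id,
            AuthFlow="ADMIN_USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password})
        return resp["AuthenticationResult"]

    def delete(self, username):
        """Remove the user; False if already gone, so purge re-runs are safe."""
        try:
            self.client.admin_delete_user(UserPoolId=self.user_pool_id, Username=username)
        except self.client.exceptions.UserNotFoundException:
            return False
        return True


class _Exceptions:  # mirrors the client.exceptions.* classes boto3 raises
    class UsernameExistsException(Exception): ...
    class UserNotFoundException(Exception): ...
    class NotAuthorizedException(Exception): ...


class FakeCognitoIdp:
    """Minimal in-memory stand-in for boto3.client("cognito-idp")."""
    exceptions = _Exceptions

    def __init__(self):
        self.users = {}

    def admin_create_user(self, UserPoolId, Username, UserAttributes, MessageAction):
        if Username in self.users:
            raise self.exceptions.UsernameExistsException(Username)
        self.users[Username] = {"password": None, "status": "FORCE_CHANGE_PASSWORD"}
        return {"User": {"Username": Username}}

    def admin_set_user_password(self, UserPoolId, Username, Password, Permanent):
        self.users[Username].update(
            password=Password, status="CONFIRMED" if Permanent else "FORCE_CHANGE_PASSWORD")
        return {}

    def admin_initiate_auth(self, UserPoolId, ClientId, AuthFlow, AuthParameters):
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] is None or not hmac.compare_digest(
                user["password"], AuthParameters["PASSWORD"]):
            raise self.exceptions.NotAuthorizedException("Incorrect username or password.")
        return {"AuthenticationResult": {"IdToken": "id.token", "AccessToken": "access.token",
                                         "RefreshToken": "refresh.token", "ExpiresIn": 3600}}

    def admin_delete_user(self, UserPoolId, Username):
        if Username not in self.users:
            raise self.exceptions.UserNotFoundException(Username)
        del self.users[Username]
        return {}


def run_demo(client=None):
    """Walk one applicant through register, repeat register, login, delete, repeat delete."""
    svc = CognitoUserService(client or FakeCognitoIdp(), "ap-south-1_EXAMPLE", "example-client-id")
    password = secrets.token_urlsafe(24)  # a generated secret, not the applicant's e-mail
    out = {"first_register": svc.register("APP-1001", "applicant@example.com", password)}
    out["second_register"] = svc.register("APP-1001", "applicant@example.com", password)
    out["tokens"] = svc.authenticate("APP-1001", password)
    out["deleted"] = svc.delete("APP-1001")
    out["deleted_again"] = svc.delete("APP-1001")
    return out
```

Call `run_demo()` to see the sequence offline, or `run_demo(boto3.client("cognito-idp"))` with real pool and client IDs substituted in. `MessageAction="SUPPRESS"` matters here because the post sends its own welcome email through Amazon MQ; without it Cognito emails the temporary password itself. The identity microservice needs `cognito-idp:AdminCreateUser`, `AdminSetUserPassword`, `AdminInitiateAuth` and `AdminDeleteUser` on the pool and nothing more.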
Customer Benefits
This solution registers users online in real time, with no limit on their number and no manual intervention. It offers a secure and scalable approach to authentication at login and to authorization when backend application services are called. Because Amazon Cognito is a highly available, serverless service, user registration and sign-in stay reliable without the customer having to run or fail over identity infrastructure. The pay-as-you-go pricing model lets customers align cost with actual usage, making the solution affordable and flexible for businesses of all sizes. The solution also keeps user populations separate by using distinct user pools for different user groups, so user data stays organized and securely managed.
Conclusion
This post describes DXC’s solution for online user registration, security authentication, and access restriction to application services, ensuring only authorized users gain access. The solution demonstrates how customers can easily register new users, authenticate them before they access the application, and authorize user tokens before calling application services. It also emphasizes the benefits and scalability of Amazon Cognito. By utilizing this solution, customers can streamline their user management process, reduce manual work, and enhance security. The automated registration and authentication process ensures a seamless user experience, while the robust authorization mechanisms safeguard sensitive data and application integrity. Amazon Cognito’s scalability enables the system to accommodate more users as the organization expands without compromising performance. This approach allows organizations to concentrate on their core activities rather than managing user access and security.
In summary, the solution enhances user registration and authentication, guarantees secure access to application services, and utilizes Amazon Cognito for its robust and scalable features. Ultimately, this assists customers in offering a superior and more secure experience for their users.