Announcing Web Identity Federation

Version 2 of the AWS Mobile SDK

  • This article and sample apply to Version 1 of the AWS Mobile SDK. If you are building new apps, we recommend you use Version 2. For details, please visit the AWS Mobile SDK page.
  • This content is being maintained for historical reference.

We are very excited to announce web identity federation for use with AWS Security Token Service (STS). Web identity federation allows developers to integrate with identity services provided by Facebook, Google, and Amazon. Using web identity federation, an application end user can log in with one of these identity providers, authorize the developer’s application, and in return receive temporary AWS credentials that grant permission to resources within the developer’s account. For many developers this will completely replace the Token Vending Machine for Identity Registration, freeing them from the burden of maintaining backend services and allowing them to focus on their mobile app development.

Additionally, in combination with Policy Variables, these temporary credentials can be scoped to give a user access to a small partition within the developer’s AWS account. This allows developers to isolate user data in their AWS resources and be confident that each user can access only their own data and nobody else’s.

To demonstrate how web identity federation and policy variables work in concert, we’ve included sample code for iOS and Android, called S3PersonalFileStore. This sample uses web identity federation to give users their own personal file store within the developer’s Amazon S3 account. It is based on our previous personal file store example, but accomplishes the same functionality without the use of any server-side code.

The sample is included with both the AWS SDK for iOS and the AWS SDK for Android and is configured to use Facebook authentication by default. Instructions for optionally enabling both Google and Amazon are included with the sample.
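The following is an added illustration, not code from the S3PersonalFileStore sample or the AWS SDKs. It shows a role permissions policy that uses the `${graph.facebook.com:id}` policy variable to confine each Facebook-federated user to their own S3 prefix, plus a simplified resolver that demonstrates the isolation. The bucket name and user IDs are constructed, and the resolver is a teaching model, not IAM's evaluation engine.

```python
import fnmatch
import json

BUCKET = "example-personal-file-store"  # hypothetical bucket name
ID_VAR = "${graph.facebook.com:id}"     # policy variable for Facebook-federated users

# Permissions policy attached to the role that federated users assume.
# Policy variables require policy language version 2012-10-17.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # List only keys under the caller's own prefix.
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{ID_VAR}/*"]}},
        },
        {   # Read, write and delete only objects under the caller's own prefix.
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/{ID_VAR}/*"],
        },
    ],
}

def object_allowed(policy, user_id, action, key):
    """Simplified model: substitute the variable, then match action and ARN.
    Not a full IAM evaluator (no Deny, NotAction, or condition handling)."""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        # Statements carrying a Condition are skipped by this model.
        if stmt["Effect"] != "Allow" or action not in stmt["Action"] or "Condition" in stmt:
            continue
        for pattern in stmt["Resource"]:
            resolved = pattern.replace(ID_VAR, user_id)
            if fnmatch.fnmatchcase(arn, resolved):
                return True
    return False

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    alice, bob = "1000001", "1000002"  # constructed provider user IDs
    print(object_allowed(POLICY, alice, "s3:GetObject", f"{alice}/notes.txt"))
    print(object_allowed(POLICY, alice, "s3:GetObject", f"{bob}/notes.txt"))
```

The trailing `/` after the variable matters: without it, a user whose ID is a prefix of another user's ID would match that user's objects.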

What if I don’t use Facebook, Google, or Amazon?

While we tried to make sure the providers available would cover as large a user base as possible, they may not fit your use case. In this case, as noted in our previous post, the recommended best practice for delivering credentials to a mobile application is to use a Token Vending Machine (TVM).

Tell us what you think

We hope you are as excited as we are about web identity federation. It is the direct result of feedback from customers who were integrating the AWS Mobile SDKs into their mobile apps. We are eager for feedback about web identity federation, and we want to know what other challenges developers face when building cloud-backed mobile apps. Please feel free to leave a comment below or visit our forums to post feedback and questions.