Building a custom authentication flow using Amazon Cognito and MetaMask

When you build a blockchain DApp, you can use AWS services with custom logic, such as monitoring and troubleshooting your contract event logs using AWS CloudWatch. With Amazon Cognito, you can deliver temporary, limited-privilege credentials to your application to access AWS resources.

In this article, we will introduce a cryptographically secure authentication flow using the Amazon Cognito-enhanced flow with the MetaMask extension and Web3.

Solution Overview

By the end of this article, we will have a website that allows users to log in using MetaMask and have access to our Amazon API Gateway APIs with IAM authorization.

Here is a demo of what we are going to build:

App demo

The auth flow includes the following steps:

  1. User sign-in with MetaMask.
  2. Get nonce from DynamoDB. Generate one if nonce doesn’t exist.
  3. Sign messages off-chain with the private key of the current account.
  4. Verify signature with Web3.
  5. Get developer-authenticated identities.
  6. Get credentials for the returned developer-authenticated identity ID.
  7. Sign AWS requests with Signature Version 4.
  8. Control access to AWS API Gateway APIs with IAM authorization.
