6 Level up your API
This chapter covers
- How authentication and authorization work in serverless applications
- Implementing authentication and authorization in your serverless application
- Identifying your users through social identity providers
Authentication and authorization are two of the many challenges you face when developing distributed applications. The difficulty lies in propagating the authenticated user, along with that user's permissions, to every service in the application, and in properly integrating third-party identity providers.
This chapter shows you how to implement authentication and authorization in your serverless application by enabling them for Aunt Maria’s customers and their pizza orders. You’ll learn the difference between authentication and authorization in a serverless environment and how to implement an authentication and authorization mechanism for your web API using AWS Cognito. Then you’ll learn how to identify your users through a social identity provider, specifically Facebook.
6.1 Serverless authentication and authorization
Aunt Maria and Pierre, her mobile developer whom you so fondly remember from the previous chapter, have informed you that your API’s pizza-orders endpoint returns every order to anyone who calls it, no matter who is asking. The endpoint neither checks who the caller is nor what that caller is allowed to see. Only employees should be able to see all orders; customers should be able to see only their own orders; and callers who are neither customers nor employees should not be able to see any order at all.
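The access rule Aunt Maria describes, as an added example that is not code from the book: the handler decides what the caller may see from identity claims that were verified before the function ran, never from anything the client put in the request. It assumes an API Gateway Cognito authorizer has placed the verified ID token claims in `event.requestContext.authorizer.claims`, that each stored order records the `sub` of the customer who placed it, and that employees belong to a Cognito user pool group named `employees`; the group name, the handler name, and the order records are constructed for this example.

```javascript
// Added example (not the book's code): server-side authorization for the
// pizza-orders endpoint. Identity comes from claims that an API Gateway
// Cognito authorizer has already verified; the request body and query
// string are never trusted to say who the caller is.

// Constructed sample data: each order records the Cognito "sub" of the
// customer who placed it.
const ORDERS = [
  { orderId: 'o-1', customerSub: 'sub-customer-1', pizza: 'Capricciosa' },
  { orderId: 'o-2', customerSub: 'sub-customer-2', pizza: 'Margherita' },
  { orderId: 'o-3', customerSub: 'sub-customer-1', pizza: 'Napoletana' },
];

// Assumption: employees are members of a user pool group named "employees";
// group membership is carried in the ID token's "cognito:groups" claim.
const EMPLOYEE_GROUP = 'employees';

// Normalize the groups claim. Depending on the API Gateway integration the
// claim may arrive as an array, a comma-separated string, or a bracketed
// string, so accept all three rather than failing open or closed by accident.
function groupsFromClaims(claims) {
  const raw = claims['cognito:groups'];
  if (Array.isArray(raw)) return raw.map(String);
  if (typeof raw !== 'string') return [];
  return raw.replace(/^\[|\]$/g, '').split(/[,\s]+/).filter(Boolean);
}

function isEmployee(claims) {
  return groupsFromClaims(claims).includes(EMPLOYEE_GROUP);
}

// Returns the orders the caller may see, or null when the caller must be
// rejected outright. `claims` is the verified token payload, or undefined
// when the request carried no valid token.
function visibleOrders(claims, orders) {
  if (!claims || typeof claims.sub !== 'string' || claims.sub === '') {
    return null; // unauthenticated: reject, do not even return an empty list
  }
  if (isEmployee(claims)) return orders; // employees: every order
  // Everyone else is a customer and sees only orders tied to their own sub.
  return orders.filter((o) => o.customerSub === claims.sub);
}

// Handler for an API Gateway proxy event. Only the authorizer-supplied
// claims are consulted; event.queryStringParameters is deliberately ignored
// for the authorization decision.
function getOrdersHandler(event, orders = ORDERS) {
  const authorizer = event && event.requestContext && event.requestContext.authorizer;
  const claims = authorizer ? authorizer.claims : undefined;
  const result = visibleOrders(claims, orders);
  if (result === null) {
    return { statusCode: 401, body: JSON.stringify({ message: 'Unauthorized' }) };
  }
  return { statusCode: 200, body: JSON.stringify(result) };
}

module.exports = { ORDERS, visibleOrders, getOrdersHandler, groupsFromClaims };
```

The important design choice is where the customer identifier comes from: it is read from `claims.sub`, which the authorizer verified against the user pool's signing keys, not from a query parameter such as `?customer=...` that any caller could set. An authenticated customer with no orders simply gets an empty list, while a request without a valid token gets a 401 before any data is touched.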
Here’s how you’ll correct this issue: