AWS folds Facebook, Google credentials into new ID federation tools

Amazon Web Services aims at mobile apps with new dev tools to support third-party ID credentials

Amazon Web Services Wednesday added Web-based identity federation to its list of authentication services for developers and included support for Facebook and Google log-in credentials.

AWS introduced its Login with Amazon service for authentication as an addition to its already established AWS Identity and Access Management (IAM) that supports federation between corporate directories and AWS.

Login with Amazon is "a new service you can use to securely connect your websites and apps with millions of customers," Jeff Wierer, principal product manager on the AWS IAM team, said in his blog.

Login with Amazon works with websites and Web services as well as Android and iOS apps. The Web-based federation play, therefore, is as much about mobile integration as it is about the Web.

AWS's web identity federation introduces a new AWS Security Token Service API, called AssumeRoleWithWebIdentity, which lets developers off-load authentication duties for their mobile apps built on top of AWS.

A security token service is a trusted intermediary that validates an incoming authentication assertion and issues a security token of its own in exchange; here, the incoming assertion is the identity provider's token and the issued token is a temporary AWS credential.

App developers will be able to give end-users the option of logging in with Amazon, Facebook or Google credentials and swap tokens from those providers for a short-lived AWS security credential.

The temporary credential provides access to resources such as Amazon Simple Storage Service (S3) objects, DynamoDB tables, or Amazon Simple Queue Service queues.

Developers will not have to write any server-side code or store any user security credentials as part of their application.

Normally, requests to access AWS services must be signed, which requires both an access key ID and a secret access key, according to the AWS documentation. The temporary credentials issued by the token service come with a third element, a session token, which must accompany every signed request; a request signed with only the temporary key pair is rejected.

AWS is now recommending that developers do not distribute long-term AWS security credentials for apps that are downloaded to a user's device or computer.
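The flow the preceding paragraphs describe has three parts: the app obtains a token from the identity provider on the device, trades it for temporary credentials with AssumeRoleWithWebIdentity, and then signs requests with those credentials, session token included. The example below is added here for illustration and is not AWS's sample code. It shows the two pieces a practitioner has to get right on the AWS side, the role trust policy (which must pin the provider's audience claim to your own app ID, otherwise a token minted for any other app registered with that provider could assume the role) and a per-user permission policy built on IAM policy variables, plus the STS exchange itself. The role ARN, app IDs, bucket name and token value are placeholders; `exchange_token()` needs boto3 and network access, everything else runs offline.

```python
"""Web identity federation, end to end (added example, not AWS sample code).

Step 1 happens on the device: the app obtains a token from Login with Amazon,
Facebook or Google.  Step 2 trades that token for temporary AWS credentials
with AssumeRoleWithWebIdentity, an unsigned STS call.  Step 3 signs requests
to S3, DynamoDB or SQS with those credentials, session token included.

Role ARN, app IDs, bucket name and the token are placeholders chosen for
illustration.  Only exchange_token() talks to AWS and needs boto3.
"""
import json

# Federated principal name, the claim that names the app a token was minted
# for (the "audience" check), and the claim that identifies the end user.
PROVIDERS = {
    "www.amazon.com":      {"aud": "www.amazon.com:app_id",     "user": "www.amazon.com:user_id"},
    "graph.facebook.com":  {"aud": "graph.facebook.com:app_id", "user": "graph.facebook.com:id"},
    "accounts.google.com": {"aud": "accounts.google.com:aud",   "user": "accounts.google.com:sub"},
}


def trust_policy(provider, app_id):
    """Role trust policy: only tokens from this provider AND this app may assume the role.

    Without the Condition, a token issued to any other app registered with the
    same provider would satisfy the Principal and be accepted.
    """
    if provider not in PROVIDERS:
        raise ValueError("unknown identity provider: %s" % provider)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {PROVIDERS[provider]["aud"]: app_id}},
        }],
    }


def per_user_s3_policy(provider, bucket):
    """Permission policy that confines each federated user to their own S3 prefix.

    The ${provider:user-claim} variable is substituted at evaluation time with
    the user id carried in the token, so users cannot touch each other's objects.
    """
    user_var = "${%s}" % PROVIDERS[provider]["user"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::%s" % bucket,
                "Condition": {"StringLike": {"s3:prefix": "%s/*" % user_var}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": "arn:aws:s3:::%s/%s/*" % (bucket, user_var),
            },
        ],
    }


def sts_request(role_arn, provider, web_identity_token, session_name, duration=900):
    """Parameters for AssumeRoleWithWebIdentity.

    ProviderId is required for Login with Amazon and Facebook tokens; Google
    issues OpenID Connect id_tokens that carry their own issuer, so it is omitted.
    """
    if provider not in PROVIDERS:
        raise ValueError("unknown identity provider: %s" % provider)
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "WebIdentityToken": web_identity_token, "DurationSeconds": duration}
    if provider != "accounts.google.com":
        params["ProviderId"] = provider
    return params


def exchange_token(role_arn, provider, web_identity_token, session_name):
    """Step 2: trade the provider's token for temporary AWS credentials (needs boto3, network)."""
    import boto3  # imported here so the policy helpers above work without it
    sts = boto3.client("sts")  # the call is unsigned; no AWS keys exist on the device yet
    creds = sts.assume_role_with_web_identity(
        **sts_request(role_arn, provider, web_identity_token, session_name))["Credentials"]
    # All three values are needed to sign later requests.  SessionToken is the
    # part long-term keys lack; leaving it out makes every call fail.
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"],
            "expires": creds["Expiration"]}


if __name__ == "__main__":
    # Placeholder app ID and bucket; paste the output into the role's trust and
    # permission policies, then call exchange_token() with a real Facebook token.
    print(json.dumps(trust_policy("graph.facebook.com", "123456789012345"), indent=2))
    print(json.dumps(per_user_s3_policy("graph.facebook.com", "myapp-user-data"), indent=2))
```

A client built from the returned dictionary, for instance `boto3.client("s3", **{k: v for k, v in creds.items() if k != "expires"})`, signs every request with the session token automatically; the credentials expire at `expires`, so the app should repeat the exchange rather than cache them past that point.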

The idea is to make authentication integration easier for developers, who no longer have to manage identities, or distribute and manage credentials.

AWS is not breaking any new ground here. They are following in the footsteps of Yahoo, Google, Facebook and others who have been accepting each other's credentials as part of a trend called social log-ins. For example, users of Facebook-based applications are familiar with this authentication flow.

In addition, AWS is tapping into the OAuth 2.0 framework that Facebook and Google have adopted in their authentication APIs. Login with Amazon also implements OAuth 2.0.

OAuth 2.0, the protocols layered on it such as OpenID Connect, and the related System for Cross-Domain Identity Management (SCIM) provisioning standard are quietly becoming foundational elements for identity federation that can scale to the Internet's billions of users.

Last week, Google developer advocate Tim Bray made a passionate plea for developers to begin using emerging web-based identity protocols, namely OAuth 2.0 and OpenID Connect, and to get out of the password business.

"This is an opportunity for Amazon to become a trusted identity provider as users trust it to store and maintain more personal information about them than Google, Facebook and others," said Patrick Harding, CTO of Ping Identity. "That could include credit card, billing address, shipping addresses, real name and preferences."

Building itself into an identity provider would align AWS with the ecosystem model of the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC effort is rallying around many of the same standards-based identity protocols and frameworks. So far, however, AWS and Amazon are not part of the NSTIC work, which largely has been taken over by the private sector.

Disclosure: Patrick Harding and John Fontana both work for the same employer