-------OAuth2-------

What: Authorization provider

Why: 1. Scalable  2. Separate of concerns  => 3. Cloud compatible: 12 factor apps + serverless

How: http://sivatechlab.com/secure-rest-api-using-spring-security-oauth2/

Bundled solution: OpenID Connect

Cloud solution: AWS Cognito

-------Cognito-------

AWS cognito ads:
https://www.youtube.com/watch?v=abTy-Yyo6lI

Creating cognito user pool + federation agency: https://console.aws.amazon.com/cognito/code/?region=us-east-1&pool=us-east-1:7fa2bb23-5485-43ae-bd40-5f23a523c774&response=%7B%22authRole%22%3A%22arn%3Aaws%3Aiam%3A%3A113688755533%3Arole%2FCognito_googleclientAuth_Role%22%2C%22unauthRole%22%3A%22arn%3Aaws%3Aiam%3A%3A113688755533%3Arole%2FCognito_googleclientUnauth_Role%22%7D

Developer guide: http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/getting-started-browser.html

---------Demo---------
Protected S3 resource will be accessible after authentication + authorization

http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/getting-started-browser.html#getting-started-browser-create-bucket

Explain steps: 1. Only give index.html public access. 2. Access other files has to go through JavaScript. (Click file link will fail) 3.Demo list other users object will fail

----------vars------------
S3 bucket name: cognito-demo-shawn
  bucket region: us-east-1
    bucket URL: https://s3.amazonaws.com/cognito-demo-shawn/index.html
    # note: don't use non-https URLs (eg. S3 website host URL http://cognito-demo-shawn.s3-website-us-east-1.amazonaws.com/)
Facebook app ID: 149302952278784
IAM policy name: facebook-auth-per-object
  IAM role name: facebook-auth-per-object-user
    role ARN: arn:aws:iam::113688755533:role/facebook-auth-per-object-user


## Safety explained:

Facebook loads in separate browser tab, credential is safe
Popup window Oauth2 is only safe if user verifies the URL. Browser treat cookies from different domain as totally separated context scope
Should use https to access index.html