Build a Secure AWS Microservice using OAuth2 Client Credentials Grant — CloudFormation
In this blog post, we are going to see how to create a secure serverless web application using Amazon Cognito with the OAuth 2.0 client credentials grant.
Please note that the client_credentials grant is not user-specific but application-specific; it is commonly used for server-to-server interactions that must run without immediate interaction with a user.
For this tutorial, we are using CloudFormation to create the AWS resources. You can create all of this manually in the AWS console; the task is really trivial, but there are many benefits to using CloudFormation.
Requirement
Call a secure server-side function that, in turn, will perform operations on a database.
Architecture Diagram
The application architecture uses Amazon Cognito, Amazon API Gateway, AWS Lambda, and Amazon DynamoDB as pictured below:
Request an OAuth2 access token by invoking Amazon Cognito with grant_type set to client_credentials and the scopes you need. If no scope is provided, the returned access token is issued with all the scopes available to the app client; it is like requesting a token with all available scopes.
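As an added example (not code from the original post), the token request described above and the claim checks the protected API should apply to the resulting access token, in Python. The Cognito domain, client id, secret and the `orders/read` and `orders/write` scope names are hypothetical, and signature verification against the user pool JWKS is assumed to happen before the claim check.

```python
import base64
import json
import time
from urllib.parse import urlencode


def build_token_request(cognito_domain, client_id, client_secret, scopes=None):
    """Describe the POST to Cognito's /oauth2/token endpoint for the
    client_credentials grant: client id and secret go in an HTTP Basic
    header, the grant type and optional scopes in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scopes:  # omitting scope asks for every custom scope the app client allows
        form["scope"] = " ".join(scopes)
    return {
        "url": f"https://{cognito_domain}/oauth2/token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_access_token_claims(token, expected_client_id, required_scope, now=None):
    """Claims the resource side (API Gateway authorizer or the Lambda) should
    enforce: token_use, issuing app client, expiry and the required scope.
    Assumes the JWT signature was already verified against the pool's JWKS."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("token_use") != "access":
        return False, "not an access token"
    if claims.get("client_id") != expected_client_id:
        return False, "client_id mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, "ok"


def constructed_sample_token(claims):
    """Constructed test fixture (not a real Cognito token): a JWT-shaped
    string with a placeholder signature so the claim checks run offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.placeholder"
```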