NICK TYSON
AWS Snr Sol Architect
TALK
Headless eCommerce and Identity
ABSTRACT
- Who TVG is and our eCommerce brands, DCX, size of our team (PG)
  - Some fancy slides with big numbers and pictures covering no. of customers, login requests, credential stuffing, etc. (PG)
  - We're a tiny bit like a bank: we hold a lot of data about our business and our customers' behaviour
- Brief history of ATG and the re-platform to MACH microservices (PG)
  - Monolith to domains and events
  - Can't impact the customer journey: it doesn't take much to deter a customer from spending actual money
  - Domains help us parallelise the work people do; events help us parallelise the work services do
- What are the limitations of our current IdP? (PG -> FS)
  - It's an effing monolith!!
  - Doesn't really know the difference between identity, customer and account (and sometimes neither do we)
  - No easy way to implement MFA for risk-based step-up to combat credential stuffing
  - No easy way to differentiate between devices, customers, risk level, etc.
- Why we chose Cognito, and what other options did we consider?
  - MACH: headless, via API, a must!!
  - The likes of Okta or Ping are federated: social sign-on or embedded UI, no control over the UI (needed for AAA accessibility), no app-native authn experience
  - Ory was maybe closer to our perceived needs, but we couldn't face yet another SaaS onboarding, plus Ory was nowhere near ready for enterprise reqs
  - We're already paying for it, we have a great relationship with AWS, and the roadmap is exciting
- Cognito user pools as a MACH-compliant IdP
  - Cognito built-in vs custom flows: reality check. The built-in stuff doesn't cover enterprise reqs, especially not ours, e.g. validating both email and password, using a 3rd-party email/SMS provider; risk-based authz doesn't accept 3rd-party signals
  - Cognito as a proper enterprise IdP, inc. DR and the ability to migrate/import/export data
  - The Lambda trigger mechanism is actually very powerful for extension (with domains and events)
- Migrating identities on the fly, reducing friction, improving security and user experience
  - Data cleansing -> don't migrate bad data!
- Lessons learned so far, e.g. don't tie yourself to sub because it will stop you from migrating user pools (inc. DR)
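The on-the-fly migration, the "don't migrate bad data" rule and the "don't tie yourself to sub" lesson come together in the Cognito User Migration Lambda trigger. The following is an added example written for this page, not TVG's code: it verifies the legacy password, maps the legacy record to Cognito attributes, refuses records that fail validation, and keys the identity on a custom attribute rather than on the Cognito `sub`, which is regenerated whenever a pool is exported and re-imported (DR included). Everything named here is an assumption: `LEGACY_USERS` is a constructed in-memory stand-in for the legacy IdP lookup, legacy passwords are assumed to be PBKDF2-SHA256 hashes, the pool is assumed to define a custom attribute `custom:customer_id`, and `make_event`/`try_migrate` are helpers for running it locally.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the legacy identity store. In production this is an
# HTTPS call to the legacy IdP; here it is in-memory so the example runs offline.
_SALT = b"constructed-salt"


def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


LEGACY_USERS = {
    "alice@example.com": {"customer_id": "C-1001", "email": "Alice@Example.com",
                          "given_name": "Alice", "pw_hash": _pbkdf2("correct horse")},
    # deliberately bad data: malformed email address
    "bob@example.com": {"customer_id": "C-1002", "email": "bob@example,com",
                        "given_name": "Bob", "pw_hash": _pbkdf2("hunter2")},
    # deliberately bad data: no business key to tie orders/accounts to
    "carol@example.com": {"customer_id": "", "email": "carol@example.com",
                          "given_name": "Carol", "pw_hash": _pbkdf2("s3cret")},
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Cognito surfaces the trigger's exception message to the client, so it stays generic
# and identical for "no such user", "wrong password" and "record refused".
GENERIC_ERROR = "Incorrect username or password."


class MigrationRefused(Exception):
    """Raising from the trigger makes Cognito fail the sign-in instead of creating the user."""


def verify_legacy_password(record, password):
    return hmac.compare_digest(record["pw_hash"], _pbkdf2(password))


def cleanse(record):
    """Map a legacy record to Cognito attributes, refusing anything that would carry
    bad data into the new pool. The business identity is custom:customer_id (assumed
    custom attribute); downstream services must never key on Cognito's `sub`, because
    a pool export/import or DR failover assigns every user a new sub."""
    email = (record.get("email") or "").strip().lower()
    if not EMAIL_RE.match(email):
        raise MigrationRefused(GENERIC_ERROR)
    if not record.get("customer_id"):
        raise MigrationRefused(GENERIC_ERROR)
    attrs = {
        "email": email,
        "email_verified": "true",  # verified in the legacy system; avoids re-verification
        "custom:customer_id": record["customer_id"],
    }
    if record.get("given_name", "").strip():
        attrs["given_name"] = record["given_name"].strip()
    return attrs


def handler(event, context=None):
    """Cognito User Migration trigger entry point."""
    username = event["userName"].strip().lower()
    record = LEGACY_USERS.get(username)
    if record is None:
        raise MigrationRefused(GENERIC_ERROR)  # same error as a bad password: no enumeration

    source = event["triggerSource"]
    if source == "UserMigration_Authentication":
        if not verify_legacy_password(record, event["request"]["password"] or ""):
            raise MigrationRefused(GENERIC_ERROR)
        event["response"]["userAttributes"] = cleanse(record)
        event["response"]["finalUserStatus"] = "CONFIRMED"  # keeps signing in with the old password
        event["response"]["messageAction"] = "SUPPRESS"     # no Cognito welcome message
    elif source == "UserMigration_ForgotPassword":
        # No password is available here: create the user with a verified email so the
        # reset code can be delivered, and let the reset flow set the new password.
        event["response"]["userAttributes"] = cleanse(record)
        event["response"]["messageAction"] = "SUPPRESS"
    else:
        raise MigrationRefused("Unsupported trigger source")
    return event


def make_event(source, username, password=None):
    """Minimal event of the shape Cognito sends to this trigger (constructed)."""
    return {
        "version": "1", "triggerSource": source, "userName": username,
        "request": {"password": password, "validationData": None, "clientMetadata": None},
        "response": {"userAttributes": None, "finalUserStatus": None, "messageAction": None,
                     "desiredDeliveryMediums": None, "forceAliasCreation": None},
    }


def try_migrate(source, username, password=None):
    """Run the trigger locally; returns the response dict, or None if migration was refused."""
    try:
        return handler(make_event(source, username, password))["response"]
    except MigrationRefused:
        return None
```

Two operational points follow from this shape. The authentication branch only works while the app client uses USER_PASSWORD_AUTH (or ADMIN_USER_PASSWORD_AUTH): SRP never hands the trigger a plaintext password, so you switch back to SRP only once the legacy store is drained. And a refused record should not vanish silently; in practice the refusal is logged to a cleansing queue so the data gets fixed at source rather than copied across.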
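The limitation that Cognito's built-in risk-based flow "doesn't accept 3rd-party signals" is what the custom authentication flow and its Lambda triggers are for. The block below is an added example written for this page, not TVG's code: a Define Auth Challenge trigger that always verifies the password first, then steps up to a custom MFA challenge (an OTP sent through your own SMS/email provider) only when a third-party risk verdict is high, and aborts after repeated failures. The names are assumptions: `risk_score` and `_VERIFIED_SIGNALS` stand in for a server-side check of the provider's device token, the `riskSignal` key in `clientMetadata` is a made-up carrier for that token, and `entry`/`run_step` are helpers for running it locally.

```python
RISK_THRESHOLD = 70         # provider score at/above this forces a step-up challenge
MAX_CHALLENGE_ATTEMPTS = 3  # failed custom challenges before the whole sign-in is aborted

# Constructed stand-in for the risk provider's server-side verification: the client SDK
# hands us an opaque token, the provider tells us what it observed for that token.
_VERIFIED_SIGNALS = {"tok-known-laptop": 10, "tok-new-device-odd-ip": 85}


def risk_score(signal_token):
    """clientMetadata is written by the caller, so only a provider-verified verdict counts.
    A missing or unknown token is treated as maximum risk (fail closed to the step-up)."""
    if not signal_token:
        return 100
    return _VERIFIED_SIGNALS.get(signal_token, 100)


def define_auth_challenge(event, context=None):
    """Cognito Define Auth Challenge trigger entry point (custom auth flow started with SRP_A)."""
    req, resp = event["request"], event["response"]
    session = req.get("session") or []
    resp.update(challengeName=None, issueTokens=False, failAuthentication=False)

    if req.get("userNotFound"):
        resp["failAuthentication"] = True  # same outcome as a wrong password: no enumeration
        return event

    last = session[-1] if session else None
    if last is None:
        # Client skipped SRP_A, i.e. tried to enter the flow without a password step.
        resp["failAuthentication"] = True
    elif last["challengeName"] == "SRP_A":
        resp["challengeName"] = "PASSWORD_VERIFIER"  # password is always checked first
    elif last["challengeName"] == "PASSWORD_VERIFIER":
        token = (req.get("clientMetadata") or {}).get("riskSignal")
        if not last["challengeResult"]:
            resp["failAuthentication"] = True
        elif risk_score(token) >= RISK_THRESHOLD:
            resp["challengeName"] = "CUSTOM_CHALLENGE"  # step up: OTP via our own provider
        else:
            resp["issueTokens"] = True                  # low risk: password alone is enough
    elif last["challengeName"] == "CUSTOM_CHALLENGE":
        failures = sum(1 for s in session
                       if s["challengeName"] == "CUSTOM_CHALLENGE" and not s["challengeResult"])
        if last["challengeResult"]:
            resp["issueTokens"] = True
        elif failures >= MAX_CHALLENGE_ATTEMPTS:
            resp["failAuthentication"] = True
        else:
            resp["challengeName"] = "CUSTOM_CHALLENGE"  # let the user retry the OTP
    else:
        resp["failAuthentication"] = True               # unexpected challenge: fail closed
    return event


def entry(name, ok):
    """One session entry of the shape Cognito records for a completed challenge."""
    return {"challengeName": name, "challengeResult": ok, "challengeMetadata": None}


def run_step(session, risk_signal=None, user_not_found=False):
    """Build a constructed DefineAuthChallenge event, run the trigger and return the
    decision as (challengeName, issueTokens, failAuthentication)."""
    event = {
        "triggerSource": "DefineAuthChallenge_Authentication",
        "request": {"userAttributes": {"email": "alice@example.com"}, "session": session,
                    "clientMetadata": {"riskSignal": risk_signal} if risk_signal else {},
                    "userNotFound": user_not_found},
        "response": {"challengeName": None, "issueTokens": False, "failAuthentication": False},
    }
    r = define_auth_challenge(event)["response"]
    return r["challengeName"], r["issueTokens"], r["failAuthentication"]
```

This trigger only decides; the paired Create Auth Challenge and Verify Auth Challenge Response triggers generate the OTP, send it through the third-party SMS/email provider and check the answer. The one rule worth repeating is the fail-closed default: a client that omits the risk token gets the step-up, not a free pass, otherwise a credential-stuffing tool simply leaves the field out.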