Using Webiny as Company Intranet & Security

So we are planning on using Webiny as a company intranet site. The requirement from security is to lock Webiny down so that everything passes through Okta or at the minimum APIs use keys (I know keys are not for security).

I have figured out how to lock down the Client-Side on Cloudfront by placing a @LambdaEdge Authorizer to redirect to Okta if token is not present.

What would be your recommendation for locking down the API side (GraphQL, Images, etc)?

Hi @JCravinho, since you managed to add a LambdaEdge authorizer on the client side, I imagine the API/Images would be no different. API and images are served from the same Cloudfront distribution (so client apps have 1 distribution, and API/images have another), so you would add an Authorizer there as well, and in the client app you’d have to send the credentials with every request to the API (by using an Apollo Link to attach custom credentials to each request).

The only thing I’m not sure about is how to protect your images with the same mechanism. Service workers come to mind, to intercept requests from browser and attach credentials but we’ve never tried that.

Let us know if we can be of more help and sorry for late response.
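The authorizer the reply suggests for the API/images distribution, written out as an added example (not Webiny's code): a Lambda@Edge viewer-request handler that requires an Okta token on every request. It assumes the token arrives as `Authorization: Bearer <jwt>` (attached by the client's Apollo Link) or in a cookie whose name is a placeholder chosen here, and the Okta login URL is a placeholder.

```javascript
// Lambda@Edge viewer-request authorizer (added example, not Webiny's code).
// Assumed: the Okta token arrives as "Authorization: Bearer <jwt>" (attached by the
// client's Apollo Link) or in a cookie whose name is a placeholder chosen here.
const OKTA_LOGIN_URL = 'https://example.okta.com/oauth2/default/v1/authorize'; // placeholder
const TOKEN_COOKIE = 'okta_token'; // constructed cookie name

function b64urlDecode(seg) {
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Pull the raw token out of the CloudFront request headers (header names are lowercase).
function extractToken(headers) {
  const auth = headers.authorization ? headers.authorization[0].value : '';
  if (/^Bearer\s+\S/i.test(auth)) return auth.replace(/^Bearer\s+/i, '').trim();
  const cookies = (headers.cookie || []).map(h => h.value).join('; ');
  const m = cookies.match(new RegExp('(?:^|;\\s*)' + TOKEN_COOKIE + '=([^;]+)'));
  return m ? m[1] : null;
}

// Structural check only: three segments and an unexpired "exp" claim. The signature
// must still be verified against Okta's JWKS before any claim in the token is trusted.
function tokenLooksValid(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  try {
    const payload = JSON.parse(b64urlDecode(parts[1]));
    return typeof payload.exp === 'number' && payload.exp > nowSeconds;
  } catch (e) {
    return false;
  }
}

// Returns the request unchanged to let it reach the origin, or a response that stops it.
function authorize(event, nowSeconds = Math.floor(Date.now() / 1000)) {
  const request = event.Records[0].cf.request;
  const headers = request.headers || {};
  const token = extractToken(headers);
  if (token && tokenLooksValid(token, nowSeconds)) return request;
  const accept = headers.accept ? headers.accept[0].value : '';
  if (accept.includes('text/html')) {
    // Browser navigation: send the user to the Okta-hosted login page.
    return { status: '302', statusDescription: 'Found',
             headers: { location: [{ key: 'Location', value: OKTA_LOGIN_URL }] } };
  }
  // GraphQL/image fetches from script: a redirect is useless to fetch(), so answer 401.
  return { status: '401', statusDescription: 'Unauthorized',
           headers: { 'content-type': [{ key: 'Content-Type', value: 'application/json' }] },
           body: JSON.stringify({ error: 'missing or expired token' }) };
}

if (typeof module !== 'undefined') module.exports = { handler: async (event) => authorize(event) };
```

Deploy it as the viewer-request trigger of the API/images distribution; the client distribution keeps its own redirect-only authorizer.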

Thanks! I will go ahead and modify the Apollo Link and let you know what I figure out. I will post my results in case others are interested in this solution.


Great, we’d love to see different use cases, we can even add them to our docs so other users can benefit from it. Let us know how things go!

@JCravinho I’m wondering, if you use Okta, do you even need the default Cognito that comes with Webiny? Could you share some details about the setup you’re trying to achieve?

For Webiny itself, Cognito is just a plugin (on both client and API side), but you could just as well create a plugin which works with Okta instead, so once you authorize the user at the Authorizer level using Okta (I guess Okta provides a hosted login interface), you would simply exchange that Okta token for Webiny token.

There are different options with the flow, so if you share some more details maybe we could come up with a flow that suits your organization better.