Implementation Guide to Authentication and Authorization (Cognito / OIDC / JWT)
Authentication and authorization start from the principle of not trusting the client. Always verify a token's signature and claims, and enforce authorization on the server and in the database, not in UI if-statements. From the criteria for choosing among Cognito, Auth0, Clerk, and Supabase Auth, through the pitfalls of JWT verification and custom authentication flows, to enterprise SSO (SAML/OIDC), we cover designs that do not fall apart in production.
7 articles in total
Foundational guide (start here)
How to choose an authentication platform in 2026: an in-depth comparison of Cognito, Auth0, Clerk, and Supabase Auth, plus an implementation and migration guide
For decision-makers unsure about selecting an authentication platform, an in-depth comparison of Cognito, Auth0, Clerk, and Supabase Auth by evaluation axes. From B2B SSO (SAML/OIDC), MAU billing, data sovereignty, Next.js implementation, and JWT verification to user migration (lazy migration), explained with real-project design decisions.
Related practical articles
Tags: AWS, Cognito, Authentication, Security, Python
AWS Cognito Custom Authentication Flow Implementation Guide: OTP/Passwordless with the CUSTOM_AUTH Challenge, Store the PIN Safely with PBKDF2
A guide to implementing OTP, passwordless, and LINE authentication with Cognito's CUSTOM_AUTH challenge (the Define/Create/Verify Lambda triggers), and to storing a card PIN safely with PBKDF2-HMAC (high iteration count, CSPRNG salt, constant-time comparison). Explained with real code, down to the post-confirmation hook and log masking.
25 min read

Tags: AWS, Cognito, JWT, Security, Python
Correctly Verifying AWS Cognito's JWT (RS256): The Pitfalls of JWKS, kid, and token_use, and a Production Implementation
An implementation guide to correctly verifying AWS Cognito's JWT (RS256) in the backend. We explain — in real code (Python/TypeScript) — JWKS fetching and kid matching, RS256 signature verification, verification of iss/aud/exp/token_use, JWKS caching and periodic refresh, two-layer verification with the API Gateway authorizer, and pitfalls like alg=none and not verifying token_use.
21 min read

Tags: AWS, Cognito, SAML, OIDC, SSO
The Complete Guide to Implementing Enterprise SSO with AWS Cognito: SAML/OIDC Integration (Azure AD, Okta, Google) and USER_AUTH Choice-Based Authentication
The 2026 latest guide to implementing enterprise SSO (Azure AD/Okta/Google) and passwordless authentication (passkeys/OTP) with AWS Cognito User Pools. SAML/OIDC integration, USER_AUTH choice-based authentication, the Lambda triggers of custom authentication flows, multi-tenant design, and JWT verification — explained with official-docs-compliant real code.
22 min read

Tags: OAuth2, OIDC, Authentication, JWT, Next.js
ID Token vs. Access Token: The Complete Guide to Not Getting OIDC/OAuth2 Wrong in Implementation
ID tokens (OpenID Connect) and access tokens (OAuth2) differ in role, destination, and verification method. Conflate them and your API lets authorization slip through — a serious vulnerability. Understand the difference from first principles via 'whom is it addressed to (audience),' and learn the real Authorization Code + PKCE flow, JWT verification with jose, and token storage in a BFF, with production-grade real code.
23 min read

Tags: Authentication platform, OIDC, Next.js, TypeScript, Architecture design
Building your own auth hub that bundles multiple AI tools: BFF × OIDC × back-channel logout (PKCE required, PII encryption, audit logs)
Dissecting the auth hub (BFF) of an internal platform that bundles multiple AI tools of differing nature into a single SSO, with real code as the single source of truth. At the implementation level it explains a homemade OIDC provider, short-lived JWTs narrowed to a per-tool audience, mandatory PKCE S256, auto-POST that doesn't put tokens in the URL, HMAC-signed back-channel logout, and PII encryption with AES-256-GCM and audit logs.
13 min read

Tags: AWS Cognito, Terraform, Authentication design, B2B SaaS, Security
Complex Authentication / Authorization Design Realized with AWS Cognito + Terraform: An Enterprise-SaaS Practice Managing 8 Kinds of User Attributes
Explains how to realize, with AWS Cognito, the complex per-user-attribute authentication and authorization that B2B SaaS requires. Presents practical design patterns: 8 kinds of user attributes, page-level and API-level access control, pre-signed URLs, and full automation with Terraform IaC.
9 min read