I am building a web application based on microservice architecture. I am currently considering several ways to stream user authentication. I predict the following, for example, user roles:

• admin - the ability to create content, upload files, etc. (an administrator account can only be created by another administrator).
• unauthorized user - can view the contents
• authorized user - can comment on the content

This is how I thought about the authentication flow:

• authentication service - have access to the database with user credentials and permissions
• api gateway - retrieves requests from the user, checks if the user is registered (i.e. checks the OAuth2 access token using the auth service) and passes the stream to other services based on the user request (attaches the JWT token with some basic user information)
• another service - accepts only requests from the api gateway and trusts user data from the JWT token (no connection to the auth service is required to obtain information about the user).

After deploying some AWS infrastructure components, my mindset has changed a bit. As far as I understand, AWS products (Lambda - server applications and API gateway), I have to implement the authentication flow as follows:

• - , dynamoDB cookie JWT,
• - JWT, .

:

AWS Cognito ? - ? , Cognito (facebook, twitter ..). AWS Cognito , , /webservices impelementation?

Cognito authentication service - , impelemnt Cognito, SDK amazon, - JavaScript SDK / . ?