In Cognito we trust
Need to control your web or mobile app users sign-up and log-in and what they can do once they’ve logged in? Have you considered using Amazon’s Cognito?
Cognito is an Amazon Web Service that enables you to sign-up your users, allow them to log in and then control what they can do once they’ve logged in to your web or mobile app. Your users can also make use of Social Identity providers such as Facebook and Twitter to log in. It’s free to use under AWS’s free tier option after which the rates are very reasonable as you pay only for what you use.
There are two components to Cognito:
- User pools which saves your user profile attributes, providing sign-up and sign-in options for them
- Identity pools which grant users access to other AWS services
You can use the two options separately or together.
Pool the pools: using User pools and Identity pools together
You would integrate User pools with Identity pools if you wanted to authenticate your users and then grant them access to another AWS service.
This is how it works:
- The user signs in through a user pool and receives user pool tokens after authentication
- The user pool tokens are then exchanged for AWS credentials through the Identity pool
- The user can then use the credentials to access other AWS services (for example S3 where you can store files and images or DynamoDb a non-relational database)
Pools are cool
User pools are user directories in Cognito containing signed-in user profiles. User pools enable your users to sign-in to your web or mobile app through Cognito or third party identity providers. All users, including federated users (those signed in through third party identity providers like Facebook) will have a directory profile containing their attributes.
User pools provide:
- A sign-up, sign-in service
- Built-in, customizable UI for users to sign in so you can build your own register and login forms
- Social sign-in with Facebook, Twitter, etc.
- User directory management and user profiles so you can search for users under email, username, etc.
- Security features such as, multi factor authentication (MFA), compromised credential checks, account takeover protection as well as phone and email verification
- Customized workflows and user migration through AWS Lambda triggers. You can use Lambda to migrate existing users into your user pool or send an email on sign-up for example
Identity pools provide users with temporary credentials to access AWS services (S3 or DynamoDB). Identity pools also support anonymous guest users as well as the following identity providers:
- Amazon Cognito user pools
- Social sign-in
- OpenID Connect providers
- SAML identity providers
- Developer authenticated identities
Just so you know
- You must integrate your Identity pool with your User pool if you want to save your user profile information
- Amazon Web Services have data centres in different regions of the world. You can choose in which region you would like to create your pools
- Federated Identities. Cognito Identity pools combine all users from recognized identity providers into one identity pool and then issues these users with a unique identity and temporary credentials. So users from a Cognito User pool, Twitter, Facebook, Amazon, etc. are combined or federated into a single pool. No user profile information is saved.
Authenticating with a User pool
You can enable your signed-up users as well as third party identified users to sign in to your app using your user pool. Your user pool handles the tokens provided by the third party identity providers.
Once signed in to Cognito, your app will then receive user pool tokens from Cognito. You can use these tokens to access your own resources or the Amazon API Gateway (but not AWS services for which you need temporary credentials which are supplied by an Identity pool).
Cognito implements ID, Access and refresh tokens as defined by OIDC and Cognito’s client side SDK manages the tokens.
Accessing AWS Services with a User pool and Identity pool
You can exchange the user pool tokens that you received on successful log-in for temporary credentials with your Identity pool. You then use the temporary credentials to access other AWS Services.
Signing-in with a Third party identity provider and then access AWS Services with an Identity pool
The third party identity providers, such as Facebook, provide you with an IdP token (an access token). The identity pool then exchanges this for temporary AWS credentials that you can use to access other AWS services.
Unauthenticated guests can also be provided with temporary credentials.