Precious Mae
Security with AWS Cognito: Building Your First User Pool

One of the most important features of any application is user authentication. It is also almost always the first feature you build. Yes, you could write your own authentication and authorization for your web app, but building a secure authentication service is complex and time-consuming, and getting it wrong exposes your app and your users to unnecessary risk.

This is where third-party authentication services come in. They provide secure authentication, scalability, and a good user experience. There are many such services on the market right now, but we will focus on Amazon Cognito and see what it has to offer.

But before all that, why choose Amazon Cognito?

Amazon Cognito is an excellent and secure entry point into user authentication for web and mobile applications, especially when you are already heavily invested in the AWS ecosystem, since it integrates well not only with API Gateway but also with IAM. Additionally, Cognito is an AWS managed service, so you do not have to worry about infrastructure or security maintenance, and it scales automatically to handle a growing user base. In terms of pricing, for low to medium numbers of users, Cognito offers a free tier. If you are just getting started, that will probably be perfect for you.

What is Amazon Cognito?

Amazon Cognito is the identity platform for web and mobile apps. It's a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials. It represents a secure, scalable, and customizable authentication service with easy integration of other AWS services. Let Cognito do the heavy lifting for authentication and authorization, freeing you up to build the important parts of your application.

Amazon Cognito is composed of building blocks such as User Pools and Identity Pools.

An Amazon Cognito user pool is a fully managed user directory that makes authenticating and authorizing users of web or mobile applications straightforward. It stores user information securely, manages sign-up and sign-in, and handles password resets. In addition, it supports MFA and social identity provider integration, which strengthens security and improves the user experience. In short, with Cognito user pools you offload much of the complexity of user management and focus on the core features of your application.

An Amazon Cognito identity pool, on the other hand, is the service that turns an authenticated (or guest) identity into temporary AWS credentials. It provides user identity management, temporary AWS credentials, and flexible access control over AWS resources. Users can use your application without an account or log in with their social identities via Google, Facebook, Amazon, or Apple. With Cognito you handle users efficiently and add an extra layer of security, so you can focus on the core features of your app.

Creating your first user pool

Note: This tutorial is intended for beginners, so we'll be using the AWS Console instead of the CLI. Additionally, I am assuming that you already have an AWS account ready for use.

Of course, Cognito can also be used with other frameworks and technologies such as React and Flutter. But aside from these, Amazon Cognito also offers a Hosted UI service. The Hosted UI is a pre-built user interface provided by Amazon Cognito that handles user authentication and authorization tasks (sign-up, sign-in, verification, password reset). We will use this feature to try out the Cognito service for the first time.

  1. Go to your AWS Console, and look for Cognito.
  2. Click on Create User Pool.

create user pool screenshot

  3. In Step 1, ensure that for authentication providers Cognito user pool is selected. Also, tick Username and email for the sign-in options.

step 1 screenshot

  4. In Step 2, ensure that Cognito defaults are chosen for the password policy. For MFA, choose Optional MFA, and allow Authenticator apps and SMS. Also enable self-service account recovery, with Email only chosen.

step 2 screenshot

  5. For Step 3, keep everything as default.
    Enable self-registration, and allow Cognito to automatically send messages to verify and confirm. For attributes to verify, choose Send email message, verify email address. For verifying attribute changes, ensure that Keep original attribute value active when an update is pending is checked. For required attributes, ensure that email is chosen by default.

  6. For Step 4, pick Send email with Cognito. This is appropriate since we are just testing out the features, but Amazon SES is recommended for enterprise-level workloads.
    For SMS messages, create a new IAM role, and name it CognitoSMS or whatever you prefer.

sms messages screenshot

  7. For Step 5, configure a pool name; you can name it MyFirstUserPool or whatever you prefer. Afterwards, click on Use Cognito Hosted UI. Then configure the Cognito domain that you would like to use.

cognito domain screenshot
For the app client, ensure that Public client is chosen. For the client name, you can reuse your pool name or choose something else. Click on Do not generate client secret. For your callback URL, use https://[your domain name].auth.us-west-2.amazoncognito.com/auth-callback. (This won't work, since we do not have an application and the information goes nowhere. We're just using this as a placeholder so that Cognito lets us create the user pool.)

  8. Lastly, review your choices and click on Create user pool.
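The same configuration expressed as infrastructure-as-code makes every security-relevant choice above (default password policy, optional MFA, email-only recovery, no client secret, authorization-code flow only) visible in a reviewable file rather than spread across console screens. This CloudFormation template is an added example and not part of the original post; the pool, client and role names are the ones used in the walkthrough, the `sts:ExternalId` value and the default callback URL are constructed placeholders, and `PreventUserExistenceErrors` is an extra hardening setting the console steps did not mention.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example reproducing the tutorial's console choices as CloudFormation.

Parameters:
  DomainPrefix:
    Type: String
    Description: The "[your domain name]" part of the Hosted UI domain
  CallbackUrl:
    Type: String
    Description: Placeholder from the walkthrough; nothing listens at this URL
    Default: https://example-placeholder.auth.us-west-2.amazoncognito.com/auth-callback

Resources:
  # Step 4: role Cognito assumes to send SMS MFA codes through SNS
  CognitoSmsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CognitoSMS
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: cognito-idp.amazonaws.com }
            Action: sts:AssumeRole
            Condition:
              # constructed value; must match SmsConfiguration.ExternalId below
              StringEquals: { sts:ExternalId: my-first-user-pool-sms }
      Policies:
        - PolicyName: AllowSnsPublish
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: sns:Publish, Resource: "*" }

  MyFirstUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: MyFirstUserPool
      AliasAttributes: [email]              # Step 1: sign in with user name or email
      Policies:                             # Step 2: Cognito defaults, spelled out
        PasswordPolicy:
          MinimumLength: 8
          RequireUppercase: true
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          TemporaryPasswordValidityDays: 7
      MfaConfiguration: OPTIONAL            # Step 2: optional MFA
      EnabledMfas: [SOFTWARE_TOKEN_MFA, SMS_MFA]
      SmsConfiguration:
        SnsCallerArn: !GetAtt CognitoSmsRole.Arn
        ExternalId: my-first-user-pool-sms
      AccountRecoverySetting:               # Step 2: recovery via verified email only
        RecoveryMechanisms:
          - { Name: verified_email, Priority: 1 }
      AdminCreateUserConfig:                # Step 3: self-registration enabled
        AllowAdminCreateUserOnly: false
      AutoVerifiedAttributes: [email]       # Step 3: Cognito sends the verification code
      UserAttributeUpdateSettings:          # Step 3: keep original value until verified
        AttributesRequireVerificationBeforeUpdate: [email]
      Schema:
        - { Name: email, Required: true, Mutable: true }
      EmailConfiguration:                   # Step 4: built-in sender (SES for production)
        EmailSendingAccount: COGNITO_DEFAULT

  HostedUiDomain:                           # Step 5: Hosted UI domain
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Ref DomainPrefix
      UserPoolId: !Ref MyFirstUserPool

  MyFirstAppClient:                         # Step 5: public client, no secret
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: MyFirstUserPool
      UserPoolId: !Ref MyFirstUserPool
      GenerateSecret: false
      SupportedIdentityProviders: [COGNITO]
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows: [code]             # authorization code only, never implicit
      AllowedOAuthScopes: [openid, email, profile]
      CallbackURLs: [!Ref CallbackUrl]
      PreventUserExistenceErrors: ENABLED   # generic errors, no username enumeration

Outputs:
  UserPoolId:
    Value: !Ref MyFirstUserPool
  AppClientId:
    Value: !Ref MyFirstAppClient
```

Deploy it with `aws cloudformation deploy --template-file cognito.yaml --stack-name my-first-user-pool --capabilities CAPABILITY_NAMED_IAM --parameter-overrides DomainPrefix=<your-prefix>`; the `CAPABILITY_NAMED_IAM` flag is needed because the template creates a named IAM role. Keeping the pool in a template also means a later change such as switching `MfaConfiguration` to `ON` or tightening the password policy shows up in a diff instead of a silent console edit.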

Once your user pool has been created, click on it and navigate to App integration. From there, scroll down to App clients and click on your app client. Navigate to the Hosted UI section and click on View Hosted UI.

view hosted ui screenshot

Populating your user pool

  1. Once in your Hosted UI, click Sign Up and fill out your email, username, and password.

hosted ui screenshot

  2. Cognito will send a verification code to your email; look for it and enter it on the verification page.

verification hosted ui screenshot

  3. Once verified, it will redirect you to the callback URL (which, as mentioned earlier, won't do anything).
  4. Go back to your Cognito console, and click on your user pool.
  5. Check the Users tab, and look at the user that you signed up earlier.

users tab aws console screenshot

Note: Signing in will not give any response, as we didn't handle our callbacks properly.

Congrats! You just made your first Amazon Cognito user pool using its Hosted UI service.


This walkthrough introduced you to Amazon Cognito's user pools and Hosted UI service, which is just the beginning of your journey through the Amazon cloud. While this tutorial focused on manual configuration in the console, Cognito, like many AWS services, also offers SDKs and integrations with other frameworks, such as React and Flutter. For more information, you can refer to the official documentation here.
