What does Cognito do?
It gives users an identity to interact with a web or mobile application.
Cognito user pools:
- sign-in functionality for all users
- integrate with API Gateway & Application Load Balancer
Cognito identity pools (Federated Identity):
- provide temporary AWS credentials to users so they can access AWS resources directly
- integrate with Cognito user pools as an identity provider
Features:
- create a serverless database of users for your web and mobile apps
- simple login: username (or email) / password combination
- password reset
- email and phone number verification
- MFA
- federated identities: users from Facebook, Google, SAML
- feature: block users if their credentials are compromised elsewhere
- login sends back a JSON Web Token (JWT)
Diagram:
Choosing to create a user pool
Authentication can be done in 2 ways:
- Cognito user pool (username & password, email)
- federated identity providers (Google, Facebook, SAML)
Password policy can be default or customised.
Multi-factor authentication can be chosen to be mandatory, optional or not required.
Account recovery can be enabled or disabled.
If enabled, the way a user recovers the account through "forgot password" can be chosen.
Enable new users to register for your app (enable self-registration).
We can add the required attributes to the sign-up page (if required).
If any other custom attributes need to be added, we can add them.
Configure how the user pool sends messages to users.
Callback URLs can be specified for redirection after successful login.
Review once and the pool can be created.
In the "Sign-in experience" tab, an identity provider can be added if required.
Click on "View hosted UI" to create a user.
This opens the login page in a new tab. Once you sign up, the page sends a verification code to the registered email address. After successful login, it navigates to the callback URL page.
We can specify Lambda triggers for any of this functionality.
Cognito user pools - Lambda triggers
Hosted Authentication UI
- Cognito has a hosted authentication UI that can be added to your own app to handle sign-up and sign-in workflows
- using the hosted UI, your app can integrate with social login, OIDC or SAML
- can be customised with a custom logo and custom CSS
Hosted UI custom domain
- for custom domains you must create an ACM certificate (in us-east-1)
- the custom domain is defined in the app integration section
JSON Web Token (JWT)
- Cognito User Pools (CUP) issue JWTs, made of three base64url-encoded parts:
- header
- payload
- signature
- the signature must be verified (against the user pool's public keys) before the claims in the token can be trusted
Application Load Balancer - Authenticate users
Your Application Load Balancer can securely authenticate users:
- offload the work of authenticating users to the load balancer
- your application can focus on the business logic
- authenticate users through:
- an identity provider (IdP) that is OpenID Connect (OIDC) compliant
- Cognito user pools:
- social IdPs such as Amazon, Facebook or Google
- corporate identities using SAML, LDAP or Microsoft AD
- must use an HTTPS listener to set authenticate-oidc and authenticate-cognito rules
- OnUnauthenticatedRequest: authenticate (default), deny, allow
Application Load Balancer - Cognito Auth
Application Load Balancer - OIDC Auth
Cognito Identity pools - diagram
Cognito Identity pools - diagram with CUP
Creating an identity pool:
We can enable unauthenticated identities and change the authentication flow. By default it follows the enhanced flow; we can change to the basic flow as well.
We can select authentication providers.
The pool id and client id need to be copied from the previous steps where we created the user pool.
After creating the identity pool it asks us to allow two IAM roles:
- for authenticated identities
- for unauthenticated identities
We can select the platform where we are installing the SDK, and after installation, running the below code generates AWS credentials.
From the dashboard we can check the number of authenticated and unauthenticated identities.
We can customise the IAM roles by navigating to IAM -> Roles.
We can see the IAM roles created in the previous step; clicking edit lets us customise them (least privilege applies: the unauthenticated role in particular should grant only what guests need).
Note: user pools are for authentication, identity pools for authorisation.
Top comments (1)
Looks quite complicated for a startup that wouldn't have much resources or complex requirements. Would you still recommend AWS Cognito in that case or something else?