What does Cognito?
Give users an identity to interact with web or mobile application
Cognito user pools:
- sign in functionality for all users
- integrate with API gateway & application load balancer
Cognito identity pools(Federated Identity):
- provides temporary AWS credentials to users so they can access AWS resources directly
- integrate with cognito user pools as an identity provider
Features:
- create a serverless database of user for your web and mobile apps
- simple login:username(or email)/password combination
- password reset
- Email and phone number verification
- MFA
- federated identities: users from facebook,google,SAML
- feature:block users if credentials are compromised elsewhere
- login sends back a JSON Web Token(JWT) Daigram:
choosing to create a user pool
Authentication can be done in 2 ways
- cognito user pool(username &password, email)
- federation identity providers(google,facebook,SAML)
password can be default or customied
Multi factor Authentication can be chosen whether it should be mandatory, option or not required
account recovery can be enable or diable
if enable, in which way we can recover through forgot password can be chosen
enabling new users to register for your app(enable self registartion)
verification
we can add the reuired attributes to the signup page(if reuired)
if any other custom attributes needs to be added we can
configure how user pool sends message to users
call back urls can be specified after successful login
can review once and can be created
In sign in experience tab if required can add identity provider
click on view hosted to create a user
this will open the login page in new tab once sign up with the page sends verification SMS to the registered mail. after successful login, navigate to the call back url page
we can specify lambda triggers for any of the functionality
cognito user pools - lambda triggers
Hosted Authentication UI
- cognito has hosted authentication UI that can be add to your own app to handle signup and sign in workflows
- using the hosted ui, your app can integrate with social login, OIDC or SAML
- can be customised with custom logo and custom CSS
Hosted UI custom domain
- for custom domains you must create ACM certificate(us-east-1)
- custom domain is defined in app integration section
JSON Web Token(JWT)
- CUP issues JWT tokens
- headers
- paload
- signature
- the signature can be verified to ensure the JWT token can be trusted
Application Load Balancer - Authenticate users
your application load balancer can securely authenticate users
- offload the work of authenticating users to load balancer
- your application can focus on the business logic
- authenticate users through:
- identity provider(IdP): OpenIDConnect(OIDC) Compliant
- cognito user pools:
- social IdP's such as amazon, facebook or google
- corporate identities using SAML, LDAP or Microsoft AD
- your application can focus on the business logic
- must use an HTTPS listener to set authenticate-oidc and authenticate-cognito rules
- onunauthenticated request- authenticate(default),deny,allow
Application Load Balancer - Cognito Auth
Application Load Balancer - OIDC Auth
Cognito Identity pools - diagram
cognito identity pools - diagram with CUP
Creating Identity pool:
we can enable the unauthenticated identities and can change the authentication flow. by default it will follow enhanced, we can change to basic flow as well
we can select authentication providers
pool id and client id needs to be copied from previous steps where we have created the user pool
after creating identity pool it will ask us to allow two IAM roles
- for authenticates identities
- unauthenticated identities
we can select the platform where we are installing the SDK and after installation if we run the below code it will generate AWS credentials
from the dashboard we can check number of authenticated and unauthenticated identities
we can customize the IAM roles by navigatin to IAM-> roles
we can see created IAM roles in previous step. by hitting on edit we can customize.
Note:- User pools are for authentication, identity pools for authorisation.
Top comments (1)
Looks quite complicated for a startup that wouldn't have much resources or complex requirements. Would you still recommend AWS Cognito in that case or something else?