Xauntasia Mabry

A Matter of Authentication

AWS Cognito is the friendly, AWS-resident, managed authentication service I've chosen to use to ensure that the website I develop stays secure. I don't want anyone to be able to log in and use it unless I've set them up personally to do so. This requirement made the choice easy. I'm not an IAM guru with an interest in managing an enterprise-scale Active Directory through Directory Services, so that's a bit over the top for my use case. I'm also not necessarily looking to create custom authorizers for the APIs that I call from my frontend, so Cognito fits right into what I need for this use case.

Cognito User Pools give you a means to federate identities from other identity providers like GitHub and assign access to them according to their scope/role, or to use local identities managed in the user pool itself. User Pools can have application clients, which is what I've used to power the single-page application I'm building. They are also capable of supporting machine-to-machine (M2M) authentication using OAuth 2.0, which, if you're looking into agentic applications, can be beneficial for securely managing access to the specific tooling available to your agents.

Once the User Pool is established, you can use it as an identity provider for an identity pool, which is used to grant access to AWS resources if needed. My use case does not require an identity pool to grant authenticated users direct access to AWS services, so I will not be implementing one for my website.

In my case, I'm going to use the opportunity to test out HTTP API Gateway endpoints to see if I can manage that. I've only done REST APIs so far with API Gateway, so this is yet another opportunity to stretch a little bit in my learning. For this, I'll need to set up the Cognito user pool app client to be a JWT token generator for my API. I used the blog post here to make the magic happen.

Here's a summary of how this Cognito user pool works:
1) An admin creates a user in the console and places them in one of the pre-defined groups.
2) Once the user is notified (using the default Cognito email and SMS configuration), they can log in and reset their password.
3) The Cognito user pool allows these types of authentication flows:

4) The app client I created for this environment does not have a client secret generated.

Necessary environment vars for getting this to work:

```bash
# Cognito Authentication Configuration
# Cognito User Pool Domain (without the .auth.region.amazoncognito.com part)
VITE_COGNITO_DOMAIN=your-cognito-domain

# Cognito User Pool App Client ID (ex. 1a2b3c4d5e6f7g8h9i0j1k2l3m)
VITE_COGNITO_CLIENT_ID=your-cognito-client-id

# AWS Region (optional - defaults to us-east-1)
VITE_AWS_REGION=us-east-1

# Redirect URI after successful login (optional - defaults to current origin)
VITE_COGNITO_REDIRECT_URI=http://localhost:3000
# For production: VITE_COGNITO_REDIRECT_URI=https://your-domain.com
```


