Amazon Cognito is a service provided by AWS that makes it easy for developers to handle user identity verification and authentication for their applications. It provides a range of features that can be used to handle the different stages of user verification, including Authentication, Authorization, and User Management.
Authentication: Cognito User Pools provide sign-up and sign-in for your users, and support federation with enterprise identity providers such as Microsoft Active Directory (through SAML 2.0 or OpenID Connect) and with social identity providers such as Amazon, Facebook, and Google.
Authorization: Cognito Identity Pools (Federated Identities) exchange an identity provider's token for temporary AWS credentials tied to an IAM role, so you decide which AWS resources a user can reach and what operations they may perform on them.
User Management: Cognito also provides tools for managing the user lifecycle, such as importing users, onboarding users, disabling users, and storing and managing user profiles. Overall, Amazon Cognito simplifies the process of user identity verification and authentication for developers, allowing them to focus on building their applications without having to worry about the underlying infrastructure.
This post walks through Cognito User Pools and Identity Pools, the two components that give a mobile or web app authentication and authorization respectively.
Amazon Cognito User Pools
Amazon Cognito User Pools handle authentication. To verify who your users are you need a way for them to sign in: a username and password held by the pool, federated login through a social identity provider such as Amazon, Facebook, or Google, or a SAML 2.0 or OpenID Connect provider such as a federated Microsoft Active Directory. You configure these identity providers on the user pool, Cognito handles the exchanges with them, and your app only has to deal with the tokens that Cognito issues.
When a user signs in, the request goes to the user pool, which either checks the credentials against its own user directory or hands the user off to the configured identity provider and consumes that provider's assertion. Once the identity is confirmed, the user pool issues three JSON Web Tokens: an ID token carrying the user's profile claims, an access token carrying the scopes the app may use, and a refresh token for obtaining new ID and access tokens without signing in again. The app presents the ID or access token to your backend APIs, whether they run on EC2 or behind API Gateway and Lambda.
The tokens are signed with RS256 using per-pool keys whose public halves are published at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json. A backend must verify a token before acting on it: check the signature against those keys, the iss claim against your pool, the expiry, the token_use claim (id or access), and that the token was issued to your app client (the aud claim on an ID token, client_id on an access token). The refresh token is opaque and must never be accepted by an API. API Gateway's Cognito user pool authorizer validates tokens against the pool for you; a service on EC2 has to do it itself. With user pools you do not build or run any authentication servers, and the hosted UI gives you a ready-made sign-up and sign-in page to drop into the app.
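As an added example (not code from the original post), here is what a backend API should do with a user pool token before trusting it, written in Go against the standard library. The region, user pool ID, app client ID and key ID are placeholders, and mintToken stands in for Cognito so that the program runs offline; in production the tokens come from the pool and the keys in the map come from the pool's JWKS URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims a resource server must check. ID tokens name the app client in "aud",
// access tokens in "client_id"; token_use says which kind of token you were handed.
type claims struct {
	Iss      string `json:"iss"`
	Aud      string `json:"aud,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decode(seg string, v any) bool { // base64url-decode one JWT segment into v
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// verifyCognitoJWT is what a backend must do before trusting a user pool token. keys maps kid to
// the RSA keys from https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json.
func verifyCognitoJWT(token string, keys map[string]*rsa.PublicKey, region, poolID, clientID string, now time.Time) (*claims, error) {
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg" and "kid" case-insensitively
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !decode(parts[0], &hdr) {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // Cognito signs only with RS256; never accept "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("no JWKS key matches kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c claims
	if !decode(parts[1], &c) {
		return nil, errors.New("bad payload")
	}
	if c.Iss != "https://cognito-idp."+region+".amazonaws.com/"+poolID {
		return nil, fmt.Errorf("issuer %q is not our user pool", c.Iss)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if !(c.TokenUse == "id" && c.Aud == clientID) && !(c.TokenUse == "access" && c.ClientID == clientID) {
		return nil, fmt.Errorf("token_use %q or audience does not match this app client", c.TokenUse)
	}
	return &c, nil
}

// mintToken stands in for Cognito so the example runs offline with a locally generated key.
func mintToken(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	digest := sha256.Sum256([]byte(b64(hdr) + "." + b64(body)))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return b64(hdr) + "." + b64(body) + "." + b64(sig)
}

// demo runs constructed tokens (placeholder pool and client IDs) through the verifier and
// returns the verification error per case; nil means the token was accepted.
func demo() map[string]error {
	const region, pool, client, kid = "us-east-1", "us-east-1_EXAMPLE", "1example23456789", "key-1"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, now := map[string]*rsa.PublicKey{kid: &priv.PublicKey}, time.Unix(1700000000, 0)
	good := claims{Iss: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE", TokenUse: "access", ClientID: client, Exp: now.Unix() + 3600}
	other, id := good, good
	other.ClientID = "some-other-app-client" // signed by our pool, but issued to a different app
	id.TokenUse, id.ClientID, id.Aud = "id", "", client
	tampered := strings.Split(mintToken(priv, kid, good), ".")
	forged, _ := json.Marshal(claims{Iss: good.Iss, TokenUse: "access", ClientID: client, Exp: good.Exp + 86400})
	tampered[1] = b64(forged) // payload edited after signing, so the signature no longer matches
	res := map[string]error{}
	for name, tok := range map[string]string{"valid access token": mintToken(priv, kid, good), "valid id token": mintToken(priv, kid, id),
		"other app client": mintToken(priv, kid, other), "tampered payload": strings.Join(tampered, ".")} {
		_, res[name] = verifyCognitoJWT(tok, keys, region, pool, client, now)
	}
	return res
}

func main() { fmt.Println(demo()) }
```

verifyCognitoJWT takes the key map rather than fetching the JWKS itself: fetch the document once at startup, cache it, and refetch when a token arrives with an unknown kid, because Cognito publishes two keys and can rotate them. The "other app client" case is the one people miss: a token is still a perfectly valid product of your pool, but it was issued to a different app, so an API that checks only the signature and issuer would accept it.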
Amazon Cognito User Pools also include user management. From the User Pool page you can reset passwords, disable or enable users, and create or delete users. These actions help maintain the security and integrity of your user base, and are available through the Cognito console, the AWS SDKs, and the AWS CLI. The administrative API operations behind them (AdminCreateUser, AdminDisableUser, AdminResetUserPassword and the rest) are authorized with IAM credentials rather than with an end user's tokens, so they belong in backend or operator tooling, never in client-side code.
Amazon Cognito Identity Pools
Amazon Cognito Identity Pools provide a way to authorize access to AWS resources for your users. They create a unique identity for each user and federate it with your identity providers. Once a user has been authenticated by an identity provider, the identity pool generates temporary AWS credentials for them, which can be used to call other AWS services.
Identity Pools are used for user authorization and are the mechanism that grants access to AWS resources. When you create an Identity Pool, you are defining who is allowed to obtain AWS credentials and use them to access your resources. This allows you to control access to your resources and ensure that only authorized users can access them. Identity Pools can be integrated with Cognito User Pools to provide a complete authentication and authorization solution for your application.
The diagram shows how authorization is handled with Amazon Cognito Identity Pools.
- The web or mobile app sends the token it obtained from an identity provider to the Identity Pool. The token can come from any configured provider, such as a Cognito User Pool, Amazon, or Facebook.
- The Identity Pool validates the token with the provider, maps the identity to an IAM role, and calls STS AssumeRoleWithWebIdentity on that role to obtain temporary AWS credentials (an access key, a secret key and a session token) that can be used to access resources such as S3 or DynamoDB. These credentials are returned to the app.
- The user can then use these temporary AWS credentials to access the appropriate AWS resources.
- Additionally, you can define rules in the Identity Pool that map users to different IAM roles based on claims in their token (or, for user pool users, on the cognito:preferred_role claim derived from their groups), giving fine-grained control over which users reach which resources and with what permissions. An Identity Pool can also be configured to issue credentials to unauthenticated (guest) identities; if you enable that, the guest role must carry only permissions you are willing to hand to anyone who knows the identity pool ID, because that ID ships inside the app and is not a secret.
Cognito Identity Pools give your users short-lived, role-scoped access to AWS resources: the identity provider authenticates them, and the credentials they receive carry only the permissions of the IAM role they were mapped to.
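Because the credentials come from STS AssumeRoleWithWebIdentity on the mapped role, the role's trust policy is where other identity pools and guest identities get kept out. The following Go program is an added example, not part of the original post: it audits a trust policy for the two conditions Cognito writes when it creates the roles for you, the aud condition pinning the role to your identity pool and the amr condition requiring an authenticated identity. Both conditions are easy to lose when roles are hand-written or templated. The identity pool ID and the two policies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// trustPolicy is the subset of an IAM role trust policy the audit reads.
type trustPolicy struct {
	Statement []struct {
		Effect    string
		Principal map[string]any
		Action    any                       // string or list of strings
		Condition map[string]map[string]any // operator -> condition key -> string or list
	}
}

// strs flattens an IAM policy value that may be one string or a list of strings.
func strs(v any) (out []string) {
	switch x := v.(type) {
	case string:
		out = append(out, x)
	case []any:
		for _, e := range x {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

func has(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// auditTrustPolicy flags Cognito federation statements that do not pin the identity pool (aud)
// or do not require an authenticated identity (amr). Indexing a nil map is safe in Go, so a
// statement with no Condition block simply yields empty aud and amr lists.
func auditTrustPolicy(policyJSON, identityPoolID string) ([]string, error) {
	var p trustPolicy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	findings := []string{}
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !has(strs(st.Principal["Federated"]), "cognito-identity.amazonaws.com") ||
			!has(strs(st.Action), "sts:AssumeRoleWithWebIdentity") {
			continue // not a statement Cognito Identity Pools can use
		}
		aud := strs(st.Condition["StringEquals"]["cognito-identity.amazonaws.com:aud"])
		amr := append(strs(st.Condition["ForAnyValue:StringLike"]["cognito-identity.amazonaws.com:amr"]),
			strs(st.Condition["ForAnyValue:StringEquals"]["cognito-identity.amazonaws.com:amr"])...)
		switch {
		case len(aud) == 0:
			findings = append(findings, fmt.Sprintf("statement %d: no cognito-identity.amazonaws.com:aud condition, so any identity pool, including one in another AWS account, could be configured to assume this role", i))
		case !has(aud, identityPoolID):
			findings = append(findings, fmt.Sprintf("statement %d: aud condition names %v, not this identity pool", i, aud))
		}
		if !has(amr, "authenticated") {
			findings = append(findings, fmt.Sprintf("statement %d: no amr condition requiring an authenticated identity, so guest identities can assume this role if unauthenticated access is enabled", i))
		}
	}
	return findings, nil
}

// Constructed examples: identityPool is a placeholder ID. weakPolicy trusts the Cognito service
// principal with no conditions; hardenedPolicy has the shape Cognito itself generates.
const identityPool = "us-east-1:12345678-1234-1234-1234-123456789012"

const weakPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "cognito-identity.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity"}]}`

const hardenedPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "cognito-identity.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-1234-1234-1234-123456789012"},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}`

func main() {
	for name, pol := range map[string]string{"weak": weakPolicy, "hardened": hardenedPolicy} {
		f, err := auditTrustPolicy(pol, identityPool)
		fmt.Printf("%s: %d finding(s) %v (err=%v)\n", name, len(f), f, err)
	}
}
```

The weak policy produces two findings and the hardened one none. Run it over the output of `aws iam get-role --query 'Role.AssumeRolePolicyDocument'` for each role attached to an identity pool; the guest role, if you use one, will legitimately fail the amr check, which is exactly the role whose permissions deserve the closest look.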
| Cognito User Pools | Cognito Identity Pools (Federated Identities) |
| --- | --- |
| Handles user registration and sign-in | Handles granting access to AWS resources |
| Provides user management features | Provides temporary AWS credentials for authenticated users (and, optionally, guest identities) |
| Returns ID, access and refresh tokens (JWTs) after successful sign-in | Returns temporary AWS credentials (access key, secret key, session token) after a valid provider token is presented |
| Integrated with identity providers (social, SAML 2.0, OpenID Connect) | Integrated with Cognito User Pools and other identity providers |
In summary, Cognito User Pools are used for user authentication while Cognito Identity Pools (Federated Identities) are used for user authorization. User Pools handle user registration and sign-in, and provide user management features. Identity Pools handle granting access to AWS resources by providing temporary AWS credentials to authenticated users. Both User Pools and Identity Pools can be integrated with various identity providers.