Cognito is known for authentication, authorization and user management for mobile and web applications on internet-connected devices.

‍

Authentication and how Cognito provides it

Authentication is verifying a user by their username which says who they are and their password which confirms their identity.

Users have to Sign In/Sign Up with their username and password to access any application. It’s always a never-ending process to store user credentials securely and authenticate when the user is actually logging in.
To ease this, AWS ’s Cognito has User Pool feature where it manages Sign In/Sign Up process by storing credentials to manage the authentication easily and securely. Along with that, this feature has the feasibility of using third party identity providers like Google, Facebook etc for Sign In/Sign Up process.

‍

Authorization and how Cognito provides it

Authorization is granting the user to access the resources for which the user is allowed to access after verifying the user.

After successful authentication, the user has to be authorized to access the respective resource that is accessible through the application. AWS Cognito provides Identity Pools feature to make sure that the user is accessing only user’s specific data. After successful authentication, user receives a JWT token and the same is used to authorize the user. After successful authorization, user receives temporary AWS scoped credentials to access resources.

‍

User management and how Cognito provides it

Identity Pools can manage the users by having different access levels by assigning IAM roles to each user to permit access to the resources even if they are in the same user pool.
For example, if a new user reaches an application, the user will be authenticated by Sign Up/Sign In but the user may have limited access initially and after buying premium the same application provides additional features. This user level access can be handled easily by using Identity Pools.

‍

Let’s deep dive into Cognito’s two best features, User pool and Identity Pools.

‍

User Pools

User Pool is a user directory where it stores and manages all the user’s data like username and password. Along with that, it can also manage user attributes like user ID, group membership etc. So, our application users can sign in or sign up easily through the user pool or through other well known third party identity providers like Google and Facebook or SAML-based identity providers or directly through Amazon or a combination of these. It can scale to support millions of users.

• It has built-in web UI for Sign In/Sign Up or we can also have custom web UI.
• Can migrate users from a csv file to the User Pool.
• To track/remember devices. This can list how many devices the user has logged in.
• Stores and manages user data and attributes.

‍

Identity Pools

Identity Pool is basically used to provide a temporary IAM credentials to access AWS resources by exchanging the JWT token/user pool token. This token will have the IAM permissions which has been assigned to that particular user. So, the user can only access the resources to which the user has permission for.

• Can differentiate between the users like guest, admin, developer, etc.
• Can grant temporary access to AWS resources like S3, DynamoDB, etc.
• User will have their own restrictive access to AWS resources with their own IAM permissions.

‍

How to manage users with AWS Cognito :

1. Create a user pool:

• Sign into AWS Cognito console.
• Choose “Add directories to your app” and click create user pool.

• Configure sign in experience by giving sign in options and identity providers.
• Configure password policies, MFA required or not and account recovery type.
• Configure sign up experience by enabling/disabling self sign up service and adding required attributes.
• Configure message delivery service with Cognito itself or Amazon SES.
• Give the user pool name, check the hosted UI if it is required and give the client name and check generate client secret.
• Just do a review and create the user pool.

‍

2. Register users to user pool:

‍

Users can be registered in two ways

• By adding one at a time
• By uploading a csv in a required format

‍

‍

3. Create and configure an Identity pool:

• Name your identity pool.
• Enable access to unauthenticated identities if you want guest users to access your application.
• Choose Cognito’s enhanced flow or basic flow for authentication.
• Choose authentication providers as Cognito itself or other third party providers.
• If you select Cognito, you have to mention the user pool id and client id of application, that’s how we use user pool with identity pool.
• Click create pool to create the identity pool.
• Cognito has created two default IAM roles, one for authenticated users another for unauthenticated users.
• Click allow so that pool will be created. You can even edit IAM roles created by Cognito.

‍

4. Create/Edit an IAM role:

• You can edit the IAM roles created by Cognito by adding extra access to the resources for your application or you can create new and assign.

‍

‍

5. Create user pool group:

• Under the same user pool, you can create multiple groups and assign different IAM roles to each group.

Use the below endpoints to get tokens for the above created Cognito setup.

‍

‍

Authorize Endpoint:

GET

https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?
response_type=code&
client_id=ad398u21ijw3s9w3939&
redirect_uri=https://YOUR_APP/redirect_uri&
state=STATE&
scope=openid+profile+aws.cognito.signin.user.admin

‍

‍

Token Endpoint :

POST

https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token&
Content-Type=’application/x-www-form-urlencoded’&
Authorization=Basic aSdxd892iujendek328uedj

grant_type=authorization_code&
client_id=djc98u3jiedmi283eu928&
code=AUTHORIZATION_CODE&
redirect_uri=com.myclientapp://myclient/redirect

‍

‍

Pricing:

User pool feature is free of cost up to 50,000 monthly active users. The user will be considered as an active user if he does sign in, sign up, token refresh or reset password in a calendar month. After 50,000 MAUs, the pricing will be tiered model based on number of MAUs

Identity pool has no charge.

‍