With the proliferation of smartphones in our connected world, more and more developers are quickly deploying their applications on the cloud. One of the first challenges in developing an application is allowing users to log in and authenticate to it. User verification involves multiple stages, most of which are not visible to the end user. AWS provides a managed solution for this situation.
User Identity verification is at the core of Amazon Cognito. It provides solutions for three key areas of user identification:
- Authentication – provides user sign-up and sign-in options, and supports federation with enterprise identities (Microsoft AD) or social identities (Amazon, Facebook, Google, etc.).
- Authorization – the set of permissions or operations allowed for a user. It provides fine-grained access control to resources.
- User Management – allows management of the user lifecycle, such as importing users, onboarding users, disabling users, and storing and managing user profiles.
In this post, we’ll talk about Cognito User Pools and Identity Pools, including an overview of how they are used to provide the authentication and authorization functionality that can be integrated into your mobile app.
Amazon Cognito User Pools are used for authentication. To verify your users’ identities, you need a way for them to log in, either with a username and password or through federated login with identity providers such as Amazon, Facebook, Google, or a SAML-based provider such as Microsoft Active Directory. You configure these identity providers in Cognito, and Cognito handles the interactions with them, so your app only has to handle the resulting authentication tokens.
With Cognito User Pools, you can provide sign-up and sign-in functionality for your mobile or web app users. You don’t have to build or maintain any server infrastructure on which users will authenticate.
This diagram shows how authentication is handled with Cognito User Pools:
- Users send authentication requests to the Cognito User Pool.
- The Cognito User Pool verifies the identity of the user itself, or forwards the request to an identity provider such as Facebook, Google, Amazon, or a SAML provider (for example, Microsoft AD).
- The Cognito User Pool token is sent back to the user.
- The user can then present this token to access your backend APIs, whether they are hosted on EC2 clusters or on API Gateway and Lambda.
If you want a quick login page, you can use the pre-built login UI provided by Amazon Cognito; you only have to integrate it into your application.
On the Amazon Cognito User Pool page, you can also manage users when you need to: reset passwords, disable or enable users, enroll or delete users, and perform other user management actions.
Cognito Identity Pools (Federated Identities) provide different functionality from User Pools: they are used for user authorization. You can create unique identities for your users and federate them with your identity providers. Using identity pools, users obtain temporary AWS credentials to access other AWS services.
Identity Pools can be thought of as the actual mechanism that authorizes access to AWS resources. When you create an Identity Pool, think of it as defining who is allowed to obtain AWS credentials and use those credentials to access AWS resources.
This diagram shows how authorization is handled with Cognito Identity Pools:
- The web app or mobile app sends its authentication token to the Cognito Identity Pool. The token can come from any valid identity provider, such as a Cognito User Pool, Amazon, or Facebook.
- The Cognito Identity Pool exchanges the user’s authentication token for temporary AWS credentials for accessing resources such as S3 or DynamoDB, and sends those credentials back to the user.
- The temporary AWS credentials are then used to access AWS resources.
You can define rules in Cognito Identity Pools that map users to different IAM roles, giving you fine-grained permissions.
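The two flows above (user pool sign-in, then the identity pool credential exchange) as an added example in Python with boto3; this is not code from the original post. The region, pool IDs, app client ID and the username "alice" are placeholders, and the clients are passed in as parameters so the logic can also be exercised offline.

```python
# Added example, not from the original post; all IDs are placeholders.
import getpass

REGION = "us-east-1"                                                 # placeholder
USER_POOL_ID = "us-east-1_EXAMPLE"                                   # placeholder
APP_CLIENT_ID = "example-app-client-id"                              # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder

def user_pool_login_key(region: str, user_pool_id: str) -> str:
    # Key under which an identity pool expects a user pool token in `Logins`.
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def authenticate_user(idp, client_id: str, username: str, password: str) -> str:
    # Step 1: sign in to the user pool and return the ID token (a JWT).
    # USER_PASSWORD_AUTH must be enabled on the app client. A challenge reply
    # (NEW_PASSWORD_REQUIRED, MFA, ...) carries no token, so it is not a sign-in.
    resp = idp.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=client_id,
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    if "ChallengeName" in resp:
        raise RuntimeError(f"challenge pending: {resp['ChallengeName']}")
    return resp["AuthenticationResult"]["IdToken"]

def exchange_for_aws_credentials(identity, identity_pool_id: str,
                                 login_key: str, id_token: str) -> dict:
    # Step 2: the identity pool validates the token, resolves the IAM role
    # mapped to this user and returns short-lived keys (see `Expiration`).
    logins = {login_key: id_token}
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return resp["Credentials"]

def session_kwargs(creds: dict) -> dict:
    # Cognito calls the secret `SecretKey`; boto3.Session wants
    # `aws_secret_access_key`, and the session token must travel with it.
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretKey"],
            "aws_session_token": creds["SessionToken"]}

if __name__ == "__main__":
    import boto3  # needed only for a live run against AWS
    idp = boto3.client("cognito-idp", region_name=REGION)
    identity = boto3.client("cognito-identity", region_name=REGION)
    token = authenticate_user(idp, APP_CLIENT_ID, "alice", getpass.getpass())
    login_key = user_pool_login_key(REGION, USER_POOL_ID)
    creds = exchange_for_aws_credentials(identity, IDENTITY_POOL_ID, login_key, token)
    # Every call on this session is limited to what the mapped IAM role allows.
    s3 = boto3.Session(**session_kwargs(creds)).client("s3")
    print([b["Name"] for b in s3.list_buckets()["Buckets"]], "expire:", creds["Expiration"])
```

The ID token is only accepted by the identity pool if the user pool is registered as one of its authentication providers, and the returned credentials stop working at `Expiration`, so the client must repeat the exchange rather than cache them indefinitely.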
Here’s a table summary describing Cognito User Pool and Identity Pool:
| Cognito User Pools | Cognito Identity Pools |
|---|---|
| Handles the IdP interactions for you | Provides AWS credentials for accessing resources on behalf of users |
| Provides profiles to manage users | Supports rules to map users to different IAM roles |
| Provides OpenID Connect and OAuth standard tokens | Free |
| Priced per monthly active user | |
Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.
This article is authored by: Kenneth Samonte, our resident AWS whiz/contributor.