Amazon Cognito

Amazon Cognito provides authentication, authorization and user management for web or mobile apps.

User Pools and Identity Pools

User Pools

[Figure: Cognito User Pools architecture]

User Pools let users sign in and receive a JSON Web Token (JWT) on successful authentication, whether they are users held in the pool itself or come in through social login (Facebook, Apple, Google, others) or SAML. User Pools integrate with API Gateway and the Application Load Balancer.

These cannot be used to authenticate against most AWS services! They don’t provide actual AWS credentials.

They’re used for sign-up and sign-in, and provide a customizable web UI, MFA, password reset, account takeover protection, phone/email authentication, checks for compromised credentials and other security features.

You can also use Lambda Triggers to perform customized workflows and user migration.

Their purpose is to offer joined-up user management (a user directory).
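Because a User Pool token is a JWT and not an AWS credential, the place it gets trusted is your own backend, and the claims have to be checked there. The following is an added example, not code from the page or from AWS: it validates the claims Cognito puts in its tokens (issuer, token_use, audience, expiry) with the standard library only. It assumes the RS256 signature has already been verified against the pool's JWKS, which this block deliberately does not do; the region, user pool id and client id values are constructed placeholders, and make_demo_token builds a sample token with a dummy signature purely to exercise the checks offline.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """The iss value every token from a given User Pool carries."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def validate_cognito_claims(token, region, user_pool_id, client_id, expected_use, now=None):
    """Validate the claims of a User Pool token whose RS256 signature has
    ALREADY been checked against the pool's JWKS (assumption: done elsewhere).
    Returns (claims, None) on success or (None, reason) on rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None, "undecodable token"
    if header.get("alg") != "RS256":  # Cognito only issues RS256 tokens
        return None, "unexpected alg"
    if claims.get("iss") != cognito_issuer(region, user_pool_id):
        return None, "issuer mismatch"
    # an access token must not be accepted where an id token is expected, and vice versa
    if claims.get("token_use") != expected_use:
        return None, "token_use mismatch"
    # id tokens name the app client in "aud", access tokens in "client_id"
    audience_claim = "aud" if expected_use == "id" else "client_id"
    if claims.get(audience_claim) != client_id:
        return None, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "expired"
    return claims, None


def make_demo_token(claims: dict) -> str:
    """Constructed sample token for exercising the claim checks offline.
    Its signature segment is a placeholder, so a real signature check
    would (correctly) reject it."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo-kid"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    # constructed placeholder values
    region, pool, app_client = "eu-west-1", "eu-west-1_EXAMPLE", "1example23456789"
    token = make_demo_token({
        "iss": cognito_issuer(region, pool), "aud": app_client,
        "token_use": "id", "exp": 1_700_000_600, "sub": "user-1",
    })
    print(validate_cognito_claims(token, region, pool, app_client, "id", now=1_700_000_000))
```

The issuer and audience checks are what stop a token minted by a different pool, or for a different app client in the same pool, from being accepted; the token_use check stops an access token being used where an id token (and its identity claims) is expected.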

Identity Pools

[Figure: Cognito Identity Pools architecture]

Their purpose is to swap external identities, or users from a User Pool, for a set of temporary AWS CREDENTIALS.

Identities:

  • Unauthenticated identities for guest access: you may want read-only access for your mobile application on records in a DynamoDB table

  • Federated identities: Google, Facebook, Twitter, SAML 2.0 and User Pool

Swapping an IDP identity (like one from Google) for the temporary credentials of an IAM Role is known as Identity Federation.

The temporary credentials are actually those of an IAM role, assumed on the identity's behalf.

You can reference the Cognito identity in IAM, for example to restrict DynamoDB access to the caller's own items with an identity-based policy:

{
  "Version": "...",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "dynamodb:GetItem" ],
      "Resource": "arn:aws:dynamodb:someregion:123456789012:table/mytable",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ]
        }
      }
    }
  ]
}
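To see what that condition actually enforces, here is an added example (not code from the page or from AWS) that models how the statement above is evaluated: the policy variable is expanded from the caller's Cognito identity id, and ForAllValues:StringEquals requires every partition key in the request to equal it. The evaluator is a deliberate simplification (exact Action/Resource match, only this one condition operator), and the identity ids in the test are constructed placeholders. It also shows the IAM edge case that an empty request key set satisfies ForAllValues.

```python
import re

# The statement from the policy above, copied into a Python dict for this example
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem"],
    "Resource": "arn:aws:dynamodb:someregion:123456789012:table/mytable",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
    },
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute_variables(value: str, context: dict):
    """Expand ${key} policy variables from the request context.
    Returns None when a referenced variable is absent, so that a policy
    relying on a Cognito identity can never match an anonymous request."""
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in context:
            missing = True
            return ""
        return str(context[match.group(1)])

    expanded = _POLICY_VAR.sub(repl, value)
    return None if missing else expanded


def for_all_values_string_equals(request_values, allowed_values) -> bool:
    """ForAllValues semantics: every value of the request key must be in the
    allowed set. Edge case to remember: an absent or empty request key makes
    the condition true, which is why IAM guidance pairs ForAllValues with a
    Null condition when the key might be missing from the request."""
    return all(v in allowed_values for v in request_values)


def statement_allows(statement: dict, action: str, resource: str, context: dict) -> bool:
    """Evaluate one Allow statement against a request context (exact
    Action/Resource match, no wildcards; enough for the page's policy)."""
    if statement.get("Effect") != "Allow":
        return False
    if action not in statement["Action"] or resource != statement["Resource"]:
        return False
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "ForAllValues:StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in keys.items():
            expanded = {substitute_variables(a, context) for a in allowed}
            expanded.discard(None)  # unresolved variables match nothing
            if not for_all_values_string_equals(context.get(key, []), expanded):
                return False
    return True


def dynamodb_get_item_context(identity_id: str, partition_keys) -> dict:
    """Request context a GetItem by a Cognito identity presents: the caller's
    identity id and the partition key(s) the call touches."""
    return {
        "cognito-identity.amazonaws.com:sub": identity_id,
        "dynamodb:LeadingKeys": list(partition_keys),
    }


if __name__ == "__main__":
    table = "arn:aws:dynamodb:someregion:123456789012:table/mytable"
    me = "someregion:11111111-1111-1111-1111-111111111111"  # constructed identity id
    print(statement_allows(POLICY_STATEMENT, "dynamodb:GetItem", table, dynamodb_get_item_context(me, [me])))
    print(statement_allows(POLICY_STATEMENT, "dynamodb:GetItem", table, dynamodb_get_item_context(me, ["someregion:other"])))
```

The practical consequence of the LeadingKeys pattern is that the table's partition key must be the Cognito identity id; any other key layout and the condition either blocks everyone or protects nothing.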

You can only have one IDP per configuration, which would create a lot of admin overhead.

Combining User and Identity Pools

[Figure: joint User Pools and Identity Pools architecture]

To overcome this problem you can let the User Pool handle the IDP tokens and use its JWT against the Identity Pool to swap for credentials. This abstracts away the identity provider actually used: the Identity Pool now only handles User Pool JWTs, because its only IDP is the User Pool.
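The joint flow in code, as an added example that is not from the page or from AWS: the User Pool id token is presented to the Identity Pool under the provider name cognito-idp.<region>.amazonaws.com/<user-pool-id>, GetId maps it to an identity id, and GetCredentialsForIdentity returns the temporary credentials of the authenticated role. The exchange function is written against the real boto3 cognito-identity client's get_id and get_credentials_for_identity calls, but the block injects a constructed FakeCognitoIdentityClient so it runs offline; pool ids, the token and the credential values are placeholders. The fake client rejects any other provider name, which is exactly the property the paragraph describes: the Identity Pool's only IDP is the User Pool.

```python
def user_pool_login_key(region: str, user_pool_id: str) -> str:
    """Provider name an Identity Pool expects in Logins for a User Pool."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def exchange_id_token_for_credentials(identity_client, identity_pool_id, region, user_pool_id, id_token):
    """Two-step swap of a User Pool JWT for temporary AWS credentials.
    identity_client is normally boto3.client("cognito-identity", region_name=region);
    here a fake is injected so the flow can be exercised without AWS access."""
    logins = {user_pool_login_key(region, user_pool_id): id_token}
    identity = identity_client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)
    response = identity_client.get_credentials_for_identity(
        IdentityId=identity["IdentityId"], Logins=logins
    )
    return identity["IdentityId"], response["Credentials"]


class FakeCognitoIdentityClient:
    """Constructed stand-in for the boto3 cognito-identity client. It accepts
    only the one trusted login key, mirroring an Identity Pool whose only
    configured provider is the User Pool."""

    def __init__(self, identity_pool_id: str, trusted_login_key: str):
        self.identity_pool_id = identity_pool_id
        self.trusted_login_key = trusted_login_key
        self.calls = []  # records the API calls made, in order

    def _check_logins(self, logins):
        if set(logins) != {self.trusted_login_key}:
            raise PermissionError("NotAuthorizedException: provider not configured for this pool")

    def get_id(self, IdentityPoolId, Logins):
        self.calls.append("GetId")
        if IdentityPoolId != self.identity_pool_id:
            raise LookupError("ResourceNotFoundException: unknown identity pool")
        self._check_logins(Logins)
        return {"IdentityId": "someregion:00000000-0000-0000-0000-000000000001"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append("GetCredentialsForIdentity")
        self._check_logins(Logins)
        return {
            "IdentityId": IdentityId,
            "Credentials": {  # constructed placeholder values, same keys as the real response
                "AccessKeyId": "ASIA-PLACEHOLDER",
                "SecretKey": "placeholder-secret",
                "SessionToken": "placeholder-session-token",
                "Expiration": 1_700_003_600,
            },
        }


if __name__ == "__main__":
    # constructed placeholder ids; the JWT would come from the User Pool sign-in
    region, pool_id, identity_pool_id = "someregion", "someregion_EXAMPLE", "someregion:pool-placeholder"
    client = FakeCognitoIdentityClient(identity_pool_id, user_pool_login_key(region, pool_id))
    identity_id, creds = exchange_id_token_for_credentials(
        client, identity_pool_id, region, pool_id, "header.payload.signature"
    )
    print(identity_id, creds["AccessKeyId"], client.calls)
```

Once the credentials are in hand they are used like any other STS credentials; the identity id returned by GetId is the value the DynamoDB policy above matches through the cognito-identity.amazonaws.com:sub variable.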