Welcome to the Aspire Softserv blog. Today we will give a basic overview of Amazon Cognito and its components.
Why Amazon Cognito?
Developing authentication infrastructure is difficult, because you have to take care of the following yourself:
- Need to develop a reliable user directory to manage identities
- Handling user data and passwords and protecting privacy
- Implementing token-based authentication
- Support for multiple social identity providers
What is Amazon Cognito?
- Amazon Cognito is an Amazon Web Services (AWS) product that lets you add user sign-up, sign-in, and access control to your web and mobile apps.
- Provides authentication, authorization, and user management for your web and mobile apps.
- Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
- A mobile app developer can integrate with Cognito through a software development kit (SDK) or call its server-side APIs directly.
Features of Amazon Cognito
- Secure and scalable user directory
Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users. As a fully managed service, User Pools are easy to set up without any worries about server infrastructure. User Pools provide user profiles and authentication tokens for users who sign up directly and for federated users who sign in with social and enterprise identity providers.
- Social and enterprise identity federation
With Amazon Cognito, your users can sign in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory using SAML.
- Standards-based authentication
Amazon Cognito uses common identity management standards including OpenID Connect, OAuth 2.0, and SAML 2.0.
- Security for your apps and users
Amazon Cognito helps you meet multiple security and compliance requirements, including those for highly regulated organizations such as healthcare companies and merchants.
- Advanced security features to protect your users
Using advanced security features for Amazon Cognito helps you protect access to user accounts in your applications. These advanced security features provide risk-based adaptive authentication and protection from the use of compromised credentials. With just a few clicks, you can enable these advanced security features for your Amazon Cognito User Pools.
- Access control for AWS resources
Amazon Cognito provides solutions to control access to AWS resources from your app. You can define roles and map users to different roles so your app can access only the resources that are authorized for each user.
- Built-in customizable UI to sign in users
- Easy integration with your app
With a built-in UI and easy configuration for federating identity providers, you can integrate Amazon Cognito to add user sign-in, sign-up, and access control to your app in minutes. You can customize the UI to put your company branding front and centre for all user interactions.
- Adaptive authentication
Adaptive authentication, part of the advanced security features for Amazon Cognito, helps protect your applications' user accounts without hurting the user experience. When Amazon Cognito detects unusual sign-in activity, such as sign-in attempts from new locations or devices, it assigns a risk score to the activity and lets you choose whether to prompt the user for additional verification or block the sign-in request. Users verify their identity with SMS or a Time-based One-time Password (TOTP) generator such as Google Authenticator.
- Protection from compromised credentials
Advanced security features for Amazon Cognito help protect your application's users from account takeover through credentials that were compromised elsewhere. When Amazon Cognito detects that a user has entered credentials known to have been compromised elsewhere, it prompts them to change their password.
AWS Cognito Components
1. User Pools
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an
User pools provide:
- Sign-up and sign-in services.
- A built-in, customizable web UI to sign in users.
- Social sign-in with Facebook, Google, and Login with Amazon, and through SAML and OIDC identity providers from your user pool.
- User directory management and user profiles.
- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
- Customized workflows and user migration through AWS Lambda triggers.
After successfully authenticating a user, Amazon Cognito issues an ID token and an access token (both JSON Web Tokens, signed with RS256 by keys published at the user pool's `/.well-known/jwks.json` endpoint) plus a refresh token. Your own APIs should accept these tokens only after verifying the signature against the pool's public keys and checking the issuer, the `token_use` claim, the audience (`aud` for ID tokens, `client_id` for access tokens) and the expiry. You can also exchange the ID token for AWS credentials through an identity pool.
2. Identity pools
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools also support anonymous guest users, as well as the third-party identity providers that you can use to authenticate users for identity pools. Because guest (unauthenticated) identities receive AWS credentials without any sign-in, enable that option only deliberately and give the unauthenticated role the smallest permission set your app needs.
Amazon Cognito identity pools support the following identity providers:
- Public providers: Login with Amazon, Facebook, Google.
- Amazon Cognito User Pools
- OpenID Connect providers
- SAML Identity Providers
- Developer Authenticated Identities
An Amazon Cognito user pool and identity pool used together
In a common Amazon Cognito scenario, the goal is to authenticate your user, and then grant your user access to another AWS service.
- In the first step, your app user signs in through a user pool and receives user pool tokens after a successful authentication.
- Next, your app exchanges the user pool ID token for AWS credentials through an identity pool. The identity pool verifies the token against the user pool and assumes the IAM role mapped to the user; that role's trust policy should pin the identity pool ID (`cognito-identity.amazonaws.com:aud`) and the authenticated state (`cognito-identity.amazonaws.com:amr`), and its permissions should be the minimum the app needs, because every user who completes this exchange receives them.
- Finally, your app user can use those AWS credentials to access other AWS services such as Amazon S3 or DynamoDB, within the permissions of that role.
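The second step of this flow, the token exchange, as an added example (not code from the original post or from the AWS SDK). It calls the identity pool's `GetId` and `GetCredentialsForIdentity` operations directly over their unsigned JSON 1.1 protocol, which is what the AWS SDKs do underneath; the region, user pool ID and identity pool ID are assumptions. A constructed stand-in for the service (`fakeCognitoIdentity`) answers in the documented response shapes so the flow can be run offline; against the real endpoint you would pass the global `fetch` instead.

```javascript
// Assumed identifiers (not from the original post): replace with your own pool IDs.
const REGION = 'us-east-1';
const USER_POOL_ID = 'us-east-1_EXAMPLE';
const IDENTITY_POOL_ID = 'us-east-1:11111111-2222-3333-4444-555555555555';
const ENDPOINT = `https://cognito-identity.${REGION}.amazonaws.com/`;

// The Logins map tells the identity pool which provider issued the token. For a user pool the key is
// the issuer without the scheme, and the value is the ID token (the access token is not accepted).
function loginsKey(region, userPoolId) {
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// GetId and GetCredentialsForIdentity are unsigned calls: no AWS credentials are needed, only the
// token (or nothing at all for guest access). That is why the role's trust policy and permissions matter.
function buildRequest(action, body) {
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-amz-json-1.1',
      'X-Amz-Target': `AWSCognitoIdentityService.${action}`,
    },
    body: JSON.stringify(body),
  };
}

async function callCognitoIdentity(fetchImpl, action, body) {
  const res = await fetchImpl(ENDPOINT, buildRequest(action, body));
  const json = await res.json();
  if (!res.ok) throw new Error(`${action} failed: ${json.__type || res.status} ${json.message || ''}`.trim());
  return json;
}

// Normalise the service's credential object into the shape SDK clients take. Note the field is
// `SecretKey` (not `SecretAccessKey`) and `Expiration` is epoch seconds.
function toSdkCredentials(identityId, creds) {
  for (const field of ['AccessKeyId', 'SecretKey', 'SessionToken', 'Expiration']) {
    if (creds == null || !(field in creds)) throw new Error(`credentials missing ${field}`);
  }
  return {
    identityId,
    accessKeyId: creds.AccessKeyId,
    secretAccessKey: creds.SecretKey,
    sessionToken: creds.SessionToken,
    expiration: new Date(creds.Expiration * 1000),
  };
}

// Step 2 of the flow: verified user pool ID token in, temporary AWS credentials out.
async function exchangeIdToken(idToken, { fetchImpl = globalThis.fetch } = {}) {
  const logins = { [loginsKey(REGION, USER_POOL_ID)]: idToken };
  const { IdentityId } = await callCognitoIdentity(fetchImpl, 'GetId', { IdentityPoolId: IDENTITY_POOL_ID, Logins: logins });
  const { Credentials } = await callCognitoIdentity(fetchImpl, 'GetCredentialsForIdentity', { IdentityId, Logins: logins });
  return toSdkCredentials(IdentityId, Credentials);
}

// Offline stand-in for the identity pool. Responses are constructed in the documented shapes; like the
// real service it refuses a request whose Logins map does not carry a token under the expected key.
function fakeCognitoIdentity({ expectedKey = loginsKey(REGION, USER_POOL_ID) } = {}) {
  const reply = (status, body) => ({ ok: status === 200, status, json: async () => body });
  return async (url, req) => {
    const body = JSON.parse(req.body);
    const action = req.headers['X-Amz-Target'].split('.')[1];
    if (url !== ENDPOINT) return reply(404, { message: 'wrong endpoint' });
    if (!body.Logins || !body.Logins[expectedKey]) {
      return reply(400, { __type: 'NotAuthorizedException', message: 'Invalid login token.' });
    }
    if (action === 'GetId') return reply(200, { IdentityId: `${REGION}:aaaaaaaa-0000-4000-8000-000000000001` });
    if (action === 'GetCredentialsForIdentity') {
      return reply(200, {
        IdentityId: body.IdentityId,
        Credentials: { AccessKeyId: 'ASIAEXAMPLE', SecretKey: 'secretexample', SessionToken: 'sessionexample', Expiration: 1700000000 },
      });
    }
    return reply(400, { __type: 'UnknownOperationException' });
  };
}

module.exports = { loginsKey, buildRequest, toSdkCredentials, exchangeIdToken, fakeCognitoIdentity };
```

The credentials returned are short-lived STS credentials for the role the identity pool mapped the user to, so anything the role permits is reachable by every signed-in user of the app; put the application-level authorization in that role's policy (and in the resource, for example an S3 prefix keyed on `${cognito-identity.amazonaws.com:sub}`), not in client code.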