Cognito Service
Instead of building your own user management, AWS offers a much simpler solution with Cognito. It is used for AuthN & AuthZ (sign-in/sign-up/access control).
Typical Use Cases
- User Sign-Up and Sign-In: For mobile and web applications requiring user registration and login.
- Access Control: Managing user-specific access to certain features or areas of an application.
- Federation: Allowing users to sign in through external identity providers like Google or corporate identities.
- Guest User Access: Providing limited access to unauthenticated users.
- Temporary access to write to S3 bucket using Facebook login (Social Login)
Other Cognito Benefits
- Anonymous Login or MFA
- Data Synchronization
- Account Recovery
- Post Sign-in process
- Cognito supports SAML Federation
Cognito Pools
Cognito comprises two services: User Pools and Identity Pools.
User Pools
- User Pools are for Authentication (identity verification)
- User directory that provides sign-in, sign-up, group management
- API Gateway and Lambda can use a user pool to authenticate callers
Identity Pools
- Identity Pools are for Authorization (access control)
- Example: you want to allow user-a to upload a file to S3
- The mapping of users to different IAM roles is configured here
- Web identity providers such as Google or Amazon are also configured here
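The role mapping expressed as a CloudFormation fragment, as an added example (not code from the page): the authenticated role's trust policy limits `sts:AssumeRoleWithWebIdentity` to identities issued by this identity pool (the `aud` condition) that actually signed in rather than guests (the `amr` condition), and its permissions policy scopes S3 access to a per-identity prefix through the `${cognito-identity.amazonaws.com:sub}` policy variable. The parameter names and the `private/<sub>/` bucket layout are assumptions.

```yaml
# Added example (not the page's): identity pool -> IAM role mapping for
# authenticated users, scoped so each identity can only touch its own S3 prefix.
Parameters:
  IdentityPoolId:            # e.g. the id from `aws cognito-identity list-identity-pools`
    Type: String
  BucketName:                # assumed: the bucket users may upload to
    Type: String

Resources:
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              # only identities issued by this identity pool ...
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPoolId
              # ... and only ones that signed in (guests carry "unauthenticated")
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: PerIdentityS3Prefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                # ${!...} is CloudFormation's escape for a literal ${...},
                # so IAM receives the cognito-identity sub policy variable.
                Resource: !Sub "arn:aws:s3:::${BucketName}/private/${!cognito-identity.amazonaws.com:sub}/*"
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${BucketName}"
                Condition:
                  StringLike:
                    s3:prefix: !Sub "private/${!cognito-identity.amazonaws.com:sub}/*"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
```

Without the `amr` condition, a guest identity from the same pool could assume the authenticated role; without the `sub`-scoped resource, any signed-in user could read or overwrite every other user's objects. Both conditions are what turn "user-a may upload to S3" into an enforced statement rather than a convention.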
```shell
# Finding UserPoolId
aws cognito-idp list-user-pools --max-results 10
# Finding IdentityPoolId
aws cognito-identity list-identity-pools --max-results 10
# Finding App ClientId
aws cognito-idp list-user-pool-clients --user-pool-id us-east-1_ttddaXuA0
```
S3 Bucket Access Process
```mermaid
sequenceDiagram
autonumber
App->>UserPool: Authentication Request
UserPool->>UserPool: Verify Credentials
UserPool->>App: JWT
App->>IdentityPool: JWT
IdentityPool->>STS: Assume Role
STS->>App: AWS Credentials (access key, secret key)
App->>S3: S3 bucket access with AWS Credentials
```
- The process starts with the user interacting with the client application: the user enters their credentials to initiate an authentication request.
- Authentication with the Cognito User Pool: the client application sends the authentication request to the Amazon Cognito User Pool, which verifies the credentials. If they are correct, the User Pool generates three tokens: an ID Token, an Access Token, and a Refresh Token.
- Token handling: these tokens are passed back to the client application. The ID Token asserts the identity of the user, the Access Token is used to access allowed resources, and the Refresh Token is used to obtain new tokens when the current ones expire.
- Exchange tokens for AWS credentials: the client application presents the tokens to the Cognito Identity Pool, which exchanges them for temporary AWS credentials.
- Temporary AWS credentials: the Cognito Identity Pool calls AWS Security Token Service (AWS STS) to request temporary credentials for the mapped role.
- AWS STS validates the request and issues temporary security credentials (an access key ID, a secret access key, and a session token), which are returned to the client application.
- Access the S3 bucket: the client application uses the temporary credentials to sign a request to the S3 bucket for the desired resources.
- S3 bucket access/response: when the request reaches S3, AWS checks the temporary credentials; if they are valid and permit the operation, the S3 bucket processes the request.
- The client application receives the response from the S3 bucket, such as the retrieved data or a confirmation of a successful upload.
This process secures access to S3 resources by using Cognito for user authentication and short-lived credentials for authorizing access to AWS resources. It also follows the best practice of never embedding long-term AWS credentials in the client application.
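The sequence above walked through in boto3, as an added example that is not code from the page. Steps 1 to 6 (sign-in, token exchange, STS credentials) are network calls and need boto3; the helpers that decode and check the user pool ID token's claims run offline and are the check a backend performs before trusting a token. Assumptions not stated on the page: the app client has no client secret and has `USER_PASSWORD_AUTH` enabled, the user pool is registered as an authentication provider of the identity pool, and `make_constructed_token` builds a token-shaped string with a placeholder signature purely for demonstration.

```python
"""Cognito user pool -> ID token -> identity pool -> STS -> S3, in boto3.

Added example, not the page's code. Assumes an app client without a client
secret, USER_PASSWORD_AUTH enabled, and the user pool configured as an
authentication provider of the identity pool. boto3 is only needed for the
network steps; the JWT claim helpers run stand-alone.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt_token: str) -> dict:
    """Return the payload claims of a JWT. Does NOT verify the signature."""
    parts = jwt_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(claims: dict, region: str, user_pool_id: str,
                          client_id: str, now=None) -> bool:
    """Claim checks a backend performs on a user pool ID token AFTER its RS256
    signature has been verified against the pool's JWKS at
    https://cognito-idp.<region>.amazonaws.com/<pool>/.well-known/jwks.json.
    Issuer, audience, token type and expiry must all match."""
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    return (
        claims.get("iss") == expected_iss
        and claims.get("aud") == client_id   # access tokens carry client_id instead of aud
        and claims.get("token_use") == "id"
        and claims.get("exp", 0) > now
    )


def identity_pool_login_key(region: str, user_pool_id: str) -> str:
    """Provider name under which the identity pool expects the user pool token."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def make_constructed_token(claims: dict) -> str:
    """Constructed data for offline demonstration only: a JWT-shaped string
    whose signature segment is a placeholder, so it would fail a real check."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'constructed'})}.{seg(claims)}.placeholder"


def get_temporary_credentials(region, user_pool_id, client_id, identity_pool_id,
                              username, password) -> dict:
    """Diagram steps 1-6: sign in, exchange the ID token, receive STS credentials."""
    import boto3  # imported here so the offline helpers above need no boto3
    idp = boto3.client("cognito-idp", region_name=region)
    auth = idp.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    if "AuthenticationResult" not in auth:
        # e.g. NEW_PASSWORD_REQUIRED or an MFA challenge must be answered first
        raise RuntimeError(f"challenge pending: {auth.get('ChallengeName')}")
    id_token = auth["AuthenticationResult"]["IdToken"]
    logins = {identity_pool_login_key(region, user_pool_id): id_token}
    identity = boto3.client("cognito-identity", region_name=region)
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    # The identity pool assumes the mapped IAM role via STS on the client's behalf.
    creds = identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return creds["Credentials"]   # AccessKeyId, SecretKey, SessionToken, Expiration


def upload_with_credentials(creds: dict, region: str, bucket: str, key: str, body: bytes) -> None:
    """Diagram step 7: sign the S3 request with the short-lived credentials only."""
    import boto3
    s3 = boto3.client("s3", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretKey"],   # note: SecretKey, not SecretAccessKey
                      aws_session_token=creds["SessionToken"])
    s3.put_object(Bucket=bucket, Key=key, Body=body)
```

Usage in an app would be `creds = get_temporary_credentials(...)` followed by `upload_with_credentials(creds, ...)`; nothing long-lived is ever stored on the client, and the credentials expire at `creds["Expiration"]`, after which the refresh token is used to obtain a new ID token and repeat the exchange. On the server side, `decode_claims` plus `check_id_token_claims` are deliberately split from signature verification so the issuer check cannot be skipped: a token from a different pool or region, an access token presented where an ID token is expected, or an expired token all fail the check.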