Authenticating end users with Amazon Cognito

Deploying Applications on AWS

Dunieski Otano

Amazon Web Services Solutions Architect

Build your own login?

  • A new app needs full sign-up and sign-in
  • The team starts building auth from scratch
  • Cognito already does this securely

Choosing managed Amazon Cognito authentication instead of building a custom login

Deploying Applications on AWS

User pools vs identity pools

Cognito User Pool as a user directory issuing tokens on the left, Identity Pool exchanging a validated token for temporary AWS credentials in the center, AWS services on the right

  • User pool: a managed directory of end users
  • Handles sign-up, sign-in, and issues tokens
  • Identity pool: exchanges a login for AWS credentials
  • Use them together: authenticate, then authorize AWS access
Deploying Applications on AWS

The three Cognito tokens

  • ID token: who the user is (identity claims)
  • Access token: what the user may call
  • Refresh token: get new tokens without re-login
  • All three are JWTs you can decode and validate

Three Cognito JWT tokens side by side: ID token with identity claims, access token with API permission scopes, refresh token labeled long-lived for silent renewal

Deploying Applications on AWS

Federated identity

  • Federation: sign in with an external identity provider
  • Social: Google, Facebook, Apple
  • Enterprise: SAML and OIDC providers
  • Cognito brokers the trust and issues its own tokens

Cognito federation: user chooses a social provider (Google, Facebook) or enterprise SAML/OIDC provider, Cognito validates the external login and issues its own standard tokens

Deploying Applications on AWS

Cognito as an API Gateway authorizer

API Gateway Cognito authorizer: client sends Authorization header with access token, gateway validates against user pool before Lambda runs, invalid tokens rejected with 401

  • API Gateway can use a Cognito authorizer
  • The client sends its token in the Authorization header
  • API Gateway validates the token before the backend runs
  • Invalid or expired tokens are rejected at the edge
Deploying Applications on AWS

A typical sign-in to API-call flow

  • User signs in to the user pool
  • Receives ID, access, and refresh tokens
  • Client calls API Gateway with the access token
  • Cognito authorizer validates, then the backend runs

Sign-in to API-call flow: user signs in to user pool and receives tokens, client sends access token to API Gateway, Cognito authorizer validates it, backend Lambda executes

Deploying Applications on AWS

Common Cognito mistakes

  • Sending the ID token where an access token belongs
  • Confusing user pools with identity pools
  • Trying to authorize AWS access with a user pool alone
  • Storing tokens insecurely on the client

Common Cognito mistakes: sending ID token to an API instead of access token, confusing user pool and identity pool, and storing tokens insecurely on the client

Deploying Applications on AWS

Let's practice!

Deploying Applications on AWS

Preparing Video For Download...