Authenticating end users with Amazon Cognito
Deploying Applications on AWS
Dunieski Otano
Amazon Web Services Solutions Architect
Build your own login?
A new app needs full sign-up and sign-in
The team starts building auth from scratch
Cognito already does this securely
User pools vs identity pools
User pool: a managed directory of your application's end users
Handles sign-up and sign-in, and issues tokens (ID, access, refresh) on successful authentication
Identity pool: exchanges a user pool token or an external identity provider's token for temporary AWS credentials, scoped by an IAM role
Use them together: the user pool authenticates the user, the identity pool authorizes access to AWS services
The three Cognito tokens
ID token: who the user is (identity claims such as sub, email, cognito:username)
Access token: what the user may call (scopes, group membership); this is the token an API expects
Refresh token: obtains new ID and access tokens without re-login
The ID and access tokens are JWTs you can decode and validate against the user pool's JWKS; the refresh token is opaque to your application and is only ever sent back to Cognito
Federated identity
Federation: users sign in with an external identity provider
Social: Google, Facebook, Apple
Enterprise: SAML 2.0 and OpenID Connect (OIDC) providers
Cognito brokers the trust and issues its own tokens, so your app validates a single issuer regardless of which provider the user came from
Cognito as an API Gateway authorizer
API Gateway can use a Cognito user pool authorizer
The client sends its token in the Authorization header
API Gateway validates the token (signature, issuer, expiry, app client) before the backend runs
Invalid or expired tokens are rejected at the edge, so no backend compute is spent on them
Configure OAuth scopes on the method so the authorizer requires an access token; without scopes it accepts the ID token
A typical sign-in to API-call flow
User signs in to the user pool
Receives ID, access, and refresh tokens
Client calls API Gateway with the access token in the Authorization header
Cognito authorizer validates the token, then the backend runs
Common Cognito mistakes
Sending the ID token where an access token belongs (it proves who the user is, not what they may call)
Confusing user pools with identity pools
Trying to authorize AWS access with a user pool alone (a user pool issues JWTs, not AWS credentials; that is the identity pool's job)
Storing tokens insecurely on the client (for example in localStorage, where any XSS on the page can read them)
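The token checks behind the flow and the mistakes above, as an added example that is not part of the course slides: it decodes Cognito-style ID and access tokens, validates signature, issuer, expiry, token_use and app client, and shows an API-side check rejecting an ID token, a tampered payload and an expired token. The region, user pool ID, app client ID and key are constructed placeholders, and the sample tokens are HS256-signed with a demo secret so the script runs offline; real Cognito tokens are RS256-signed and verified against the user pool's JWKS, which only changes the signature primitive.

```python
"""Validate Amazon Cognito JWTs: signature, issuer, expiry, token_use and app client.
Real Cognito tokens are RS256-signed and verified against the user pool's JWKS at
https://cognito-idp.<region>.amazonaws.com/<user_pool_id>/.well-known/jwks.json. So that this
constructed example runs offline it signs its sample tokens with HS256 and a demo secret;
every check after the signature check is the one you apply to a real token.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers: not a real user pool, app client or key.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789abcdef"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

class TokenError(Exception):
    """Raised for any token that must be rejected."""

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims):
    """Mint a compact JWT (stand-in for Cognito's RS256 signing)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decode_unverified(token):
    """Payload without a signature check: fine for inspection, never for an authorization decision."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def validate_cognito_token(token, expected_use, now=None):
    """Return the claims of a token that passes every check; raise TokenError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm; with real tokens expect RS256 and pick the JWKS key by the header's kid.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if claims.get("token_use") != expected_use:
        raise TokenError(f"expected {expected_use} token, got {claims.get('token_use')!r}")
    # The app client sits in different claims: aud on an ID token, client_id on an access token.
    client = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if client != APP_CLIENT_ID:
        raise TokenError("token was issued for a different app client")
    return claims

def authorize_api_call(authorization_header, now=None):
    """API-side decision: allow only a valid *access* token; an ID token is not an API credential."""
    token = authorization_header.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    try:
        claims = validate_cognito_token(token, "access", now)
    except TokenError as exc:
        return {"allowed": False, "reason": str(exc)}
    return {"allowed": True, "sub": claims["sub"], "scopes": claims.get("scope", "").split()}

def sample_tokens(now):
    """Constructed ID and access tokens carrying the claims Cognito puts in each."""
    sub = "c0ffee00-0000-4000-8000-000000000001"
    id_claims = {"iss": ISSUER, "sub": sub, "aud": APP_CLIENT_ID, "token_use": "id",
                 "cognito:username": "alice", "email": "alice@example.com", "iat": now, "exp": now + 3600}
    access_claims = {"iss": ISSUER, "sub": sub, "client_id": APP_CLIENT_ID, "token_use": "access",
                     "username": "alice", "scope": "openid email orders/read", "iat": now, "exp": now + 3600}
    return sign_hs256(id_claims), sign_hs256(access_claims)

def tamper_scope(access_token):
    """A client that edits its own payload but cannot re-sign it; the signature check catches this."""
    header_b64, _, sig_b64 = access_token.split(".")
    claims = decode_unverified(access_token)
    claims["scope"] = claims.get("scope", "") + " orders/write"
    return header_b64 + "." + _b64url(json.dumps(claims).encode()) + "." + sig_b64

if __name__ == "__main__":
    now = time.time()
    id_token, access_token = sample_tokens(now)
    expired = sign_hs256({**decode_unverified(access_token), "exp": now - 1})
    for label, tok in [("access token", access_token), ("ID token at the API", id_token),
                       ("tampered scope", tamper_scope(access_token)), ("expired", expired)]:
        print(f"{label}: {authorize_api_call('Bearer ' + tok, now)}")
```

The order of checks matters: the signature is verified before any claim is read, so a client that edits its own scope claim is caught as "bad signature" rather than as an escalated permission, and token_use is checked explicitly so an ID token presented to an API is refused even though it is a perfectly valid JWT from the same issuer.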
Let's practice!