How to start using AWS Cognito

Introduction

Does AWS provide any service which will offload my sign-up, login, user management responsibility?

What if I told you, AWS has a service that does all of the above and also provides a hosted web UI that you can use? And, what if I also told you, that it even provides data sync across devices, making sure everything is perfectly secure? Well, it’s all possible, and I will help you understand everything you need to know about this service.

If you, as a developer, have wished to focus only on the functionality or business logic of an application you are developing and you want to leave the worries of sign-up, login, user management, data sync across devices safely and securely, and only pay based on the number of users per month – then AWS has answered your wish.

As per AWS:

You can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and sync across platforms and devices.

Let’s jump right into the enticing world of AWS Cognito!

What Is Amazon Cognito?

The official definition from AWS:

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps.

The most important concept in the above definition is authentication & authorization. This is provided using two components in AWS Cognito:

• AWS Cognito User Pool
• AWS Cognito Identity Pool

Originally, AWS Cognito was used for mobile developers who could use AWS Cognito for its authentication and authorization capabilities along with the user management.

However, AWS Lambda and ServerLess architecture have given a new dimension to use AWS Cognito – developers can now offload user management of their application to an AWS Managed service. AWS Cognito provides developers with a fully managed, scalable, and cost-effective sign-up/sign-in service.

Before you jump into learning about User Pool and Identity Pool, you should have a general understanding of the terms authentication & authorization. You may also need to understand federation.

Basics of Identity and Access Management (IAM)

There is a great article by Okta that explains about IAM. Since you are here, I will summarize it.

Authentication

This is the first step in the security process of identity and access management.

Authentication is the act of validating that users are who they claim to be.

The most common ways to authenticate user are:

• User Name and password combination
• OTPs
• Biometrics
• SSO (Social Sign-On)

Authentication tells the application, who you are.

Authorization

Authorization in system security is the process of giving the user permission to access a specific resource or function.

Once a person is Authenticated, you have to provide him with relevant access; even a Guest user can be provided with minimum access.

You can divide your users, into four categories:

• Admin of the application
• Authenticated User
• Premium user (Paid)
• Guest user

An Administrator can have a different view of the application than the normally authenticated user.

An authenticated user can be a free user or a premium user, but, depending on the type, the view of your application may be different. Basically, the type of experience you want to provide your user decides the level of access.

Let’s understand this concept used by an analogy present in most of companies:

Most companies in pre-covid times used to give an RFID access card to its employee. Authentication is the process of an individual receiving a RFID Access card. Once you receive your RFID access card, depending on the authorization of the employee, he may or may not have access to different parts of the office buildings.

Hopefully you are now clear on the following:

• What is Authentication? --> This answers the question “Who am I?”
• What is Authorization? --> This answers the question “What I can use?”

There is a third variable in this equation called the Federation. Let’s understand what this is.

Federation

The word federation means a united and trusted relationship between two or more entities. To understand federation properly, you have to understand a few other concepts:

• Identity Federation
  • It is a system of trust between two parties that authenticates users and also conveys the information required to give authorization.
• Identity provider
  • The party in identity federation that stores user information, is responsible for user authentication.
• Service Provider
  • The party in identity federation that provides a service based on the authentication and authorization provided by an Identity provider.
• Open Standards
  • Identity federation is possible because of these open standards:
    • OIDC (OpenID Connect)
    • SAML (Security assertion markup language) 2.0
    • OAuth 2.0

When you book a movie ticket online, you are authenticated by an online entity who takes your money and gives you a ticket. However, when you go to the actual theater, you are granted entry based on the ticket you purchased online. In this case, the online ticket vendor is the Identity provider, the theater is the service provider, and the bi-party arrangement is the Identity Federation.

Learn more!

• What is user pool in AWS Cognito?
• What is the Python code for AWS Cognito?
• What is identity pool in AWS Cogntio?