AWS Cognito

From FXCH Wiki
 
Latest revision as of 18:54, 16 August 2021

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Users can sign in directly with a username and password, or through a third party such as Facebook, Amazon, Google or Apple. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together. You can find more details about both features below.

[Image: Cognito5.png]

It also provides some important functions for security and the user flow, such as:

  • Forgot-password (self-service password reset)
  • Verification of email addresses and phone numbers
  • MFA with SMS verification or time-based one-time password verification (TOTP)
  • Management of user accounts and their permissions (groups and attributes)
  • Secure sign-in flows based on the OAuth 2.0 and OpenID Connect standards

There are many more features; see AWS Cognito - Cognito features.

What is it?

User pools

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. User pools provide:

  • Sign-up and sign-in services.
  • A built-in, customizable web UI to sign in users.
  • Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and sign-in through SAML and OIDC identity providers configured on your user pool.
  • User directory management and user profiles.
  • Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
  • Customized workflows and user migration through AWS Lambda triggers.

Identity pools

With an identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:

  • Amazon Cognito user pools
  • Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
  • OpenID Connect (OIDC) providers
  • SAML identity providers
  • Developer authenticated identities

To save user profile information, your identity pool needs to be integrated with a user pool.
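The exchange behind "obtain temporary AWS credentials" is two unauthenticated API calls, GetId followed by GetCredentialsForIdentity, with the user pool's ID token passed in the Logins map. The following is an added example in Python with boto3; it is not code from this page or from AWS. The helper names, the placeholder region and pool IDs, and the ID token you pass on the command line are assumptions. Calling it with no logins deliberately asks for a guest identity, which only succeeds when the identity pool allows unauthenticated identities, so it doubles as a quick check for that setting during a review.

```python
"""Exchange a user-pool ID token for temporary AWS credentials through an identity pool.

Added example: the helper names and placeholder IDs are assumptions; the API calls
(GetId, GetCredentialsForIdentity, STS GetCallerIdentity) are the real ones.
"""


def cognito_logins_key(region, user_pool_id):
    """Logins map key an identity pool expects for a Cognito user pool provider."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def build_logins(region, user_pool_id, id_token):
    """Map the user pool provider to the (unexpired) ID token that proves who the user is."""
    return {cognito_logins_key(region, user_pool_id): id_token}


def get_identity_credentials(identity_pool_id, region, logins=None):
    """Run GetId, then GetCredentialsForIdentity; return (identity_id, credentials).

    With logins=None this asks for an unauthenticated (guest) identity. That only
    succeeds when the pool has unauthenticated access enabled, so a successful guest
    call during a review means anyone holding the (public) pool ID gets the guest role.
    """
    import boto3  # imported here so the pure helpers above stay importable without boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    from botocore.exceptions import ClientError

    # Both operations are unauthenticated: no AWS credentials are needed to call them.
    client = boto3.client("cognito-identity", region_name=region,
                          config=Config(signature_version=UNSIGNED))
    extra = {"Logins": logins} if logins else {}
    try:
        identity_id = client.get_id(IdentityPoolId=identity_pool_id, **extra)["IdentityId"]
        creds = client.get_credentials_for_identity(IdentityId=identity_id, **extra)["Credentials"]
    except ClientError as exc:
        # NotAuthorizedException on a guest request means unauthenticated access is disabled.
        raise RuntimeError(f"identity pool refused the request: {exc.response['Error']['Code']}") from exc
    return identity_id, creds


def assumed_role_arn(creds, region):
    """Resolve the temporary credentials to the IAM role they represent (STS GetCallerIdentity)."""
    import boto3

    sts = boto3.client(
        "sts",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretKey"],  # this API calls it SecretKey, not SecretAccessKey
        aws_session_token=creds["SessionToken"],
    )
    return sts.get_caller_identity()["Arn"]


if __name__ == "__main__":
    import sys

    # Placeholders (assumptions): replace with your pool IDs and a freshly issued ID token.
    REGION, IDENTITY_POOL = "eu-west-1", "eu-west-1:00000000-0000-0000-0000-000000000000"
    USER_POOL = "eu-west-1_EXAMPLE"
    id_token = sys.argv[1] if len(sys.argv) > 1 else None  # omit it to attempt the guest path
    logins = build_logins(REGION, USER_POOL, id_token) if id_token else None
    identity_id, creds = get_identity_credentials(IDENTITY_POOL, REGION, logins)
    print(identity_id, assumed_role_arn(creds, REGION), creds["Expiration"])
```

The ARN printed at the end is the pool's authenticated or unauthenticated IAM role; what those credentials can do is entirely the policy attached to that role, so review it with the same care as any role that is assumable from the internet.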

[Image: Cognito6.png]

Important notions about Cognito

The authentication method: OAuth 2.0

Cognito user pools sign users in with OAuth 2.0, with OpenID Connect layered on top of it for identity. OAuth 2.0 is an open standard for authorization, commonly used as a way for internet users to authorize websites or applications to access their information on other websites without giving them their passwords.

Some information about OAuth 2.0

  • OAuth is not an API or a service: it is an open standard for authorization (RFC 6749, published in October 2012) that any developer can implement.
  • OAuth flows provide client applications with "secure delegated access".
  • OAuth authorizes devices, APIs, servers and applications with access tokens rather than with the user's credentials.
  • OIDC vs OAuth2:
    • OAuth2 = broad specification for authorization.
    • OIDC = detailed specification for identity on top of
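The OAuth 2.0 flow a web or mobile app runs against a user pool's hosted UI is the authorization-code grant; for public clients it must be combined with PKCE (RFC 7636), and every client must bind the callback to the session with a random state value. The code below is an added example in Python using only the standard library; it is not code from this page or from AWS. The domain prefix myapp, the region, the app client ID, the redirect URI and the scopes are placeholders; the endpoint paths /oauth2/authorize and /oauth2/token and the parameter names are the standard ones a user pool domain serves.

```python
"""Authorization-code grant with PKCE against a Cognito user-pool hosted UI (added example)."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """RFC 7636 S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier never leaves the client until step 3."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return verifier, pkce_challenge(verifier)


def hosted_ui_base(domain_prefix, region):
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com"


def build_authorize_url(domain_prefix, region, client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: redirect the browser here. `state` is a per-session random value kept server-side."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return hosted_ui_base(domain_prefix, region) + "/oauth2/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect; a state mismatch is treated as CSRF and rejected."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or session mix-up")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(domain_prefix, region, client_id, redirect_uri, code, code_verifier,
                        client_secret=None):
    """Step 3: POST to /oauth2/token. A confidential client adds HTTP Basic auth; a public one relies on PKCE."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must be byte-for-byte the value used in step 1
        "code_verifier": code_verifier,
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + basic
    return urllib.request.Request(hosted_ui_base(domain_prefix, region) + "/oauth2/token",
                                  data=body, headers=headers, method="POST")


def exchange_code(request):
    """Send the token request; the JSON body holds id_token, access_token, refresh_token and expires_in."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders (assumptions): domain prefix, region, app client ID and redirect URI.
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))  # store (state, verifier) in the user's session
    print(build_authorize_url("myapp", "eu-west-1", "1example23456789", "https://app.example/callback",
                              ["openid", "email"], state, challenge))
```

A single-page or mobile app is a public client: it cannot keep a client secret, so it omits the Basic header and the code_verifier is what stops an intercepted authorization code from being redeemed by someone else. Whatever comes back from exchange_code still has to be validated as described under "The tokens" before the app trusts it.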

The tokens

Cognito authenticates users and grants access to resources with tokens, issued as JSON Web Tokens (JWTs) signed by the user pool. Tokens carry claims, which are pieces of information about the user. There are different types of tokens:

  • the ID token contains claims about the identity of the authenticated user, such as name and email; its aud claim is the app client ID and its token_use claim is "id".
  • the Access token contains claims about the authenticated user, a list of the user's groups, and a list of scopes; its client_id claim is the app client ID and its token_use claim is "access".

Amazon Cognito also issues a refresh token, which you use to obtain a new ID token and access token without signing in again, and which you revoke to cut off the access that refresh token would otherwise keep granting. Revocation is enforced by Cognito's own APIs; a backend that validates JWTs offline still accepts ID and access tokens issued before the revocation until they expire, so keep their lifetime short. Any backend that accepts these tokens must verify the signature against the user pool's published keys (https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json) and check the iss claim, the token_use claim, the audience (aud for an ID token, client_id for an access token) and exp; decoding a JWT without checking its signature proves nothing about who sent it.
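What a backend has to check before trusting one of these tokens, as an added example in Python; it is not code from this page or from AWS. So that it runs offline it carries its own minimal RSA PKCS#1 v1.5 / SHA-256 routine and mints test tokens with a locally generated throwaway key. In production you fetch the JWKS from the user pool's well-known URL (and cache it by kid) and use a maintained JWT library for the signature step. The region, user pool ID, app client ID and kid values are constructed placeholders.

```python
"""Verify an Amazon Cognito user-pool JWT (added example, standard library only)."""
import base64
import hashlib
import hmac
import json
import random
import time

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # ASN.1 prefix for SHA-256

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

# Minimal RSASSA-PKCS1-v1_5 with SHA-256 so the example needs no third-party crypto library.
def _emsa_pkcs1_v15(msg, k):
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

def rs256_sign(n, d, msg):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def _probable_prime(n, rounds=16):  # Miller-Rabin; enough for a throwaway demo key
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):
    """Throwaway key for the demo (Cognito's real public keys come from its JWKS)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # 65537 is prime, so this is gcd(e, phi) == 1
            return p * q, 65537, pow(65537, -1, phi)

def jwks_for(n, e, kid):
    """JWKS in the shape served at https://cognito-idp.{region}.amazonaws.com/{poolId}/.well-known/jwks.json"""
    return {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}

def mint_token(n, d, kid, claims):
    """Stand-in for Cognito issuing a token; constructed for the demo only."""
    signing_input = (b64url_encode(json.dumps({"kid": kid, "alg": "RS256"}).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + b64url_encode(rs256_sign(n, d, signing_input.encode("ascii")))

def verify_cognito_jwt(token, jwks, region, user_pool_id, client_id, token_use, now=None):
    """Return the claims only if every check passes; raise ValueError naming the first failure."""
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")  # anything but three segments raises ValueError here
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm: the token never gets to choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h_b64}.{p_b64}".encode("ascii"), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")
    if claims.get("token_use") != token_use:  # an access token must not pass where an ID token is expected
        raise ValueError("wrong token_use")
    audience = claims.get("aud") if token_use == "id" else claims.get("client_id")
    if audience != client_id:  # a token minted for another app client of the same pool is rejected
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def rejection_reason(*args, **kwargs):
    """None when the token verifies, otherwise the failing check (handy for logs and tests)."""
    try:
        verify_cognito_jwt(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

The order of the checks is deliberate: algorithm and key selection come first so that a token carrying alg "none" or an unknown kid is thrown away before any claim is read, and the signature is checked before the claims so that nothing in a forged payload influences the decision.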

How does Cognito work?

[Image: Cognito1.png]

The services provided by Cognito

[Image: Cognito4.png]

References

Most of the information shown on this page comes from the AWS documentation: AWS Cognito - Developer Guide (https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html)