AWS cognito – Your User management Companion

April 22, 2019 / Eternal Team

These days almost every app or website lets users create an account and log in to it, so that it can offer personalized offers and services based on their previous usage and other activity.

As attractive and widespread as this feature is, setting up the backend functionality and infrastructure so that it works flawlessly for the end user is a real headache, and security is also a major concern.

The base requirements start at :-

  • Having a “Database” where all the accounts’ usernames/passwords are stored.
  • Another database where each account’s previous and current activity logs/data are stored, so that they can be analyzed and interpreted to predict unique habits and the services each account can or might consume.
  • Then you need to provide the additional functionality of third-party sign-in/log-in, so that those who don’t want to create yet another account can log in using their existing Google, Facebook or Amazon accounts.
  • The list just does not end; there is so much more you can provide on top of this, and end-user demands keep on increasing.

Previously, to fulfill these requirements, developers either hand-coded these functionalities in their apps/websites and managed these databases themselves, or used ready-made code from providers like :-

  • OAuth
  • OneLogin
  • Microsoft Active Directory

These were the best alternatives developers had. The first gave the developer total control over every tiny feature they could provide, but increased the time it took to bring their idea into action; the latter ones already had this initial work done for you, but would not allow any customization or fundamental changes to their code, or charged a hefty price for custom requirements.

And then, on 10 July, 2014, AWS officially announced and launched Amazon Cognito, a service that focuses on all of the above requirements with no work pressure on the developer and the least configuration required to set them up.

Some highlighted features :-

  • Helps to securely manage and synchronize app/website data for users across their Devices.
  • Can create unique identities for users through a number of public login providers such as Google, Facebook and Amazon accounts, and also supports unauthenticated guests.
  • Can save app data locally on users’ devices allowing applications to work even when the devices are offline.
  • Can save any kind of data in the AWS Cloud, such as app preferences or game state, without writing any backend code or managing any infrastructure.

In the end, AWS Cognito takes care of all the user management related requirements so that the developer can focus on creating great app/website experiences instead of having to worry about building and managing a backend solution to handle identity management, network state, storage, and sync.

The TWO main components of Amazon Cognito are :-

  • User pools :- user directories that provide sign-up and sign-in options for app users.
  • Identity pools :- grant users access to other AWS services.

You can use identity pools and user pools separately or together.

User Pools :-

  • A user pool is a user directory in Amazon Cognito.
  • With a user pool, users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider.
  • Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
  • User pools provide :-
    • Sign-up and sign-in services.
    • A built-in, customizable web UI to sign in users.
    • Social sign-in with Facebook, Google, and Login with Amazon, and sign-in through SAML and OIDC identity providers from your user pool.
    • User directory management and user profiles.
    • Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
    • Customized workflows and user migration through AWS Lambda triggers.

Identity Pools :-

  • Users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB.
  • Supports anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools :-
    • Amazon Cognito user pools.
    • Social sign-in with Facebook, Google, and Login with Amazon.
    • OpenID Connect (OIDC) providers.
    • SAML identity providers.
    • Developer authenticated identities.
  • To save user profile information, your identity pool needs to be integrated with a user pool.
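The two components above are normally used together: the app signs in against a user pool and receives a JSON Web Token (an ID token), and that token is then handed to an identity pool to obtain temporary AWS credentials. Before an application trusts such a token it must check who issued it, which app client it was issued for, what kind of token it is and whether it has expired. The following is an added example (not code from the post or from AWS) in plain Python that performs those claim checks and builds the Logins map an identity pool expects; the region, pool id, client id and the token itself are constructed sample values. The signature (RS256) must additionally be verified against the user pool's published key set, which this example does not do.

```python
import base64
import json
import time

# Constructed sample values, not from a real AWS account.
REGION = "us-east-1"
POOL_ID = "us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str) -> tuple:
    """Return (header, payload) dicts. This does NOT check the signature: the
    third segment must be verified (RS256) against the user pool's JWKS at
    {issuer}/.well-known/jwks.json before the claims below are trusted."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def validate_cognito_claims(payload: dict, region: str, pool_id: str,
                            client_id: str, now: float = None) -> list:
    """Return a list of claim problems; an empty list means the claims are
    consistent with an ID token issued by our pool for our app client."""
    now = time.time() if now is None else now
    problems = []
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"
    if payload.get("iss") != issuer:
        problems.append("iss: token was not issued by our user pool")
    if payload.get("token_use") != "id":
        problems.append("token_use: expected an ID token, not an access token")
    if payload.get("aud") != client_id:
        problems.append("aud: token was issued for a different app client")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("exp: token is expired or has no expiry")
    return problems


def identity_pool_logins(region: str, pool_id: str, id_token: str) -> dict:
    """Build the Logins map an identity pool expects when a user pool ID
    token is exchanged for temporary credentials (GetId / GetCredentialsForIdentity)."""
    return {f"cognito-idp.{region}.amazonaws.com/{pool_id}": id_token}


def make_unsigned_sample(payload: dict) -> str:
    """Constructed token with a dummy signature, only for exercising the checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example-kid'})}.{enc(payload)}.dummy"
```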

Conclusion

The whole idea behind the Cognito service is to show how simple it is to set up our own authentication flows for our applications. There are many more options that can and need to be configured but were not discussed here because of their depth, such as :- adding MFA, remembering logins across devices, etc.

We encourage readers to try the Cognito service, as it really shifts the burden from the developer’s shoulders to AWS infrastructure.
