1. Home
  2. Training Library
  3. Amazon Web Services
  4. Courses
  5. Using Amazon Cognito to Manage Authentication & Authorization to your Mobile and Web Apps

User Pools

Contents

keyboard_tab
Intro & Overview
1
Introduction
PREVIEW1m 47s
Course Summary
10
Wrap Up
1m 19s

The course is part of this learning path

Start course
Overview
Difficulty
Intermediate
Duration
19m
Students
683
Ratings
5/5
starstarstarstarstar
Description

This course explores Amazon Cognito and how it can be used to manage authentication and authorization to your apps. We'll start with a general overview of Amazon Cognito and when to use it. Then we move on to user pools and identity pools. We round off the course by looking at how Amazon Cognito can be integrated with mobile and web apps and how to sync your app's user data across various platforms.

Learning Objectives

  • Create your own authentication mechanisms using Amazon Cognito
  • Create your own customized UI for user sign in
  • Create a secure user directory for all your applications and users

Intended Audience

This course is intended for anyone who is trying to understand what mechanisms are available for user authentication within AWS and specifically, those who want to use third-party identity providers, such as Apple, Facebook, Google, and Amazon.

Prerequisites

  • A decent understanding of cloud computing and cloud architectures, specifically with Amazon Web Services
  • Familiarity with basic security terminology, IAM, user authentication, and federation
  • It is helpful to know about Active Directory and other AD type services
Transcript

The primary concern of Cognito User Pools is to create and maintain a directory of your users for your mobile or web applications. This means dealing with both signing up, and signing in, your new and returning users. 

When signing up new users, Cognito lets you customize what is important for you and your application. And there is a lot of information you can have your perspective users submit when they are signing up.

If you want all of your new user to submit their emails, addresses, pictures, what have you - you can set that all up while creating your user pool. 

You also can create custom attributes if you need something specific from your users. A custom attribute can be a string or a number and allows you to set minimum and maximum values you will accept.

This information is all stored within the Cognito User pool and can be accessed by your application when you need it.

You can also specify how stringent you want to be with your passwords that users can create. 

Cognito gives you all the normal password functionality like min length, requiring numbers, special characters, upper and lowercase. Yadda yadda.

Amazon Cognito also has the functionality to require multi-factor authentication(MFA), which I would recommend for any financial services, or high-value information like medical, credit card, or anything really with in-app purchases that a user might have invested a significant amount of money towards.

The service even includes account recovery features that can be quite annoying to set up on your own, and would normally require another backend service to handle for you: Including email and phone.

Additionally, if you don't want your users to have to go through all that hassle, Cognito User Pools gives you the ability to have social sign-in. This means your users can also sign in for your application by using third-party ID providers.

This path does require you (the application developer) to first set up a developer account with those external third-party providers and set up your application with them. It's not a particularly difficult task, but it can be time-consuming.

Take a look over here for a step by step walkthrough of the process: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html

Finally, You can also sign in with any SAML (Security Assertion Markup Language)  identity provider.  In case you are unaware of SAML, It is a XML-based markup language for security assertions. It is an important tool for single sign-on through the web. For example, your SAML ID provider might be an active directory federation service. This provider could be your on-premises AD or one you are even hosting on an EC2 server.

Please be aware that if you do use this route you will need a domain name that you own.

The service also provides a way to create your own customizable web UI to handle the Sign in and sign up services. Using this customizable UI provides you with an OAuth 2.0 compliant authorization server. OAuth is an open-standard authorization protocol that helps regulate how servers or services can safely allow authenticated access to each other, without sharing SSO credentials.

The user experience of the provided web UI is customizable and allows you to add your own brand logos and to change the look and feel of the webpage.

You don't have to use this of course and can create your own UI. You would just in charge of calling the appropriate API calls for the service yourself, and running your own OAuth server - which can be difficult for some people, and might be out of scope for what you are trying to achieve.

User pools also have integrations with AWS lambda and gives you the option to trigger functions based on user flow.

For example, if you wanted a lambda function to trigger right after a user has successfully signed up - maybe to send an email, or to create some backend functionality for that user, you have that ability. Or whenever someone successfully signs in, you could have lambda check some backend information about that user, and prepare their environment based on that.

As a final note: you can also add an entire listing of users and accounts via CSV file if you already have that information available.

I think the big thing to notice about this service in general, is that it is just trying to remove all of the extra obstacles out of the way and let you just get into developing your application.

There are plenty of steps required to make even simple sign and authentication work with modern applications, so to have all of these extraneous things dealt with for you is super powerful.

About the Author
Avatar
Will Meadows
Senior Content Developer
Students
4298
Courses
24

William Meadows is a passionately curious human currently living in the Bay Area in California. His career has included working with lasers, teaching teenagers how to code, and creating classes about cloud technology that are taught all over the world. His dedication to completing goals and helping others is what brings meaning to his life. In his free time, he enjoys reading Reddit, playing video games, and writing books.