AWS-Cognito

Simplifying User Authentication with Amazon Cognito

When building projects, access control is the part we are tempted to put off: who can do what, and how do we authorize users? Amazon Cognito is the AWS service built to take that headache off your hands.

Cognito is a fully managed service that helps you handle:

  • User authentication (sign-up, sign-in, password reset)
  • Multi-factor authentication (MFA)
  • Synchronization of user data across devices (Cognito Sync; AWS no longer recommends it for new applications and points to AWS AppSync instead)
  • Integration with social identity providers like Facebook, Google, Amazon and Apple, as well as SAML and OpenID Connect providers, so users can log in with existing accounts

Amazon Cognito Architecture

Amazon Cognito has several key components:

  1. User Pools

    • Acts as your user directory
    • Manages authentication: email/password, phone number, or federated social logins
    • Handles account attributes, multi-factor authentication, and password resets
    • Issues ID, access and refresh tokens after a successful sign-in
  2. Identity Pools

    • Provides temporary AWS credentials to access AWS resources (like S3 or DynamoDB)
    • Can accept identities from:
      • User Pools
      • Social logins (Google, Facebook, Apple)
      • SAML or OpenID Connect
      • Unauthenticated (guest) access, which gets its own IAM role; keep that role's permissions minimal, because anyone who knows the Identity Pool ID can obtain guest credentials
  3. Cognito Sync

    • Synchronizes user data across devices
    • Stores each identity's data as key/value datasets inside the Identity Pool (not in your own S3 buckets)
  4. Cognito Streams

    • Pushes every dataset change in real time to an Amazon Kinesis stream that you own, so you can process or archive the changes

More about Cognito on GeeksforGeeks


User Pools vs Identity Pools — What’s the Difference?

Here’s an easy way to remember:

Feature    | User Pool                                         | Identity Pool
-----------|---------------------------------------------------|------------------------------------------------------------------
Purpose    | Authentication (who you are)                      | Authorization (what AWS resources you can access)
Handles    | Sign-up, sign-in, MFA, password reset             | Temporary AWS credentials
Tokens     | ID and access tokens (JWTs) plus a refresh token  | Temporary AWS credentials (access key, secret key, session token)
Use case   | Manage users directly                             | Let users access AWS resources

When to use both:
If you want authenticated users (User Pool) to access AWS resources securely (Identity Pool), use both together.

Flow:

  1. User signs in via User Pool → receives ID, access and refresh tokens
  2. The ID token is sent to the Identity Pool (GetId, then GetCredentialsForIdentity) → exchanged for temporary AWS credentials (access key, secret key, session token)
  3. User accesses AWS resources with those credentials, limited to what the IAM role the Identity Pool selected allows
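Whoever receives a User Pool token in step 2 (the Identity Pool, or your own backend in the "only User Pool" case) must verify it before trusting a single claim in it. The following Python example is added here and is not code from the original page or from AWS; it uses only the standard library. A real pool publishes its signing keys at https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json; here a throwaway RSA key generated at import time stands in for that JWKS so the example runs offline. REGION, POOL_ID, CLIENT_ID and the sample claims are assumed placeholder values.

```python
"""Verify a Cognito User Pool ID token before trusting it or exchanging it at an Identity Pool.
Added example (standard library only), not code from the original page or from AWS. A real pool
publishes its keys at https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json;
a throwaway RSA key generated below stands in for that JWKS. REGION, POOL_ID, CLIENT_ID are assumed."""
import base64, hashlib, json, random, time

REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "1234567890abcdefghijklmnop"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_int(v: int) -> str:
    return b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))

# --- throwaway RS256 key pair: stand-in for the pool's JWKS, never use it for anything real ---
def _probable_prime(bits: int) -> int:
    while True:  # random odd candidate with the top bit set; Fermat test is enough for a throwaway key
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(8)):
            return n

def make_keypair(bits: int = 1024):
    """Return (public key as a JWK like the pool publishes, private key dict)."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            break
    n, e = p * q, 65537
    jwk = {"kid": "key-1", "kty": "RSA", "alg": "RS256", "n": _b64url_int(n), "e": _b64url_int(e)}
    return jwk, {"n": n, "d": pow(e, -1, phi)}

DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 SHA-256 DigestInfo prefix

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(priv: dict, signing_input: bytes) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), priv["d"], priv["n"]).to_bytes(k, "big")

def verify_rs256(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    n, e = (int.from_bytes(b64url_dec(jwk[x]), "big") for x in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _emsa_pkcs1_v15(signing_input, k)  # compare the whole encoding, not just the hash

def issue_id_token(priv: dict, kid: str, claims: dict) -> str:
    """Mint a token the way the pool would; used here only to build input for the checks below."""
    signing_input = b64url(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign_rs256(priv, signing_input.encode()))

class TokenError(Exception): pass

def verify_id_token(token: str, jwks: list, now=None) -> dict:
    """Return the claims only if signature, issuer, audience, token_use and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_dec(h_b64))
    if header.get("alg") != "RS256":  # never let the token pick its own algorithm ("none", HS256...)
        raise TokenError("unexpected alg")
    key = next((k for k in jwks if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("unknown kid")
    if not verify_rs256(key, f"{h_b64}.{p_b64}".encode(), b64url_dec(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_dec(p_b64))
    # token_use rejects an access token presented where an ID token is expected
    for claim, expected in (("iss", ISSUER), ("aud", CLIENT_ID), ("token_use", "id")):
        if claims.get(claim) != expected:
            raise TokenError(f"{claim} mismatch")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims

def logins_map(id_token: str) -> dict:
    """The Logins parameter an Identity Pool expects in GetId / GetCredentialsForIdentity."""
    return {f"cognito-idp.{REGION}.amazonaws.com/{POOL_ID}": id_token}

# Throwaway key and a constructed sample token so the module demonstrates itself offline.
PUBLIC_JWK, PRIVATE_KEY = make_keypair()
JWKS = [PUBLIC_JWK]
NOW = 1_700_000_000
SAMPLE_CLAIMS = {"sub": "7d1e0b2a-0000-4000-8000-000000000001", "iss": ISSUER, "aud": CLIENT_ID,
                 "token_use": "id", "exp": NOW + 3600, "cognito:groups": ["admins"]}
SAMPLE_ID_TOKEN = issue_id_token(PRIVATE_KEY, "key-1", SAMPLE_CLAIMS)
```

In production replace make_keypair with a fetch of the pool's jwks.json (cached, refreshed on an unknown kid) and keep the rest: the signature check must compare the full PKCS#1 encoding, the algorithm must be fixed to RS256 rather than read from the header, and iss, aud and token_use must all be pinned, otherwise a token from another pool, another app client, or an access token can be swapped in.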

When you don’t need both:

  • Only User Pool → if you just need user authentication, not AWS access; your own backend then verifies each token's signature, issuer, audience and expiry before acting on it
  • Only Identity Pool → if you just need social or guest access to AWS resources

Step-by-Step: Connecting User Pools and Identity Pools

Think of it as “how to connect your login system to AWS resources.”

1. Set up a User Pool

  • Go to AWS Management Console → Cognito → User Pools → Create a user pool
  • After creating it, note down:
    • User Pool ID → unique pool identifier
    • App Client ID → identifies your app to the pool (it is not a secret; confidential clients can additionally be given a client secret)

2. Set up an Identity Pool

  • Go to AWS Management Console → Cognito → Identity Pools → Create a new identity pool

3. Link User Pool to Identity Pool

  • Open your Identity Pool → User access tab → Add identity provider
  • Select Cognito User Pool and enter:
    • User Pool ID
    • App Client ID

4. Set up roles for users

  • IAM roles define what users can do; each role must trust cognito-identity.amazonaws.com and should be conditioned on this Identity Pool's ID (cognito-identity.amazonaws.com:aud) so that no other pool can assume it
  • Options:
    • Default role → everyone gets the same permissions (one role for authenticated identities, a separate one for guests)
    • Role with rules → assign roles from token claims (cognito:groups, email, custom attributes); rules are evaluated in order and the first match wins, so base them only on claims the user cannot edit from the app
    • Preferred role → use the role ARN carried in the token's cognito:preferred_role claim, which User Pool groups populate when you attach IAM roles to them

5. Map user attributes to principal tags (optional)

  • Tags are extra attributes attached to the temporary credentials; IAM policies can reference them as ${aws:PrincipalTag/<tag>} to scope access per user
  • Options:
    • Inactive → no tags
    • Default mappings → AWS maps sub (user ID) and aud (app client ID) to tags of the same name
    • Custom mappings → pick which user attributes become tags

6. Save changes

  • Click Save after configuring everything
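Before clicking Save in step 6 it is worth dry-running the role configuration from steps 3 to 5. The Python example below is added here and is not code from the original page or from AWS: it re-implements the documented behaviour of a "role with rules" mapping (rules tried in order, first match wins, no match resolved by AmbiguousRoleResolution as either the default authenticated role or a denial), flags rules keyed on attributes the app client is allowed to write, since a user who can edit the attribute can choose their own role, and produces the trust policy each role needs so only this Identity Pool can assume it. The pool ID, role ARNs, attribute names and claims are assumed values, and treating a multi-valued claim such as cognito:groups as matching when any element matches is an assumption.

```python
"""Dry-run an Identity Pool role mapping before saving it.
Added example, not code from the original page or from AWS. Pool ID, role ARNs, attribute names and
claims are assumed; element-wise matching of list claims (cognito:groups) is an assumption."""
import json

IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # assumed
DEFAULT_AUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_Authenticated"  # assumed

# Shape of RoleMappings[<provider>] as passed to SetIdentityPoolRoles (values assumed).
ROLE_MAPPING = {
    "Type": "Rules",
    "AmbiguousRoleResolution": "Deny",
    "RulesConfiguration": {"Rules": [
        {"Claim": "cognito:groups", "MatchType": "Contains", "Value": "admins",
         "RoleARN": "arn:aws:iam::123456789012:role/Cognito_Admins"},
        {"Claim": "email", "MatchType": "Contains", "Value": "@example.com",
         "RoleARN": "arn:aws:iam::123456789012:role/Cognito_Staff"},
        {"Claim": "custom:tier", "MatchType": "Equals", "Value": "gold",
         "RoleARN": "arn:aws:iam::123456789012:role/Cognito_Gold"},
    ]},
}

# Attributes the app client may write (its "write attributes" list; assumed for the example).
CLIENT_WRITABLE_ATTRIBUTES = {"name", "custom:tier"}


def _match(match_type: str, actual, wanted: str) -> bool:
    values = [str(v) for v in (actual if isinstance(actual, list) else [actual])]
    if match_type == "Equals":
        return wanted in values
    if match_type == "NotEqual":
        return wanted not in values
    if match_type == "StartsWith":
        return any(v.startswith(wanted) for v in values)
    if match_type == "Contains":
        return any(wanted in v for v in values)
    raise ValueError(f"unknown MatchType {match_type}")


def choose_role(mapping: dict, claims: dict, default_role: str = DEFAULT_AUTH_ROLE):
    """Return the role ARN the pool would hand out, or None when it would deny credentials."""
    for rule in mapping["RulesConfiguration"]["Rules"]:
        if rule["Claim"] in claims and _match(rule["MatchType"], claims[rule["Claim"]], rule["Value"]):
            return rule["RoleARN"]  # first matching rule wins
    if mapping.get("AmbiguousRoleResolution") == "AuthenticatedRole":
        return default_role
    return None


def risky_rules(mapping: dict, writable: set) -> list:
    """Rules whose claim the user can change from the client: the user effectively picks the role."""
    return [r for r in mapping["RulesConfiguration"]["Rules"] if r["Claim"] in writable]


def trust_policy(identity_pool_id: str, authenticated: bool = True) -> dict:
    """Trust policy for a role the pool assumes: pinned to this pool and to authenticated/guest use."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr":
                                       "authenticated" if authenticated else "unauthenticated"},
        }}]}


if __name__ == "__main__":
    # Constructed ID-token claims for three users (not real data).
    admin = {"sub": "u1", "email": "alice@example.com", "cognito:groups": ["admins"]}
    staff = {"sub": "u2", "email": "bob@example.com"}
    outsider = {"sub": "u3", "email": "eve@evil.example", "custom:tier": "gold"}  # set tier herself
    for who in (admin, staff, outsider):
        print(who["email"], "->", choose_role(ROLE_MAPPING, who))
    for rule in risky_rules(ROLE_MAPPING, CLIENT_WRITABLE_ATTRIBUTES):
        print("WARNING: rule on client-writable attribute", rule["Claim"], "grants", rule["RoleARN"])
    print(json.dumps(trust_policy(IDENTITY_POOL_ID), indent=2))
```

The outsider in the sample gets the Gold role only because custom:tier is client-writable; either mark the attribute read-only for the app client (and set it server-side), or key the rule on cognito:groups, which only an administrator can change. The amr condition in the trust policy is what keeps guest identities out of the authenticated role.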

Summary:

  • User Pool → handles login/authentication
  • Identity Pool → handles access to AWS resources
  • Linking → tells the Identity Pool which User Pool and app client to trust
  • Roles & tags → control what users can do

Official AWS guide

