Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
You can use identity pools and user pools separately or together.
User pools are user directories that provide sign-up and sign-in options for your app users
With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP).
- Sign-up and sign-in services.
- A built-in, customizable web UI to sign in users.
- Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and federated sign-in through SAML and OIDC identity providers configured in your user pool.
- User directory management and user profiles.
- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
- Customized workflows and user migration through AWS Lambda triggers.
Identity pools enable you to grant your users access to other AWS services
With an identity pool, your users can obtain temporary, limited-privilege AWS credentials to access AWS services such as Amazon S3 and DynamoDB; what those credentials can do is set by the IAM roles you attach to the identity pool for authenticated and unauthenticated (guest) identities. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:
- Amazon Cognito user pools
- Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
- OpenID Connect (OIDC) providers
- SAML identity providers
- Developer authenticated identities
To save user profile information, your identity pool needs to be integrated with a user pool.
See the diagram for a common Amazon Cognito scenario. Here the goal is to authenticate your user, and then grant your user access to another AWS service.
- In the first step, your app user signs in through a user pool and receives user pool tokens after a successful authentication.
- Next, your app exchanges the user pool tokens for AWS credentials through an identity pool.
- Finally, your app user can use those AWS credentials to access other AWS services such as Amazon S3 or DynamoDB.
- Create a user directory with a user pool.
- Add an app to enable the hosted UI.
- Add social sign-in to a user pool.
- Add sign-in through SAML-based identity providers (IdPs) to a user pool.
- Add sign-in through OpenID Connect (OIDC) IdPs to a user pool.
- Install a user pool SDK.
- Customize the built-in hosted web UI sign-in and sign-up pages.
- Configure user pool security features.
- Customize user pool workflows with Lambda triggers.
- Gather data and target campaigns with Amazon Pinpoint analytics.
- Sign up and confirm user accounts.
- Create user accounts as administrator.
- Manage and search user accounts.
- Add groups to a user pool.
- Import users into a user pool.
Common Amazon Cognito scenarios:
- Authenticate with a user pool.
- Access backend resources through a user pool.
- Access API Gateway and Lambda through a user pool.
- Access AWS services with a user pool and an identity pool.
- Access AWS services through a third party and an identity pool.
- Access AWS AppSync resources through a user pool or an identity pool.
You can enable your users to authenticate with a user pool. Your app users can sign in either directly through a user pool, or federate through a third-party identity provider (IdP). The user pool manages the overhead of handling the tokens that are returned from social sign-in through Facebook, Google, Amazon, and Apple, and from OpenID Connect (OIDC) and SAML IdPs.
After a successful authentication, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to retrieve AWS credentials that allow your app to access other AWS services, or you might choose to use them to control access to your server-side resources, or to Amazon API Gateway.
After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources. You can also create user pool groups to manage permissions, and to represent different types of users.
After you configure a domain for your user pool, Amazon Cognito provisions a hosted web UI that allows you to add sign-up and sign-in pages to your app. Using this OAuth 2.0 foundation, you can create your own resource server to enable your users to access protected resources.
You can enable your users to access your API through API Gateway. API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API.
You can use groups in a user pool to control permissions with API Gateway by mapping group membership to IAM roles. The groups that a user is a member of are included in the ID token provided by a user pool when your app user signs in.
You can submit your user pool tokens with a request to API Gateway for verification, either by the built-in Amazon Cognito user pool authorizer or by a Lambda authorizer that validates the token itself.
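Every scenario above that protects a backend with user pool tokens, whether your own server, a Lambda authorizer or a resource server behind the hosted UI, rests on the same step: the token must be verified before any claim in it, group membership included, is trusted. The following is an added example and not code from the Amazon Cognito documentation or from AWS. The region, user pool ID, app client ID and subject are placeholders, and because a real JWKS cannot be fetched offline, the script generates a throwaway RSA key in pure Python (toy key generation) and builds a JWKS document of the same shape Cognito serves at `https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json`. The checks themselves, signature by `kid`, issuer, app client, `token_use` and expiry, are the ones a backend must perform on a real token.

```python
"""Verify Amazon Cognito user pool JWTs as a backend must. Added example, not AWS code.
Offline stand-in: a throwaway RSA key (toy key generation) replaces the pool's real
https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json keys."""
import base64, hashlib, json, secrets, time
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE1", "1example23456789"  # placeholders
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DER prefix

def b64u(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin, fine for a throwaway key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            if (x := pow(x, 2, n)) == n - 1:
                break
        else:
            return False
    return True

def make_rsa_key(bits: int = 1024) -> dict:
    def prime(b):  # random b-bit prime with p % e != 1, so e is invertible mod phi
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if c % 65537 != 1 and _probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return {"n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1)), "kid": b64u(secrets.token_bytes(12))}

def _emsa(msg: bytes, k: int) -> int:  # EMSA-PKCS1-v1_5 of SHA-256(msg) as the integer RSA operates on
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs256_sign(key: dict, data: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa(data, k), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(n: int, e: int, data: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(data, k)

def jwks_for(key: dict) -> dict:  # same shape as the document Cognito serves at .well-known/jwks.json
    enc = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": key["kid"], "n": enc(key["n"]), "e": enc(key["e"])}]}
def mint(key: dict, claims: dict, alg: str = "RS256") -> str:
    head, body = b64u(json.dumps({"kid": key["kid"], "alg": alg}).encode()), b64u(json.dumps(claims).encode())
    return f"{head}.{body}." + b64u(rs256_sign(key, f"{head}.{body}".encode()))

class TokenError(Exception): pass
def validate(token: str, jwks: dict, expected_use: str, now=None) -> dict:
    """Return the verified claims or raise TokenError; expected_use is 'id' or 'access'."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), b64u_dec(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:
        raise TokenError("malformed token")
    if header.get("alg") != "RS256":
        raise TokenError("unexpected alg")  # never honour alg=none or a switch to HS256
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("unknown kid")  # refetch the JWKS once (key rotation), then reject
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), sig):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")  # signed by some other user pool
    if claims.get("token_use") != expected_use:
        raise TokenError(f"not an {expected_use} token")
    if claims.get("aud" if expected_use == "id" else "client_id") != CLIENT_ID:
        raise TokenError("issued for another app client")  # ID tokens carry aud, access tokens client_id
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims

def demo() -> dict:  # mint sample tokens with a throwaway key; (accepted, groups or reason) per case
    key, now = make_rsa_key(), int(time.time())
    jwks, base = jwks_for(key), {"iss": ISSUER, "sub": "0f2a6b1c-0000-4000-8000-000000000000", "iat": now, "exp": now + 3600}
    id_claims = {**base, "token_use": "id", "aud": CLIENT_ID, "cognito:groups": ["readers"]}
    id_tok = mint(key, id_claims)
    h, _, s = id_tok.split(".")  # attack: swap in a payload that adds a group, keep the real signature
    forged = f"{h}.{b64u(json.dumps({**id_claims, 'cognito:groups': ['admins']}).encode())}.{s}"
    cases = {
        "id token, valid": (id_tok, "id"),
        "access token, valid": (mint(key, {**base, "token_use": "access", "client_id": CLIENT_ID}), "access"),
        "id token where an access token is required": (id_tok, "access"),
        "payload tampered to add the admins group": (forged, "id"),
        "alg=none header": (mint(key, id_claims, alg="none"), "id"),
    }
    def attempt(tok, use):
        try:
            return True, validate(tok, jwks, use).get("cognito:groups", [])
        except TokenError as err:
            return False, str(err)
    return {name: attempt(tok, use) for name, (tok, use) in cases.items()}
```

Against a real user pool, fetch the JWKS from the issuer URL you configured (not from the token's own `iss` claim), cache it, and refetch once on an unknown `kid` so key rotation does not lock users out. The built-in API Gateway and AppSync authorizers perform these checks for you; the code above is what a Lambda authorizer or a server that receives the token directly has to do before acting on `cognito:groups` or any other claim.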
After a successful user pool authentication, your app will receive user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services with an identity pool.