COGNITO Flashcards
USER POOL
Create a serverless database of users for mobile and web apps
Simple Login
Password Reset features
Email and phone number verification
MFA
Federated identities: Facebook, Google, etc.
Login returns a JSON Web Token (JWT)
USER POOL LOGIN PROCESS
MOBILE OR WEB APPLICATION:
Sends login request to the User Pool
User Pool returns a JWT (JSON Web Token)
JWT is sent back to the web/mobile app
A federated identity provider can also be used for login
IDP: Identity Provider
Google, Facebook, SAML, OpenID
The internal database of users is stored in the CUP (Cognito User Pool).
USER POOL INTEGRATION INTO ALB/API GATEWAY
CUP: Cognito User Pool
ALB: Application Load Balancer
API GATEWAY:
User: Authenticate with CUP and get JWT from it
User: Sends acquired JWT to API gateway
API gateway: verifies JWT with CUP
After verification, API Gateway grants access to the backend.
ALB:
User Reaches ALB first, via listener and rules
User is authenticated with CUP
After verification, the user is given access to the backend directly.
USER POOL and Triggers: Authentication Lambda Triggers: Pre Authentication, Post Authentication, Pre Token Generation
Pre Authentication : Custom validation to accept or deny sign in
Post Authentication: Event logging for custom analytics
Pre token generation: Augment/Suppress token claims
USER POOL and Triggers: Signup Lambda Triggers: Pre Sign-up, Post Confirmation, Migrate User
Pre Sign up: Custom validation to accept or deny signup request
Post confirmation: Welcome message or analytics
Migrate User: migration of users from an existing directory elsewhere
Ability to transfer users from a preexisting directory to AWS
USER POOL and Triggers: Messages
Custom message lambda trigger
Lambda Triggers:
advanced customization and localization of messages
USER POOL and Triggers: Token Creation
Pre Token Generation v2
Add or remove attributes in ID tokens
USER POOL: Hosted Authentication UI
Handle Signup/Signin Workflows
possible integration with OIDC or SAML
Customize Logo with custom CSS
OIDC SAML
OpenID Connect is an open standard that organizations use to authenticate users. … SAML is an XML-based standard for exchanging authentication and authorization data between IdPs and service providers to verify the user's identity and permissions, then grant or deny their access to services.
SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) are the most widely used federation protocols for web-based single sign-on. … It shows the control flow when a user tries to log in to an application (SP: sp.example.com) using a SAML or an OIDC flow.
Cognito Identity Pools
Federated Identities
Used to allow direct access to AWS
Identity pool gives users temporary AWS credentials
possible origins:
Public providers: Google users and Amazon Cognito User Pool (CUP)
OpenID Connect providers / SAML
Developer authenticated identities: custom login server
Unauthenticated access for guests
ACCESS VIA API Gateway:
IAM policies applied to credentials defined in Cognito
Customized based on user_id for fine-grained control
Cognito Identity Pools
Flow overall
Users:
Log in and obtain a token from the CUP or a federated identity provider (SAML / OpenID)
The user trades the token for AWS TEMPORARY CREDENTIALS via the CIP (Cognito Identity Pool). CIP verifies the identity with the identity provider, whether CUP or federated.
CIP talks to STS to get temporary credentials for the user
User now uses the STS temporary credentials to access resources like S3 or DynamoDB
Cognito Identity Pools
Flow CUP
USER: sends request to CUP
CUP uses its database or a federated connection to get the identity. CUP returns a token to the user.
User sends the JWT to the CIP (Cognito Identity Pool); CIP validates it with the CUP.
After validation, CIP reaches out to STS for temporary AWS credentials.
User has direct access to AWS services with the temporary credentials.
CIP Cognito Identity Pools: IAM ROLES
Can set Default Roles for Authenticated and Guest users
Or/also:
Can define rules for choosing which role goes to which user based on user ID.
Partition user access via Policy Variables.
Policy variables: a feature that lets you specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the context of the request itself.
Roles must have a “Trust” policy that trusts Cognito Identity Pools.
Policy Variable
a feature that lets you specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the context of the request itself.
${cognito-identity.amazonaws.com:sub}
*So if the user's ID matches the variable above, we can grant custom permissions based on the context of who is requesting the information: certain features are unlocked for user X based on the user ID from their login information.
Access to a certain item can be granted based on user ID; with this we can have row-based access in things like DynamoDB.
USER POOL (CUP) VS IDENTITY POOL (CIP)
CUP: Authentication
Database of users for mobile and web apps
Allows federation of login
Custom hosted UI for authentication: logo etc.
Triggers in Lambda for the auth flow
CIP: Authorization
Credentials are obtained here
Login via federated sources, and also CUP users
Users can be guests (unauthenticated)
Mapped to IAM roles and policies, which can leverage policy variables.
CUP + CIP = Manage user/ password + Access to AWS services