Amazon Cognito is an AWS directory service provided by Amazon for easy and fast web/mobile application development. It handles authentication, authorization and user management so that you can focus on your application rather than on managing users and sign-in yourself.
Amazon Cognito is an Amazon Web Services product that controls user authentication and access for mobile applications on internet-connected devices. The service saves and synchronizes end-user data, which enables an application developer to focus on writing code instead of building and managing the back-end infrastructure. This can accelerate the mobile application development process.
The Cognito service offers auto-scaled sign-up and sign-in using your own user pool, provides easy integration with social identity providers such as Google, Facebook and Amazon, and lets you integrate your own identity provider using SAML 2.0.
Amazon Cognito collects a user's profile attributes into directories called user pools, which a mobile or web app uses to configure limited access to AWS resources. An identity pool consolidates end-user information that client access platforms, devices and operating systems receive in order to organize federated identity groups.
Data synchronizes with AWS when a device is online, allowing an end user to access the same information on another device. Data can also be saved locally to a SQLite database while offline and synchronized on reconnecting. Amazon Cognito associates data sets with identities and saves encrypted information as key/value pairs in the Amazon Cognito Sync store. Each user can save a maximum of 20 MB of data, with each individual data set containing up to 1 MB.
A developer can configure Amazon Cognito to accept streams of events as data is updated and synchronized. A mobile developer can also query data through other AWS cloud services, such as an Amazon Redshift database, Relational Database Service (RDS) instance or an Amazon Simple Storage Service (S3) file.
Why Use Cognito?
Cognito offers sign-in and sign-up as a platform service so that you can focus more on building your application's features. Some of its features:
- Cognito provides the "three S" benefits: Simple, Secure and Scalable.
- Low-cost directory service.
- Easy OpenID Connect and SAML 2.0 based connectivity.
- Federated access management.
- Hosted UI to focus on application development.
- Built-in integration with AWS resources for access control.
- Encryption and multifactor authentication support.
- All user management functions made easy, including creation, deletion, activation, deactivation, forgot-password flows, verification, etc.
Common Use Cases of Amazon Cognito:
1. Enable your users to authenticate with a user pool.
2. After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources.
3. Access resources with API Gateway and Lambda with a User Pool. API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API.
4. After a successful user pool authentication, your app will receive user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services with an identity pool.
5. Enable your users access to AWS services through an identity pool. In exchange, the identity pool grants temporary AWS credentials that you can use to access other AWS services.
6. Grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication (from a user pool or an identity pool).
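Items 2 and 3 describe a resource server (API Gateway, a Lambda authorizer, or your own API) trusting a user pool token. The Go program below is an added example, not code from this page or from AWS, of the checks that trust depends on: the RS256 signature against the pool's published key, then the issuer, token_use, client_id and expiry claims, and finally the cognito:groups claim for authorization. To run offline it constructs its own key pair and mints a token in place of a real pool; the pool id us-east-1_EXAMPLE, the client id, the kid and every claim value are placeholders, and a production verifier would load the keys from the pool's https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json rather than generating them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of a Cognito user pool access token a resource server inspects.
type Claims struct {
	Sub      string   `json:"sub"`
	Iss      string   `json:"iss"`
	ClientID string   `json:"client_id"`
	TokenUse string   `json:"token_use"`
	Exp      int64    `json:"exp"`
	Groups   []string `json:"cognito:groups,omitempty"`
}

// Verifier holds what a resource server must know up front: the pool's issuer URL, the
// app client it accepts, and the pool's public keys by kid (from <issuer>/.well-known/jwks.json).
type Verifier struct {
	Issuer, ClientID string
	Keys             map[string]*rsa.PublicKey
}

// Verify checks the RS256 signature first, then issuer, token_use, client_id and expiry.
func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or algorithm not RS256") // never let the token pick alg
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := v.Keys[hdr.Kid]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims // only now is the payload trustworthy enough to parse
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, errors.New("wrong issuer")
	case c.TokenUse != "access": // an ID token must not be accepted as an access token
		return nil, errors.New("not an access token")
	case c.ClientID != v.ClientID:
		return nil, errors.New("token issued to another app client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasGroup is the authorization step: require membership in a named user pool group (cognito:groups).
func HasGroup(c *Claims, group string) bool {
	for _, g := range c.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// ConstructedKid, the pool id and the client id below are placeholders, not values from a real
// account. NewConstructedPool stands in for a user pool: a fresh key pair, a Verifier trusting
// its public half, and the private half for mintToken.
const ConstructedKid = "constructed-key-1"
func NewConstructedPool() (*Verifier, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if rand.Reader fails
	return &Verifier{
		Issuer:   "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
		ClientID: "example-app-client-id",
		Keys:     map[string]*rsa.PublicKey{ConstructedKid: &priv.PublicKey},
	}, priv
}

// mintToken signs claims as the pool would (RS256 over header.payload), so the example runs offline.
func mintToken(priv *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": ConstructedKid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // cannot fail with a valid key
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

The order of the checks is the point: the algorithm is pinned rather than read from the header, the payload is parsed only after the signature verifies, and an ID token or a token minted for a different app client of the same pool is rejected even though its signature and issuer are valid.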
Amazon Cognito is also commonly used together with AWS Amplify, a framework for developing web and mobile applications with AWS services.
Amazon Cognito Components:
Amazon Cognito consists of two main components, user pools and identity pools, described below.
User pools are user directories that provide sign-up and sign-in options for your app users.
Users can sign in to your web or mobile app through Amazon Cognito or federate through a third-party identity provider (IdP).
You can use the aliasing feature to enable your users to sign up or sign in with an email address and a password or a phone number and a password.
User pools are each created in one AWS Region, and they store user profile data only in that Region. You can also send user data to a different AWS Region.
Tokens provided through user pools:
Access tokens contain scopes and groups and are used to grant access to authorized resources. Access tokens can be configured to expire in as little as five minutes or as long as 24 hours.
Refresh tokens contain the information necessary to obtain a new ID or access token. Refresh tokens can be configured to expire in as little as one hour or as long as ten years.
A User Pool is like a directory of users.
- After you create a user pool, you can create, confirm, and manage user accounts.
- Amazon Cognito user pool groups let you manage your users and their access to resources by mapping IAM roles to groups.
- User accounts are added to your user pool in one of the following ways:
  - The user signs up in your user pool's client app, which can be a mobile or web app.
  - You can import the user's account into your user pool.
  - You can create the user's account in your user pool and invite the user to sign in.
[Figure: sign-up auth flow]
Identity pools:
Use identity pools if you want to federate users to your AWS services.
Identity pools support anonymous guest users, as well as the following identity providers:
- Amazon Cognito user pools
- Social sign-in with Facebook, Google, and Login with Amazon
- OpenID Connect (OIDC) providers
- SAML identity providers
- Developer authenticated identities
To save user profile information, your identity pool needs to be integrated with a user pool.
Amazon Cognito identity pools can support unauthenticated identities by providing a unique identifier and AWS credentials to users who do not authenticate with an identity provider.
The permissions for each authenticated and unauthenticated user are controlled through IAM roles that you create.
Once you have an OpenID Connect token, you can trade it for temporary AWS credentials via the AssumeRoleWithWebIdentity API call in AWS Security Token Service (STS). This call is no different from using Facebook, Google+, or Login with Amazon directly, except that you pass an Amazon Cognito token instead of a token from one of those public providers.
Synchronizing user data with AWS Cognito Sync:
The Amazon Cognito Sync store is a key/value pair store linked to an Amazon Cognito identity. There is no limit to the number of identities you can create in your identity pools and sync store. Each user information store can have a maximum size of 20 MB. Each data set within the user information store can contain up to 1 MB of data. Within a data set you can have up to 1,024 keys. With Cognito Streams, you can push sync store data to a Kinesis stream in your AWS account.
AWS Cognito Sync synchronizes user profile data across mobile devices and web applications. The feature allows users to obtain a normalized user ID and credentials with Amazon Cognito.
The service supports both Android and iOS devices with high-level client libraries that cache user data locally, which makes data available even when the device itself is offline.
User data is persisted in a data set. This data is accessible only to the credentials assigned to a particular identity. To provide user identities, Cognito Sync requires an Amazon Cognito identity pool. Therefore, to use Amazon Cognito Sync, an organization needs to first set up an identity pool.
Amazon Cognito pricing:
If you are using Cognito Identity to create a user pool, you pay based on your monthly active users (MAUs) only. A user is counted as an MAU if, within a calendar month, there is an identity operation related to that user, such as sign-up, sign-in, token refresh or password change.
The Cognito User Pools feature has a free tier of 50,000 MAUs for users who sign in directly to Cognito user pools or through social identity providers, and 50 MAUs for users federated through SAML 2.0 based identity providers. The first 50,000 MAUs are free; thereafter, pricing follows a tiered model based on the number of MAUs.
You pay an additional fee when you enable advanced security features for Amazon Cognito. Amazon Cognito uses Amazon SNS for sending SMS messages for Multi-Factor Authentication (MFA) and phone number verification, so there are associated SNS costs as well.
Charges for Cognito Sync are based on the number of synchronization operations and the amount of data in the Cognito sync store. With the AWS free tier, an enterprise can store 10 GB of data and perform 1,000,000 sync operations in a month, for up to 12 months. Once the free tier is exhausted, Amazon Cognito charges 15 cents per GB of sync storage per month, and 15 cents for every 10,000 sync operations.