AWS Cognito

Most, if not all, apps offered to clients use authentication, and nowadays almost all apps provide it in several ways: logging in with a username/email and password, with a Facebook account, with a Gmail account, etc. Since almeta “ملخاص” is one of these apps, we have to deal with user authentication and management too.

Because this feature recurs in almost every app and is in high demand, cloud providers implement it as a managed service to speed up app development. We only need to create the required resources in the cloud and then focus on our own app implementation. We no longer have to worry about these details, especially their security, and as you know, security must be a top priority in any system.

There are many cloud providers out there: AWS, GCP, Azure, etc. The one we mainly use is AWS. AWS offers a cool managed service called Cognito that is dedicated to handling this aspect, authentication. In short, and as stated in the AWS Cognito documentation:

“Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.”

As you see, the two main components are user pools and identity pools. Let’s dig into them and discuss their pros and cons.

User Pools

A user pool is a user directory that lets you store your users’ profile attributes, whether they come from a mobile or a web app. It also offers high flexibility and configurability: you can select which attributes are mandatory and which are optional, configure the password-reset mechanism and user verification by phone number or e-mail address, and of course the authentication flow itself, for example whether users sign up by themselves or you create accounts for them, and much more.

It also offers the ability to authenticate with an external IdP so users can use their Facebook or Gmail accounts, for example. It’s not limited to these two IdPs: any public IdP that supports OpenID Connect can be used.

Another cool feature of User Pools is triggers. Yes, you can add triggers to the authentication flow: pre sign-up, post sign-up, pre login, post login, and more. These triggers are Lambda functions: you create a Lambda function that does some job, then attach it to one or more of these triggers.
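As an added example (not code from the original post or from Almeta), here is what a pre sign-up trigger looks like in Python. It assumes a policy that is purely illustrative: self-service sign-ups are accepted only from the e-mail domains in ALLOWED_DOMAINS, and users arriving through a federated IdP are auto-confirmed because the IdP already verified their address. The event shape (triggerSource, request.userAttributes, response.autoConfirmUser) is the one Cognito sends to this trigger; the sample event and pool id are constructed placeholders.

```python
"""Pre sign-up Lambda trigger for a Cognito User Pool (added example).

Assumptions (not from the original post): sign-ups are only allowed from
the e-mail domains in ALLOWED_DOMAINS, and federated users
(triggerSource == 'PreSignUp_ExternalProvider') are auto-confirmed because
the external IdP already verified their e-mail address.
"""

# Hypothetical allowlist; a real deployment would load it from configuration.
ALLOWED_DOMAINS = {"example.com", "example.org"}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def pre_sign_up_handler(event: dict, context=None) -> dict:
    """Entry point Cognito invokes for the 'Pre sign-up' trigger.

    Cognito passes the user's attributes in event['request']['userAttributes']
    and expects the same event back with event['response'] filled in.
    Raising an exception rejects the sign-up; Cognito returns the message
    to the client, so it is kept generic and does not reveal the allowlist.
    """
    attrs = event.get("request", {}).get("userAttributes", {})
    domain = email_domain(attrs.get("email", ""))

    if domain not in ALLOWED_DOMAINS:
        raise ValueError("Sign-up is not permitted for this e-mail address")

    response = event.setdefault("response", {})
    if event.get("triggerSource") == "PreSignUp_ExternalProvider":
        # Federated user: the IdP already verified the address.
        response["autoConfirmUser"] = True
        response["autoVerifyEmail"] = True
    else:
        # Native sign-up: keep Cognito's e-mail verification code step.
        response["autoConfirmUser"] = False
        response["autoVerifyEmail"] = False
    return event


def make_event(email: str, trigger_source: str = "PreSignUp_SignUp") -> dict:
    """Build a constructed sample event in the shape Cognito sends."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "eu-west-1",
        "userPoolId": "eu-west-1_EXAMPLE",  # placeholder pool id
        "userName": email,
        "request": {"userAttributes": {"email": email}},
        "response": {},
    }


if __name__ == "__main__":
    accepted = pre_sign_up_handler(make_event("alice@example.com"))
    print("accepted:", accepted["response"])
    try:
        pre_sign_up_handler(make_event("someone@other.test"))
    except ValueError as exc:
        print("rejected:", exc)
```

The handler is attached to the pool's "Pre sign-up" trigger; nothing in the user pool itself changes, which is the point of triggers: policy lives in a small function you can test offline, as above, before deploying it.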

After creating your user pool, you have to provide your users with a user interface to log in, sign up, reset their password, etc. Luckily, AWS Cognito also offers a Hosted UI that covers all the aforementioned points in addition to integrating with other IdPs, not to mention its customizability.

Identity Pools

An identity pool provides temporary AWS credentials for users, so it grants your users access to AWS services. In other words, if users need access to S3, for example, you can allow that by using an identity pool, which in turn gives them an IAM role that must have permission to access S3; you provide this role in the configuration.

It’s highly flexible, as it allows editing most of its configuration: you can assign an IAM role to guest users and different roles to authenticated users.

Features

Infrastructure as Code (IaC)

We’re big on IaC at Almeta. To be honest, it’s because developers love Infrastructure as Code, aka IaC, and cloud platforms have implemented it. In the AWS case it’s called CloudFormation.

And to make life easier, the Serverless Framework (sls), which we use at Almeta, is a treat for this: you write a YAML file that is converted into CloudFormation that AWS understands. Consequently, the Serverless Framework supports User Pools and Identity Pools. Here is a simple example, for demonstration purposes, that shows how to create a User Pool:

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # Generate a name based on the stage
      UserPoolName: ${self:custom.stage}-user-pool
      # Set email as an alias
      UsernameAttributes:
        - email
      AutoVerifiedAttributes:
        - email

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      # Generate an app client name based on the stage
      ClientName: ${self:custom.stage}-user-pool-client
      UserPoolId:
        Ref: CognitoUserPool
      ExplicitAuthFlows:
        - ADMIN_NO_SRP_AUTH
      GenerateSecret: false

# Print out the Id of the User Pool that is created
Outputs:
  UserPoolId:
    Value:
      Ref: CognitoUserPool

  UserPoolClientId:
    Value:
      Ref: CognitoUserPoolClient

As you can see, it’s that easy to create a User Pool and attach a User Pool Client to it. For more information about CloudFormation with Cognito, please visit this page.

Hosted UI

As we said earlier, you can use the AWS Cognito Hosted UI with your User Pool. You just take the URL of the Hosted UI and present it to the end user; all the work is done for you according to what you specified in your User Pool.

For example, if you have linked your User Pool with the Google and Facebook IdPs, specified that your users can sign up and log in using a username and password combination, and kept the default style provided by Cognito, you would have a UI as in the image below.

One missing feature is support for different languages. Currently, the Hosted UI only supports English, but support for other languages is on the AWS roadmap, as stated in their forum.

Cognito SDK

Like most AWS services, Cognito also offers an SDK. This SDK gives you the ability to manage Cognito programmatically, the way you like: you can create a new user pool, delete an existing identity pool, fetch a user, change a user’s password, etc.

If your preferred language is one of the officially supported AWS SDK languages, which you can find here, go ahead, download the corresponding SDK, and start digging.
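As an added example of using the SDK (this is not code from the post or from Almeta), the Python block below walks a user pool with boto3's CognitoIdentityProvider client, following Cognito's PaginationToken, and reports accounts a reviewer would look at: unconfirmed users, disabled users, and users whose e-mail is not verified. The client is passed in as a parameter so the logic can run against a constructed stub offline; POOL_ID is a placeholder, and FakeCognito with its two pages of users is constructed sample data, not output of a real pool.

```python
"""Audit a Cognito User Pool through the SDK (added example, not from the post).

The real client is boto3.client('cognito-idp'); the audit functions take the
client as a parameter so they can be exercised against the constructed
FakeCognito stub below without AWS credentials or network access.
"""
from typing import Iterator

POOL_ID = "eu-west-1_EXAMPLE"  # placeholder, not a real pool id


def iter_users(client, pool_id: str) -> Iterator[dict]:
    """Yield every user, following ListUsers' PaginationToken (max 60 per page)."""
    params = {"UserPoolId": pool_id, "Limit": 60}
    while True:
        page = client.list_users(**params)
        yield from page.get("Users", [])
        token = page.get("PaginationToken")
        if not token:
            return
        params["PaginationToken"] = token


def attr(user: dict, name: str) -> str:
    """Read one attribute from the [{'Name': ..., 'Value': ...}] list ListUsers returns."""
    for item in user.get("Attributes", []):
        if item["Name"] == name:
            return item["Value"]
    return ""


def audit_users(client, pool_id: str) -> dict:
    """Group usernames by the condition that makes them worth reviewing."""
    report = {"unconfirmed": [], "disabled": [], "unverified_email": []}
    for user in iter_users(client, pool_id):
        name = user["Username"]
        if user.get("UserStatus") != "CONFIRMED":
            report["unconfirmed"].append(name)
        if not user.get("Enabled", True):
            report["disabled"].append(name)
        if attr(user, "email") and attr(user, "email_verified") != "true":
            report["unverified_email"].append(name)
    return report


def _user(name, status, enabled, email, verified):
    """Helper to build a constructed ListUsers entry."""
    return {
        "Username": name,
        "UserStatus": status,
        "Enabled": enabled,
        "Attributes": [
            {"Name": "email", "Value": email},
            {"Name": "email_verified", "Value": verified},
        ],
    }


class FakeCognito:
    """Constructed stand-in for the boto3 client: two pages of sample users."""

    def __init__(self):
        self.pages = {
            None: {
                "Users": [
                    _user("alice", "CONFIRMED", True, "alice@example.com", "true"),
                    _user("bob", "UNCONFIRMED", True, "bob@example.com", "false"),
                ],
                "PaginationToken": "page-2",
            },
            "page-2": {
                "Users": [
                    _user("carol", "CONFIRMED", False, "carol@example.com", "true"),
                ],
            },
        }

    def list_users(self, UserPoolId, Limit=60, PaginationToken=None):
        return self.pages[PaginationToken]


def real_client(region: str = "eu-west-1"):
    """Build the real boto3 client; imported lazily so the stub path needs no boto3."""
    import boto3
    return boto3.client("cognito-idp", region_name=region)


if __name__ == "__main__":
    # Swap FakeCognito() for real_client() to audit an actual pool.
    print(audit_users(FakeCognito(), POOL_ID))
```

Running the block against the stub prints bob as unconfirmed with an unverified e-mail and carol as disabled; against a real pool the same function needs only cognito-idp:ListUsers permission on that pool.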

Cognito Sync

Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data. You can use it to synchronize user profile data across mobile devices and the web without requiring your own backend. The client libraries cache data locally so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and if you set up push sync, notify other devices immediately that an update is available.

User Pool vs Identity Pool

As we mentioned before, User Pool is to manage your users: sign up, login, logout, etc. whereas Identity Pool is to assign IAM roles to your users.

So if you want user management, you should go with User Pool. But if you want your users to access AWS resources, Identity Pool is the way. If you need both, then use them together.

For more info about the difference, you can read this amazing article.

Conclusion

Amazon Cognito is a fascinating service, it manages your users, grants access to your AWS resources, syncs the users’ data, and provides a Hosted UI.

At almeta.io, we rely on Cognito to do user management for us, as it speeds up the development process and handles the whole authentication process, including its security and integration with external IdPs.

Do you know that we use all this and other AI technologies in our app? Look at what you’re reading now applied in action. Try our Almeta News app. You can download it from google play: https://play.google.com/store/apps/details?id=io.almeta.almetanewsapp&hl=ar_AR
