Cognito

Table of Contents

  1. Overview

  2. Key Concepts

  3. Prerequisites

  4. Setting Up a Cognito User Pool

  5. Setting Up a Cognito Identity Pool

  6. User Authentication Flow

  7. Using Cognito in Applications

  8. Advanced Features

  9. Best Practices

  10. Summary Table


1. Overview

AWS Cognito is a fully managed service that provides authentication, authorization, and user management for web and mobile apps. It supports sign-up, sign-in, and access control with support for social identity providers (Google, Facebook, Apple), SAML, and OpenID Connect.


2. Key Concepts

  • User Pool: User directory to manage users and handle sign-up/sign-in.

  • Identity Pool (Federated Identities): Provides AWS credentials to users so they can access AWS services. Supports federated identities (social, SAML, user pool).

  • Tokens: Cognito issues JWTs: the ID token (identity claims about the user), the access token (scopes and group claims used for authorization), and the refresh token (used to obtain new ID and access tokens).

  • Groups: Define user roles and permissions inside a user pool.

  • Triggers: Lambda functions triggered by Cognito events (e.g., pre-signup, post-authentication).


3. Prerequisites

  • AWS Account with appropriate permissions for Cognito.

  • AWS CLI or Console access.

  • Basic knowledge of authentication flows and REST APIs.


4. Setting Up a Cognito User Pool

Step 1: Create User Pool

  • AWS Console → Cognito → Manage User Pools → Create a user pool.

  • Enter a pool name (e.g., MyAppUserPool).

Step 2: Configure Sign-in Options

  • Choose username or email as the sign-in method.

  • Enable multi-factor authentication (optional).

  • Set password strength policies.

Step 3: Configure Attributes

  • Select which user attributes are required (email, phone, etc.).

  • Enable auto-verification of email/phone if desired.

Step 4: Configure App Clients

  • Create an app client (browser and mobile apps cannot keep a secret, so create those without a client secret).

  • Configure OAuth 2.0 settings if using hosted UI or external providers.

Step 5: Configure Triggers (Optional)

  • Attach Lambda functions to triggers such as pre-signup or post-confirmation.

Step 6: Review and Create Pool


5. Setting Up a Cognito Identity Pool

Step 1: Create Identity Pool

  • AWS Console → Cognito → Manage Identity Pools → Create new identity pool.

  • Name it (e.g., MyAppIdentityPool).

Step 2: Enable Authentication Providers

  • Link the User Pool you created earlier.

  • Optionally add social providers (Facebook, Google).

Step 3: Configure IAM Roles

  • Identity Pool automatically creates IAM roles for authenticated and unauthenticated users.

  • Customize policies to control AWS service access.

Step 4: Create Identity Pool


6. User Authentication Flow

  • Sign Up: User registers with username/email and password.

  • Confirm Sign Up: User confirms account via email or SMS verification code.

  • Sign In: User authenticates and receives JWT tokens.

  • Token Refresh: Use refresh token to get new access and ID tokens.

  • Access AWS Resources: Use Identity Pool to obtain AWS credentials.


7. Using Cognito in Applications

Web (JavaScript SDK)

Install AWS Amplify or AWS SDK:

npm install aws-amplify

Example sign-in code:

import { Auth } from 'aws-amplify';

// Sign in against the user pool configured via Amplify.configure() (Amplify v5 Auth API).
// Resolves with the authenticated user (including its session tokens) or rejects with the Cognito error.
function signInUser(username, password) {
  return Auth.signIn(username, password)
    .then(user => { console.log('Sign in success:', user); return user; })
    .catch(err => { console.error('Sign in error:', err); throw err; });
}

Mobile (iOS / Android)

  • Use AWS Amplify libraries for iOS and Android for seamless integration.

Backend (Node.js / Python / Java)

  • Use the AWS SDK to verify the Cognito tokens that accompany each request and authenticate the caller before authorizing it.

8. Advanced Features

  • Federated Identities: Support social logins (Google, Facebook).

  • Hosted UI: Use Cognito hosted web UI for sign-in and sign-up flows.

  • User Groups & Roles: Manage permissions and role-based access.

  • Triggers & Lambda: Customize workflows using Lambda triggers.

  • Custom Authentication Flows: Build multi-step or custom authentication flows.

  • Device Tracking & Remembering: Track devices used to sign in.


9. Best Practices

  • Use HTTPS to secure tokens during transmission.

  • Enable MFA for sensitive applications.

  • Use user groups to manage permissions clearly.

  • Protect your app client secrets and the issued tokens from exposure.

  • Monitor user pool metrics and set alarms for suspicious activity.

  • Regularly rotate IAM roles and review permissions.


10. Summary Table

Feature             Description                                   Use Case
------------------  --------------------------------------------  --------------------------------------------
User Pools          Manage users, sign-up/sign-in                 User authentication and profile management
Identity Pools      Provide AWS credentials for resource access   Allow users to access AWS services securely
Triggers & Lambda   Customize auth flow with Lambda               Custom validations, workflows
Hosted UI           Pre-built authentication UI                   Quick integration without building UI
Federated Identity  Social and enterprise login providers         Easy integration with Google, Facebook