AWS Cognito
- Cognito is used for giving users an identity in order to be able to communicate with a system
- Cognito offers 3 products:
  - Cognito User Pools:
    - Sign-in functionality for the app users
    - Integrates with API Gateway
  - Cognito Identity Pools (Federated Identities):
    - Provide AWS credentials to users who want to access AWS resources directly
    - Integrate with Cognito User Pools as an identity provider
  - Cognito Sync:
    - Used to synchronize data from a device to Cognito
    - Deprecated, replaced by AppSync
AWS Cognito User Pools
- It is a serverless database for users of an application
- It is a simple login provider: username (or email) / password combination
- Possibility to verify emails/phone numbers and add MFA
- Can enable federated identities (Facebook, Google, SAML, etc.). This is not the same as Cognito Identity Pools (AWS Federated Identities)!
- Sends back a JSON Web Token (JWT)
- Can be integrated with API Gateway for authentication
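The JWT a User Pool sends back is only worth anything if the receiving side checks it properly: signature, expiry, issuer (the pool), `token_use` ("id" or "access") and the app client it was issued for (`aud` in ID tokens, `client_id` in access tokens). The following is an added example, not code from the original notes or from AWS. The issuer and JWKS URL formats are the real Cognito ones; the region, pool id, app client id and user sub are constructed placeholders. Real Cognito tokens are RS256-signed and verified against the key in the pool's JWKS whose `kid` matches the header; to keep the example runnable offline, a constructed HMAC secret stands in for that signature check, and everything else is the claim validation a backend should do.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders shaped like real values (assumptions for this example).
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLEPOOL"
APP_CLIENT_ID = "1example23456789abcdefghijklmn"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
JWKS_URL = f"{ISSUER}/.well-known/jwks.json"  # real tokens: RS256 public keys are fetched from here

# Offline stand-in for the RS256 signature check (constructed, not a real key).
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_NOW = 1_700_000_000  # fixed "current time" so the results are reproducible


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    """Build a JWT signed with the constructed HMAC key (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-kid"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signature(header: dict, signing_input: bytes, signature: bytes) -> bool:
    # Only the algorithm the verifier expects is accepted; this also rejects "none".
    # In production this branch is RS256 against the JWKS key selected by header["kid"].
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_cognito_token(token: str, expected_use: str, now: int = DEMO_NOW) -> dict:
    """Return the claims if every check passes, else raise ValueError with the reason.

    expected_use is "id" (app client in `aud`) or "access" (app client in `client_id`)
    and must match the token's `token_use` claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not verify_signature(header, signing_input, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:  # token must come from this user pool
        raise ValueError("unexpected issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    client = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if client != APP_CLIENT_ID:
        raise ValueError("token not issued for this app client")
    return claims


def demo_results() -> dict:
    """Run the validator over one valid ID token and several variants that must be rejected."""
    base = {"sub": "constructed-user-sub", "iss": ISSUER, "aud": APP_CLIENT_ID,
            "token_use": "id", "exp": DEMO_NOW + 3600}
    cases = {
        "valid_id_token": make_demo_token(base),
        "expired": make_demo_token({**base, "exp": DEMO_NOW - 1}),
        "other_pool": make_demo_token({**base, "iss": ISSUER + "X"}),
        "access_token_used_as_id": make_demo_token({**base, "token_use": "access"}),
        "other_app_client": make_demo_token({**base, "aud": "some-other-client"}),
    }
    # Payload swapped for one claiming a different sub, original signature kept.
    good = cases["valid_id_token"].split(".")
    forged_payload = b64url_encode(json.dumps({**base, "sub": "another-user"}).encode())
    cases["tampered_payload"] = ".".join([good[0], forged_payload, good[2]])
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = "accepted:" + validate_cognito_token(tok, "id")["sub"]
        except ValueError as err:
            results[name] = "rejected:" + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo_results().items():
        print(f"{name:25s} {outcome}")
```

API Gateway's Cognito authorizer performs these checks for you when the User Pool is attached as an authorizer; the example shows what a backend that receives the token directly has to do itself.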
AWS Cognito Federated Identity Pools
- Goal:
  - Provide direct access to AWS resources from the client side
- How:
  - Log in to a federated identity provider, or remain anonymous
  - Get temporary AWS credentials from the Federated Identity Pool
  - These credentials come with pre-defined IAM policies stating their permissions
- Examples:
  - Provide temporary access to write to an S3 bucket using Facebook login
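The "pre-defined IAM policies" are where least privilege lives for the S3 example above: every authenticated identity assumes the same role, so the policy has to be written per identity using the `${cognito-identity.amazonaws.com:sub}` policy variable, which IAM resolves to the caller's identity id on each request. The following is an added example, not from the original notes or from AWS. The policy variable and the `s3:prefix` condition key are real IAM names; the bucket name and identity ids are constructed. The `is_allowed` function is a deliberately simplified simulation of IAM's evaluation (default deny, Allow statements, `StringLike` conditions only) so that the scoping effect can be exercised offline; it is not IAM.

```python
import fnmatch
import json

BUCKET = "example-user-uploads"  # constructed bucket name
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM resolves this to the caller's identity id

# Permissions policy for the identity pool's authenticated role. Every identity receives
# the same document, but the variable resolves per caller, so the temporary credentials
# can only reach objects under that user's own prefix.
SCOPED_UPLOAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/{SUB_VAR}/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            # Listing is allowed only when the request is limited to the caller's prefix.
            "Condition": {"StringLike": {"s3:prefix": [f"{SUB_VAR}/*"]}},
        },
    ],
}

# Constructed identity ids (Cognito identity ids look like "<region>:<uuid>").
ME = "eu-west-1:11111111-1111-1111-1111-111111111111"
OTHER = "eu-west-1:22222222-2222-2222-2222-222222222222"


def resolve_policy_variables(policy: dict, identity_id: str) -> dict:
    """Substitute the caller's identity id for the policy variable, as IAM does per request."""
    return json.loads(json.dumps(policy).replace(SUB_VAR, identity_id))


def is_allowed(policy: dict, identity_id: str, action: str, resource_arn: str, context: dict = None) -> bool:
    """Simplified IAM-style check: deny unless an Allow statement matches action, resource
    and every StringLike condition. Explicit Deny, NotAction/NotResource and the other
    condition operators of real IAM are omitted. Wildcards: IAM uses * and ?; fnmatch
    also treats [...] specially, which no value in this example contains."""
    context = context or {}
    for stmt in resolve_policy_variables(policy, identity_id)["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, pat) for pat in stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(any(fnmatch.fnmatchcase(str(context.get(key, "")), pat) for pat in pats)
               for key, pats in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    own = f"arn:aws:s3:::{BUCKET}/{ME}/photo.jpg"
    theirs = f"arn:aws:s3:::{BUCKET}/{OTHER}/photo.jpg"
    print("write own prefix:   ", is_allowed(SCOPED_UPLOAD_POLICY, ME, "s3:PutObject", own))
    print("write other prefix: ", is_allowed(SCOPED_UPLOAD_POLICY, ME, "s3:PutObject", theirs))
    print("delete own object:  ", is_allowed(SCOPED_UPLOAD_POLICY, ME, "s3:DeleteObject", own))
    print("list own prefix:    ", is_allowed(SCOPED_UPLOAD_POLICY, ME, "s3:ListBucket",
                                             f"arn:aws:s3:::{BUCKET}", {"s3:prefix": f"{ME}/"}))
```

The point to take from the simulation is the shape of the policy: the credentials handed out by the Identity Pool are only as narrow as the role's policy, and without the per-identity variable every Facebook-authenticated user would be able to read and overwrite every other user's objects in the bucket.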
AWS Cognito Sync
- Deprecated - use AWS AppSync
- Can be used for cross device synchronization from any platform: iOS, Android, etc.
- It provides some offline capabilities: synchronization happens when the device comes back online
- Requires a Federated Identity Pool in Cognito (not a User Pool!)
- Data is stored in datasets; each dataset can hold up to 1 MB of data, and up to 20 datasets can be synchronized