How is authentication and identity managed in AWS applications?

Authentication and authorization are critical aspects of building modern applications. With the proliferation of mobile devices and the increasing demand for seamless user experiences, developers need robust and scalable solutions to manage user identities and access controls.

What's Amazon Cognito?

Cognito is the Amazon Web Services (AWS) authentication and user management service. Here at Metal Toad, this is our tool of choice for the job, and it's become a popular choice among developers in general for building secure and scalable user authentication for applications. In this article, I'll try to cover the bedrock topics of Amazon Cognito, and highlight the various features and functionality therein.

Key Components of Amazon Cognito

Amazon Cognito consists of several key components that work together to provide a comprehensive solution for user management. These components include:

  1. User Pools:
    User Pools are the foundation of Amazon Cognito and provide a fully managed user directory to handle user registration, authentication, and user profile management. User Pools support various authentication flows, including sign-up and sign-in with email and password, social media federation (such as Facebook, Google, and Amazon), single sign-on (SSO) using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML), and more. User Pools also support multi-factor authentication (MFA) using SMS, Time-based One-Time Password (TOTP), or Universal Second Factor (U2F) devices for added security.
    tl;dr: User pools are most likely what you want for your application. These pools can be managed as you like, allowing users to either sign up or be invited. Users in this pool have no intrinsic relation to a role or identity within the AWS account in which the pool is set up. If you are looking for that level of granular access to AWS resources, then you're probably looking for an Identity Pool too.

  2. Identity Pools:
    Identity Pools enable you to grant temporary, limited access to AWS services on behalf of authenticated users. Identity Pools work with User Pools to authenticate users and provide AWS credentials that can be used to access AWS resources securely. This allows you to control fine-grained access to AWS resources based on user attributes, such as group membership or custom attributes, and implement serverless authentication and authorization workflows in your applications.
    tl;dr: Identity pools grant users access to specific AWS resources based on roles and identities within said AWS account.

  3. Amazon Cognito Sync:
    Amazon Cognito Sync provides client libraries and backend services for synchronizing data across devices securely. With Amazon Cognito Sync, you can store and sync user data, such as app settings or game state, in the cloud and make it accessible across devices. Amazon Cognito Sync also provides a conflict resolution mechanism for handling conflicts that may arise when multiple devices try to sync data simultaneously.


Authentication Flows and Customization

Amazon Cognito supports various authentication flows to cater to different use cases and provides customization options to tailor the authentication process to your application's requirements. Some of the authentication flows supported by Amazon Cognito include:

  1. Sign-up and Sign-in with Email/Password: This is the most common authentication flow where users can sign up for a new account by providing their email address and password, and then sign in with their credentials.

  2. Social Media Federation: Amazon Cognito allows users to sign up or sign in to your application using their social media accounts, such as Facebook, Google, or Amazon. This simplifies the sign-up process and provides a seamless experience for users.

  3. Single Sign-On (SSO): Amazon Cognito supports single sign-on (SSO) using OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). This allows you to implement SSO across multiple applications and services, providing a unified authentication experience.

Integrating with AWS Applications

There are a number of ways to integrate with Cognito, and one that's gotten more popular as the service has matured is AWS Amplify.

AWS Amplify really is just a set of libraries and tools to help developers scaffold and connect AWS resources quickly. It comprises a CLI tool, a UI library, some configuration standards, and hosting for your frontend app. It integrates with a vast number of Amazon services, including Cognito. So while you don't need to use all the provided tools, Amplify rewards you greatly for doing so. As an example, we don't need to use the CLI if the only thing we want is hosting and the UI library. Just know that the CLI provides tools for connecting frontend components to backend resources, which you will need to configure manually if you opt out of the CLI. There may be good reason for this: perhaps you already manage your backend with Terraform, and keeping a clear delineation of what's managing what could be more cumbersome than just drinking the Kool-Aid.

Amplify UI provides components that work with a number of different front-end frameworks; you can find the full list here: https://docs.amplify.aws/ui/

The Authenticator Component

The most powerful component in connecting Amplify and Cognito is the Authenticator component. At Metal Toad we primarily work with ReactJS, so this is a deep link to the React component version:

https://ui.docs.amplify.aws/react/connected-components/authenticator

This component is implemented in the front-end as follows (basically 😉):

import { Amplify } from 'aws-amplify';
import { Authenticator } from '@aws-amplify/ui-react';
// Children of <Authenticator> render only once a user has signed in.
export default function App() {
  return (
    <Authenticator>
      {({ signOut, user }) => <button onClick={signOut}>Sign out {user.username}</button>}
    </Authenticator>
  );
}

Once we have this in place, we either run the CLI tool to create our backend and frontend configurations:

amplify add auth

or we manually configure the Auth module against our existing Cognito resource, as follows:

import { Auth } from 'aws-amplify';

// Point the Auth module at an existing user pool and its app client.
Auth.configure({
    region: "REDACTED",                 // AWS region the user pool lives in
    userPoolId: "REDACTED",             // Cognito user pool ID
    userPoolWebClientId: "REDACTED",    // the pool's app client ID
    authenticationFlowType: "USER_PASSWORD_AUTH",  // send the password directly instead of the default SRP flow
});

With that your users can:

  • Login
  • Create user
  • Reset password

There are also a number of hooks for which you can write code to create custom responses, including:

  • idle
  • setup
  • signIn
  • signUp
  • confirmSignIn
  • confirmSignUp
  • setupTOTP
  • forceNewPassword
  • resetPassword
  • confirmResetPassword
  • verifyUser
  • confirmVerifyUser
  • signOut
  • authenticated

And of course all the Amplify UI components can be easily themed to quickly match your brand.

Once set up, there's endless customization within these services. You'll also find a tremendous amount of value out of the box, saving you from reinventing common solutions just to stay up to date!
