Ref: https://learn.cantrill.io/courses/1820301/lectures/41301412

• Summary:
• Contents:

Amazon Cognito - Overview

• 🔧 Core identity product in AWS: authentication, authorization, and (serverless) user management for web/mobile apps
  • 2 core functionalities:
    1. User pools → sign-in to get a JSON Web Token (JWT)
    2. Identity pools → access to temporary AWS credentials
    • 💡 User pools & identity pools are very different! Terrible naming! :(
• ❗Cognito allows using unlimited amount of users → much more than 5000 IAM user limit
  • 👍 Great for large scale web and mobile apps

Amazon Cognito - User Pools

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Cognito-1.png

• 🔧 User directory (collection of users, think of a DB of users)
  • Offers a common sign-up/sign-in experience, authenticated entities get a JSON Web Token (JWT)
  • Other features: user directory management & profiles, customizable web UI for sign-up/sign-in, MFA, and other security features
  • Users can be internal to the app or external (e.g. users coming from social IDPs like Google, Facebook…)
• JWT (aka user pool token) proves that the identity has been used to sign in to Cognito → user of the Cognito user pool
  • Can be used to access self-managed servers or DBs
  • APIGW can accept JWTs directly for authentication
    • 💡 Other services that also only require JWTs: IAM Identity Center (provided that those JWTs come from a trusted token issuer), and ALBs
  • ‼️ Can NOT be used to access most AWS resources!!! (in general, that requires AWS credentials)

Amazon Cognito - Identity Pools

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Cognito-2.png

• 🔧 Offer access to AWS resources, usually by swapping a token from an ID provider (IDP) for temporary AWS credentials
  • Unauthenticated identities → guest identities that access AWS resources
  • Federated identities → swap an external identity (Google, Facebook, X/Twitter, SAML2.0… or Cognito user pool's JWT) for temporary AWS credentials, can then access AWS resources
    • 💡 The same external identity directories used in Cognito user pools can be used for Cognito identity pools too, which is why this can get confusing… 😖
• Neither AWS nor your app ever have access to 3rd-party credentials, because they are given by the external social IDP
  • 3rd-party IDP gives a token to user (proves the user is an authenticated user from them)
• Cognito Identity Pools can exchange identification tokens for AWS credentials
  • Allows federated identities to access AWS resources in an account
  • Supported IDP tokens include social IDPs (Google token, Facebook token…)
    • ❗ Yes, JWTs granted by authenticating to a Cognito user pool ALSO supported!
  • ❗To support an IDP, you must have a configuration for it within Cognito identity pools
  • If credentials expire, your app can renew them via Cognito
• Cognito assumes a role and returns temporary AWS credentials to app
  • Required: at least one role for authenticated/federated identities, and at least one role for unauthenticated/guest identities