Cognito Under the Hood

Andreas Wittig – 24 Mar 2021

Have you ever implemented a user database and authentication layer yourself? There are many things to get right: Hashing and salting passwords, multi-factor authentication, brute force attacks, and many more. That’s why I recommend using a production-ready service instead of building authentication yourself. That’s what Amazon Cognito is all about.

Cognito Under the Hood

Let me start with typical use cases for Cognito:

Serverless app with API Gateway

A typical Serverless application uses Cognito User Pools for authentication and authorization.

Serverless app with API Gateway

  1. The client authenticates with the User Pool.
  2. The client sends the identity or access token as a header to the API Gateway.
  3. The API Gateway verifies the token and grants access.
  4. The API Gateway adds information from the identity/access token to the context when invoking a Lambda function.

Obtain temporary AWS credentials

Cognito Identity Pool allows federated identities to access AWS resources by issuing temporary AWS access credentials. Users can use those credentials to interact with AWS APIs directly (e.g., AppSync, S3, DynamoDB, …). That allows clients to access data stores without a backend.

Andreas and Michael Wittig

Please support our work!

We have published 331 articles, 42 podcast episodes, and 15 videos. It's all free and means a lot of work in our spare time.

$6,000.00 will help us to write in-depth service reviews and comparisons in 2022! With your help, we can continue to produce independent & high-quality content focused on AWS.

$1,454.00 raised

Thanks to Alan Leech, Alex DeBrie, e9e4e5f0faef, Jaap-Jan Frans, Jens Gehring, jhoadley, Kamil Oboril, Ken Snyder, Thorsten Hoeger, Todd Valentine, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.

Support us

Obtain temporary AWS credentials

Cloud-native app with ALB

You can add authentication to any cloud-native app that sits behind an ALB. ALBs support authentication/authorization based on Cognito User Pools.

Cloud native app with ALB

We use it to add a layer of security for traditional tools like Jenkins, phpMyAdmin, etc.
You can find a working example here: https://github.com/cfn-modules/docs/tree/master/examples/fargate-alb-auth-cognito

The following video covers:

  • When to use AWS Cognito?
  • Demo: ALB + Cognito User Pool
  • User Pool vs. Identity Pool
  • Pitfall: Backup your most valuable asset!

Summary

The following table helps you to decide which option to choose.

User Pool Identity Pool
Built-in User Database ✅ Yes ❌ No
Grant access to AWS resources directly ✅ Yes in combination with an Identity Pool ✅ Yes
Social Login Google, Facebook, Amazon, Apple Google, Facebook, Amazon, Apple
SAML ✅ Yes ✅ Yes
OpenID Connect ✅ Yes ✅ Yes
Hosted UI ✅ Yes ❌ No
Costs $0.0055 per Monthly Active User (MAU) Free
Andreas Wittig

Andreas Wittig

I launched cloudonaut.io in 2015 with my brother Michael. Since then, we have published hundreds of articles, podcast episodes, and videos. It’s all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.
Have you learned something new by reading, listening, or watching our content? If so, we kindly ask you to support us in producing high-quality & independent AWS content. We look forward to sharing our AWS knowledge with you.

Support us

Feedback? Questions? You can reach me via Email, Twitter, or LinkedIn.