
Amazon Cognito FAQs

General


Amazon Cognito lets you easily add user sign-in to your mobile and web apps. Amazon Cognito enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in Amazon Web Services or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect and with social identity providers (such as Google and Amazon), and you can also integrate your own identity provider.

With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user authentication.

Amazon Cognito is designed for developers who want to add user authentication to their mobile and web apps. Developers can use Cognito Identity to add sign-up and sign-in to their apps and to enable their users to securely access their app’s resources.

You can easily get started by visiting the Amazon Web Services Console. If you do not have an Amazon Web Services account, you can create an account when you sign in to the console. Once you have created an identity pool for federated identities, you can download and integrate the Amazon Mobile SDK with your app.

Support for Cognito is included in the optional Amazon Mobile SDK, which is available for iOS, Android, Unity, and Kindle Fire. Cognito is also available in the Amazon SDK for JavaScript.

No. Cognito exposes its control and data APIs as web services. You can implement your own client library calling the server-side APIs directly.

Federate identities and provide secure access to Amazon Web Services resources


Yes. Cognito Identity enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in Amazon Web Services or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect and with social identity providers (such as Google and Amazon), and you can also integrate your own identity provider.

You can use Amazon, Google and any other OpenID Connect compatible identity provider.

Identity pools are the containers that Cognito Identity uses to keep your apps’ federated identities organized. An identity pool associates federated identities from social identity providers with a unique, user-specific identifier. Identity pools do not store any user profiles. An identity pool can be associated with one or many apps. If you use two different identity pools for two apps, then the same end user will have a different unique identifier in each identity pool.

Your mobile app authenticates with an Identity Provider (IdP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token or the SAML assertion returned from the IdP is passed by your app to Cognito Identity, which returns a new Cognito ID for the user and a set of temporary, limited-privilege Amazon Web Services credentials.

Cognito Identity can integrate with your existing authentication system. With a single API call, you can retrieve a Cognito ID for an end user based on your own unique identifier for that user. Once you have retrieved the Cognito ID and the OpenID token that Cognito Identity provides, you can use the Cognito Identity client SDK to access Amazon Web Services resources and synchronize user data. Cognito Identity is a fully managed identity provider that makes it easier for you to implement user sign-up and sign-in for your mobile and web apps.

Cognito Identity assigns your users a set of temporary, limited-privilege credentials to access your Amazon Web Services resources, so you do not have to use your Amazon Web Services account credentials. The permissions for each user are controlled through Amazon IAM roles that you create. You can define rules to choose the IAM role for each user, or, if you are using groups in a Cognito user pool, you can assign IAM roles based on groups. Cognito Identity also allows you to define a separate IAM role with limited permissions for guest users who are not authenticated. In addition, you can use the unique identifier that Cognito generates for your users to control access to specific resources. For example, you can create a policy for an S3 bucket that only allows each user access to their own folder within the bucket.
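The per-user S3 folder policy and the authenticated/guest role split described above, as an added example (written for this page, not AWS's own code). `${cognito-identity.amazonaws.com:sub}` is the real IAM policy variable that resolves to the caller's Cognito identity ID, and `cognito-identity.amazonaws.com:aud` / `:amr` are the real condition keys used in the trust policies of identity pool roles. The bucket name, pool ID, identity IDs and the small evaluator are constructed for the example; the evaluator models only IAM's substitute-then-match step so the scoping can be checked offline, not full IAM evaluation.

```python
"""Added example: IAM policies that confine each Cognito identity to its own
S3 prefix, plus an offline check that the scoping behaves as intended.

Real parts: the ${cognito-identity.amazonaws.com:sub} policy variable and the
cognito-identity.amazonaws.com:aud / :amr condition keys. Constructed parts:
the bucket name, pool ID, identity IDs and the mini evaluator (Allow-only,
exact action names, wildcard resource match, s3:prefix for ListBucket).
"""
from fnmatch import fnmatchcase

BUCKET = "example-app-user-data"  # constructed bucket name
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"

# Permissions policy attached to the identity pool's *authenticated* role.
# Every resource is anchored on the caller's own identity ID, so two users
# sharing this role still cannot read each other's objects.
PER_USER_PREFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyOwnPrefix",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::" + BUCKET,
            "Condition": {"StringLike": {"s3:prefix": SUB_VAR + "/*"}},
        },
        {
            "Sid": "ReadWriteOwnObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::" + BUCKET + "/" + SUB_VAR + "/*",
        },
    ],
}


def trust_policy(identity_pool_id, authenticated):
    """Trust policy for a pool role: only this pool (aud) may assume it, and only
    for identities whose authentication method (amr) matches the role's purpose."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def resolve(template, identity_id):
    """Substitute the sub variable with the caller's identity ID, as IAM does at evaluation time."""
    return template.replace(SUB_VAR, identity_id)


def is_allowed(policy, identity_id, action, key_or_prefix):
    """True if some Allow statement matches the action and the substituted resource."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        if action == "s3:ListBucket":
            # The bucket ARN always matches; the s3:prefix condition decides.
            pattern = stmt["Condition"]["StringLike"]["s3:prefix"]
            if fnmatchcase(key_or_prefix, resolve(pattern, identity_id)):
                return True
            continue
        object_arn = "arn:aws:s3:::" + BUCKET + "/" + key_or_prefix
        if fnmatchcase(object_arn, resolve(stmt["Resource"], identity_id)):
            return True
    return False


if __name__ == "__main__":
    alice = "us-east-1:11111111-1111-1111-1111-111111111111"  # constructed identity IDs
    bob = "us-east-1:22222222-2222-2222-2222-222222222222"
    print("alice reads own object:", is_allowed(PER_USER_PREFIX_POLICY, alice, "s3:GetObject", alice + "/notes.txt"))
    print("alice reads bob's object:", is_allowed(PER_USER_PREFIX_POLICY, alice, "s3:GetObject", bob + "/notes.txt"))
```

The point to check in a review is that every `Resource` (and the `s3:prefix` condition for listing) contains the `sub` variable; a statement that grants `s3:GetObject` on `arn:aws:s3:::bucket/*` would let any authenticated identity read every user's folder, because the role, not the user, is what IAM authorizes.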

No. Your app communicates directly with the supported public identity provider (Amazon, Google, or an OpenID Connect-compliant provider) to authenticate users. Cognito Identity does not receive or store user credentials. Cognito Identity uses the token from the identity provider to obtain a unique identifier for the user and then hashes it using a one-way hash, so that the same user can be recognized again in the future without storing the actual user identifier.

No. Cognito Identity does not receive any confidential information (such as email address, friends list, etc.) from the identity providers.

No. Cognito Identity supports login through Amazon and Google, as well as providing support for unauthenticated users. With Cognito Identity you can support federated authentication and Amazon Web Services access token distribution without writing any backend code.

Cognito Identity supports the creation and token vending process for unauthenticated users as well as authenticated users. This removes the friction of an additional login screen in your app, but still enables you to use temporary, limited-privilege credentials to access Amazon Web Services resources.
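The exchange described in the answers above (app authenticates with the IdP, hands the token to Cognito Identity, receives a Cognito ID and temporary credentials; the same user gets a different ID in a different pool; the provider's identifier is stored only as a one-way hash; guests get a separate limited role), as one added, stand-alone model that is not AWS's code. The real client calls are GetId and then GetCredentialsForIdentity; the constructed IdP, its HMAC-signed token format, the region, pool IDs, role names and the keyed hash below are assumptions made for the simulation, and the developer-authenticated flow (your own backend vending an OpenID token) is not modelled.

```python
"""Added example: a simulation of the Cognito Identity federation exchange.

Real API names: GetId (pool + IdP token -> Cognito ID) and
GetCredentialsForIdentity (Cognito ID + IdP token -> temporary credentials).
Everything else (IdP, token format, hashing, IDs, roles) is constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Constructed identity provider (stand-in for a social / OIDC IdP) ---
IDP_ISSUER = "idp.example.test"
IDP_SIGNING_KEY = b"idp-signing-key-for-this-example-only"


def idp_issue_token(subject, lifetime=300):
    """The IdP binds a 'sub' claim to its issuer; HMAC stands in for the IdP's real signature."""
    claims = json.dumps({"iss": IDP_ISSUER, "sub": subject, "exp": int(time.time()) + lifetime})
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    sig = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


class CognitoIdentityPoolModel:
    """One identity pool: verifies IdP tokens, maps subjects to Cognito IDs, vends role-scoped credentials."""

    def __init__(self, region, pool_id, auth_role, guest_role, allow_unauthenticated):
        self.region, self.pool_id = region, pool_id
        self.auth_role, self.guest_role = auth_role, guest_role
        self.allow_unauthenticated = allow_unauthenticated
        # Per-pool secret for the keyed one-way hash (model choice): a keyed hash
        # stays one-way even when provider subjects are short or guessable.
        self._mapping_key = secrets.token_bytes(32)
        self.identities = {}  # cognito_id -> {"amr": [...]}; raw subjects are never stored

    def _verify_login(self, provider, token):
        """Reject forged, expired or wrong-issuer tokens before trusting the subject."""
        payload, _, sig = token.rpartition(".")
        expected = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("invalid token signature")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["iss"] != provider or claims["exp"] < time.time():
            raise PermissionError("wrong issuer or expired token")
        return claims["sub"]

    def get_id(self, logins=None):
        """GetId analogue: Cognito ID for the presented login, or a fresh guest ID."""
        if not logins:
            if not self.allow_unauthenticated:
                raise PermissionError("pool does not allow unauthenticated identities")
            cognito_id = self.region + ":" + secrets.token_hex(16)
            self.identities[cognito_id] = {"amr": ["unauthenticated"]}
            return cognito_id
        (provider, token), = logins.items()
        subject = self._verify_login(provider, token)
        # Same user -> same ID within this pool; a different pool yields a different ID.
        material = f"{self.pool_id}|{provider}|{subject}".encode()
        cognito_id = self.region + ":" + hmac.new(self._mapping_key, material, hashlib.sha256).hexdigest()[:32]
        self.identities.setdefault(cognito_id, {"amr": ["authenticated", provider]})
        return cognito_id

    def get_credentials_for_identity(self, cognito_id, logins=None):
        """GetCredentialsForIdentity analogue: pick the IAM role, vend temporary credentials."""
        record = self.identities.get(cognito_id)
        if record is None:
            raise PermissionError("unknown identity")
        if "authenticated" in record["amr"]:
            # An authenticated identity must re-present a login that maps to this same ID.
            if not logins or self.get_id(logins) != cognito_id:
                raise PermissionError("login does not match identity")
            role = self.auth_role
        else:
            role = self.guest_role
        return {"IdentityId": cognito_id, "Role": role,
                "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # constructed
                "SecretKey": secrets.token_urlsafe(30), "SessionToken": secrets.token_urlsafe(48),
                "Expiration": int(time.time()) + 3600}


def demo():
    """Run one user through two pools plus one guest; return the observable properties."""
    pool_a = CognitoIdentityPoolModel("us-east-1", "us-east-1:pool-a", "AppAuthRole", "AppGuestRole", True)
    pool_b = CognitoIdentityPoolModel("us-east-1", "us-east-1:pool-b", "OtherAuthRole", "OtherGuestRole", False)
    token = idp_issue_token("user-12345")
    logins = {IDP_ISSUER: token}
    id_a = pool_a.get_id(logins)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    try:
        pool_a.get_id({IDP_ISSUER: tampered})
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True
    return {"same_user_same_pool": pool_a.get_id(logins) == id_a,
            "same_user_other_pool_differs": pool_b.get_id(logins) != id_a,
            "auth_role": pool_a.get_credentials_for_identity(id_a, logins)["Role"],
            "guest_role": pool_a.get_credentials_for_identity(pool_a.get_id())["Role"],
            "subject_stored": "user-12345" in json.dumps(pool_a.identities),
            "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two defensive details the model makes visible: credentials are never issued on the strength of a Cognito ID alone, because an authenticated identity must re-present a login that maps to that ID, and the identity store holds only the keyed hash, so a dump of it does not reveal which provider accounts the app's users own.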