Get Started with Amazon Cognito

Q: What is Amazon Cognito?
Amazon Cognito lets you easily add user sign-in to your mobile and web apps. Amazon Cognito enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect, social identity providers (such as Google and Amazon) and you can also integrate your own identity provider.

With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user authentication.

Q: Who should use Amazon Cognito?
Amazon Cognito is designed for developers who want to add user authentication to their mobile and web apps. Developers can use Cognito Identity to add sign-up and sign-in to their apps and to enable their users to securely access their app’s resources.

Q: How do I start using Amazon Cognito?
You can easily get started by visiting the AWS Console. If you do not have an Amazon Web Services account, you can create an account when you sign in to the console. Once you have created an identity pool for federated identities, you can download and integrate the AWS Mobile SDK with your app.

Q: Which platforms does Amazon Cognito support?
Support for Cognito is included in the optional AWS Mobile SDK, which is available for iOS, Android, Unity, and Kindle Fire. Cognito is also available in the AWS SDK for JavaScript.

Q: Do I have to use the AWS Mobile SDK?
No. Cognito exposes its control and data APIs as web services. You can implement your own client library calling the server-side APIs directly.

 

Q: Can I use Cognito Identity to federate identities and secure access to AWS resources?
Yes, Cognito Identity enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway. Amazon Cognito works with external identity providers that support SAML or OpenID Connect, social identity providers (such as Google and Amazon) and you can also integrate your own identity provider.

Q: Which public identity providers can I use with Amazon Cognito Identity?
You can use Amazon, Google and any other OpenID Connect compatible identity provider.

Q: What is an Identity Pool?
Identity pools are the containers that Cognito Identity uses to keep your apps’ federated identities organized. Identity Pool associates federated identities from social identity providers with a unique user specific identifier. Identity Pools do not store any user profiles. An identity pool can be associated with one or many apps. If you use two different identity pools for two apps then the same end user will have a different unique identifier in each Identity Pool.

Q: How does the login flow work with public identity providers?
Your mobile app authenticates with an Identity Provider (IdP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token or the SAML assertion returned from the IdP is passed by your app to Cognito Identity, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

Q: Can I register and authenticate my own users?
Cognito Identity can integrate with your existing authentication system. With a simple API call you can retrieve a Cognito ID for your end users based on your own unique identifier for your users. Once you have retrieved the Cognito ID and OpenID Token Cognito Identity provides, you can use the Cognito Identity client SDK to access AWS resources and synchronize user data. Cognito Identity is a fully managed identity provider to make it easier for you to implement user sign-up and sign-in for your mobile and web apps.

Q: How does Cognito Identity help me control permissions and access AWS services securely?
Cognito Identity assigns your users a set of temporary, limited privilege credentials to access your AWS resources so you do not have to use your AWS account credentials. The permissions for each user are controlled through AWS IAM roles that you create. You can define rules to choose the IAM role for each user, or if you are using groups in a Cognito user pool, you can assign IAM roles based on groups. Cognito Identity also allows you to define a separate IAM role with limited permissions for guest users who are not authenticated. In addition, you can use the unique identifier that Cognito generates for your users to control access to specific resources. For example you can create a policy for an S3 bucket that only allows each user access to their own folder within the bucket.

Q: When using public identity providers, does Amazon Cognito Identity store users’ credentials?
No, your app communicates directly with the supported public identity provider (Amazon, Google, or an Open ID Connect-compliant provider) to authenticate users. Cognito Identity does not receive or store user credentials. Cognito Identity uses the token from the identity provider to obtain a unique identifier for the user and then hashes it using a one-way hash so that the same user can be recognized again in the future without storing the actual user identifier.

Q: Does Cognito Identity receive or store confidential information about my users from the identity providers?
No. Cognito Identity does not receive any confidential information (such as email address, friends list, etc.) from the identity providers.

Q: Do I still need my own backend authentication systems with Cognito Identity?
No. Cognito Identity supports login through Amazon and Google, as well as providing support for unauthenticated users. With Cognito Identity you can support federated authentication and AWS access token distribution without writing any backend code.

Q: What if I don’t want to force my users to log in?
Cognito Identity supports the creation and token vending process for unauthenticated users as well as authenticated users. This removes the friction of an additional login screen in your app, but still enables you to use temporary, limited privilege credentials to access AWS resources.