AWS Cognito: Authentication & Authorization
Amazon Cognito is AWS's managed authentication and user management service. It provides user registration, login, social federation, and JWT-based access control for web and mobile applications.
In Azure terms: Cognito = Azure AD B2C + aspects of Microsoft Entra External ID
Two Main Components
1. User Pools
A User Pool is a user directory that provides:
- User registration and sign-in (username/password, email, phone)
- Email/SMS verification and MFA
- Social identity federation (Google, Facebook, Apple, SAML, OIDC)
- Customizable UI (Hosted UI: pre-built sign-in pages)
- JWT tokens: ID token, Access token, Refresh token
- Password policies, account recovery flows
- Lambda triggers for custom auth flows
2. Identity Pools
An Identity Pool (Federated Identities) provides:
- Exchange a User Pool token (or any OIDC/SAML token) for temporary AWS credentials (STS)
- Allows mobile/web apps to access AWS services directly (S3, DynamoDB)
- Supports guest (unauthenticated) access
- Different IAM roles for authenticated vs unauthenticated users
How They Work Together
User signs in → User Pool (JWT tokens) → Identity Pool → STS assume role → AWS Credentials (Access Key + Secret + Session) → App calls S3 / DynamoDB directly
Cognito Tokens
After successful authentication, Cognito returns three JWTs:
| Token | Lifetime | Purpose |
|---|---|---|
| ID Token | 1 hour | Contains user identity claims (email, name, custom attributes) |
| Access Token | 1 hour | Used to authorize API calls; contains groups/scopes |
| Refresh Token | 30 days (default) | Refresh ID and Access tokens without re-login |
Hosted UI
Cognito provides a pre-built, customizable login page, so there is no auth UI to build:

```text
https://your-domain.auth.us-east-1.amazoncognito.com/login
  ?client_id=abc123
  &response_type=code
  &scope=openid+email+profile
  &redirect_uri=https://myapp.com/callback
```

Lambda Triggers
Customize authentication flows with Lambda:
| Trigger | When | Use Case |
|---|---|---|
| Pre sign-up | Before user created | Block sign-ups from certain domains |
| Post confirmation | After email verified | Create user record in DynamoDB |
| Pre authentication | Before login | Check if user is allowed to log in |
| Post authentication | After successful login | Log sign-in event |
| Pre token generation | Before JWT issued | Add custom claims to tokens |
| Custom auth | Custom challenge flow | Passwordless (OTP) login |
Cognito with API Gateway
Protect API Gateway endpoints using a Cognito Authorizer:

Client → signs in via Cognito → gets JWT Access Token
Client → calls API Gateway with Authorization: Bearer <token>
API Gateway → validates token with Cognito User Pool
API Gateway → routes request to Lambda (if valid)

Cognito vs Azure AD B2C
| Feature | Cognito User Pools | Azure AD B2C |
|---|---|---|
| User registration | Yes | Yes |
| Social login | Google, Facebook, Apple, SAML, OIDC | Google, Facebook, Amazon, GitHub, etc. |
| Custom UI | Hosted UI (customizable CSS) | Custom policies + page templates |
| MFA | TOTP, SMS | TOTP, Phone, Email |
| Tokens | JWT (ID, Access, Refresh) | JWT (ID, Access, Refresh) |
| User attributes | Preset + custom | Custom via user flows |
| Lambda integration | Lambda triggers | Custom policies (XML-based) |
| OIDC/OAuth2 | Yes | Yes |
| Pricing | First 50,000 MAUs free | First 50,000 MAUs free |
CLI Examples
```bash
# Create a User Pool
aws cognito-idp create-user-pool \
  --pool-name my-user-pool \
  --auto-verified-attributes email \
  --policies PasswordPolicy="{MinimumLength=8,RequireUppercase=true}"

# Create a User Pool Client (app)
# Note: --generate-secret gives the client a secret, so later sign-up and
# initiate-auth calls for this client must also send a SECRET_HASH.
aws cognito-idp create-user-pool-client \
  --user-pool-id us-east-1_abc123 \
  --client-name my-web-app \
  --generate-secret

# Sign up a user
aws cognito-idp sign-up \
  --client-id abc123 \
  --username alice@example.com \
  --password MyPassword123!

# Confirm user (admin)
aws cognito-idp admin-confirm-sign-up \
  --user-pool-id us-east-1_abc123 \
  --username alice@example.com

# Log in as the user (get tokens); the app client must have
# USER_PASSWORD_AUTH enabled in its ExplicitAuthFlows
aws cognito-idp initiate-auth \
  --auth-flow USER_PASSWORD_AUTH \
  --client-id abc123 \
  --auth-parameters USERNAME=alice@example.com,PASSWORD=MyPassword123!
```