Authentication using AWS

The process of user authentication, authorization and user management is integral to almost all web applications these days.

There are several ways to implement these functions, ranging from building an in-house solution to adopting a third-party authentication service.

This is where Cognito fits in: it provides a framework-like infrastructure for all three functions and also ties access management for AWS services into it.

AWS Cognito provides a great platform to manage user access and authentication, and supports authentication via various identity providers such as Google, Facebook and SAML.

In this article, let us get familiar with Cognito, the services it offers, and a minimal hands-on exercise using them.

The major highlights of the Cognito user and identity management are the following two pools:

1. User Pool

As per the Amazon documentation, a user pool is defined as:
Amazon Cognito User Pool makes it easy for developers to add sign-up and sign-in functionality to web and mobile applications. It serves as your own identity provider to maintain a user directory. It supports user registration and sign-in, as well as provisioning identity tokens for signed-in users.

Let me explain the user pool in a more practical scenario. Consider that we are building a web application with functionality such as sign-up, login, authentication and account recovery.

Cognito’s user pools handle the above-mentioned functionality with a high degree of customization.

2. Identity Pool

The identity pools, or federated identities, are defined as:

Amazon Cognito Federated Identities enables developers to create unique identities for your users and authenticate them with federated identity providers.

With federated identity, you can obtain temporary, limited-privilege AWS credentials to securely access other AWS services such as Amazon DynamoDB, Amazon S3, and Amazon API Gateway.

Identity pools are essentially the authorization side: they group users and issue them AWS credentials so that AWS services become accessible to them. In practice, we have a single root AWS account and grant access to multiple users with different levels of access to the services (for example, one set of users may be allocated full permissions for S3, while another set may be allocated read access only).
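The two user sets described above (full S3 access versus read-only) map onto two IAM roles attached to the identity pool. The following is an added example, not code from the original post: it builds the trust policy that lets only authenticated identities from one specific identity pool assume a role, the two permission policies scoped to a single bucket, and a small review check that a "read-only" policy really contains only read actions. The identity pool id and bucket name are placeholders.

```javascript
// Added example (not from the original post): least-privilege IAM role
// policies for a Cognito identity pool. One role gets full access to an
// application bucket, the other read-only access, and both may only be
// assumed by authenticated identities from this pool.
// Placeholders, not real resources:
const IDENTITY_POOL_ID = 'eu-west-2:00000000-0000-0000-0000-000000000000';
const BUCKET_ARN = 'arn:aws:s3:::example-app-bucket';

// Trust policy: identity pools hand out credentials through
// sts:AssumeRoleWithWebIdentity. Pinning "aud" to the pool id and "amr" to
// "authenticated" keeps tokens from other pools and unauthenticated guests out.
function trustPolicy(identityPoolId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPoolId },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
      },
    }],
  };
}

// Role policy for the first set of users: full access, but only to one bucket
// (no "s3:*" on "*").
function s3FullAccessPolicy(bucketArn) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['s3:ListBucket', 's3:GetObject', 's3:PutObject', 's3:DeleteObject'],
      Resource: [bucketArn, `${bucketArn}/*`],
    }],
  };
}

// Role policy for the second set of users: read-only on the same bucket.
function s3ReadOnlyPolicy(bucketArn) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['s3:ListBucket', 's3:GetObject'],
      Resource: [bucketArn, `${bucketArn}/*`],
    }],
  };
}

// Review check: every allowed action that is not a read verb, or that uses a
// wildcard, is returned so a "read-only" role cannot silently grow.
function nonReadActions(policy) {
  const readPrefixes = ['s3:Get', 's3:List', 's3:Describe'];
  const actions = policy.Statement
    .filter((s) => s.Effect === 'Allow')
    .flatMap((s) => (Array.isArray(s.Action) ? s.Action : [s.Action]));
  return actions.filter((a) => a.includes('*') || !readPrefixes.some((p) => a.startsWith(p)));
}

// Review check for the trust policy: both conditions must be present and
// point at the expected pool.
function trustPolicyIsScoped(policy, identityPoolId) {
  return policy.Statement.every((s) => {
    const c = s.Condition || {};
    return (c.StringEquals || {})['cognito-identity.amazonaws.com:aud'] === identityPoolId
      && (c['ForAnyValue:StringLike'] || {})['cognito-identity.amazonaws.com:amr'] === 'authenticated';
  });
}

// Run directly: print the three documents and the review results.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(trustPolicy(IDENTITY_POOL_ID), null, 2));
  console.log('full-access non-read actions:', nonReadActions(s3FullAccessPolicy(BUCKET_ARN)));
  console.log('read-only non-read actions:', nonReadActions(s3ReadOnlyPolicy(BUCKET_ARN)));
}
```

In the identity pool's settings, the role chosen for authenticated identities is the one whose trust policy carries the `aud`/`amr` conditions above; the "full" or "read-only" permission policy is what differentiates the two user sets.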

Creating a user pool

In this article, we will concentrate on creating a user pool within Cognito with a good deal of customization. In the follow-up blog, we will integrate the created user pool with the JavaScript SDK to make it functional.

1. Manage User Pools

Under the AWS services, select Cognito. On the Cognito landing page there is a button called “Manage User Pools”. Clicking on it, we see that there are no user pools to manage yet, so on the top right corner there is a button called “create user pool”, as shown below:


2. Naming the pool

After the above step, you will be redirected to the configuration page. The various configurations are split into several tabs, which can be seen in the left sidebar of the figure below:


3. Attributes

In this section, we can specify how authentication should be done: via email, mobile, or both (section 01 in the diagram below). We can also select which attributes have to be collected from the user (section 02 of the diagram below).

Finally, there is an option to add custom attributes (section 03 of the diagram below). Under custom attributes, I have added a field named “role” with the datatype “string”.


4. Password criteria and signup management

In this section we can define rules for password strength (section 01), choose how accounts can be created, that is, whether an admin is required to create a new account or a user can create one themselves (section 02), and finally the expiry settings (section 03), as shown in the figure below:


5. Multi-factor authentication

Multi-factor authentication increases the security of the application by requiring a second authentication step via mobile/email. For this app, we are not enabling MFA, as we intend to keep it simple.


6. Message customisation

Cognito offers customisation of messages, from the invitation email to the verification messages, as shown in the screen below:


7. Tags addition

We can add tags for easier identification of the app in Cognito, as shown below:

(Figure: Tags addition)

8. Remember Devices

We can configure Cognito to remember the user’s device by enabling this option. In this tutorial, we are not enabling it.

(Figure: Remember Devices)

9. App clients

On the “App clients” screen, click the “add an app client” option, which results in a screen like the one below:

(Figure: App clients)

Now we create an app client (here I have named it “test_app_client”). Creating the app client gives us a client ID, which is used to communicate with the user pool from code.

10. Triggers

We can add several Lambda trigger functions to add further business logic to the login/sign-up process. The settings can be found under the Triggers tab:

(Figure: Triggers)
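One trigger worth wiring in when the pool carries a custom “role” attribute is the pre sign-up trigger, because a user can pass any writable attribute in the sign-up call. The following is an added example, not code from the original post: a Lambda function for the pre sign-up trigger that rejects self-service sign-ups which try to choose a role, restricts sign-up to an allowed email domain, and leaves admin-created users alone. The domain list, the role names and the user pool id are assumptions for the demo.

```javascript
// Added example (not code from the original post): a Lambda function for the
// Cognito "Pre sign-up" trigger. Self-service sign-ups may not choose the
// custom "role" attribute (only the default value is accepted) and must come
// from an allowed email domain; admin-created users are exempt.
const ALLOWED_EMAIL_DOMAINS = ['example.com'];  // assumption for the demo
const SELF_SERVICE_ROLES = ['user'];            // the only value a user may claim

// Synchronous core: returns the event to let the sign-up continue, throws to
// reject it (Cognito relays the error message to the client).
function checkSignUp(event) {
  const attrs = event.request.userAttributes || {};
  const email = String(attrs.email || '').toLowerCase();
  const domain = email.split('@')[1];
  if (!domain || !ALLOWED_EMAIL_DOMAINS.includes(domain)) {
    throw new Error('Sign-up is restricted to approved email domains');
  }
  // Users can pass any writable attribute in the SignUp call, so an attempt
  // to self-assign a privileged role has to be rejected here. Admin-created
  // users (trigger source PreSignUp_AdminCreateUser) may carry any role.
  const role = attrs['custom:role'];
  if (event.triggerSource === 'PreSignUp_SignUp' && role !== undefined
      && !SELF_SERVICE_ROLES.includes(role)) {
    throw new Error('Role cannot be chosen at sign-up');
  }
  // Leave confirmation to the normal verification-code flow.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  return event;
}

// Lambda entry point: an async handler returns the event or a rejected promise.
async function handler(event) {
  return checkSignUp(event);
}
if (typeof module !== 'undefined') module.exports = { handler, checkSignUp };

// Builds an event shaped like the one Cognito sends to the trigger
// (constructed sample; the pool id and region are placeholders).
function sampleEvent(userAttributes, triggerSource = 'PreSignUp_SignUp') {
  return {
    version: '1',
    triggerSource,
    region: 'eu-west-2',
    userPoolId: 'eu-west-2_EXAMPLE',
    userName: userAttributes.email,
    request: { userAttributes, validationData: null },
    response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
  };
}

// Runs the check on a constructed event and reports the outcome as a string.
function decide(userAttributes, triggerSource) {
  try {
    checkSignUp(sampleEvent(userAttributes, triggerSource));
    return 'accept';
  } catch (e) {
    return `reject: ${e.message}`;
  }
}

// Run directly: show the four cases the trigger distinguishes.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(decide({ email: 'alice@example.com' }));
  console.log(decide({ email: 'alice@example.com', 'custom:role': 'admin' }));
  console.log(decide({ email: 'bob@other.example' }));
  console.log(decide({ email: 'admin@example.com', 'custom:role': 'admin' }, 'PreSignUp_AdminCreateUser'));
}
```

The trigger is a second line of defence; the first is to leave “custom:role” out of the app client’s writable attributes so that the browser client cannot set it at all.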

11. Review and create

As the last step, there is an option to review the entered configuration. After reviewing it, click the “create user pool” button to create the user pool.
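The same configuration that steps 1 to 11 build in the console can be expressed as parameters to the CreateUserPool and CreateUserPoolClient API calls, which is useful for keeping the pool reproducible and reviewable. The following is an added example, not code from the original post: it maps each console step to its API field, adds a small pre-deployment review check, and includes a function that sends the requests with the AWS SDK for JavaScript v3 when that package is installed. The pool name, tag value, Lambda ARN and password numbers are assumptions; the article's own password settings are not stated.

```javascript
// Added example (not code from the original post): the console choices above
// expressed as CreateUserPool / CreateUserPoolClient parameters, plus a review
// check. Pool name, tag value, Lambda ARN and password numbers are assumptions.
function userPoolParams(poolName, options = {}) {
  const {
    mfa = 'OFF',                 // step 5: the walkthrough leaves MFA off
    adminOnlySignUp = false,     // step 4: users may self-register
    rememberDevices = false,     // step 8: device tracking left off
    preSignUpLambdaArn = null,   // step 10: optional trigger
  } = options;
  const params = {
    PoolName: poolName,
    UsernameAttributes: ['email'],      // step 3: sign in with email
    AutoVerifiedAttributes: ['email'],  // a verification code is emailed on sign-up
    Schema: [
      { Name: 'email', AttributeDataType: 'String', Required: true, Mutable: true },
      // Custom attribute from step 3; Cognito exposes it as "custom:role".
      { Name: 'role', AttributeDataType: 'String', Required: false, Mutable: true,
        StringAttributeConstraints: { MinLength: '1', MaxLength: '32' } },
    ],
    Policies: {                          // step 4: password rules (assumed values)
      PasswordPolicy: { MinimumLength: 12, RequireUppercase: true, RequireLowercase: true,
        RequireNumbers: true, RequireSymbols: true, TemporaryPasswordValidityDays: 7 },
    },
    AdminCreateUserConfig: { AllowAdminCreateUserOnly: adminOnlySignUp },
    MfaConfiguration: mfa,               // 'OFF' | 'OPTIONAL' | 'ON'
    AccountRecoverySetting: { RecoveryMechanisms: [{ Priority: 1, Name: 'verified_email' }] },
    EmailVerificationSubject: 'Your verification code',           // step 6
    EmailVerificationMessage: 'Your verification code is {####}', // {####} is required
    UserPoolTags: { project: 'cognito-demo' },                    // step 7 (placeholder)
  };
  // Step 8: omitting DeviceConfiguration means devices are not remembered.
  if (rememberDevices) {
    params.DeviceConfiguration = { ChallengeRequiredOnNewDevice: true, DeviceOnlyRememberedOnUserPrompt: true };
  }
  if (preSignUpLambdaArn) params.LambdaConfig = { PreSignUp: preSignUpLambdaArn };
  return params;
}

// Step 9: the app client the browser SDK will use.
function appClientParams(userPoolId, clientName) {
  return {
    UserPoolId: userPoolId,
    ClientName: clientName,
    GenerateSecret: false,                  // a browser client cannot keep a secret
    ExplicitAuthFlows: ['ALLOW_USER_SRP_AUTH', 'ALLOW_REFRESH_TOKEN_AUTH'],
    PreventUserExistenceErrors: 'ENABLED',  // same error for unknown user and wrong password
    RefreshTokenValidity: 30,               // days
    // The client may read the role but not write it.
    ReadAttributes: ['email', 'email_verified', 'custom:role'],
    WriteAttributes: ['email'],
  };
}

// Findings a reviewer would raise before this configuration goes live.
function reviewFindings(params) {
  const findings = [];
  const pw = params.Policies.PasswordPolicy;
  if (pw.MinimumLength < 8) findings.push('password minimum length below 8');
  if (params.MfaConfiguration === 'OFF') findings.push('MFA is off');
  if (!params.AutoVerifiedAttributes || params.AutoVerifiedAttributes.length === 0) {
    findings.push('no auto-verified attribute: accounts can be created with unverified contact details');
  }
  const roleIsMutable = params.Schema.some((a) => a.Name === 'role' && a.Mutable);
  if (roleIsMutable && !(params.LambdaConfig || {}).PreSignUp) {
    findings.push('mutable custom role attribute without a PreSignUp trigger');
  }
  return findings;
}

// Sends both requests with @aws-sdk/client-cognito-identity-provider (installed
// separately; the require is inside the function so the rest runs without it).
async function createPool(region, poolName, options) {
  const { CognitoIdentityProviderClient, CreateUserPoolCommand, CreateUserPoolClientCommand } =
    require('@aws-sdk/client-cognito-identity-provider');
  const client = new CognitoIdentityProviderClient({ region });
  const pool = await client.send(new CreateUserPoolCommand(userPoolParams(poolName, options)));
  const app = await client.send(
    new CreateUserPoolClientCommand(appClientParams(pool.UserPool.Id, 'test_app_client')));
  return { userPoolId: pool.UserPool.Id, clientId: app.UserPoolClient.ClientId };
}

// Run directly: print the parameters and the review findings (no AWS call).
if (typeof require !== 'undefined' && require.main === module) {
  const params = userPoolParams('test_user_pool');
  console.log(JSON.stringify(params, null, 2));
  console.log('Review findings:', reviewFindings(params));
}
```

With the article's choices (MFA off, no trigger) the review function reports two findings; passing `mfa: 'ON'` and a `preSignUpLambdaArn` clears both. The client ID returned by `createPool` is the value the follow-up JavaScript SDK code needs.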

Conclusion

In this blog, we have created a user pool in Cognito with the bare minimum of configuration. I now recommend that you create a user pool yourself by signing up for a free AWS account in the UK. In the follow-up blog, we will use the JavaScript SDK to communicate with the user pool and see it actually working.
