Authentication using AWS
The process of user authentication, authorization and user management is integral to almost all web applications these days.
There are several ways to implement these functionalities, ranging from building an in-house solution to adopting third-party solutions for authentication.
This is where Cognito finds its place: it provides a framework-like infrastructure for all three of these functions and also integrates access management for AWS services into it.
AWS Cognito provides a great platform to manage user access/authentication and supports authentication via various identity providers such as Google, Facebook and SAML.
In this article, let us get familiar with Cognito, the services it offers, and a minimal hands-on exercise on the same.
The major highlights of the Cognito user and identity management are the following two pools:
1. User Pool
As per the Amazon documentation, a user pool is defined as:
Amazon Cognito User Pool makes it easy for developers to add sign-up and sign-in functionality to web and mobile applications. It serves as your own identity provider to maintain a user directory. It supports user registration and sign-in, as well as provisioning identity tokens for signed-in users.
Let me explain the user pool in a more practical scenario. Consider we are building a web application with functionalities such as signup, login, authentication and account recovery.
Cognito's user pools handle all of the above-mentioned functionalities with a great level of customization.
2. Identity Pool
The identity pools, or federated identities, are defined as:
Amazon Cognito Federated Identities enables developers to create unique identities for your users and authenticate them with federated identity providers.
Identity pools are basically the authorization and pooling of users in order to make AWS services accessible to them. In practice, we will have a single root account for AWS and then grant access to multiple users with many different levels of access to the services; for example, one set of users would be allocated full permissions for using S3, while another set might be allocated read access only.
1. Manage User Pools
Under the AWS services, select Cognito. On the Cognito landing page there is a button called "Manage User Pools". Clicking on that, we see there are no user pools to manage yet, so on the top right corner there is a button called "create user pool", as shown below:
After the above step, you will be redirected to the configuration page. The various configurations are split into several tabs (seen on the left sidebar in the figure below):
In this section, we can specify how authentication should be done: via email, via mobile, or using both (section 01 in the diagram below). We can also select which attributes have to be collected from the user (section 02 of the diagram below).
Finally, there is an option to add custom attributes (section 03 of the diagram below). Under custom attributes, I have added a field named "role" with the datatype "string".
In this section we can define rules for password strength (section 01), choose how accounts can be created, that is, whether an admin is required to create a new account or a user can sign up on their own (section 02), and finally the expiry considerations (section 03), as shown in the figure below:
Multi-factor authentication increases the security of the application by requiring an additional verification via mobile or email. For this app, we are not enabling MFA, as we intend to keep it simple.
Cognito offers customisation of messages, right from the invitation mail to the verification messages as shown in the below screen:
We can add tags for better identification of the app in Cognito as below:
We can configure Cognito to remember the user's device by enabling this option. In this tutorial, we are not enabling it.
9. App clients
In the "App clients" screen, click the "add an app client" option, which will result in a screen like the one below:
Now we create an app client (here I have named it "test_app_client"). Creating the app client gives us the client ID, which is used to communicate with the user pool from the code.
We can add several Lambda trigger functions to add further business logic to the entire login/signup process. The settings can be found under the Triggers tab:
11. Review and create
Now, as the last step, there is an option to review the entered configuration. After reviewing it, click on the "create user pool" button to create the user pool.
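The console walkthrough above, expressed as the equivalent Cognito API calls through boto3. This is an added example, not code from the original article; the pool name `test_user_pool`, the attribute length limits, the local password check and the pool ID used in testing are assumptions.

```python
import re
# Section "Policies" of the walkthrough: password strength and temporary-password expiry.
PASSWORD_POLICY = {"MinimumLength": 8, "RequireUppercase": True, "RequireLowercase": True,
                   "RequireNumbers": True, "RequireSymbols": True,
                   "TemporaryPasswordValidityDays": 7}

def build_user_pool_params(pool_name="test_user_pool"):
    """CreateUserPool request: sign in by email, admin-only account creation,
    MFA off, and the custom string attribute "role" added in the tutorial."""
    return {
        "PoolName": pool_name,
        "UsernameAttributes": ["email"],
        "AutoVerifiedAttributes": ["email"],
        "Policies": {"PasswordPolicy": PASSWORD_POLICY},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
        "MfaConfiguration": "OFF",
        "Schema": [{"Name": "role", "AttributeDataType": "String", "Mutable": True,
                    "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "32"}}],
    }

def build_app_client_params(user_pool_id, client_name="test_app_client"):
    """CreateUserPoolClient request. WriteAttributes leaves out custom:role on purpose:
    a signed-in user can update any attribute the client may write, so an admin sets it."""
    return {
        "UserPoolId": user_pool_id,
        "ClientName": client_name,
        "GenerateSecret": False,  # public (browser/mobile) client, no client secret
        "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
        "PreventUserExistenceErrors": "ENABLED",  # no username enumeration via error text
        "ReadAttributes": ["email", "custom:role"],
        "WriteAttributes": ["email"],
    }

def password_meets_policy(password, policy=PASSWORD_POLICY):
    """Client-side check that mirrors the pool's password policy (symbol set approximated)."""
    checks = [
        len(password) >= policy["MinimumLength"],
        not policy["RequireUppercase"] or re.search(r"[A-Z]", password),
        not policy["RequireLowercase"] or re.search(r"[a-z]", password),
        not policy["RequireNumbers"] or re.search(r"[0-9]", password),
        not policy["RequireSymbols"] or re.search(r"[^A-Za-z0-9]", password),
    ]
    return all(bool(c) for c in checks)

def create_pool_and_client():
    import boto3  # imported here so the builders above work without boto3 or AWS credentials
    idp = boto3.client("cognito-idp")  # needs credentials with cognito-idp permissions
    pool_id = idp.create_user_pool(**build_user_pool_params())["UserPool"]["Id"]
    client = idp.create_user_pool_client(**build_app_client_params(pool_id))
    return pool_id, client["UserPoolClient"]["ClientId"]
```

The returned client ID is the value the tutorial refers to for talking to the user pool from application code.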