Security Architecture of AWS Cognito

Rohan Singh
CodinGurukul
Oct 19, 2018

In my last post I mentioned the security architecture that AWS Cognito provides but did not explain it, and promised to do so. This post covers the security architecture provided by AWS Cognito.

Amazon Cognito

Traditionally, as a mobile app developer you would embed your AWS access key and secret key in the app. If someone reverse engineered the app, they could extract those keys, use them to create and consume AWS resources in your account, and you would end up with the bill. Cognito addresses this by issuing short-lived temporary credentials instead, so no long-lived keys ship inside the app. Let's see how.

Amazon Cognito lets developers add user sign-up, sign-in, and access control to web and mobile apps quickly and easily. As a fully managed cloud service, it scales to millions of users.

Its User Pools provide a secure user directory that scales to hundreds of millions of users, and it is easy to set up because it is a fully managed service.

AWS Cognito identity pools support two authentication flows for obtaining temporary AWS credentials:

  • Social Identities Authentication
  • Developer Authenticated Identities

1. Social Identities Authentication

In this flow the user logs in with a public identity provider such as Facebook, Google or Amazon. The provider authenticates the user on its side and returns an OAuth access token or an OpenID Connect token. The app then passes that token to the Cognito Identity Broker together with the identity pool ID you created when setting up Cognito; the IAM role(s) granted to authenticated users are mapped on the pool (or, in the classic flow, passed explicitly to STS). The Cognito Identity Broker validates the provider token, returns a Cognito identity ID associated with that user, and issues a set of temporary credentials that the app uses to access AWS resources such as Amazon S3 and Amazon DynamoDB. The provider token, not a long-lived AWS key, is the only secret the client ever holds, and the credentials expire on their own.

2. Developer Authenticated Identities

In Developer Authenticated Identities the flow is a little different. The user first authenticates against a backend authentication system that you built, and that system decides whether the user is valid. If the user is valid, your backend calls Cognito Identity (the GetOpenIdTokenForDeveloperIdentity API) with the identity pool ID, the developer provider name registered on the pool, and your own user identifier, and Cognito returns a Cognito identity ID plus an OpenID Connect token for that user. Your backend returns both to the end user, and the app then passes the token to the Cognito Identity Broker along with the pool ID; as before, the IAM roles are mapped on the pool. The Cognito Identity Broker returns the Cognito identity ID and a set of temporary credentials that the app uses to access AWS resources such as Amazon S3 and Amazon DynamoDB. Two points matter here for security: only your backend needs IAM permission to mint Cognito tokens, so an untrusted client can never impersonate another user without first passing your authentication, and the token itself is short-lived (its lifetime is set by TokenDuration, 15 minutes by default).
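Both flows above, as an added example that is not code from the original post or from AWS. It is written against the boto3 "cognito-identity" method names (get_id, get_open_id_token_for_developer_identity, get_credentials_for_identity), but FakeCognitoIdentity is a constructed offline stand-in for boto3.client("cognito-identity") that models a single identity pool, so nothing here talks to AWS; the pool ID, developer provider name, user store and token strings are illustrative assumptions. In production you would pass a real boto3 client to the same three flow functions.

```python
"""Added example (not the post's code): Cognito identity pool flows, offline."""
from datetime import datetime, timedelta, timezone
import secrets

# Assumed identity pool ID and developer provider name (chosen when creating the pool).
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
DEV_PROVIDER = "login.example.com"
# Keys Cognito expects in the Logins map for social providers and for its own tokens.
SOCIAL_PROVIDERS = {"graph.facebook.com", "accounts.google.com", "www.amazon.com"}
COGNITO_TOKEN_KEY = "cognito-identity.amazonaws.com"


class FakeCognitoIdentity:
    """Constructed stand-in for boto3.client("cognito-identity") modelling one pool.
    The real client raises botocore.exceptions.ClientError where this raises ValueError."""

    def __init__(self):
        self._identities = {}  # (provider, subject) -> Cognito identity ID
        self._dev_tokens = {}  # backend-issued token -> identity ID

    def _identity_for(self, provider, subject):
        return self._identities.setdefault(
            (provider, subject), "us-east-1:" + secrets.token_hex(8))

    def get_id(self, IdentityPoolId, Logins):
        assert IdentityPoolId == POOL_ID
        (provider, token), = Logins.items()
        if provider not in SOCIAL_PROVIDERS:
            raise ValueError("NotAuthorizedException: provider not on this pool")
        # The real service validates the provider's token; this fake treats the
        # token string itself as the user's subject at that provider.
        return {"IdentityId": self._identity_for(provider, token)}

    def get_open_id_token_for_developer_identity(self, IdentityPoolId, Logins,
                                                 TokenDuration=900):
        assert IdentityPoolId == POOL_ID
        (provider, subject), = Logins.items()
        if provider != DEV_PROVIDER:
            raise ValueError("InvalidParameterException: unknown developer provider")
        identity_id = self._identity_for(provider, subject)
        token = secrets.token_urlsafe(16)  # stands in for the OIDC token Cognito signs
        self._dev_tokens[token] = identity_id
        return {"IdentityId": identity_id, "Token": token}

    def get_credentials_for_identity(self, IdentityId, Logins):
        (provider, token), = Logins.items()
        if provider == COGNITO_TOKEN_KEY:
            ok = self._dev_tokens.get(token) == IdentityId
        else:
            ok = self._identities.get((provider, token)) == IdentityId
        if not ok:
            raise ValueError("NotAuthorizedException: token does not match identity")
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
            "SecretKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(40),
            "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)}}


def social_login(client, provider, provider_token):
    """Flow 1 (client side): the app already holds a token from Facebook, Google
    or Amazon and trades it for a Cognito identity ID plus temporary credentials."""
    identity_id = client.get_id(
        IdentityPoolId=POOL_ID, Logins={provider: provider_token})["IdentityId"]
    return client.get_credentials_for_identity(
        IdentityId=identity_id, Logins={provider: provider_token})


def backend_issue_token(client, user_store, username, password):
    """Flow 2 (your backend): ask Cognito for a token only after your own
    authentication succeeds. user_store is a constructed {username: password}
    stand-in for a real credential check."""
    expected = user_store.get(username)
    if expected is None or not secrets.compare_digest(expected, password):
        return None  # never mint a Cognito token for an unauthenticated user
    return client.get_open_id_token_for_developer_identity(
        IdentityPoolId=POOL_ID, Logins={DEV_PROVIDER: username}, TokenDuration=900)


def developer_login(client, identity_id, cognito_token):
    """Flow 2 (client side): exchange the backend-issued token for credentials.
    The Logins key is Cognito's own provider name, not your developer provider."""
    return client.get_credentials_for_identity(
        IdentityId=identity_id, Logins={COGNITO_TOKEN_KEY: cognito_token})


def seconds_until_expiry(creds):
    """Remaining lifetime of a credential set: leaked credentials stop working by themselves."""
    return (creds["Credentials"]["Expiration"] - datetime.now(timezone.utc)).total_seconds()
```

The shape worth noticing is that the client code for both flows ends in the same get_credentials_for_identity call; what differs is who vouched for the user (a social provider, or your backend via the developer provider), and in the developer flow the client can only obtain a token for an identity your backend has already authenticated.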


This is how authentication works in AWS Cognito. Once it is set up, you can also synchronize local user data across devices through Amazon Cognito Sync.
