Using AWS Cognito

We have been using AWS Cognito for the last 10 years. Here is why we chose it for authentication and how we integrated it into our architecture.

Ronny Roeller
NEXT Engineering
3 min read · May 30, 2024


What is Amazon Cognito?

Amazon Cognito is a user authentication and authorization service that helps manage user sign-ups, sign-ins, and access control. It scales efficiently to accommodate a large number of users, which is crucial for services offering self-sign-up features. Cognito supports both user pool management and enterprise features like Single Sign-On (SSO).

Why We Chose Cognito

We chose Cognito for the following reasons:

  1. Scalability: Cognito handles a vast number of users without performance degradation.
  2. Unbeatable price: Compared to alternatives like Auth0, Cognito is far more cost-effective for our needs (100x cheaper for us). That is mainly because we need a large number of self-signup users and SSO support at the same time.
  3. Reliability: We did not experience a single reliability issue in 10 years of using Cognito.

How Cognito Works in Our Architecture

At the core, Cognito acts as our user database, storing usernames and passwords. It also integrates with various identity providers like Google and Apple for additional authentication methods. Here’s a simplified view of our setup:

  1. User Pools: Stores user credentials and profile information.
  2. Identity Providers: Allows users to authenticate through external providers (e.g., Google, SAML).
  3. App Clients: Interface between our application and the identity providers.

For multi-tenancy, we have specific app clients connected to their respective identity providers. For example, a corporate tenant might use SAML for authentication, while other tenants allow only sign in with email/password or social logins.

Figure: Multi-tenant setup with SSO support

Cognito and DynamoDB Integration

Cognito handles authentication, while DynamoDB stores detailed user profiles and project memberships. This separation ensures:

  1. Performance: Faster access to user profile data in DynamoDB
  2. Cost Efficiency: Cheaper data storage and retrieval
  3. Compliance: Clear data ownership and responsibility, especially crucial in multi-tenant Cognito accounts

Deep dive: Pre-Token Lambda Trigger

One of our critical Lambda functions, the PreToken (Pre Token Generation) trigger, enriches the authentication token with additional user data from DynamoDB. Here is a high-level overview:

  1. Receive Input: The trigger gets the Cognito user data.
  2. Lookup DynamoDB: Retrieves user profile and project membership.
  3. Enhance Token: Adds necessary claims (e.g., user ID, tenant information, project memberships) to the token.
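As an added illustration, not the authors' code, here is a Python Pre Token Generation handler that follows the three steps above using the V1 trigger event shape. The profile table, the app client to tenant mapping and all sample values are assumed and constructed so it runs offline; it also shows two checks worth having in such a trigger: fail closed when the profile lookup fails, and refuse a token when the user's tenant does not match the tenant the app client belongs to.

```python
import json

# Claim names Cognito refuses to let a Pre Token Generation trigger add or override.
RESERVED_CLAIMS = {"acr", "amr", "at_hash", "aud", "auth_time", "azp", "exp", "iat",
                   "identities", "iss", "jti", "nbf", "nonce", "origin_jti", "sub", "token_use"}

# Constructed stand-in for the DynamoDB profile table, keyed by the immutable Cognito "sub"
# (the real trigger does a GetItem on the profile table; table name and schema are assumed).
SAMPLE_PROFILES = {
    "11111111-2222-3333-4444-555555555555": {
        "user_id": "u-42", "tenant": "acme", "projects": ["p-1", "p-9"]},
}
# Constructed map from app client id to the tenant it serves (assumed); None marks a
# shared client (email/password or social login) that is not bound to one tenant.
APP_CLIENT_TENANTS = {"client-acme": "acme", "client-public": None}

def fetch_profile(sub, store=SAMPLE_PROFILES):
    """Look up the profile by sub, never by email, which is mutable and reusable."""
    profile = store.get(sub)
    if profile is None:
        # Raising fails the trigger, so Cognito issues no token (fail closed).
        raise LookupError(f"no profile for sub {sub}")
    return profile

def build_claims(profile):
    """Claims to add to the token; V1 trigger values must be strings, so lists are JSON-encoded."""
    claims = {"user_id": profile["user_id"], "tenant": profile["tenant"],
              "projects": json.dumps(profile["projects"])}
    return {k: v for k, v in claims.items() if k not in RESERVED_CLAIMS}

def handler(event, context=None, store=SAMPLE_PROFILES):
    """Pre Token Generation (V1 event) entry point: enrich the token or raise to deny it."""
    sub = event["request"]["userAttributes"]["sub"]
    profile = fetch_profile(sub, store)
    bound_tenant = APP_CLIENT_TENANTS.get(event["callerContext"]["clientId"])
    if bound_tenant is not None and profile["tenant"] != bound_tenant:
        # A user from another tenant signed in through this tenant's app client: deny.
        raise PermissionError(f"tenant {profile['tenant']} may not use client of {bound_tenant}")
    event["response"]["claimsOverrideDetails"] = {"claimsToAddOrOverride": build_claims(profile)}
    return event

def sample_event(sub="11111111-2222-3333-4444-555555555555", client_id="client-acme"):
    """Constructed V1 trigger event carrying only the fields the handler reads."""
    return {"version": "1", "triggerSource": "TokenGeneration_HostedAuth",
            "callerContext": {"clientId": client_id},
            "request": {"userAttributes": {"sub": sub, "email": "alice@example.com"}},
            "response": {"claimsOverrideDetails": None}}
```

Downstream services read these claims after verifying the token signature against the user pool's JWKS; the trigger runs before Cognito signs the token, so the claims are covered by that signature.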

This enhanced token simplifies authorization checks across our services: because the trigger runs before Cognito signs the token, each service can rely on the added claims once it has verified the token signature, without a separate lookup per request.

Figure: Various Cognito Lambda triggers

Conclusion

Amazon Cognito is the core piece of our authentication, providing scalability, cost-effectiveness, and flexibility. By leveraging AWS Lambda and DynamoDB, we have created a robust system that meets our diverse user and enterprise needs. This setup enhances performance and ensures clear data management and compliance, crucial for our multi-tenant architecture.

Happy coding!

Ronny Roeller, CTO at nextapp.co: product discovery platform for high performing teams that bring their customers into every decision.