What Is Amazon Cognito User Pool and How Does It Differ From a Cognito Identity Pool
Amazon Cognito is an AWS service that lets you easily add user management to web and mobile apps. It supports social identity providers, such as Facebook and Google, and enterprise identity providers via SAML 2.0.
A powerful service.
At first, hard to understand.
One of the things that generates the most confusion is the fact that Amazon Cognito comes with two main components:
- Amazon Cognito User Pools
- Amazon Cognito Identity Pools (aka Federated Identities)
This is the first blocker because, in everyday language, users and identities are almost the same thing.
In this brief story, we will try to clarify the real differences and which scenarios can be solved using one of these components or by combining the two.
Cognito User Pool
According to the AWS official documentation:
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito […]
This means an anonymous user of our application (e.g. a mobile app or a Single Page Application) can fill in a registration form and then become a registered user. The chosen credentials (i.e. username and password) will be securely stored in the Cognito User Pool.
In this case, Amazon Cognito acts as an Identity Provider (IdP).
When this registered user wants to log in, the User Pool will be used as the source of truth to verify the provided credentials; if they are valid, a JSON Web Token (JWT) will be returned (click here if you want to know more about JWT).
Finally, if we have a protected API (e.g. GET /orders/42), this token can be used to authenticate requests (fig. 2) through the Authorization header.