Secure Your App with Cognito

Building applications for cloud has never been easier than it is now. All the cloud service providers are in a battle of continuously adding new services to make the application building process easier, or, in other words, to make developers’ life easy.
Early days it took a lot of time to get the groundwork of an application done despite the fact it doesn’t add much of a business value. One such component is authentication and authorization. It is a required and important component for most of the applications which doesn’t add much of a business value.
So, many vendors publish different frameworks/services to add the authentication and authorization to an application easily. And here what I am going to explain in brief is a reference architecture using one such service offered by Amazon Web Services named Cognito. In AWS’s terms

With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and sync across devices

AWS Cognito Landscape (Source: https://aws.amazon.com/cognito/)

You are not convinced enough, are you? You probably should be thinking that this isn’t a big deal and can be developed easily without using an external service. Trust me I had the same thought and I have also implemented it from the scratch for a couple of times (obviously by then a service like Cognito was not there 😉). And I kind of understand the real pain in it. However, before I move into the solution, let’s have a look at the requirements typically an application would demand in terms of user management and authentication. But note that these can vary depending on the nature of the application.

  • Allowing users to sign up/sign in via social identity providers (Facebook, Google etc.).
  • Allowing users to sign up/sign in using email/passwords.
  • Storing all users in a single database despite the signup mechanism they use.
  • In case of email/passwords signup, verifying the email address.
  • Assigning different levels of privileges to users.
  • Admin console to manage users manually (add, update, delete, suspend).
  • Once logged in, using a unified authorization mechanism to access the secured services.
  • Viewing user base related reports (growth rate, new signups, frequency of logins etc.).
  • Getting notified when a new user signs up/signs in.

So, what you think? Does it still sound simple? Your application mightn’t need all above, but I think in most of the cases the above are obvious requirements. However, the great news is that all above is already done for you in Cognito. It’s only a matter of configuring it to your application.

Okay enough with boasting, let’s move to the real deal of setting AWS Cognito for your application. There are different ways to use Cognito, and the following is one such solution architecture suitable for a web + mobile application with a RESTful backend.

Here I have basically used the following AWS services and components

  • API Gateway
  • IAM Roles
  • Cognito User Pools
  • Cognito Identity Pools
User Authentication Flow

Let’s go through the steps and see what happens at each step.

  1. Log in using the preferred identity provider and receive identity token and/or access token.

a.) Facebook

b.) Google

c.) Email/Password via Cognito User Pools

2. Create an identity in the Cognito Identity Pool using the token received from the identity provider.

3. Receive temporary IAM credentials with pre-configured privileges.

4. Call API gateway endpoints using the IAM credentials received in step 3.

Additionally to the steps above there is one other step which is not shown in the diagram. That is signing up with Email/Password. It’s not simple as it sounds, it’s a separate module which comes with its own scope.

  • Register new users via Email/Password.
  • Verify the user email addresses.
  • Create new users in a user store on successful registration.
  • Recover passwords if the user doesn’t remember it.
  • Administrative actions on users (add, update, delete, suspend etc. ).

Feels the pain already 🤒 ? Not to worry, Cognito User Pools has been designed exactly to address these requirements. All the necessary functions to support all above are included within it. You only have to call them in your frontend.

Wait, there’s more good news, Cognito User Pools now comes with a built-in UI which you can use straightaway as your application’s sign up/sign in page. (More details on this are coming up on a later post 😎)

Amazon is continuously improving Cognito to give the best developer and consumer experience. So, we can expect more features coming up in the near future. Finally, what I suggest to you is that when there is a requirement, have a look at services like this before you jump into developing them on your own, it can save a lot of your time and money!

Leave a Comment

Your email address will not be published. Required fields are marked *