Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
Cognito User Pools (CUP)
- Serverless identity provider (provides sign-in functionality for app users)
- Returns a signed JSON Web Token (JWT) that your backend verifies to establish the user's identity
- MFA support
- Supports Federated Identities, allowing users to authenticate via a third-party identity provider like Facebook, Google, SAML, etc.
- Seamless integration with API Gateway & ALB for authentication
Cognito Identity Pools (CIP)
- Provides temporary credentials (using STS) to users so they can access AWS resources
- Integrates with CUP as an identity provider
- Example use case: provide temporary access to write to an S3 bucket after authenticating the user via Facebook (using CUP identity federation)
- An S3 pre-signed URL does not fit this case, since it grants access to a single object, whereas we need to grant access to a bucket location (a prefix) and not a single object
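Added example (not from the original notes): the IAM policy that would sit on the identity pool's authenticated role for the use case above, so the temporary STS credentials reach only the caller's own prefix rather than a single object. The bucket name `example-bucket` and the `uploads/` prefix are assumptions; `${cognito-identity.amazonaws.com:sub}` is the real policy variable that resolves to the caller's identity id at evaluation time, which is what keeps one federated user out of another user's prefix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["uploads/${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/uploads/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}
```

The `s3:prefix` condition on `ListBucket` is the part most often left out: without it, every authenticated user can list every other user's object keys even though they cannot read them.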
Last updated: 2022-05-17