AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia
Transcript of AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
AWS Mobile Services: Deep Dive on Amazon Cognito
Stefano Buliani (@sapessi), Jinesh Varia (@jinman)
How to build a mobile app today?
What your mobile app needs (and what each need means):
• Authenticate users: Manage users and identity providers
• Authorize access: Securely access cloud resources
• Synchronize data: Sync user prefs across devices
• Analyze User Behavior: Track active users, engagement
• Track Retention: Manage funnels, campaign performances
• Store and share media: Store user-generated photos/media and share them
• Deliver media: Automatically detect mobile devices; deliver content quickly globally
• Send push notifications: Bring users back to your app by sending messages reliably
• Store shared data: Store and query fast NoSQL data across users and devices
• Stream real-time data: Collect real-time clickstream logs and take actions quickly
Introducing AWS Mobile Services
Stack (top to bottom):
• Your Mobile App, Game or Device App
• Integrated SDK: AWS Mobile SDK, API Endpoints, Management Console
• Mobile Optimized Services: Amazon Cognito, Amazon Mobile Analytics, Amazon SNS Mobile Push
• Mobile Optimized Connectors: Kinesis Connector, DynamoDB Connector, S3 Connector, SQS Connector, SES Connector
• Core Building Block Services: Compute, Storage, Networking, Analytics, Databases
• AWS Global Infrastructure (10 Regions, Availability Zones, 51 Edge Locations)
Cross-platform, Optimized for Mobile
Mobile Optimized Services:
• Amazon Cognito: User identity & data synchronization service
• Amazon Mobile Analytics: Fast cross-platform analytics & reporting service
• Amazon SNS Mobile Push: Powerful cross-platform push notification service
Mobile Optimized Connectors:
• Kinesis Connector: Recorder that can handle intermittent network connection
• DynamoDB Connector: Store any NoSQL data and also map mobile OS specific objects to DynamoDB tables
• S3 Connector: Easily upload, download to S3 and also pause, resume, and cancel these operations
• SQS Connector: Access distributed buffering and queuing service
• SES Connector: Send email reliably from device
Fully Integrated AWS Mobile SDK
• Common authentication mechanism across all services
• Automatically handle intermittent network connections
• Cross-platform Support: Android, iOS, Fire OS
• Native SDKs optimized for each mobile OS, for example, using the local offline caching architecture
• Reduced memory footprint: pick and choose only the service jars you need
How AWS Mobile Services map to those needs (all reached through the AWS Mobile SDK):
• Authenticate users: Amazon Cognito (Identity Broker)
• Authorize access: AWS Identity and Access Management
• Synchronize data: Amazon Cognito (Sync)
• Analyze User Behavior: Amazon Mobile Analytics
• Track Retention: Amazon Mobile Analytics
• Store and share media: Amazon S3 Transfer Manager
• Deliver media: Amazon CloudFront (Device Detection)
• Store shared data: Amazon DynamoDB (Object Mapper)
• Stream real-time data: Amazon Kinesis (Recorder)
• Send push notifications: Amazon SNS Mobile Push
Amazon Cognito
Amazon Cognito
• Simplifies Identity and Access Management: securely access all AWS services from a mobile device and implement security best practices.
• Cross-device and Cross-platform Sync: synchronize a user's data across devices and platforms.
• Manage users as unique identities across identity providers (Guest, Your own Auth).
"Your App data is secure, available offline, and kept in sync between devices"
Amazon Cognito Identity (diagram): Identity Providers → Unique Identities (Joe, Anna, Bob) → Any Device, Any Platform → Any AWS Service (Mobile Analytics, S3, DynamoDB, Kinesis)
• Helps implement security best practices: Securely access any AWS Service from a mobile device. It simplifies the interaction with AWS Identity and Access Management.
• Support Multiple Login Providers: Easily integrate with major login providers for authentication.
• Unique Users vs. Devices: Manage unique identities. Automatically recognize a unique user across devices and platforms.
Amazon Cognito for Unauthenticated Identities
• Guest User Access: Securely access AWS resources and leverage app features without the need to create an account or log in.
• Save Data to the Cloud: Save app and device data to the cloud and merge them after login.
• Unique Identifier for Your "Things": "Headless" connected devices can also securely access cloud services.
(Diagram: Guest → Visitor Preferences in the Cognito Store; Guest → EC2, S3, DynamoDB, Kinesis)
Use Case: Unique Identity across the web and mobile
Use case: State transition
Users begin their life as guests.
Later on they register an account
• The transition should be seamless
Use case: State transition
Multiple accounts can be linked
• You should have a consistent identifier
Use case: Game State
Getting Started with Cognito in 3 steps
1. Sign up for an AWS Account and log in to the AWS Management Console
2. Create an identity pool for authenticated and unauthenticated users in the AWS Console
3. Download and integrate the Mobile SDK, then store and sync user data in a dataset
Demo: Amazon Cognito Console
Amazon Cognito Security
• Set granular access permissions on AWS resources: Get fine-grained access control to cloud resources.
• Safeguard AWS Credentials: No need to embed credentials in the app anymore. Get least-privileged temporary credentials.
• Helps implement security best practices: Securely access any AWS Service. It simplifies the interaction with the Security Token Service and removes the need for a Token Vending Machine.
(Diagram: EC2, S3, DynamoDB, Kinesis)
Amazon Cognito Security Architecture (diagram, read as a flow):
1. The Developer configures the identity pool in the AWS Management Console (Pool ID, Role ARNs).
2. End Users log in to an identity provider via OAuth/OpenID and receive an Access Token.
3. The App (with the AWS Mobile SDK) sends the Access Token, Pool ID and Role ARNs to the Cognito Identity Broker.
4. The Cognito Identity Broker returns a Cognito ID and temporary credentials.
5. With the Cognito ID and temporary credentials the app gets access to AWS Services: DynamoDB, S3, Mobile Analytics, Cognito Sync Store.
Developer-Authenticated Identities
• Your own user authentication system: Several apps prefer to have their own username and password instead of public identity providers for authentication.
• Manage mappings easily: Cognito manages the mappings across login systems (public or private) using a unique Cognito ID.
• Easily integrate with existing systems: Implement GetOpenIdTokenForDeveloperIdentity() using our server-side SDKs like Java, Python, Ruby etc.
(Diagram: Username and Password → Your User Authentication System)
Developer Authenticated Identities (diagram, read as a flow):
1. The Developer configures the identity pool in the AWS Management Console (Pool ID, Role ARNs).
2. End Users send their username and password from the App (with the AWS Mobile SDK) to your User Authentication System (running on AWS or not).
3. Your User Authentication System calls the Cognito Identity Broker (Get OpenID Token) and receives an OIDC Token, which it returns to the app.
4. The App presents the OIDC Token to the Cognito Identity Broker and receives a Cognito ID and temporary credentials.
5. With the Cognito ID and temporary credentials the app gets access to AWS Services: DynamoDB, S3, Mobile Analytics, Cognito Sync Store.
Amazon Cognito: Authorize Access using AWS IAM
Amazon Cognito (Identity Broker)
Identity pool: a pool of identities that share the same trust policy.
Flow (diagram): Identity Providers → identity pool (unauthenticated identities, authenticated identities) → AWS IAM Roles via Web Identity Federation, inside your AWS Account → Access Policy → Access to AWS Services (S3, DynamoDB: Get, Delete, Put).
Access Policy for the IAM Role
  { "Effect": "Allow", "Action": ["s3:*"], "Resource": "*" }
  { "Effect": "Deny",  "Action": ["dynamodb:*"], "Resource": "*" }
  { "Effect": "Allow", "Action": ["cognito-sync:*"], "Resource": "*" }
Allow: Actions: all S3 and Sync store operations. Resource: all resources within these services.
Deny: Actions: all DDB operations. Resource: all resources.
Access Policy Restriction
  { "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
               "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
    "Resource": "arn:aws:s3:::BUCKET_NAME/*" }
  { "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
    "Resource": "arn:aws:s3:::BUCKET_NAME" }
  { "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
    "Resource": ["arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME",
                 "arn:aws:dynamodb:REGION:123456789:table/TABLE_NAME/index/INDEX_NAME"] }
Allow: Actions: certain operations. Resource: one bucket, one table ..
Access Policy Restriction
  { "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
               "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
    "Resource": "arn:aws:s3:::BUCKET_NAME/Bob/*" }
  { "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::BUCKET_NAME",
    "Condition": { "StringLike": { "s3:prefix": "Bob/" } } }
  { "Effect": "Allow",
    "Action": ["s3:ListBucketMultipartUploads"],
    "Resource": "arn:aws:s3:::BUCKET_NAME" }
Allow: Actions: certain operations. Resource: within a bucket, only under a specific prefix (the user).
Access Policy Restriction (Policy Variables)
  { "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"] }
Allow: Actions: S3 Get/Put operations. Resource: only the specific part of the bucket that belongs to that identity.
  { "Effect": "Allow",
    "Action": "cognito-sync:*",
    "Resource": ["arn:aws:cognito-sync:us-east-1:123456789012:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"] }
Allow: Actions: all sync operations. Resource: only that identity's own data (aud is the identity pool ID, sub the Cognito identity ID, both filled in from the caller's temporary credentials at evaluation time).
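The effect of the policy variables above, and the contrast with the wildcard statements on the first "Access Policy for the IAM Role" slide, as an added example that is not from the deck: a small IAM-style evaluator resolves ${cognito-identity.amazonaws.com:aud}/${...:sub} from a request context and shows that Bob's temporary credentials reach only Bob's object and Bob's sync datasets. The identity pool ID, identity IDs and the evaluator itself are constructed here; the two policies are the slides' own.

```python
"""Added example (not from the slides): resolve Cognito policy variables against a
request context and evaluate the slide's scoped statements for two identities; also
flag the wildcard-on-"*" Allow statements from the first policy slide."""
import fnmatch
import re

# Statements from the "Access Policy for the IAM Role" slide (wildcard resources).
BROAD_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["dynamodb:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cognito-sync:*"], "Resource": "*"},
]
# Statements from the "Policy Variables" slide, variables left unresolved.
SCOPED_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]},
    {"Effect": "Allow", "Action": "cognito-sync:*",
     "Resource": ["arn:aws:cognito-sync:us-east-1:123456789012:identitypool/"
                  "${cognito-identity.amazonaws.com:aud}/identity/"
                  "${cognito-identity.amazonaws.com:sub}/*"]},
]
POOL_ID = "us-east-1:00000000-0000-4000-8000-000000000000"   # constructed placeholder
BOB = "us-east-1:bbbbbbbb-0000-4000-8000-000000000001"       # constructed identity IDs
ANNA = "us-east-1:aaaaaaaa-0000-4000-8000-000000000002"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def resolve_variables(template, context):
    """Fill ${...} policy variables from the request context: aud is the identity pool
    ID, sub the Cognito identity ID the temporary credentials were issued for."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], template)

def is_allowed(policy, action, resource, context):
    """Minimal IAM evaluation: default deny, any matching Allow grants, an explicit
    Deny overrides. Action matching is case-insensitive; '*' and '?' are wildcards."""
    allowed = False
    for stmt in policy:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, resolve_variables(r, context))
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def wildcard_allows(policy):
    """Allow statements pairing a service-wide action wildcard with Resource "*":
    the shape the later slides replace with scoped ARNs and policy variables."""
    return [s for s in policy if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])
            and any(a.endswith("*") for a in _as_list(s["Action"]))]

def request_context(identity_id):
    """Context Cognito-issued credentials carry into policy evaluation (constructed)."""
    return {"cognito-identity.amazonaws.com:aud": POOL_ID,
            "cognito-identity.amazonaws.com:sub": identity_id}

def bob_can(action, owner):
    """Can Bob's credentials perform `action` on the S3 object / sync dataset of `owner`?"""
    if action.startswith("s3:"):
        resource = f"arn:aws:s3:::myBucket/amazon/snakegame/{owner}"
    else:
        resource = (f"arn:aws:cognito-sync:us-east-1:123456789012:identitypool/{POOL_ID}"
                    f"/identity/{owner}/prefs")
    return is_allowed(SCOPED_POLICY, action, resource, request_context(BOB))

if __name__ == "__main__":
    print("Bob reads own save    :", bob_can("s3:GetObject", BOB))                # True
    print("Bob reads Anna's save :", bob_can("s3:GetObject", ANNA))               # False
    print("Bob deletes own save  :", bob_can("s3:DeleteObject", BOB))             # False
    print("Bob syncs own dataset :", bob_can("cognito-sync:UpdateRecords", BOB))  # True
    print("Bob syncs Anna's data :", bob_can("cognito-sync:UpdateRecords", ANNA)) # False
    print("Over-broad statements :", len(wildcard_allows(BROAD_POLICY)))          # 2
```

Note that the slide's S3 resource names a single object key equal to the identity ID; a per-identity folder would need a trailing /* on that ARN, exactly as the sync-store statement has.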
Synchronize data across devices : Amazon Cognito (Sync)
What have customers told us about "Synchronized Profile"?
People have multiple devices and want to transition between them. Implementing a user profile that syncs across devices, operating systems and apps is hard. It not only has to work offline, it also has to be easy to integrate with existing apps.
Amazon Cognito Sync
User Data Storage and Sync on Any Platform (iOS/Android/FireOS)
• Store App Data, Preferences and State: Save app and device data to the cloud and merge them after login.
• Cross-device, Cross-OS Sync: Sync user data and preferences across devices with one line of code.
• Work Offline: Data is always stored in the local SQLite DB first. Works seamlessly with intermittent or no connectivity.
(Diagram: k/v data per identity in the Identity pool)
Amazon Cognito Sync
Offline: The client SDK manages a local SQLite data store to allow the app to work even when connectivity is not available.
Fast: The methods to read and write data only interact with the local SQLite database.
Intelligent Sync: The sync method compares the local version of the data to the cloud sync store, pushes up deltas and pulls down new changes.
Flexible Conflict resolution: The sync method first reads the remote changes, then writes its local changes to the cloud sync store. By default Cognito assumes that the last write wins. Developers can override this and implement their own conflict resolution programmatically.
(Diagram: Local SQLite Cache)
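The synchronize() behaviour described above, as an added in-memory model that is not the Cognito SDK: a cloud store assigns a sync count to every accepted write, a device-side dataset answers reads and writes locally, and synchronize() pulls remote changes, treats a record changed on both sides since the last sync as a conflict, applies a resolver (last write wins by default, or a developer-supplied one), and then pushes only the surviving deltas. Class and function names and the two-device scenario are constructed for illustration.

```python
"""Added example (not from the slides): a miniature model of the Cognito Sync
synchronize() flow with pluggable conflict resolution. Everything is in memory."""
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Record:
    key: str
    value: str
    sync_count: int     # version the cloud store assigned to this write (0 = never synced)
    modified_at: float  # constructed wall-clock time of the write; input to last-write-wins

class CloudSyncStore:
    """Stand-in for one identity's dataset in the Cognito sync store."""
    def __init__(self):
        self.records: Dict[str, Record] = {}
        self.sync_count = 0  # dataset-level version, bumped on every accepted write
    def changes_since(self, sync_count: int) -> Dict[str, Record]:
        return {k: r for k, r in self.records.items() if r.sync_count > sync_count}
    def put(self, rec: Record) -> Record:
        self.sync_count += 1
        self.records[rec.key] = Record(rec.key, rec.value, self.sync_count, rec.modified_at)
        return self.records[rec.key]

Resolver = Callable[[Record, Record], Record]

def last_write_wins(local: Record, remote: Record) -> Record:
    """Cognito's default: the later write (by wall-clock time) wins."""
    return local if local.modified_at >= remote.modified_at else remote
def cloud_wins(local: Record, remote: Record) -> Record:
    """A developer-supplied alternative: keep whatever is already in the cloud."""
    return remote

class LocalDataset:
    """Device-side copy (the slide's local SQLite cache); get/put never touch the network."""
    def __init__(self, cloud: CloudSyncStore):
        self.cloud, self.records = cloud, {}
        self.dirty = set()   # keys written locally since the last synchronize()
        self.last_sync = 0   # cloud sync_count observed at the end of the last synchronize()
    def get(self, key: str):
        return self.records[key].value if key in self.records else None
    def put(self, key: str, value: str, now: float):
        prev = self.records.get(key)
        self.records[key] = Record(key, value, prev.sync_count if prev else 0, now)
        self.dirty.add(key)
    def synchronize(self, resolve: Resolver = last_write_wins):
        # 1. Pull everything the cloud changed since we last looked.
        for key, remote in self.cloud.changes_since(self.last_sync).items():
            if key in self.dirty:   # changed on both sides since last sync: conflict
                winner = resolve(self.records[key], remote)
                self.records[key] = Record(key, winner.value, remote.sync_count, winner.modified_at)
                if winner is remote:
                    self.dirty.discard(key)   # nothing of ours left to push
            else:
                self.records[key] = remote
        # 2. Push only the local deltas that survived conflict resolution.
        for key in sorted(self.dirty):
            self.records[key] = self.cloud.put(self.records[key])
        self.dirty.clear()
        self.last_sync = self.cloud.sync_count

def run_scenario(resolve: Resolver = last_write_wins) -> Dict[str, str]:
    """Two devices of one identity edit the same preference; the tablet edits while offline."""
    cloud = CloudSyncStore()
    phone, tablet = LocalDataset(cloud), LocalDataset(cloud)
    phone.put("theme", "dark", now=1.0); phone.synchronize(resolve)
    tablet.synchronize(resolve)                                      # tablet pulls "dark"
    phone.put("theme", "blue", now=3.0); phone.synchronize(resolve)  # cloud is now "blue"
    tablet.put("theme", "light", now=5.0)                            # offline edit, later in time
    tablet.synchronize(resolve)   # conflict: local "light" (t=5) vs remote "blue" (t=3)
    phone.synchronize(resolve)
    return {"phone": phone.get("theme"), "tablet": tablet.get("theme"),
            "cloud": cloud.records["theme"].value}
```

With the default resolver every copy ends as "light"; passing cloud_wins keeps "blue" everywhere and the tablet's offline edit is discarded without a push.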
Sync Data Model
• Identity Pool: Pool of app users. Can be shared across apps.
• Identity: An individual user. Consistent across identity providers. Can be a guest user.
• Dataset: Per user grouping of data. The most granular level of sync. Up to 1MB.
• Record: Key/Value pair user data
Hierarchy (diagram): AWS Account (You) --1:60--> Identity Pool (Your App) --1:n--> Identity (Your App Users) --1:20--> Dataset (User Data Container) --1:1024--> Record (User Data)
Sync Data Model - Example
Developer has two apps: a game and a productivity app. Both share Identity pool 1; the Game App keeps a "Game state" dataset and the Productivity App keeps a "User preferences" dataset for each identity.
Integrating Cognito Sync functionality is dead simple (Android)
1. Initialize the CredentialsProvider and CognitoClient
   provider = new CognitoCachingCredentialsProvider(context, AWS_ACCOUNT_ID, COGNITO_POOL_ID,
       COGNITO_ROLE_UNAUTH, COGNITO_ROLE_AUTH, Regions.US_EAST_1);
   cognito = new CognitoSyncManager(context, COGNITO_POOL_ID, Regions.US_EAST_1, provider);
2. Create or open Dataset and Add Key Values
   dataset = cognito.openOrCreateDataset(datasetName);
   dataset.put(key, value);
3. Call synchronize on the dataset
   dataset.synchronize(new SyncCallback(){..});
Integrating Cognito Sync functionality is dead simple (iOS)
1. Initialize the AWSCognitoSyncClient
   AWSCognitoSyncClient *syncClient = [[AWSCognitoSyncClient alloc] initWithConfiguration:configuration];
2. Create or open Dataset and Add Key Values
   DataSet *dataset = [syncClient openOrCreateDataSet:@"myDataSet"];
   NSString *value = [dataset readStringForKey:@"myKey"];
   [dataset putString:@"my value" forKey:@"myKey"];
3. Call synchronize on the dataset
   [dataset synchronize];
Simple and predictable pay as you go pricing
Amazon Cognito
Free Tier (for first 12 months): 1 Million syncs/month + 10GB of storage for Amazon Cognito
Thereafter: $0.15 per 10K syncs; $0.15 per GB for storage
Example:
• Number of monthly sync operations: 1,000,000
• Monthly sync charge: (1,000,000 / 10,000) * $0.15 = $15
• Sync store space: 4.77GB
• Monthly sync store charge: 4.77 * $0.15 = $0.72
• Total charge: $15.72
Summary
Key Takeaways
Key Takeaways: Amazon Cognito
• Cross Platform and Optimized for Mobile
• Flexibility and Freedom of Choice
• Fully integrated and easy to get started
Amazon Cognito
Free Tier (for first 12 months): 1 Million syncs/month + 10GB of storage
Get Started Today With Cognito for Free!
http://aws.amazon.com/mobile
Cognito developer forum: https://forums.aws.amazon.com/forum.jspa?forumID=173
AWS Mobile blog: http://mobile.awsblog.com/
AWS Mobile SDK: http://aws.amazon.com/mobile/sdk/
Amazon Cognito: http://aws.amazon.com/cognito/
FAQ: http://aws.amazon.com/cognito/faqs/
Thank You!
Jinesh Varia (@jinman), Stefano Buliani (@sapessi)