Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks


Transcript of Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Page 1: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Hunt, Sr. Product Manager – Amazon Cognito

March 30, 2017

Deep Dive on Amazon Cognito

Page 2: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Topics

AWS Mobile Services and Amazon Cognito
Introduction to Amazon Cognito Identity
Summary of Features
Demo
Deeper Dive in a Few Areas
Getting Started
Q & A

Page 3: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

The Best Mobile Apps Run on AWS

Page 4: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Build and Scale Your Apps on AWS: each mobile capability maps to a managed service.

Authenticate users: Amazon Cognito (Identity)
Analyze user behavior: Amazon Pinpoint
Store and share media: Amazon S3
Synchronize data: Amazon Cognito (Sync)
Deliver media: Amazon CloudFront
Store data: Amazon DynamoDB, Amazon RDS
Run targeted campaigns: Amazon Pinpoint
Send push notifications: Amazon SNS Mobile Push
Server-side logic: Lambda
Test your app: Device Farm

Page 5: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

AWS Mobile Hub: Fastest Way to Build Apps on AWS

Page 6: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Identity is mission critical for applications

User identity spans three areas:

Authentication: sign in users; enable federation with enterprise identities; enable federation with social identities.

User Management: manage user lifecycles; store and manage user profile data; monitor engagement.

Authorization: protect data and operations; provide fine-grained access control.

Page 7: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Developing Auth Infrastructure is Difficult

• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications

Page 8: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Amazon Cognito Identity

Your User Pools: You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support 100s of millions of users.

Federated Identities: Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.

(Diagram: a sign-in form with username and password, alongside "Sign in with" Facebook, Corporate, OIDC, and SAML providers)

Page 9: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Using Cognito User and Federated Identities

The diagram shows two sign-in paths feeding one identity pool:

1a. The user signs in to Cognito User Identities (your user pool).
2a. The user pool returns access and ID tokens.
1b. Alternatively, the user signs in with a SAML identity provider (example: Active Directory with ADFS).
2b. The SAML identity provider returns tokens.
3. The tokens are exchanged with Cognito Federated Identities (identity pool) for AWS-scoped credentials.
4. Those credentials grant access to AWS services such as DynamoDB, S3, and API Gateway.

Page 10: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Amazon Cognito: Identity Management Scenarios

Business to Consumer: Cognito in front of API Gateway, S3, and DynamoDB.
Business to Employee: SAML federation from an enterprise directory through Cognito.
Business to Business: partners (Partner A, Partner B) federate through Cognito.
IoT Scenarios: Cognito with AWS IoT.
API Gateway with Lambda: a custom authorizer Lambda returns Allow or Deny for each request.
Access control for AWS resources: AWS IAM roles and policies scope what each Cognito identity can reach.

Page 11: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Your User Pools

1. Serverless Authentication and User Management: Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure.

2. Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication.

3. Managed User Directory: Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users.

Page 12: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Comprehensive User Flows

User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.

Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge.

Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge.

User Profile Data: Enable users to view and update their profile data, including custom attributes.

SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow.

Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.

Customize these user flows using Lambda.

Page 13: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Custom User Flows Using Lambda Hooks

Category / Lambda Hook / Example Scenarios

Custom Authentication Flow
  Define Auth Challenge: Determines the next challenge in a custom auth flow
  Create Auth Challenge: Creates a challenge in a custom auth flow
  Verify Auth Challenge Response: Determines if a response is correct in a custom auth flow

Authentication Events
  Pre Authentication: Custom validation to accept or deny the sign-in request
  Post Authentication: Event logging for custom analytics

Sign-Up
  Pre Sign-up: Custom validation to accept or deny the sign-up request
  Post Confirmation: Custom welcome messages or event logging for custom analytics

Messages
  Custom Message: Advanced customization and localization of messages
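The three custom-authentication hooks above work as a small state machine driven by the session history Cognito passes in. The following is an added example (not from the talk or the AWS SDK) of a one-time-code challenge: the field names are those of the Cognito trigger event format, MAX_ATTEMPTS and the send_code delivery hook are assumptions, and the code never leaves privateChallengeParameters, which Cognito keeps server-side.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: fail the sign-in after three wrong answers


def define_auth_challenge(event):
    """Define Auth Challenge: pick the next step from the session history."""
    session = event["request"].get("session", [])
    resp = event["response"]
    if session and session[-1].get("challengeResult"):
        resp["issueTokens"], resp["failAuthentication"] = True, False
    elif len(session) >= MAX_ATTEMPTS:
        resp["issueTokens"], resp["failAuthentication"] = False, True
    else:
        resp["issueTokens"], resp["failAuthentication"] = False, False
        resp["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def create_auth_challenge(event, send_code):
    """Create Auth Challenge: mint a one-time code and deliver it out of band.
    send_code(destination, code) is a hypothetical delivery hook (e.g. SMS)."""
    code = f"{secrets.randbelow(10**6):06d}"
    resp = event["response"]
    # Public parameters reach the client; private ones stay inside Cognito.
    resp["publicChallengeParameters"] = {"prompt": "Enter the code we sent you"}
    resp["privateChallengeParameters"] = {"answer": code}
    resp["challengeMetadata"] = "ONE_TIME_CODE"
    send_code(event["request"]["userAttributes"].get("phone_number"), code)
    return event


def verify_auth_challenge_response(event):
    """Verify Auth Challenge Response: constant-time compare of the answer."""
    expected = event["request"]["privateChallengeParameters"]["answer"]
    given = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, given)
    return event


def new_event(trigger, request=None):
    """Constructed trigger event with just the fields these hooks read and write."""
    return {"triggerSource": trigger, "request": dict(request or {}), "response": {}}
```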

Page 14: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Extensive Admin Capabilities

Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions.
Define Custom Attributes: Define custom attributes for your user profiles.
Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis.
Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters.
Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process.
Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API.
Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out.

Page 15: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Groups and Multiple Authenticated Roles

Cognito User Pools: groups map to different IAM roles (Group A to IAM Role A, Group B to IAM Role B).

Cognito Federated Identities: an authenticated user identity gets credentials for the role mapped to its group (multiple roles for authenticated identities).

Backend resources: each IAM role and policy controls access to API Gateway, DynamoDB, and S3.

Page 16: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Your User Pools and Amazon API Gateway

1. Native Support: Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool. User Pools works together with API Gateway to authorize API requests.

2. Custom Authorizer Function: Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML. API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges.
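Whether API Gateway or your own backend accepts the user pool ID token (page 12's token-based authentication and the native support above), the same claim checks apply after the RS256 signature has been verified against the pool's JWKS: the issuer must be this pool, the audience must be this app client, token_use must be "id", and the token must not be expired. The block below is an added example, not code from the talk or the AWS SDK; REGION, USER_POOL_ID and APP_CLIENT_ID are placeholders, and make_unsigned_token builds constructed input only.

```python
import base64
import json
import time

# Assumptions (placeholders, not real identifiers): where the user pool lives
# and which app client the backend expects tokens for.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Split a JWT and return its payload claims. This does NOT verify the
    signature; that check against the pool's JWKS must pass before any of
    the claims below are trusted."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_id_token_claims(claims, now=None):
    """Return the list of failed checks for a user pool ID token (empty = OK)."""
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss")        # issued by some other pool or issuer
    if claims.get("aud") != APP_CLIENT_ID:
        problems.append("aud")        # issued to a different app client
    if claims.get("token_use") != "id":
        problems.append("token_use")  # an access token presented as an ID token
    if claims.get("exp", 0) <= now:
        problems.append("exp")        # expired; the client should refresh
    return problems


def make_unsigned_token(claims):
    """Constructed test input: a token with an empty signature segment. Real
    user pool tokens are RS256-signed and must be rejected if that check fails."""
    header = {"alg": "RS256", "kid": "example-kid"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."
```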

Page 17: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Control Attribute Permissions

Choose which user attributes each app can read and write. The console shows a Read and a Write setting per attribute; the slide's examples are name, phone, and custom:paid.

Page 18: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Creating Users as an Administrator

Developers or administrators can create users in a user pool and send them an optional, customizable invitation email or SMS message

New users sign in with a temporary password and create a new password

User pools can be configured to only allow users created by an administrator

Page 19: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Additional User Pool Features

Customizable email addresses – Customize the "from" email address of emails you send to users in a user pool.

Admin sign-in – Your app can sign in users from back-end servers or Lambda functions.

Global sign-out – Allow a user to sign out from all signed-in devices or browsers.

Custom expiration period – Set an expiration period for refresh tokens.

Page 20: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Importing Existing Users

Batch Imports: Import users by uploading .csv files. Users will create a new password when they first sign in. Each imported user must have an email address or a phone number.

One-at-a-Time Migration: Migrate users individually as they sign in. The app first tries to sign in via Cognito; if the user does not exist, the app signs in via the prior identity system, captures the username and password, and silently creates the user in Cognito. This retains passwords, but requires app coding and maintenance of the prior system for some period.
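The one-at-a-time migration flow above, as an added example (not code from the talk or the AWS SDK). The Directory class is a constructed in-memory stand-in for both the Cognito user pool and the prior IdP; it keeps passwords in the clear only so the example runs offline, where real stores hold hashes. The two points a practitioner would want enforced are visible in the control flow: a user Cognito already knows is never routed to the prior system, and a Cognito user is only created after the prior system has accepted the password.

```python
import hmac


class UserNotFound(Exception):
    """The directory has no record for this username."""


class BadCredentials(Exception):
    """The directory knows the user but rejected the password."""


class Directory:
    """Constructed in-memory stand-in for a user store (the real ones are the
    Cognito user pool and the prior IdP; a real store keeps password hashes)."""

    def __init__(self, users=None):
        self._users = dict(users or {})

    def sign_in(self, username, password):
        if username not in self._users:
            raise UserNotFound(username)
        if not hmac.compare_digest(self._users[username], password):
            raise BadCredentials(username)
        return {"username": username}

    def create_user(self, username, password):
        self._users[username] = password

    def has(self, username):
        return username in self._users


def sign_in_with_migration(cognito, prior_idp, username, password):
    """One-at-a-time migration: try Cognito first; only if the user does not
    exist there, authenticate against the prior system and, on success, create
    the user in Cognito with the same password. Returns (session, migrated)."""
    try:
        return cognito.sign_in(username, password), False
    except UserNotFound:
        pass  # unknown to Cognito: fall through to the prior IdP
    # A wrong password or unknown user at the prior IdP raises here, so no
    # Cognito user is ever created from an unverified credential.
    prior_idp.sign_in(username, password)
    cognito.create_user(username, password)
    return cognito.sign_in(username, password), True
```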

Page 21: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Feedback from our beta customers

“Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we’re developing a flexible, fully integrated solution that can scale effortlessly – a powerful tool that will be critical in keeping our customers’ data secure.”

“It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure.”

Page 22: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Demo

Page 23: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Demo URL

The GitHub repository for the serverless authentication sample app is available at github.com/awslabs/aws-serverless-auth-reference-app

See the Quickstart.md file for a guide to setting up and exploring the app

(We will show that URL again later in the presentation)

Page 24: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Understanding User Status

New users start with “Registered” status (cannot sign in).
Users must be confirmed before they can sign in.
Users must be disabled before they can be deleted.

States and transitions in the diagram:

Registered: entered on sign-up.
Confirmed: reached from Registered by confirming via email/phone, by an admin confirm, or through the Pre Sign-up Lambda trigger.
Force Change Password: the state of a user created with Admin Create User, until the user sets a new password.
Reset Required: the state after a user import or a password reset, until the user resets the password.
Disabled: reached from Confirmed by Disable; Enable returns the user to Confirmed.
Deleted: reached only from Disabled by Delete.

Page 25: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Verifying Email and Phone

Your User Pools provide built-in verification of email addresses and phone numbers.

A six-digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API.

If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone.

Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification.

Sample message: “Your verification code is 938764”

Page 26: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Using Aliases in Amazon Cognito User Pools

Sign-up and sign-in with email is very common today.

Aliases in Amazon Cognito support use of email, phone, or preferred user name in place of the user name.

A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user.

Phone numbers and email addresses must be unique and must be verified before they can be used to sign in.

Page 27: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Getting Started with Your User Pools

See aws.amazon.com/cognito/dev-resources/ for links to

Getting Started Guides

Documentation, SDKs, and Sample Apps

Videos

Presentation Slides

Blog Posts

Developer Forums

Page 28: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Q & A Visit aws.amazon.com/cognito/ to learn more

Find resources at aws.amazon.com/cognito/dev-resources/

Explore the sample app at github.com/awslabs/aws-serverless-auth-reference-app

Ask questions at the AWS Developer Forum or Stack Overflow (‘amazon-cognito’ tag)

Page 29: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Appendix

Page 30: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Amazon Cognito: Comprehensive Support for Identity Use Cases

Page 31: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Pricing for Amazon Cognito User Pools

Pricing is based on Monthly Active Users (MAUs) with volume-based discounting.
o A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change).
o No charge for subsequent sessions or for inactive users.

SMS charges are billed separately (using the SNS Global SMS feature).

Pricing Tier           Price per 1K MAUs
First 50,000 MAUs      Free
Next 50,000 MAUs       $5.50
Next 900,000 MAUs      $4.60
Next 9,000,000 MAUs    $3.25
>10,000,000 MAUs       $2.50

Page 32: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Amazon Cognito Sync

User data storage and sync for any platform (iOS/Android/FireOS): key/value data tied to an identity pool.

Store app data, preferences, and state: save app and device data to the cloud and merge them after login.

Cross-device / cross-OS sync: sync user data and preferences across devices with a few lines of code.

Work offline: data is always stored in a local SQLite DB first, so sync works seamlessly with intermittent or no connectivity.

No back end: the simple client SDK eliminates the need for server-side code.


Page 33: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Cognito Sync Push Synchronization

Sync between devices in near real-time using push instead of polling. Fewer syncs = cost savings. Powered by SNS. Push changes from your backend.

Page 34: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Cognito Sync Streams

Enables deeper analysis of data: receive a stream of any updates to a dataset for each identity in your identity pool.

Publishes updates to Kinesis; from Kinesis, write to other destinations such as Redshift or Elasticsearch.

(Diagram: Cognito to Kinesis, then to Redshift and Elasticsearch)

Page 35: Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Cognito Sync Events

Perform additional logic server side during a synchronize call, with full control over dataset contents:
Can be used to provide data validation (cheating, sanitization)
Can be used to inject data (bonuses, content)

(Diagram: Cognito invoking Lambda)