AWS Mobile Services: Amazon Cognito - Identity Broker and Synchronization Service - Jinesh Varia
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Transcript of Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Hunt, Sr. Product Manager – Amazon Cognito
March 30, 2017
Deep Dive on Amazon Cognito
Topics
• AWS Mobile Services and Amazon Cognito
• Introduction to Amazon Cognito Identity
• Summary of Features
• Demo
• Deeper Dive in a Few Areas
• Getting Started
• Q & A
The Best Mobile Apps Run on AWS
Build and Scale Your Apps on AWS
• Authenticate users – Amazon Cognito (Identity)
• Analyze user behavior – Amazon Pinpoint
• Store and share media – Amazon S3
• Synchronize data – Amazon Cognito (Sync)
• Deliver media – Amazon CloudFront
• Store data – Amazon DynamoDB, Amazon RDS
• Run targeted campaigns – Amazon Pinpoint
• Send push notifications – Amazon SNS Mobile Push
• Server-side logic – Lambda
• Test your app – Device Farm
AWS Mobile Hub: Fastest Way to Build Apps on AWS
Identity is mission critical for applications
User Identity
Authentication
• Sign in users
• Enable federation with enterprise identities
• Enable federation with social identities
User Management
• Manage user lifecycles
• Store and manage user profile data
• Monitor engagement
Authorization
• Protect data and operations
• Provide fine-grained access control
Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
Amazon Cognito Identity
Your User Pools – You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support 100s of millions of users.
Federated Identities – Your users can sign in with third-party identity providers, such as Facebook (social sign-in), corporate SAML providers and OIDC providers, and you can control access to AWS resources from your app.
Using Cognito User and Federated Identities
1a. The user signs in to Cognito User Identities (your User Pool).
2a. The User Pool returns Access and ID tokens.
1b. Alternatively, the user signs in to a SAML identity provider (example: Active Directory with ADFS).
2b. The SAML identity provider returns tokens.
3. The app presents the token to Cognito Federated Identities (Identity Pool) to get AWS scoped credentials.
4. The app uses those credentials to access AWS services such as DynamoDB, S3 and API Gateway.
Amazon Cognito: Identity Management Scenarios
• Business to Consumer
• Business to Employee – SAML Federation with an Enterprise Directory
• Business to Business – SAML Federation with Partner A, Partner B
• IoT Scenarios – AWS IoT
• API Gateway with Lambda – a Custom Authorizer returns Allow or Deny
• Access control for AWS Resources – AWS IAM in front of Lambda, API Gateway, S3 and DynamoDB
Your User Pools
1. Serverless Authentication and User Management – Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
2. Enhanced Security Features – Verify phone numbers and email addresses and offer multi-factor authentication
3. Managed User Directory – Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
Comprehensive User Flows
User Sign-Up and Sign-In – Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
Email or Phone Number Verification – Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
Forgot Password – Provide users the ability to change their password when they forget it with a one-time password challenge
User Profile Data – Enable users to view and update their profile data, including custom attributes
SMS Multifactor Authentication – Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
Token Based Authentication – Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
Customize these User Flows Using Lambda
Custom User Flows Using Lambda Hooks
Category / Lambda Hook – Example Scenarios
Custom Authentication Flow
  Define Auth Challenge – Determines the next challenge in a custom auth flow
  Create Auth Challenge – Creates a challenge in a custom auth flow
  Verify Auth Challenge Response – Determines if a response is correct in a custom auth flow
Authentication Events
  Pre Authentication – Custom validation to accept or deny the sign-in request
  Post Authentication – Event logging for custom analytics
Sign-Up
  Pre Sign-up – Custom validation to accept or deny the sign-up request
  Post Confirmation – Custom welcome messages or event logging for custom analytics
Messages
  Custom Message – Advanced customization and localization of messages
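Added example (not code from the deck or from the reference app): a Pre Sign-up hook in Node.js for the "custom validation to accept or deny the sign-up request" row. The allowed-domain list and the sample event values are constructed; the event fields used (triggerSource, request.userAttributes, response) are the ones Cognito passes to this trigger.

```javascript
// Sign-up policy for the Pre Sign-up trigger: a constructed allow-list of e-mail domains.
const ALLOWED_DOMAINS = new Set(['example.com', 'example.org']);

// Pure decision function so the policy can be tested without a user pool.
// Cognito passes the sign-up attributes in event.request.userAttributes and names the
// entry point in event.triggerSource (PreSignUp_SignUp, PreSignUp_AdminCreateUser, ...).
function decideSignUp(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const email = String(attrs.email || '').trim().toLowerCase();
  const at = email.lastIndexOf('@');
  const domain = at > 0 && at < email.length - 1 ? email.slice(at + 1) : '';

  // Users created by an administrator (Admin Create User) were vetted by that admin.
  if (event.triggerSource === 'PreSignUp_AdminCreateUser') return { allow: true };
  if (!domain) return { allow: false, reason: 'an e-mail address is required' };
  if (!ALLOWED_DOMAINS.has(domain)) {
    return { allow: false, reason: `sign-ups from ${domain} are not permitted` };
  }
  return { allow: true };
}

// Lambda entry point. Returning the event accepts the sign-up; a thrown error rejects
// it and its message is returned to the client. No response flags are set, so the
// user still has to complete the one-time code verification of email or phone.
async function handler(event) {
  const decision = decideSignUp(event);
  if (!decision.allow) throw new Error(`Sign-up rejected: ${decision.reason}`);
  return event;
}

// Constructed sample event in the shape Cognito sends to a Pre Sign-up trigger.
const sampleEvent = {
  version: '1',
  triggerSource: 'PreSignUp_SignUp',
  region: 'us-east-1',
  userPoolId: 'us-east-1_EXAMPLE',
  userName: 'alice',
  request: { userAttributes: { email: 'Alice@Example.com', name: 'Alice' }, validationData: {} },
  response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
};

handler(sampleEvent).then((e) => console.log(`accepted sign-up for ${e.userName}`));
```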
Extensive Admin Capabilities
Create and manage User Pools – Create, configure, and delete multiple user pools across AWS regions
Define Custom Attributes – Define custom attributes for your user profiles
Set per-App Permissions – Set read and write permissions for each user attribute on a per-app basis
Set up Password Policies – Enforce password policies like minimum length and requirement of certain types of characters
Require Submission of Attribute Data – Select which attributes must be provided by the user prior to completion of the sign-up process
Search Users – Search users based on a full match or a prefix match of their attributes through the console or Admin API
Manage Users – Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
Groups and Multiple Authenticated Roles
Cognito User Pools groups map to different IAM roles:
• Group A – IAM Role A
• Group B – IAM Role B
• …
Cognito Federated Identities – multiple roles for authenticated identities
An authenticated user identity gets credentials for the IAM role and policy mapped to its group, and that role controls access to backend resources such as API Gateway, DynamoDB and S3.
Your User Pools and Amazon API Gateway
1. Native Support – Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool; User Pools works together with API Gateway to authorize API requests
2. Custom Authorizer Function – Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML; API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges
Control Attribute Permissions
Choose which user attributes each app can read and write (the console shows a Read and a Write checkbox per attribute, e.g. name, phone, custom:paid)
Creating Users as an Administrator
Developers or administrators can create users in a user pool and send them an optional, customizable invitation email or SMS message
New users sign in with a temporary password and create a new password
User pools can be configured to only allow users created by an administrator
Additional User Pool Features
Customizable email addresses – Customize the "from" email address of emails you send to users in a user pool.
Admin sign-in – Your app can sign in users from back-end servers or Lambda functions.
Global sign-out – Allow a user to sign out from all signed-in devices or browsers.
Custom expiration period – Set an expiration period for refresh tokens.
Importing Existing Users
Batch Imports – Import users by uploading .csv files. Users will create a new password when they first sign in. Each imported user must have an email address or a phone number.
One-at-a-Time Migration – Migrate users individually as they sign in. The app first tries to sign in via Cognito; if the user does not exist, the app signs in via the prior identity system (prior IdP), captures the username and password, and silently creates the user in Cognito. This retains passwords, but requires app coding and maintenance of the prior system for some period.
Feedback from our beta customers
“Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we’re developing a flexible, fully integrated solution that can scale effortlessly – a powerful tool that will be critical in keeping our customers’ data secure.”
“It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure.”
Demo
Demo URL
The GitHub repository for the serverless authentication sample app is available at github.com/awslabs/aws-serverless-auth-reference-app
See the Quickstart.md file for a guide to setting up and exploring the app
(We will show that URL again later in the presentation)
Understanding User Status
New users start with “Registered” status (cannot sign in)
Users must be confirmed before they can sign in
Users must be disabled before they can be deleted
States and transitions shown on the slide:
• Sign-up → Registered (cannot sign in)
• Registered → Confirmed, via confirmation by email/phone, AdminConfirm, or the Pre Sign-up Lambda trigger
• Confirmed → Disabled (Disable); Disabled → Confirmed (Enable)
• Disabled → (deleted) (Delete)
• Admin Create User → Force Change Password
• User import → Reset Required
• Reset password → Reset Required
Verifying Email and Phone
Your User Pools provide built-in verification of email addresses and phone numbers
A six-digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API (example message: “Your verification code is 938764”)
If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone
Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
Using Aliases in Amazon Cognito User Pools
Sign-up and sign-in with email is very common today
Aliases in Amazon Cognito support use of email, phone or preferred user name in place of the user name
A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user
Phone numbers and email addresses must be unique and must be verified before they can be used to sign in
Getting Started with Your User Pools
See aws.amazon.com/cognito/dev-resources/ for links to
Getting Started Guides
Documentation, SDKs, and Sample Apps
Videos
Presentation Slides
Blog Posts
Developer Forums
Q & A
Visit aws.amazon.com/cognito/ to learn more
Find resources at aws.amazon.com/cognito/dev-resources/
Explore the sample app at github.com/awslabs/aws-serverless-auth-reference-app
Ask questions at the AWS Developer Forum or Stack Overflow (‘amazon-cognito’ tag)
Appendix
Amazon Cognito: Comprehensive Support for Identity Use Cases
Pricing for Amazon Cognito User Pools
• Pricing is based on Monthly Active Users (MAUs) with volume-based discounting
  o A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)
  o No charge for subsequent sessions or for inactive users
• SMS charges are billed separately (using the SNS Global SMS feature)
Pricing Tier           Price per 1K MAUs
First 50,000 MAUs      Free
Next 50,000 MAUs       $5.50
Next 900,000 MAUs      $4.60
Next 9,000,000 MAUs    $3.25
>10,000,000 MAUs       $2.50
Amazon Cognito Sync
User Data Storage and Sync
• Any Platform – iOS/Android/FireOS
• Store app data, preferences, and state – Save app and device data to the cloud and merge them after login
• Cross-device / Cross-OS Sync – Sync user data and preferences across devices with a few lines of code
• Work offline – Data always stored in local SQLite DB first; works seamlessly with intermittent or no connectivity
• No back end – Simple client SDK eliminates need for server side code
(k/v data is stored per identity in an identity pool)
Cognito Sync Push Synchronization
• Sync between devices in near real-time using push instead of polling
• Fewer syncs = cost savings
• Powered by SNS
• Push changes from your backend
Cognito Sync Streams
• Enables deeper analysis of data
• Receive a stream of any updates to a dataset for each identity in your identity pool
• Publishes updates to Kinesis
• From Kinesis write to other destinations such as Redshift or ElasticSearch
Cognito Sync Events (Lambda)
• Can be used to provide data validation (Cheating, Sanitization)
• Can be used to inject data (Bonuses, Content)
• Perform additional logic server side during a synchronize call
• Full control over dataset contents