Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

Click here to load reader

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series

PowerPoint Presentation

Tim Hunt, Sr. Product Manager, Amazon CognitoJune 30, 2016Getting Started with Your User Pools in Amazon Cognito

2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

TopicsAWS Mobile Services and Amazon CognitoIntroduction to Your User PoolsSummary of FeaturesDemoDeeper Dive in a Few AreasGetting StartedQ & A

The Best Mobile Apps Run on AWS


AWS Mobile Services Eliminate the Heavy LiftingWhen developing mobile apps today, you want to focus on ...

The great stuff that makes your app unique


The heavy lifting needed to manage backend infrastructure

AWS Mobile SDKs

AWS Mobile HubAuthenticate usersAnalyze User BehaviorStore and share mediaSynchronize dataDeliver mediaAmazon Cognito (Sync)

Amazon Cognito(Identity)Amazon S3

Amazon CloudFrontStore dataAmazon DynamoDBAmazon RDS

Track Retention

Amazon Mobile AnalyticsSend push notificationsAmazon SNS Mobile Push

Server-side logicLambda

Device Farm

Test your app

Amazon Mobile AnalyticsBuild and Scale Your Apps on AWS


AWS Mobile Hub: Fastest Way to Build Apps on AWS


Manage authenticated and guest users access to your AWS resourcesFederated IdentitiesSynchronize users data across devices and platforms via the cloudData SynchronizationAdd sign-up and sign-in with a fully managed user directoryYour User Pool


Your ownauth

Amazon Cognito IdentityAmazon Cognito Sync

Amazon Cognito Identity and Sync

k/v data



Sign in with FacebookOrUsernamePasswordSign InOrStart as a guestAuthenticate via 3rd party Identity ProvidersAmazon Cognito Identity and User ExperienceGuest Access

Your User Pool in Amazon Cognito

Amazon Cognito Identity provides temporary credentials to securely access your resources


API Gateway


A Fully Managed User Directory in CognitoAdd sign-up and sign-in easily to your mobile and web appsEasy User ManagementVerify phone numbers and email addresses and offer multi-factor authenticationEnhanced Security FeaturesLaunch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of usersManaged User Directory


Comprehensive User ScenariosEmail or phone number VerificationForgot PasswordUser sign-up and sign-inUsers verify their email address or phone number prior to activating an accountUsers can change their password if they forget itUsers sign-up using email, phone number or user name and password.Users can then sign-in.User ProfileRetrieve and update user profiles, including custom attributesSMS-based MFAIf enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of sign-in and forgot password flows

Comprehensive Administrator ScenariosManage users in a User PoolSelect Email and Phone VerificationCustomize with Lambda TriggersSetup Password PoliciesCreate and manageUser PoolsList, search and perform actions on specific user(s) in the User PoolConfigure verifications of users email addresses and phone numbers (via SMS)Create functions in AWS Lambda to customize workflowsControl password requirements like minimum length, uppercase, and inclusion of special charactersCreate, configure and delete multiple User Pools in their AWS accountDefine AttributesSelect required attributes and Define custom user attributes

Secure Sign-in Made EasyToken-based AuthenticationSecure Remote Password ProtocolSMS-based Multi-factor AuthenticationUses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standardsUses Secure Remote Password (SRP) for secure password handling end to endEnables your end users to user the text messaging functionality of a mobile phone as an extra layer of security

Customization using Lambda hooks

Lambda HookExample ScenariosPre user sign-upCustom validation to accept or deny the sign-up requestCustom messageAdvanced customization and localization of verification messagesPre user sign-inCustom validation to accept or deny the sign-in requestPost user sign-inEvent logging for custom analyticsPost user confirmationCustom welcome messages or event logging for custom analytics

Cognito User and Federated IdentitiesCognito User Identities(Your User Pool)User

1Returns Accessand ID Tokens2

Cognito Federated Identities(Identity Pool)Get AWS scoped credentials3Accessto AWS Services



API Gateway


Understanding User StatusNew users start with Registered status

Users must be confirmed before they can sign-in

Users must be disabled before they can be deletedRegistered(cannot sign in)Sign-upConfirmedDisabledVerify emailVerify phoneorDisableDelete(deleted)

Lambda Trigger:Pre Sign-up

Verifying Email and PhoneYour User Pools provide built-in verification of email addresses and phone numbersA six digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute APIIf both a phone number and email address are provided at sign-up, a verification code will only be sent to the phoneYour app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification

Your verification code is 938764

Using Aliases in Amazon Cognito User PoolsSign-up and sign-in with email is very common todayAliases in Amazon Cognito support use of email, phone or preferred user name in place of the user nameA username value must be provided at sign-up, but it could be generated by the app and not exposed to the end userPhone numbers and email addresses must be unique and must be verified before they can be used to sign-in

My AppEmailPasswordSign InSign Up

Getting Started with Your User PoolsSee for links toSDKs for iOS, Android, and JavaScriptSample apps for iOS and AndroidAWS Mobile Blog article describes themDeveloper GuideAPI Reference Guide

Thank You!Visit to learn more

Q & AVisit to learn more


AWS ResourcesAuthentication Supported Providers:Authorization / Permission

Cognito User and Federated IdentitiesSocial Identity ProvidersDeveloper ProvidedEnterprise Identity Provider via SAML(coming)Authenticate users and generate identity tokensValidates identity tokens and provides credentials to access AWS resources

Cognito IdentityCognito Identity

PricingPricing is based on Monthly Active Users (MAUs) with volume-based discountingA user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)No charge for subsequent sessions or for inactive usersSMS charges are billed separately (using the SNS Global SMS feature)Pricing TierPrice per 1K MAUsFirst 50,000 MAUsFreeNext 50,000 MAUs$5.50Next 900,000 MAUs$4.60Next 9,000,000 MAUs$3.25>10,000,000 MAUs$2.50

Amazon Cognito SyncUser Data Storage andSync

Any PlatformiOS/Android/FireOSStore app data, preferences, and stateSave app and device data to the cloud and merge them after loginCross-device / Cross-OS Sync Sync user data and preferences across devices with a few lines of codeWork offlineData always stored in local SQLite DB firstWorks seamlessly with intermittent or no connectivity

k/v dataIdentity poolNo back endSimple client SDK eliminates need for server side code 2015 Amazon Web Services, Inc. and its affiliates. All rights reserved.


Push SyncSync between devices in near real-time using push instead of pollingFewer syncs = cost savingsPowered by SNSPush changes from your backend


Cognito StreamsEnables deeper analysis of dataReceive a stream of any updates to a dataset for each identity in your identity poolPublishes updates to KinesisFrom Kinesis write to other destinations such as Redshift or ElasticSearch




Cognito EventsCan be used to provide data validation (Cheating, Sanitization)Can be used to inject data (Bonuses, Content)Perform additional logic server side during a synchronize callFull control over dataset contents