getting started with cognito user pools - september webinar series
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Hunt, Sr. Product Manager, Amazon Cognito
September 21, 2016
Getting Started with Amazon Cognito User Pools
Topics
AWS Mobile Services and Amazon Cognito
Introduction to Your User Pools
Summary of Features
Demo
Deeper Dive in a Few Areas
Getting Started
Q & A
The Best Mobile Apps Run on AWS
[Diagram: mobile app needs mapped to AWS services]
  Authenticate users: Amazon Cognito (Identity)
  Synchronize data: Amazon Cognito (Sync)
  Analyze user behavior and track retention: Amazon Mobile Analytics
  Store and share media: Amazon S3
  Deliver media: Amazon CloudFront
  Store data: Amazon DynamoDB, Amazon RDS
  Send push notifications: Amazon SNS Mobile Push
  Server-side logic: Lambda
  Test your app: Device Farm
Build and Scale Your Apps on AWS
AWS Mobile Hub: Fastest Way to Build Apps on AWS
Comprehensive Support for Identity Use Cases
  Federated Identities: Manage authenticated and guest users' access to your AWS resources
  Data Synchronization: Synchronize user's data across devices and platforms via the cloud
  Your User Pool: Add sign-up and sign-in with a fully managed user directory

Amazon Cognito Identity and Sync
[Diagram: guest users, your own auth, SAML providers and your user pool feed Amazon Cognito Identity; Amazon Cognito Sync holds k/v data]

Amazon Cognito Identity and User Experience
[Diagram: a sign-in screen offering "Sign in with" a 3rd party identity provider, or username and password ("Sign In"), or "Start as a guest"]
  Authenticate via 3rd party Identity Providers
  Guest Access
  Your User Pools in Amazon Cognito
  Amazon Cognito Identity provides temporary credentials to securely access your resources (DynamoDB, S3, API Gateway)
Your User Pools
  1. Serverless Authentication and User Management: Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
  2. Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication
  3. Managed User Directory: Launch a simple, low-cost, and fully managed service to create and maintain a user directory that can scale to 100s of millions of users
Comprehensive User Flows
  Email or phone number verification     Users verify their email address or phone number prior to activating an account
  Forgot password                        Users can change their password if they forget it
  User registration and authentication   Users can sign up and sign in using an email, phone number, or username (and password)
  User profile data                      Users can view and update profile data, including custom attributes
  SMS-based MFA                          Users complete Multi-Factor Authentication (MFA) by inputting a security code received via SMS as part of the sign-in flow
  Customize these user flows using Lambda
Custom User Flows Using Lambda Hooks
  Category                    Lambda Hook                      Example Scenarios
  Custom Authentication Flow  Define Auth Challenge            Determines the next challenge in a custom auth flow
                              Create Auth Challenge            Creates a challenge in a custom auth flow
                              Verify Auth Challenge Response   Determines if a response is correct in a custom auth flow
  Authentication Events       Pre Authentication               Custom validation to accept or deny the sign-in request
                              Post Authentication              Event logging for custom analytics
  Sign-Up                     Pre Sign-up                      Custom validation to accept or deny the sign-up request
                              Post Confirmation                Custom welcome messages or event logging for custom analytics
  Messages                    Custom Message                   Advanced customization and localization of messages
Custom Auth flow
[Diagram: a six-step exchange between your app and Amazon Cognito Your User Pools, in which the pool issues custom authentication challenges (e.g., CAPTCHA or custom 2nd factors) and the app answers them]
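The three custom-authentication hooks from the table above (Define, Create and Verify Auth Challenge) fit together as a small state machine, and the deck's diagram does not show the decision logic. The following is an added example, not code from the webinar or from AWS: a one-time-code second factor implemented as three Lambda handlers, plus an offline driver that replays the session history the way the user pool does. The event and response field names (request.session, response.challengeName, publicChallengeParameters, privateChallengeParameters, challengeAnswer, answerCorrect) are the ones AWS documents for these triggers but are assumptions here; check them against the current Developer Guide. Code delivery is stubbed by a constructed in-memory outbox, and MAX_ATTEMPTS is a constructed policy value.

```python
"""Custom auth challenge for a Cognito user pool as three Lambda triggers.

Added example (not from the webinar). Field names follow the AWS trigger
documentation as assumed here; delivery of the code is stubbed by OUTBOX.
"""
import hmac
import secrets

MAX_ATTEMPTS = 3          # constructed policy: fail closed after 3 wrong answers
OUTBOX = []               # constructed stand-in for an SMS/email sender
RECEIVED = "<received>"   # simulate_flow sentinel: "user types the code they got"


def define_auth_challenge(event, context=None):
    """Decide the next step from the session history Cognito passes in."""
    session = event["request"]["session"]
    response = event["response"]
    custom = [s for s in session if s["challengeName"] == "CUSTOM_CHALLENGE"]
    failures = [s for s in custom if not s["challengeResult"]]
    if custom and custom[-1]["challengeResult"]:
        # The latest custom challenge was answered correctly: issue tokens.
        response["issueTokens"], response["failAuthentication"] = True, False
    elif len(failures) >= MAX_ATTEMPTS:
        # Too many wrong answers: end the session instead of looping forever.
        response["issueTokens"], response["failAuthentication"] = False, True
    else:
        # First round, or a wrong answer with attempts left: challenge again.
        response["issueTokens"], response["failAuthentication"] = False, False
        response["challengeName"] = "CUSTOM_CHALLENGE"
    return event


def create_auth_challenge(event, context=None):
    """Generate a fresh code; the secret stays in privateChallengeParameters."""
    code = f"{secrets.randbelow(10**6):06d}"
    destination = event["request"]["userAttributes"].get("phone_number", "")
    OUTBOX.append((destination, code))          # real code would call SNS/SES
    response = event["response"]
    response["publicChallengeParameters"] = {"destination": destination[-4:]}
    response["privateChallengeParameters"] = {"code": code}   # never sent to client
    response["challengeMetadata"] = "OTP_CHALLENGE"
    return event


def verify_auth_challenge_response(event, context=None):
    """Constant-time comparison of the answer against the stored code."""
    expected = event["request"]["privateChallengeParameters"]["code"]
    answer = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected, answer)
    return event


def simulate_flow(answers):
    """Offline driver: replay the triggers as the user pool would for a list
    of answers (RECEIVED = the code from OUTBOX). Returns
    (tokens_issued, authentication_failed, rounds_played)."""
    session = []
    for answer in answers:
        step = define_auth_challenge({"request": {"session": session}, "response": {}})
        if step["response"].get("issueTokens") or step["response"].get("failAuthentication"):
            break
        created = create_auth_challenge(
            {"request": {"userAttributes": {"phone_number": "+15555550100"}}, "response": {}})
        private = created["response"]["privateChallengeParameters"]
        if answer == RECEIVED:
            answer = OUTBOX[-1][1]
        verified = verify_auth_challenge_response(
            {"request": {"privateChallengeParameters": private, "challengeAnswer": answer},
             "response": {}})
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": verified["response"]["answerCorrect"]})
    final = define_auth_challenge({"request": {"session": session}, "response": {}})["response"]
    return bool(final.get("issueTokens")), bool(final.get("failAuthentication")), len(session)
```

Two points the driver makes visible: the secret never leaves the private parameters (the client only sees the masked destination), and Define Auth Challenge is the only place that terminates the flow, so the attempt cap must live there rather than in the verifier.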
Extensive Admin Capabilities
  Create and manage user pools           Create, configure, and delete user pools across AWS regions
  Define custom attributes               Define custom attributes for your user profiles
  Set per-app permissions                Set read and write permissions for each user attribute on a per-app basis
  Set up password policies               Enforce password policies like minimum length and requirements for different character types
  Require submission of attribute data   Select which attributes must be provided by the user to complete sign-up
  Search for users                       Search for users based on a full match or a prefix match of their attributes through the console or admin API
  Manage users                           Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
Remembered Devices
  1. Remember the devices associated with your users: reduce the friction that your users face with MFA by suppressing the 2nd factor challenge from remembered devices
  2. Build logic to associate devices with your users to achieve specific business requirements such as remote device sign-out
Amazon Cognito User Pools and Amazon API Gateway
  Native Support: Configure API Gateway to accept Cognito user pool ID tokens to authorize users
  Custom Authorizer Function: Control access to your APIs by inspecting tokens provided by Cognito user pools
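"Inspecting tokens" in a custom authorizer means more than decoding the JWT: the issuer, the token type, the audience and the expiry all have to be checked, and each is a common mistake (accepting an access token where an ID token is expected, or a token minted by a different pool). The following is an added example, not code from the webinar or from AWS. It implements those claim checks with the standard library only; RS256 signature verification against the pool's JWKS is delegated to a callable the caller supplies so the logic runs offline, and the constructed test token carries a dummy signature with a stub verifier. Region, pool id and client id are placeholders.

```python
"""Claim checks for a Cognito user pool JWT, as a custom authorizer would run
them after signature verification. Added example, not from the webinar."""
import base64
import json
import time


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def validate_cognito_jwt(token, region, user_pool_id, app_client_id,
                         verify_signature, expected_use="id", now=None):
    """Return the claims if every check passes; raise ValueError naming the
    first failed check. verify_signature(kid, signing_input, signature) is the
    caller's JWKS-backed RS256 check (assumed, not implemented here)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:                       # covers json and base64 errors
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token choose 'none' or an HMAC alg.
    if header.get("alg") != "RS256" or not header.get("kid"):
        raise ValueError("unexpected header")
    if not verify_signature(header["kid"], f"{h}.{p}".encode(), signature):
        raise ValueError("bad signature")
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # ID tokens carry the app client in 'aud'; access tokens in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != app_client_id:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def rejection_reason(token, region, user_pool_id, app_client_id,
                     verify_signature, expected_use="id", now=None):
    """None if the token is accepted, otherwise the failed check's name."""
    try:
        validate_cognito_jwt(token, region, user_pool_id, app_client_id,
                             verify_signature, expected_use, now)
        return None
    except ValueError as err:
        return str(err)


def make_unsigned_token(header, claims):
    """Constructed helper for offline tests: real tokens are RS256-signed by
    the pool; this one carries dummy signature bytes."""
    h = _b64url_encode(json.dumps(header).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}.{_b64url_encode(b'dummy-signature')}"
```

The native API Gateway authorizer performs the equivalent checks for you; the point of the function is that a hand-written authorizer must not stop at the signature, and that the audience claim differs between the two token types the pool issues.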
Importing Existing Users
  Import users into your Cognito user pool by uploading .csv files
  Users will create a new password when they first sign in
  Each imported user must have an email address or a phone number
Control Attribute Permissions
  Choose which user attributes each app can read and write
  [Diagram: a per-app Read/Write permission matrix over attributes such as name, phone, and custom:paid]
Additional User Pool Features
  Customizable email addresses – Customize the "from" email address of emails you send to users in a user pool.
  Admin sign-in – Your app can sign in users from back-end servers or Lambda functions.
  Global sign-out – Allow a user to sign out from all signed-in devices or browsers.
  Custom expiration period – Set an expiration period for refresh tokens.
Feedback from our beta customers
“Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we’re developing a flexible, fully integrated solution that can scale effortlessly – a powerful tool that will be critical in keeping our customers’ data secure.”
“It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure.”
Demo
Understanding User Status
  New users start with “Registered” status
  Users must be confirmed before they can sign in
  Users must be disabled before they can be deleted
[Diagram of status transitions: Sign-up (Lambda Trigger: Pre Sign-up) creates the user in Registered status (cannot sign in); Verify email or Verify phone moves the user to Confirmed; Disable moves a Confirmed user to Disabled; Delete removes a Disabled user (deleted); User import creates the user in Password Reset Required status, and Reset password moves that user to Confirmed]
Verifying Email and Phone
  Your User Pools provide built-in verification of email addresses and phone numbers
  A six-digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API
  If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone
  Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
  [Example SMS shown on the slide: "Your verification code is 938764"]
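The three calls named above (GetUser, GetUserAttributeVerificationCode, VerifyUserAttribute) make up the client-side verification loop, and the phone-only rule means an app that collected both attributes at sign-up will usually find the email still pending. The following is an added example, not code from the webinar or from AWS: helpers written against the boto3 cognito-idp client method names (get_user, get_user_attribute_verification_code, verify_user_attribute, and the client's CodeMismatchException), plus a constructed FakeCognitoIdp that mirrors the phone-only rule so the flow runs offline. The boto3 signatures are used as known; make_client is a thin convenience that imports boto3 only when called.

```python
"""Email/phone verification loop for a Cognito user pool.
Added example, not from the webinar; FakeCognitoIdp is a constructed stand-in."""
import hmac
import secrets


def make_client(region):
    """Real client for production use (boto3 imported lazily)."""
    import boto3
    return boto3.client("cognito-idp", region_name=region)


def pending_verification(client, access_token):
    """Attributes that are set on the user but not yet verified."""
    user = client.get_user(AccessToken=access_token)
    attrs = {a["Name"]: a["Value"] for a in user["UserAttributes"]}
    return [name for name in ("email", "phone_number")
            if name in attrs and attrs.get(f"{name}_verified", "false") != "true"]


def request_code(client, access_token, attribute):
    """Ask the pool to send a six-digit code for one attribute."""
    resp = client.get_user_attribute_verification_code(
        AccessToken=access_token, AttributeName=attribute)
    return resp["CodeDeliveryDetails"]


def submit_code(client, access_token, attribute, code):
    """True if the pool accepted the code, False on mismatch."""
    try:
        client.verify_user_attribute(
            AccessToken=access_token, AttributeName=attribute, Code=code)
        return True
    except client.exceptions.CodeMismatchException:
        return False


class FakeCognitoIdp:
    """Constructed offline stand-in for the subset of the boto3 client used
    above. Models the deck's rule: when both phone and email are supplied at
    sign-up, only the phone is verified by the sign-up flow."""

    class exceptions:
        class CodeMismatchException(Exception):
            pass

    def __init__(self, email, phone):
        self._attrs = {"email": email, "email_verified": "false",
                       "phone_number": phone, "phone_number_verified": "true"}
        self._codes = {}

    def get_user(self, AccessToken):
        return {"Username": "demo",
                "UserAttributes": [{"Name": k, "Value": v} for k, v in self._attrs.items()]}

    def get_user_attribute_verification_code(self, AccessToken, AttributeName):
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[AttributeName] = code
        medium = "EMAIL" if AttributeName == "email" else "SMS"
        return {"CodeDeliveryDetails": {"Destination": "***", "DeliveryMedium": medium,
                                        "AttributeName": AttributeName}}

    def verify_user_attribute(self, AccessToken, AttributeName, Code):
        if not hmac.compare_digest(self._codes.get(AttributeName, ""), Code):
            raise self.exceptions.CodeMismatchException("wrong code")
        self._attrs[f"{AttributeName}_verified"] = "true"
        return {}

    def last_code(self, attribute):
        """Test hook only; the real service never exposes the code."""
        return self._codes[attribute]
```

Note that the "verified" state is a separate attribute (email_verified, phone_number_verified) rather than a property of the value, which is why pending_verification reads both.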
Using Aliases in Amazon Cognito User Pools
  Sign-up and sign-in with email is very common today
  Aliases in Amazon Cognito support use of email, phone or preferred user name in place of the user name
  A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user
  Phone numbers and email addresses must be unique and must be verified before they can be used to sign in
  [Diagram: a "My App" sign-in screen with Password, Sign In and Sign Up]
Cognito User and Federated Identities
[Diagram of the flow between the user, Cognito User Identities (Your User Pool), Cognito Federated Identities (Identity Pool), and AWS services]
  1. User signs in to Cognito User Identities (Your User Pool)
  2. The user pool returns Access and ID Tokens
  3. Get AWS scoped credentials from Cognito Federated Identities (Identity Pool)
  4. Access to AWS services (DynamoDB, S3, API Gateway)
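Steps 2 and 3 of the diagram are where the user pool and the identity pool meet: the ID token from the user pool is presented to the identity pool under a provider name that identifies the pool, and the identity pool will only trust a token whose provider it has been configured for. The following is an added example, not code from the webinar or from AWS. It uses the boto3 call names for the two clients (initiate_auth on cognito-idp; get_id and get_credentials_for_identity on cognito-identity) and the USER_PASSWORD_AUTH flow, which has to be enabled on the app client (production apps usually use the SDK's SRP flow instead). The region, pool ids and client id are placeholders, and the two Fake* classes are constructed so the exchange runs offline; a real caller passes boto3.client("cognito-idp") and boto3.client("cognito-identity").

```python
"""User pool sign-in followed by the identity pool credential exchange.
Added example, not from the webinar; FakeIdp/FakeIdentity are constructed."""
import secrets

REGION = "us-east-1"                                                 # placeholder
USER_POOL_ID = "us-east-1_EXAMPLE"                                   # placeholder
APP_CLIENT_ID = "exampleclientid"                                    # placeholder
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder


def login_provider_name(region, user_pool_id):
    """Logins map key for a user pool: the pool's issuer host plus pool id,
    with no scheme. A wrong region or pool id here is rejected by the identity
    pool as an untrusted provider."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def sign_in(idp, username, password):
    """Steps 1-2: authenticate against the user pool, return its tokens."""
    resp = idp.initiate_auth(AuthFlow="USER_PASSWORD_AUTH", ClientId=APP_CLIENT_ID,
                             AuthParameters={"USERNAME": username, "PASSWORD": password})
    return resp["AuthenticationResult"]


def get_aws_credentials(identity, id_token):
    """Step 3: present the ID token (not the access token) to the identity pool."""
    logins = {login_provider_name(REGION, USER_POOL_ID): id_token}
    identity_id = identity.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)["IdentityId"]
    creds = identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    return identity_id, creds["Credentials"]


def exchange_allowed(identity, id_token):
    """True if the identity pool accepts the token under our provider name."""
    try:
        get_aws_credentials(identity, id_token)
        return True
    except PermissionError:
        return False


class FakeIdp:
    """Constructed user pool: a username/password table that mints tokens."""
    def __init__(self, users):
        self._users = users

    def initiate_auth(self, AuthFlow, ClientId, AuthParameters):
        user, pw = AuthParameters["USERNAME"], AuthParameters["PASSWORD"]
        if ClientId != APP_CLIENT_ID or self._users.get(user) != pw:
            raise PermissionError("NotAuthorizedException")
        return {"AuthenticationResult": {"IdToken": f"id.{user}.{secrets.token_hex(4)}",
                                         "AccessToken": "access", "RefreshToken": "refresh"}}


class FakeIdentity:
    """Constructed identity pool that trusts exactly one login provider."""
    def __init__(self, trusted_provider):
        self._trusted = trusted_provider

    def _check(self, Logins):
        if set(Logins) != {self._trusted} or not Logins[self._trusted].startswith("id."):
            raise PermissionError("NotAuthorizedException: untrusted provider or token")

    def get_id(self, IdentityPoolId, Logins):
        self._check(Logins)
        return {"IdentityId": f"{IdentityPoolId.split(':')[0]}:identity-1"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self._check(Logins)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "secret",
                                "SessionToken": "session", "Expiration": 0}}
```

The credentials returned in step 3 are scoped by the identity pool's authenticated role, which is what limits step 4; the user pool tokens themselves grant nothing at DynamoDB or S3.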
Getting Started with Your User Pools
  See aws.amazon.com/cognito/dev-resources/ for links to:
    SDKs for iOS, Android, and JavaScript
    Sample apps for iOS and Android (an AWS Mobile Blog article describes them)
    Developer Guide
    API Reference Guide

Q&A
If you want to learn more, register for our upcoming AWS DevDay Austin!
  Monday, October 24, 2016
  JW Marriot Austin
  https://aws.amazon.com/events/devday-austin
  Free, one-day developer event featuring tracks, labs, and workshops around Serverless, Containers, IoT, and Mobile
Appendix
Visit aws.amazon.com/cognito/ to learn more

Cognito Functional Diagram
  Authentication – Supported Providers: Social Identity Providers, Developer Provided, Enterprise Identity Provider via SAML, Cognito User Pool. These authenticate users and generate identity tokens.
  Authorization / Permission: Cognito Federated Identities (Identity Pool) validates identity tokens and provides credentials to access AWS resources.
Pricing
  Pricing is based on Monthly Active Users (MAUs) with volume-based discounting
  A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)
  No charge for subsequent sessions or for inactive users
  SMS charges are billed separately (using the SNS Global SMS feature)

  Pricing Tier           Price per 1K MAUs
  First 50,000 MAUs      Free
  Next 50,000 MAUs       $5.50
  Next 900,000 MAUs      $4.60
  Next 9,000,000 MAUs    $3.25
  >10,000,000 MAUs       $2.50
Amazon Cognito Sync
  User Data Storage and Sync on any platform (iOS/Android/FireOS)
  Store app data, preferences, and state: Save app and device data to the cloud and merge them after login
  Cross-device / Cross-OS Sync: Sync user data and preferences across devices with a few lines of code
  Work offline: Data always stored in local SQLite DB first; works seamlessly with intermittent or no connectivity
  No back end: Simple client SDK eliminates need for server side code
[Diagram: identity pool holding k/v data]
Push Sync
  Sync between devices in near real-time using push instead of polling
  Fewer syncs = cost savings
  Powered by SNS
  Push changes from your backend

Cognito Streams
  Enables deeper analysis of data
  Receive a stream of any updates to a dataset for each identity in your identity pool
  Publishes updates to Kinesis
  From Kinesis write to other destinations such as Redshift or ElasticSearch
[Diagram: Cognito -> Kinesis -> Redshift / ElasticSearch]

Cognito Events
  Can be used to provide data validation (Cheating, Sanitization)
  Can be used to inject data (Bonuses, Content)
  Perform additional logic server side during a synchronize call
  Full control over dataset contents
[Diagram: Cognito -> Lambda]
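The Cognito Events slide lists validation (cheating, sanitization) and injection (bonuses, content) as the two things a sync trigger does, without showing what the Lambda sees. The following is an added example, not code from the webinar or from AWS: a Sync Trigger handler that clamps a client-supplied score, strips non-printable characters from a display name, and injects a bonus record. The event shape (eventType "SyncTrigger", datasetRecords keyed by record name with oldValue/newValue/op) follows what AWS documents for the trigger and is assumed here; the dataset keys, the score limit and the bonus value are constructed for illustration.

```python
"""Cognito Sync trigger: validate and inject dataset records during a sync.
Added example, not from the webinar; keys and limits are constructed."""

MAX_SCORE = 1_000_000      # constructed game rule: anything above is cheating
BONUS_KEY = "welcome_bonus"
NAME_MAX_LEN = 32          # constructed sanitization limit


def _revert(rec):
    """Discard the client's newValue: restore the old value if there was one,
    otherwise mark the record for removal."""
    if rec.get("oldValue") is None:
        rec["newValue"], rec["op"] = None, "remove"
    else:
        rec["newValue"], rec["op"] = rec["oldValue"], "replace"


def _valid_score(value):
    """Non-negative integer string within the game's limit."""
    return value.isdigit() and int(value) <= MAX_SCORE


def sync_trigger(event, context=None):
    """Return the (possibly modified) event; Cognito Sync stores the records
    as returned, so edits are made in place on datasetRecords."""
    if event.get("eventType") != "SyncTrigger":
        return event
    records = event.setdefault("datasetRecords", {})
    for key, rec in records.items():
        new = rec.get("newValue")
        if not isinstance(new, str):
            continue
        if key == "score" and not _valid_score(new):
            _revert(rec)                          # validation: reject the cheat
        elif key == "display_name":
            cleaned = "".join(ch for ch in new if ch.isprintable())[:NAME_MAX_LEN]
            rec["newValue"], rec["op"] = cleaned, "replace"   # sanitization
    if BONUS_KEY not in records:
        # Injection: server-authoritative content the client never wrote.
        records[BONUS_KEY] = {"oldValue": None, "newValue": "100", "op": "replace"}
    return event
```

Because the trigger runs server side on every synchronize call, it is the only place in the Sync model where the backend can enforce an invariant the client SDK cannot be trusted to keep.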