Add End User Sign-in, User Management, and Security to Your Mobile and Web Applications with Amazon Cognito
1. 08/2017
Add End user sign-in, User management, and
Security to your Mobile and Web Applications
with Amazon Cognito
Ed Lima, Solutions Architect
AWS Mobile Week | San Francisco Pop-up Loft
4. Topics
AWS Mobile Services and Amazon Cognito
Introduction to Amazon Cognito Identity
Summary of Features
App Integration
Demo
OAuth2 Support in Cognito User Pools
Sample Use Cases
Getting Started
5. Authenticate users
Analyze User Behavior
Store and share media
Synchronize data
Deliver media
Amazon Cognito
(Sync)
Amazon Cognito
(Identity)
Amazon S3
Amazon CloudFront
Store data
Amazon DynamoDB
Amazon RDS
Run Targeted Campaigns
Send push notifications
Amazon SNS
Mobile Push
Server-side logic
Lambda
Device Farm
Test your app
Build and Scale Your Apps on AWS
Amazon Pinpoint
Amazon Pinpoint
7. Identity is mission critical for your applications
Security
Revenue
Generation
Application
Backbone
Know your users
Monitor engagement
with your application
Store and manage
user data
Personalize your
users’ experiences
Protect sensitive data
Secure business-
critical processes
User Identity
8. Authentication User ManagementAuthorization
Manage user lifecycles
Store and manage
user profile data
Monitor engagement
Protect data and
operations
Provide fine-grained
access control
Sign in users
Enable federation with
enterprise identities
Enable federation with
social identities
User Identity
Identity is mission critical for your applications
9. Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
1
2
3
5
6
4
11. Amazon Cognito Identity
Facebook
Corporate
OIDC
Sign in with
Your User Pools
You can easily and securely add sign-up
and sign-in functionality to your mobile
and web apps with a fully-managed
service that scales to support 100s of
millions of users.
Federated Identities
Your users can sign in with third-party
identity providers, such as Facebook and
SAML providers, and you can control
access to AWS resources from your app.
SAML
Sign in
Username
Password
Submit
13. Cognito Federated Identities (Identity Pools)
• Exchanges tokens from
authenticated users for AWS
credentials to access
resources such as S3 or
DynamoDB
• You can defined rules for
mapping users to different
IAM roles to manage
permissions
• Provides an identity pool id to
uniquely identify users
Cognito
Identity Pool
AWS
Credentials
/ / etc
token
Mobile or web app
DynamoDB
S3
API GW
Access backend
resources
- tied to IAM
role
1
3
2
14. Your User Pools
Add user sign-up and sign-
in easily to your mobile and
web apps without worrying
about server infrastructure
Serverless Authentication
and User Management
Verify phone numbers and
email addresses and offer
multi-factor authentication
Enhanced Security
Features
Launch a simple, secure,
low-cost, and fully managed
service to create and
maintain a user directory
that scales to 100s of
millions of users
Managed User Directory
1 2 3
15. Extensive Admin Capabilities
Create and Manage
User Pools
Define Custom
Attributes
Require Submission
of Attribute Data
Set per-App
Permissions
Set up Password
Policies
Manage and Search
Users
16. Comprehensive User Flows
User Sign-Up and
Sign-In
User Profile Data Forgot Password
Token Based
Authentication
Email or Phone
Number Verification
SMS Multifactor
Authentication
18. Custom User Flows Using Lambda Hooks
Category Lambda Hook Example Scenarios
Custom
Authentication
Flow
Define Auth Challenge Determines the next challenge in a custom auth flow
Create Auth Challenge Creates a challenge in a custom auth flow
Verify Auth Challenge Response Determines if a response is correct in a custom auth flow
Authentication
Events
Pre Authentication Custom validation to accept or deny the sign-in request
Post Authentication Event logging for custom analytics
Sign-Up
Pre Sign-up Custom validation to accept or deny the sign-up request
Post Confirmation Custom welcome messages or event logging for custom analytics
Messages Custom Message Advanced customization and localization of messages
20. Groups
Cognito User Pools
Groups and Multiple Authenticated Roles
Group A
IAM Role A
Group B
IAM Role B
…
Authenticated
User Identity
Get
Credentials
Multiple Roles for Authenticated Identities
Cognito Federated Identities
IAM Role and Policy
IAM Role and Policy
IAM Role and Policy
Backend
Resources
MaptodifferentIAMroles
API Gateway
DynamoDB
S3
ControlAccess
22. Creating Users as an Administrator
Developers or administrators can create users in a user pool and
send them an optional, customizable invitation email or SMS
message
New users sign in with a temporary password and create a new
password
User pools can be configured to only allow users created by an
administrator
23. Understanding User Status
New users start with
“Registered” status
Users must be
confirmed before
they can sign-in
Users must be
disabled before
they can be deleted
Registered
(cannot sign in)
Sign-up
Confirmed
Disabled
Admin
Confirm
Confirm via
email/phone
or
Disable
Delete
(deleted)
Lambda Trigger:
Pre Sign-up Reset Required
User import
Force Change
Password
Admin Create User
Reset password
Enable
24. Verifying Email and Phone
Your User Pools provide built-in verification of email
addresses and phone numbers
A six digit code is sent as an email message or SMS
text and is submitted via the VerifyUserAttribute
API
If both a phone number and email address are
provided at sign-up, a verification code will only be
sent to the phone
Your app can call GetUser to see if an email address
or phone number is awaiting verification, and then call
GetUserAttributeVerificationCode to initiate
the verification
Your verification
code is 938764
25. Remembered Devices
Remember the devices
associated with your users
1
How do I reduce the friction
that my users face when
having to complete the 2nd
factor challenge on every
sign-in?
How do I build logic to
associate devices with my
users to achieve my specific
business requirements?
2
26. Importing Existing Users
Batch Imports
Import users by uploading .csv files
Users will create a new password when they first sign-
in
Each imported user must have an email address or a
phone number
One-at-a-Time Migration
Migrate users individually as they sign in
App first tries to sign in via Cognito, if user does not
exist, app signs in via prior identity system, captures
username and password, and silently creates user in
Cognito
Retains passwords, but requires app coding and
maintenance of prior system for some period
Prior
IdP
28. App Integration with User Pools - Beta
• User Pools now provide a
Hosted UI for sign up, sign in,
forgot password, etc.
• WebView for Mobile
• You can customize the UI and
domain
• Basic in beta, more advanced
coming
29. Federation with User Pools - Beta
• Cognito handles interactions with IdPs to authenticate
users and receive tokens
• Identity providers (IdPs) are configured in Cognito
• E.g., SAML metadata document, issuer URL,
identifiers/domains
• Cognito User Pools act as a universal directory
providing user profiles and authentication tokens for
federated and “native” users
• Initially supporting SAML in beta, but more IdPs are
coming
30. Why Federation with User Pools?
• Enables management of federated users with User Pool
profiles and groups
• Attributes (claims) from federated user identities can be
mapped to user pool profile attributes
• Standardizes auth across all users – Apps can simply
direct all users to our hosted UI to sign in, and they all
get the same OIDC standard User Pool tokens
32. User Pool SAML Federation
Amazon Cognito
IdPIdPIdP
Hosted
UI
Determine IdP
1
2
3
5
IdP UI 4
7
Redirect to IdP
POST back with SAML assertion
User authenticated by IdP
(SSO if active session)
Amazon Cognito tokens provided to app
Mobile or web app
<SAML>
Create/Update profile
6
OIDC
token
35. “No server is easier to
manage than no server”
Werner Vogels
CTO, Amazon.com
36. Two Ways to Federate with Amazon Cognito
Cognito User Pools Cognito Identity Pools
• Handles the IdP interactions
for you
• Provides profiles to manage
users
• Provides OpenID Connect
and OAuth2.0 standard
tokens
• Priced per monthly active
user
• IdP interactions and user
profiles handled by
application
• Provides AWS credentials for
accessing resources on
behalf of users
• Supports rules to map users
to different IAM roles
• Free
38. JSON Web Tokens (JWT)
• Compact and Self-contained way for securely
transmitting information between parties as a JSON
object
• Digitally Signed
• Once the user is logged in, each subsequent
request will include the JWT, allowing the user to
access routes, services, and resources that are
permitted with that token
• Single Sign On is a feature that widely uses JWT
nowadays, because of its small overhead and its
ability to be easily used across different domains
• Typically saved in the browser’s local storage (but
cookies can be also used), instead of the traditional
approach of creating a session in the server and
returning a cookie
• Stateless Authentication Mechanism
JWT Key Set:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
41. Why use JSON Web Tokens?
• Scalability – Unlike server-based authentication, token-based
authentication doesn’t require you to store session state on the
server side, which increases the scalability of applications
• Reusability – Multiple services or applications could leverage the
same token for authorizing
• Security – Protection against Cross Site Request Forgery
(CSRF), token expiry, and revocation capabilities
43. OAuth 2.0 Support in Cognito User Pools
• Industry standard protocol for authorization
• Permissions are defined as “scopes”
• E.g., permission to read a user profile or edit photos
• Client apps can request a set of scopes, and if
permitted, get back an access token with those scopes
• If the request is in the context of a user, the user can be
authenticated - end user consent is not yet supported
• Client apps take the access token to a resource server
to access the resources as permitted by the scopes
44. OAuth 2.0 Flows Supported in Cognito
• Authorization code
• User is authenticated
• Returns code to be used with token service to retrieve
tokens
• Avoids exposing tokens to the client
• Use PKCE for security on native apps
• Implicit (for single page web apps)
• User is authenticated
• Returns tokens directly
45. OAuth 2.0 Scopes - Standard
• Standard Scopes define what tokens and attributes
are returned:
o openid: required to get the User Pool Id token
o email: required for email and email_verified
o phone: required for phone and phone_verified
o profile: required for non phone/email attributes
o aws.cognito.signin.user.admin: required to use the
access token with the User Pool (e.g., to call getUser)
• Scopes can be used in combination, separated by spaces
• Scopes must be enabled for each client app
• If no scopes are requested, Cognito will apply all scopes
enabled for the app client
46. • An Identity Layer on top of the OAuth 2.0 protocol – authentication
• Request and receive information about authenticated sessions and end-
users
48. Cognito User Pool as a Standalone IdP
Username
Password
Sign In
Cognito
User Pool
CUP
Token
Backend
resources
Authenticate with a
user pool via our SDK
or hosted UI (beta)
Access backend
resources
• Cognito User Pools can be
used as standalone IdPs
• User Pools provide
OpenID Connect and
OAuth2.0 standard tokens
that can be used for
authorizing access to
your APIs / backend
CUP
Token
API GW
1
2
3
49. Business to Consumer
Sign in with
Facebook
Or
Username
Password
Sign In
Authenticate with
Facebook via their
SDK
FB
Token
Cognito
User Pool
CUP
Token
Exchange user tokens
for AWS credentials
tied to an IAM role
Cognito
Identity Pool
CUP/FB
Token
Authenticate with a
user pool via our SDK
DynamoDB
S3
API GW
Access backend
resources
1b
1a
2
3
• User Pools provide a
directory for users to
sign up and sign in
• Identity Pools provide
AWS credentials to
access backend
resources
50. Business to Business/Employee with SAML
Get AWS credentials
Cognito
Identity Pool
DynamoDB
S3
API GW
Access backend
resources
SAML IdP
(e.g., ADFS)
Cognito
User Pool• User Pools authenticate
users and returns OpenID
Connect and OAuth2.0
standard tokens
• Identity Pools provide
AWS credentials to
access backend resources
Authenticate
3
CUP
Token1
SAML
2
Redirect /
Post back
CUP
Token
4
5
51. Business to Business/Employee with SAML v2
SAML IdP
(e.g., ADFS)
Cognito
User Pool• User Pools authenticate
users and returns OpenID
Connect and OAuth2.0
standard tokens
• User Pool tokens can be
used for authorizing
access to your APIs /
backend
Authenticate
3
CUP
Token1
SAML
2
Redirect /
Post back
Backend
resources
Access backend
resources
CUP
Token
API GW
4
52. Your User Pools and Amazon API Gateway
Native Support Custom Authorizer Function
Control access to your APIs using bearer
token authentication strategies, such as
OAuth or SAML – API Gateway’s custom
authorizer feature uses bearer tokens to
determine access privileges
Configure API Gateway to accept ID tokens
to authorize users based on their existence
in a user pool – User Pools works together
with API Gateway to authorize API requests
1 2
53. Amazon Cognito
User Pools
Amazon API
Gateway
Lambda Hooks
Lambda Function
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Mobile apps
Amazon Cognito
Federated Identities
(IAM)
Lambda
Custom Authorizer
AWS Proxy
External HTTP/S
Backend
Amazon Cognito and Amazon API Gateway
54. Cognito User Pool
(CUP)
Amazon API
Gateway
Google
User A
User B
User C
Cognito Identity Pool
(CIP)
A
B
C
A
B
/google
/cip
/cup
AWS Lambda Amazon
DynamoDB
A
B
C
Token
AWS Credentials
User A
Data
User B
Data
User C
Data
IAM
Authorization
IAM
Authorization
Cognito UP
Authorizer
API Resources
https://github.com/awslabs/aws-cognito-apigw-angular-auth
Amazon Cognito and Amazon API Gateway
55. Amazon Cognito and AWS IoT
Username
Password
Sign In
Cognito
User Pool
CUP
Token
Exchange user tokens
for AWS credentials
tied to an IAM role
Cognito
Identity Pool
CUP
Token
Authenticate with a
user pool via our SDK
Access IoT/Device
resources
1
2
3
• User Pools provide a
directory for users to
sign up and sign in
• Identity Pools provide
AWS credentials to
access IoT resources
• AttachPrincipal
Policy API call
attaches Cognito ID
to IoT Policy
AWS IoT
57. Getting Started with Your User Pools
See aws.amazon.com/cognito/dev-resources/ for links to
Getting Started Guides
Documentation, SDKs, and Sample Apps
Videos
Presentation Slides
Blog Posts
Developer Forums
58. Useful Links
• Amazon Cognito User Pools supports federation with SAML - http://amzn.to/2uCB6hJ
• Amazon Cognito User Pools App Integration and Federation - http://amzn.to/2uxbnqb
• Amazon Cognito Federation for User Pools Server Contract Reference -
http://amzn.to/2tzLLVy
• Amazon Cognito User Pools OAuth2 Flows and Scopes- http://amzn.to/2tAu08i
• Customizing Amazon Cognito User Pool Authentication Flow - http://amzn.to/2vbVlQg
• Passwordless Login Demo - https://youtu.be/8DDIxqIW1sM?t=2212
• SAML for Your Serverless JavaScript Application - http://amzn.to/2mRmKEX and
http://amzn.to/2w4MIXo
• Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User
Pools, and Amazon API Gateway - http://amzn.to/2rItQQm
• Authorizing Access Through a Proxy Resource to Amazon API Gateway and AWS
Lambda Using Amazon Cognito User Pools - http://amzn.to/2jO3qYt
65. OAUTH, OIDC
Outsourcing Auth to 3rd party
• Oauth: Authorization (grant access to data/API/etc.)
• OpenID: Authentication
Redirect to authorization server in query string:
• Response_type (contains grant code), scope, etc.
ClientID & Secret
• ClientID is public used for login URLs.
• Secret embedded in app source code (not for JavaScript apps)
ID (Identity - OIDC), Access (Session – OAUTH2), Refresh
(Password – OAUTH2) Tokens
67. SRP
Problem with salting/hashing passwords in DB
• Rainbow Tables, MD5 collisions
• GPUs can compute billions hashes/sec
• Dictionary attacks, brute-force
SRP: Passwords never travel over the wire
• Verifier calculated and stored in Database
• http://srp.stanford.edu/ndss.html
68. SAML
2-Way trust to securely exchange claims
SAML doesn’t accept passwords!
• That’s what an IdP is for!
Terms
• Service Provider (Relaying Party)
• STS (ADFS, Shibboleth)
• Signed and Base-64 encoded claims in <samlp: /> notation
• IdP
• “SAML authority” or “Asserting Party” = “SAML IdP”
– AKA “guy that has all the claims to share”
Bindings
Notes de l'éditeur
<Connect with the audience>
If you’re anything like me, this is probably how that makes you feel. <pause, hopefully for a bit of laughter>
The good news is that there is a lot of help. I’ll try to give you a bit of a roadmap today on how you might think about going on this journey.
Firstly, you’ll need to take a look at your organisation, the teams that are working on your projects.
You’ll need to put some new definitions around your architecture.
You will probably need to know how to deal with your existing application investments, so we’ll talk about how to approach migrations
and lastly, I’ll try to give you some of my best tips and tricks, best practices for avoiding some of those challenges along the way and hopefully avoid some of the frustrations like what this poor guy is feeling.
http://images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg
Who Loves AAA?! Who Hates it?
We have amazing services that integrate to your app and provide essential features for your users.
Authentication, Data Sync, Analytics, media, push notifications, serverless backends, enterprise features and chat bots
However it might take some time to get acquainted, learn and configure all these services and how they interact with each other. Time you could be using to focus on your application code.
AWS have successfully removed the undifferentiated heavy lifting of infrastructure, now we’re going one step further. What if I told you now we could also remove the heavy lifting of provisioning and configuration of your mobile backend for you?
Pulling this all together is easier through Mobile SDKs for iOS, Android, Xamarin, Unity…or use Mobile Hub which makes development even simpler with a single integrated console.
This is what our Mobile Hub service is here for! With Mobile Hub you can select, mix and match what features you want to add to your app and the related services are automatically provisioned for you, bootstrapping your mobile backend in a matter of minutes! Not only that but all the backend services are pre-configured and personalized with all the best practices and security in mind.
Session Based Auth
Server does heavy lifting. Stateful.
Client session ID attached to every request, associated with user ID that must be referenced on server
Pros: Auditing, revocation of actions
Cons: Scaling
Token Based Auth
Stateless, nothing persisted on server
Simple validation of token signing
Pros: Scaling
Create and manage User Pools - Create, configure, and delete multiple user pools across AWS regions
Define Custom Attributes - Define custom attributes for your user profiles
Require Submission of Attribute Data - Select which attributes must be provided by the user prior to completion of the sign-up process
Set per-App Permissions - Set read and write permissions for each user attribute on a per-app basis
Set up Password Policies - Enforce password policies like minimum length and requirement of certain types of characters
Search Users - Search users based on a full match or a prefix match of their attributes through the console or Admin API
Manage Users - Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
User Sign-Up and Sign-In
Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
User Profile Data
Enable users to view and update their profile data – including custom attributes
Forgot Password
Provide users the ability to change their password when they forget it with a one-time password challenge
Token Based Authentication
Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
Email or Phone Number Verification
Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
SMS Multifactor Authentication
Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
Lambda is our microserivces framework, which let’s you run code without provisioning or managing servers. And you can use Lambda in conjunction with User Pools to customize the user flow according to your business requirements.
Before Migrate, Always Federate
Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.
Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
Stateless authentication mechanism as the user state is never saved in server memory
OAuth 2.0 looks at the problem of "How does Software A give Software B access to User X's data without Software B having access to User X's login credentials."
Redirect URIs must be registered with the OAuth service with TLS in order to prevent MTM attacks. Registration process gives ClientID & Secret.
Service Providers provide web services and rely on a “trusted” Identity Provider and Security Token Service for AuthN and AuthZ. This is the WS-Fed definition where a SP is called a Relaying Party. The SP depends on having assertions from the IdP
The key here is that the SAML Authnrequest was signed. That’s what allows direct sending of user data from the IdP on the right back to the Resource server on the left.