Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. Finding the right identity solution can often be challenging. In this session, we will look at how Cognito can support a wide range of authentication scenarios including customers, employees and systems to help you make the right choices. Speaker: Stephen Liedig. Solutions Architect. Amazon Web Services Level: 300

1. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
Managing Identity and Securing Your Mobile and
Web Applications with Amazon Cognito
Stephen Liedig, Solutions Architect
A/NZ Public Sector, AWS
August 2017

2. Identity is mission critical for applications
Security
Revenue
Generation
Application
Backbone
 Know your users
 Monitor engagement
with your application
 Store and manage
user data
 Personalize your
users’ experiences
 Protect sensitive data
 Secure business-
critical processes
User Identity

3. Identity is mission critical for applications
Authentication User ManagementAuthorization
 Manage user lifecycles
 Store and manage
user profile data
 Monitor engagement
 Protect data and
operations
 Provide fine-grained
access control
 Sign in users
 Enable federation with
enterprise identities
 Enable federation with
social identities
User Identity

4. Developing Auth Infrastructure is Difficult
Source: images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg

5. Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
1
2
3
5
6
4

6. Amazon Cognito Identity
Your User Pools
You can easily and securely add sign-up
and sign-in functionality to your mobile and
web apps with a fully-managed service that
scales to support 100s of millions of users.
Federated Identities
Your users can sign in with third-party
identity providers, such as Facebook and
SAML providers, and you can control
access to AWS resources from your app.
Sign in
Username
Password
Submit
Facebook
Corporate
OIDC
Sign in with
SAML

7. Comprehensive Support for Identity Use Cases

8. Amazon Cognito: Identity Management Scenarios
Business to Consumer
IoT Scenarios
Business to Employee
SAML
Federation
Enterprise
Directory
Partner A
Partner B
Business to Business
AWS IoT
API Gateway with Lambda
Deny
Allow
Custom
Authorizer
Access control for AWS
Resources
AWS IAM

9. Lets dive a little
deeper…
Source: https://freerangestock.com/photos/44722/photo-details.html

10. I want to authenticate
• consumers
• employees
• systems
…on
• Amazon EC2 / Amazon ECS
• AWS Lambda
• Browser
• Mobile
• other
…against
• IAM
• A managed IdP
• SAML
• Google
• Twitter
• Facebook
• OpenID
• Custom
…to access
• AWS APIs and SDKs
• Amazon API Gateway
• custom applications

11. I want to authenticate
people
…on
browser or mobile
Let’s imagine a user table
Username Email Password
beverly123 beverly123@example.com Password$123
pilotjane pilotjane@example.com a##eroplan3
sudhir1977 sudhir197@example.com mmd414997a

12. I want to authenticate
people
…on
browser or mobile
Let’s imagine a user table
Username Email Password
beverly123 beverly123@example.com Password$123
pilotjane pilotjane@example.com a##eroplan3
sudhir1977 sudhir197@example.com mmd414997a
• Never store passwords in plaintext!
• Vulnerable to rogue employees
• A hacked DB results in
all passwords being compromised

13. I want to authenticate
people
…on
browser or mobile
Let’s try again…
Username Email Hashed Password
beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f
pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883
sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d

14. I want to authenticate
people
…on
browser or mobile
Doh!!!
Username Email Hashed Password
beverly123 beverly123@example.com 21a730e7d6cc9d715efcc0514ed69a1f
pilotjane pilotjane@example.com fea74fde863cd38f88b3393f590ae883
sudhir1977 sudhir197@example.com 6ce6be14f0c775cc9b3dbe4e18d9fc7d
• MD5/SHA1 collisions
• Rainbow Tables
• Dictionary attacks, brute-force (GPUs can compute
billions of hashes/sec)

15. I want to authenticate
people
…on
browser or mobile
Secure Remote Password Protocol
Username Email SRP Verifier function
beverly123 beverly123@example.com <password-specific verifier>
pilotjane pilotjane@example.com <password-specific verifier>
sudhir1977 sudhir197@example.com <password-specific verifier>
Secure Remote Password (SRP) Protocol
• Verifier-based protocol
• Passwords never travel over the wire
• Resistant to several attack vectors
• Perfect Forward Secrecy

16. I want to authenticate
people
…on
browser or mobile
But wait…
Best practices
☐ Secure password handling

17. I want to authenticate
people
…on
browser or mobile
But wait…
Best practices
☐ Secure password handling
☐ Encrypt all data server-side
☐ Enforce password policies (min length, valid characters)
☐ Token-based Authentication
☐ MFA - via SMS for sign-in and forgot password flows
☐ Support CAPTCHAs and other custom authentication flows
☐ Scalable to 100s of millions of users

18. I want to authenticate
people
…on
browser or mobile
But wait…
User flows
☐ Registration
☐ Verify email/phone
☐ Secure sign-in
Best practices
☐ Secure password handling
☐ Encrypt all data server-side
☐ Enforce password policies (min length, valid characters)
☐ Token-based Authentication
☐ MFA - via SMS for sign-in and forgot password flows
☐ Support CAPTCHAs and other custom authentication flows
☐ Scalable to 100s of millions of users
☐ Forgot password
☐ Change password
☐ Sign-out

19. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
Amazon Cognito User Pools
Best practices
☐ Secure password handling
☐ Encrypt all data server-side
☐ Enforce password policies (min length, valid characters)
☐ Token-based Authentication
☐ MFA - via SMS for sign-in and forgot password flows
☐ Support CAPTCHAs and other custom authentication flows
☐ Scalable to 100s of millions of users
User flows
☐ Registration
☐ Verify email/phone
☐ Secure sign-in
☐ Forgot password
☐ Change password
☐ Sign-out

20. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
User APIs
Email or Phone Number
Verification
Require users to verify their email address or phone number prior to
activating their account with a one-time password challenge
Forgot Password
Provide users the ability to change their password when they forget
it with a one-time password challenge
User Sign-Up and Sign-In
Allow users to sign up and sign in using an email, phone number, or
username (and password) for your application.
User Profile Data
Enable users to view and update their profile data – including
custom attributes
SMS Multifactor
Authentication
Require users to complete a second factor of authentication by
inputting a security code received via SMS as part of the sign-in flow
Customize these User Flows Using Lambda
Token Based
Authentication
Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC)
and OAuth 2.0 standards for user authentication in your backend

21. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
Administrator APIs
Define Custom Attributes
Set per-App Permissions
Set up Password Policies
Create and manage
User Pools
Define custom attributes for your user profiles
Set read and write permissions for each user attribute on a
per-app basis
Enforce password policies like minimum length and
requirement of certain types of characters
Create, configure, and delete multiple user pools across AWS
regions
Require Submission of
Attribute Data
Select which attributes must be provided by the user prior to
completion of the sign-up process
Search Users Search users based on a full match or a prefix match of their
attributes through the console or Admin API
Manage Users Conduct admin actions, such as reset user password, confirm
user, enable MFA, delete user, and global sign-out

22. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
Customize with Lambda triggers
Category Lambda Hook Example Scenarios
Custom
Authentication
Flow
Define Auth Challenge Determines the next challenge in a custom auth flow
Create Auth Challenge Creates a challenge in a custom auth flow
Verify Auth Challenge
Response
Determines if a response is correct in a custom auth flow
Authentication
Events
Pre Authentication Custom validation to accept or deny the sign-in request
Post Authentication Event logging for custom analytics
Sign-Up
Pre Sign-up Custom validation to accept or deny the sign-up request
Post Confirmation
Custom welcome messages or event logging for custom
analytics
Messages Custom Message Advanced customization and localization of messages

23. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
App Integration with User Pools
Use the Amazon Cognito SDK
(JavaScript / Android / iOS), use the
APIs directly.
User Pools now provides a hosted UI
for sign up, sign in, forgot password,
etc.
Developers can customize the UI to
match their style and branding
through custom logo and CSS
NEW!

24. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
UI Customizations
Customize UI for each application
Customize logo
CSS customizations

25. How do I use Amazon Cognito
User Pools to authenticate
against Amazon API Gateway?
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway

26. Amazon Cognito User Pool
Authorizer
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Supports authentication, but not authorization.
API Gateway has an easy integration with Amazon Cognito User
Pools.

27. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
For fine grained authorization to API Gateway, you’ll need to use
an API Gateway Custom Authorizer.
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
… let’s dive a bit deeper…

28. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 1: User signs up for an
account with our Amazon
Cognito User Pool, providing
their email, telephone number &
password (+ any custom
attributes).
Amazon Cognito can
automatically verify the user’s
email address and/or phone
number if required.

29. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 2: At some point in the
future, the user wants to sign in.
We can now authenticate the
user.

30. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Optional: If MFA is enabled
(either for this user, or all users),
Amazon Cognito will SMS a one
time authentication code to the
user.

31. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 3: After a successful
authentication, Amazon Cognito
responds with a signed JSON
Web Token (JWT) containing the
user’s details.
JWT Token

32. Wait… what’s a JWT?
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
https://jwt.io
Cryptographically
verifiableclaims

33. Restricting JWT claims
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
You can select which Amazon Cognito User Pool attributes are included in
the generated JWT token by using scopes.

34. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 3: After a successful
authentication, Amazon Cognito
responds with a signed JSON
Web Token (JWT) containing the
user’s details.
JWT Token

35. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 4: You are now ready to call
your backend API’s from your
mobile application.
The JWT is passed in via the
Authorization HTTP header.
GET /pets HTTP/1.1
Host: ...
Authorization:eyJraWQi…

36. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 5: API Gateway calls your
custom authorizer function which
validates the JWT token and
creates an IAM policy that
defines which API resources the
user can access (based on their
user attributes in the JWT
claims).
GET /pets HTTP/1.1
Host: ...
Authorization:eyJraWQi…

37. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 6: Additionally, the custom
authorizer function will need to
check that the JWT hasn’t been
tampered with.
To do this, it needs the signing
public key (JWK) from Amazon
Cognito.
GET /pets HTTP/1.1
Host: ...
Authorization:eyJraWQi…

38. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
var samplePolicy = new AuthPolicy(”userIdentifier", "XXXXXXXXXXXX", apiOptions);
samplePolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/windfarms/");
samplePolicy.allowMethod(AuthPolicy.HttpVerb.GET, "/windfarms/123/*");
samplePolicy.allowMethod(AuthPolicy.HttpVerb.GET, "/windfarms/234/*");
samplePolicy.allowMethod(AuthPolicy.HttpVerb.ALL, "/users/" + user.id);
callback(null, samplePolicy.getPolicy());
A custom authorizer function should return a policy that defines which API
resources the user should get access to.
This is then cached and used for any requests with the same authentication
token (default: 300 seconds).
Make sure your policy includes all actions the user can perform, not just a
single request.

39. Custom Authorizers
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon Cognito
User Pools
Amazon API Gateway
Custom Authorizer
Lambda Function
/pets
/n…
Amazon
DynamoDB
Throttling
Cache
Logging
Monitoring
Auth
Step 7: If authentication was
successful, the API call will be
passed through to the backend
Lambda functions where your
logic sits.
Authentication is cached for each
token (up to 1 hour).
GET /pets HTTP/1.1
Host: ...
Authorization:eyJraWQi…

40. API Gateway summary
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
Amazon API Gateway
Amazon
Cognito
User Pool
Authenticate
2
CUP
Token1
Backend
resources
Access backend
resources
CUP
Token
API GW
4
Amazon Cognito User Pools can
be used as standalone IdPs
Amazon Cognito User Pools and
API Gateway integrate really
nicely.
Use the built in User Pool
Authorizer if you don’t need
authorization.
Use Custom Authorizers instead
if you do.

41. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
AWS APIs and SDKs
How do I use Amazon Cognito
User Pools to authenticate /
authorize access to AWS APIs and
SDKs?

42. AWS APIs and SDKs
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
AWS APIs and SDKs
Amazon Cognito User Pools cannot generate AWS credentials. You need to use
Amazon Cognito Federated Identity in-front of Amazon Cognito User Pools.

43. AWS APIs and SDKs
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
AWS APIs and SDKs
You can then configure the AWS SDK to fetch API credentials from Amazon
Cognito like so:
var Amazon CognitoUser = userPool.getCurrentUser();
if (Amazon CognitoUser != null) {
Amazon CognitoUser.getSession(function(err, result) {
if (result) {
console.log('You are now logged in.');
// Add the User's Id Token to the Amazon Cognito credentials login map.
AWS.config.credentials = new AWS.Amazon CognitoIdentityCredentials({
IdentityPoolId: 'YOUR_IDENTITY_POOL_ID',
Logins: {
'Amazon Cognito-idp.{region}.amazonaws.com/{user-pool-id}':
result.getIdToken().getJwtToken()
}
});
}
});
}

44. RBAC (Role based access control)
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
AWS APIs and SDKs
Amazon Cognito User Pool groups
can be configured with an IAM role
You can then configure Amazon
Cognito Federated Identity to
use the role within the JWT
token when issuing AWS
credentials

45. RBAC (Role based access control)
I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
…to access
AWS APIs and SDKs
Alternatively, you can also map roles based on other attributes in the
JWT token

46. I want to authenticate
people
…on
browser or mobile
…against
Amazon Cognito User
Pools
What about federation to Active
Directory, SAML and/or social
media accounts?

47. I want to authenticate
people
…on
browser or mobile
…against
SAML (Active Directory)
and/or social media
accounts
…to access
AWS APIs and SDKs,
Amazon API Gateway or
custom applications
SAML / Active Directory Federation
NEW!

48. I want to authenticate
people
…on
browser or mobile
…against
SAML (Active Directory)
and/or social media
accounts
…to access
AWS APIs and SDKs,
Amazon API Gateway or
custom applications
Social Media Federation

49. Mapping Federated Attributes
I want to authenticate
people
…on
browser or mobile
…against
SAML (Active Directory)
and/or social media
accounts
…to access
AWS APIs and SDKs,
Amazon API Gateway or
custom applications

50. Business to Consumer Use Case
I want to authenticate
people
…on
browser or mobile
…against
SAML (Active Directory)
…to access
AWS APIs and SDKs,
Amazon API Gateway or
custom applications Get AWS credentials
Cognito
Identity Pool
DynamoDB
S3
API GW
Access backend
resources
Cognito
User Pool
Authenticate
3
CUP
Token1
IdP
Token
2
Redirect /
Post back
CUP
Token
4
5
User Pools authenticate users
and returns OpenID Connect and
OAuth2.0 standard tokens
Identity Pools provide AWS
credentials to access backend
resources

51. Business to Business/Employee
with SAML
I want to authenticate
people
…on
browser or mobile
…against
SAML (Active Directory)
…to access
AWS APIs and SDKs,
Amazon API Gateway or
custom applications
User Pools authenticate users
and returns OpenID Connect and
OAuth2.0 standard tokens
Identity Pools provide AWS
credentials to access backend
resources
Get AWS credentials
Cognito
Identity Pool
DynamoDB
S3
API GW
Access backend
resources
SAML IdP
(e.g., ADFS)
Cognito
User Pool
Authenticate
3
CUP
Token1
SAML
2
Redirect /
Post back
CUP
Token
4
5

52. Business to Business/Employee
with SAML v2
I want to authenticate
people
…on
browser or mobile
…against
SAML (Active Directory)
…to access
AWS APIs and SDKs,
Amazon API Gateway or
custom applications
Amazon Cognito User Pools
authenticate users and returns
OpenID Connect and OAuth2.0
standard tokens
Amazon Cognito User Pool
tokens can be used for
authorizing access to your APIs /
backend
SAML IdP
(e.g., ADFS)
Cognito
User Pool
Authenticate
3
CUP
Token1
SAML
2
Redirect /
Post back
Backend
resources
Access backend
resources
CUP
Token
API GW
4

53. I want to authenticate
systems
Ok, we’ve covered
authenticating people, but what
about authenticating systems?
For example, Application A communicating with Application B.

54. want to authenticate
systems
…on
Amazon EC2
…against
IAM
…to access
AWS APIs and SDKs
Amazon EC2 Instance Roles
Instance roles allow you to grant access from systems on EC2 (AWS
CLI or SDKs) to access AWS Services without needing to bake in
credentials. The CLI and SDKs are preconfigured to detect and use
instance roles if one is attached.

55. want to authenticate
systems
…on
Amazon EC2
…against
IAM
…to access
Amazon API Gateway
EC2 Instance Roles
EC2 Instance Roles are also a great option for granting access to APIs
hosted with Amazon API Gateway.
API Gateway should be configured for IAM authentication:

56. want to authenticate
systems
…on
Amazon EC2
…against
IAM
…to access
Amazon API Gateway
EC2 Instance Roles
…and the IAM role should have a policy attached that allows access
to the API required:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": ”Allow",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
},
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/windfarms"
}
]
}

57. want to authenticate
systems
…on
Amazon EC2 Container
Service (ECS)
…against
IAM
…to access
AWS APIs and SDKs or
Amazon API Gateway
EC2 Container Service (ECS)
ECS supports IAM Roles too. This makes it easy to secure an AWS Service
or API hosted with Amazon API Gateway to a specific container (or group of
containers).

58. want to authenticate
systems
…on
AWS Lambda
…against
IAM
…to access
AWS APIs and SDKs or
Amazon API Gateway
AWS Lambda
Use AWS Lambda’s execution role to secure an AWS service or API hosted
with Amazon API Gateway to a specific AWS Lambda function.

59. Summary
It can support a wide range of scenarios including customers, employees,
systems
1
2
3
5
6
4
It includes a fully managed identity provider (Amazon Cognito User Pools), with
a great free tier
Amazon Cognito offers huge flexibility for AuthN / AuthZ
Hosted authentication pages makes integrating really easy
Don’t be scared of Amazon Cognito  Reach out to your local SA if you need
help
New SAML and social federation in Amazon Cognito User Pools!

60. No more of this…
Source: images.huffingtonpost.com/2015-06-18-1434640796-8854716-frustration.jpg

61. Source: https://freerangestock.com/photos/39981/victorious--man-standing-on-the-top-of-a-mountain-raising-.html
…and heaps more of this!

62. © 2017, Amazon Web Services, Inc. or its Affiliates, All rights reserved.
Thank you!