When developing an app, we will most likely need to use or implement authentication and authorization. Hence, we need to decide whether to build it ourselves or to use a cloud service. Many vendors have recognized this need, and fortunately they offer a lot of options to simplify the task. Out of the many available services, we recommend Amazon Cognito User Pools, which offers numerous advantages for authenticating and authorizing the users of our app. Let's discuss.
What is Amazon Cognito?
Amazon Cognito is an Amazon Web Services (AWS) product that provides user and identity pool management. Cognito helps developers implement user authentication and authorization in web and mobile applications. Simply put, it is a user management and access service that eases the process of building a robust app.
Key Components of Amazon Cognito
In general, user management and identity management services are built upon two key functions, namely authentication and authorization. Authentication is the process of validating claims of identity, while authorization is the process of confirming the rights to access other AWS resources and services.
When it comes to Cognito, there are two main sections: User Pools and Identity Pools.
- User Pools is a directory of users for authentication (identity verification), which helps to create and maintain users' sign-up and sign-in to web and mobile applications. It is also equipped with enhanced security features such as multi-factor authentication (MFA) with email or phone number verification. It also integrates with AWS Lambda, which lets us customize the validation and registration workflows.
- Identity Pools, on the other hand, provide authorization (access control) to grant our users access to other AWS services without re-entering their credentials. Amazon Cognito allows flexible use of User Pools and Identity Pools, either separately or together.
Why is it interesting?
Amazon Cognito provides several features for managing users: sign-up (registration), sign-in, password change, account management, and group authentication. Using these services, we can easily connect with other AWS services such as API Gateway, Lambda, AppSync, etc.
- Manage the user directory using User Pools
- Secure and support the encryption of data
- Provide JSON Web Token (JWT)
Instead of building this mechanism ourselves from multiple modules, we let Amazon Cognito issue a JWT after it successfully authenticates a user, and that token secures and authorizes access to our APIs. Amazon Cognito User Pools implement the ID Token, Access Token, and Refresh Token as defined by the OpenID Connect (OIDC) open standard.
- Integrate with social and identity federation
With Amazon Cognito, users can sign in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft.
Amazon Cognito Pricing
As part of the AWS Free Tier, Amazon Cognito offers 10GB of sync store and 1,000,000 sync operations per month for the first 12 months of usage. There is also a free tier of 50,000 monthly active users (MAUs) for users who sign in directly to Cognito User Pools, and 50 MAUs for users federated through SAML 2.0 based identity providers.
A user is counted as an MAU when there is an identity operation related to that user, such as sign-up, sign-in, token refresh, or password change, within one calendar month. Inactive users are therefore not charged for subsequent operations within that calendar month. The Cognito Identity free tier does not expire at the end of the 12-month AWS Free Tier term. Note that free tier pricing is not available for either the User Pool feature or SAML/OIDC federation in the AWS GovCloud (US-West) region.
For those using User Pool credentials or with social identity providers, such as Apple, Google, Facebook and Amazon, the pricing can be seen in the table below:
And for those using SAML or OIDC federation, the cost after the first 50 MAUs is $0.015.
The Pros and Cons of Amazon Cognito
Pros:
- Easy management of users and groups (this speeds up the development cycle).
- Easy management of Cognito users through the AWS Cognito Console.
- All user data is stored automatically in the AWS Cognito service.
- Support for sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon.
- Built-in verification logic via email or phone number.
- Error messages are provided by the service.
Cons:
- Unlike the other services, this is a paid service. The more complex the application, with more security options and monthly active users, the more you pay.
- The documentation provided is very detailed. To some extent this is good, but it can be overwhelming.
- It is time-consuming to fully integrate the system. You must understand the AWS SDK and the documentation, and you will need to design the product/service to work with AWS Cognito. It is still worth it for a long-lived product with low maintenance needs.
- Sometimes the error messages expose a technical error, which obliges us to read the documentation and then translate it for the end user. Extra effort is needed to map the error data to a more understandable message.
- The email or phone validation service for sign-up is still a little intermittent, so you need to include another AWS service such as Simple Email Service to ensure it works.
Creating an authentication and authorization feature from scratch is not a simple task if we want to cover all the security details, and using AWS Cognito for user authentication has become a faster solution. Besides, we do not need to spend a lot of time maintaining the backend because AWS Cognito provides it. We can rely on AWS Cognito to handle the security matters related to storing login credentials, instead of doing it ourselves.
Niken Hananti Puspasari – Programmer
Yunas Pamatda – Programmer