Overview
- Managed user directory
  - Scales to 100M+ users
- Integrates with identity providers
  - Social: Facebook, Google, Login with Amazon
  - OpenID Connect
  - SAML (enterprise federation)
- Use cases
  - Business to Consumer (e.g. mobile app)
  - Business to Business (e.g. SaaS)
  - Business to Employee (e.g. internal HR portal)
  - IoT and multi-device apps: Cognito Sync keeps data in step between device and service
- Solves limitations of plain Web Identity Federation (each provider's token handled separately, no user directory of your own)
Cognito User Pool Tokens
- JWTs following the OpenID Connect standard, returned (vended) by Cognito after a successful sign-in
  - ID Token: identity of the user
    - Contains claims (e.g. group membership in cognito:groups, email, custom attributes)
    - Claims can be added (e.g. user profile data) or removed (suppress unused ones) with the Pre Token Generation Lambda trigger
  - Access Token: what the user is allowed to call (OAuth scopes); names the app client in client_id rather than aud
  - Refresh Token: obtains new ID and access tokens without re-authenticating
- ID token can be exchanged for AWS credentials (Cognito Identity Pool)
  - Role mapping based on a claim in the ID token
- Before trusting any of these tokens, verify the signature against the pool's JWKS, the issuer (iss), the app client (aud or client_id), token_use and expiry (exp)
Cognito User Pool
- Stand-alone identity provider (an OIDC issuer)
  - Can be re-used by multiple Cognito app clients
  - Single Sign-On across those apps
- Store of user identity data
- Logical boundary
  - Max 60 pools per AWS account (account quota; can be increased on request)
  - Associated with 1 or more app clients
- Hosted UI (sign-up, sign-in, password reset pages) - customizable
- Use cases
  - Users create their own accounts (self sign-up)
  - AWS handles authentication (password storage, verification, token issuance)
  - Serverless integration (API Gateway Cognito authorizer)
Cognito User Pool (AuthN)
- Fires Lambda triggers (webhooks) at fixed points in the flow
  - Custom authentication flows (e.g. multiple challenges, built from the Define, Create and Verify Auth Challenge triggers)
  - Authentication events (pre and post authentication)
  - Sign-up (pre sign-up, post confirmation, user migration)
  - Messages (custom message for verification codes and invitations)
- Device tracking (remembered devices can skip MFA on later sign-ins)
- Supports MFA
  - SMS
  - Time-based one-time password (TOTP, e.g. Google Authenticator)
- Adaptive authentication (advanced security features)
  - When it detects risk it behaves differently: allow, require MFA, or block the sign-in
  - Compromised credentials: AWS detects logins with credentials that were leaked elsewhere
  - Sign-in from unusual locations or devices
  - Reporting of risk events per user
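The multi-challenge custom flow above is driven by the Define Auth Challenge trigger, which Cognito calls after every round with the session so far. The Go handler below is an added example, not code from the original notes or from AWS; it reads and writes the fields of the trigger's JSON event directly (request.session, response.challengeName, response.issueTokens, response.failAuthentication) instead of importing aws-lambda-go, and the policy of two required CUSTOM_CHALLENGE rounds with lock-out after three wrong answers is an assumption for illustration. The companion Create Auth Challenge and Verify Auth Challenge Response triggers, which generate and check each code, are not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ChallengeResult is one entry of request.session in the Define Auth Challenge trigger event:
// Cognito appends one per challenge the user has attempted in this sign-in.
type ChallengeResult struct {
	ChallengeName   string `json:"challengeName"`
	ChallengeResult bool   `json:"challengeResult"`
}

// DefineAuthEvent mirrors the parts of the trigger's JSON that this handler reads and writes.
type DefineAuthEvent struct {
	Request struct {
		Session []ChallengeResult `json:"session"`
	} `json:"request"`
	Response struct {
		ChallengeName      string `json:"challengeName"`
		IssueTokens        bool   `json:"issueTokens"`
		FailAuthentication bool   `json:"failAuthentication"`
	} `json:"response"`
}

// Assumed policy for this flow: the user must clear RequiredChallenges CUSTOM_CHALLENGE rounds
// (for example two different out-of-band codes) and is locked out after MaxFailures wrong answers.
const (
	RequiredChallenges = 2
	MaxFailures        = 3
)

// DefineAuthChallenge is the state machine Cognito calls after every challenge round.
// It sets exactly one outcome: issueTokens, failAuthentication, or the next challengeName.
func DefineAuthChallenge(ev DefineAuthEvent) DefineAuthEvent {
	passed, failed := 0, 0
	for _, r := range ev.Request.Session {
		switch {
		case !r.ChallengeResult:
			failed++
		case r.ChallengeName == "CUSTOM_CHALLENGE":
			passed++
		}
	}
	switch {
	case failed >= MaxFailures:
		ev.Response.FailAuthentication = true // too many wrong answers: end the session
	case passed >= RequiredChallenges:
		ev.Response.IssueTokens = true // every required round passed: vend the JWTs
	default:
		ev.Response.ChallengeName = "CUSTOM_CHALLENGE" // otherwise ask for the next round
	}
	return ev
}

// Handle is the Lambda-style entry point: trigger JSON in, trigger JSON out.
func Handle(raw []byte) ([]byte, error) {
	var ev DefineAuthEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, err
	}
	return json.Marshal(DefineAuthChallenge(ev))
}

func main() {
	// Constructed sample: one custom challenge passed so far, so a second round is requested.
	in := []byte(`{"request":{"session":[{"challengeName":"CUSTOM_CHALLENGE","challengeResult":true}]},"response":{}}`)
	out, err := Handle(in)
	fmt.Println(string(out), err)
}
```

The handler never issues tokens on an empty session and sets only one outcome per call; that is the invariant to review first, because a trigger that can reach issueTokens on any path without a passed challenge is an authentication bypass.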
Cognito User Pool (AuthZ)
- Create groups (e.g. Admin, Regular)
  - A group can carry an IAM role (applied when the ID token is exchanged through an Identity Pool)
  - Groups support precedence: when a user is in several groups, the lowest precedence value decides cognito:preferred_role
- Add users to groups
- Cognito ID token then contains additional claims: cognito:groups, plus cognito:roles and cognito:preferred_role when roles are attached
- Integrates with API Gateway
  - API Gateway recognizes Cognito tokens (Cognito user pool authorizer): it validates the token and, for access tokens, can check OAuth scopes
  - Group-based decisions are not made by that authorizer; enforce them from the cognito:groups claim in the backend or in a Lambda authorizer
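Verifying a Cognito token before using its claims, as described in the token section, with the group check from the AuthZ section applied afterwards. This is an added example in Go, not code from the original notes or from AWS; it uses only the standard library, so it generates a throwaway RSA key and mints a sample ID token locally in place of the pool's JWKS document and Cognito's own signing. The issuer URL, app client id and group names are assumptions; in production the KeySet is filled from https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json and cached.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims holds the Cognito ID-token claims this check relies on ("aud" is the app client id; access tokens carry it in "client_id").
type Claims struct {
	Iss      string   `json:"iss"`
	Aud      string   `json:"aud"`
	TokenUse string   `json:"token_use"`
	Exp      int64    `json:"exp"`
	Groups   []string `json:"cognito:groups"`
}

type KeySet map[string]*rsa.PublicKey // JWK "kid" -> public key; in production built from <issuer>/.well-known/jwks.json and cached

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Sign mints an RS256 JWT. Cognito does this in production; here it only produces a sample token offline.
func Sign(kid string, key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:]) // sample minting only; real code checks err
	return input + "." + b64(sig)
}

// Verify checks signature, issuer, audience, token_use and expiry; claims come back only if every check passes.
func Verify(token string, keys KeySet, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct { Alg string `json:"alg"`; Kid string `json:"kid"` }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm and the key: the token must never choose how it is verified (alg=none, HS256 key confusion).
	pub := keys[hdr.Kid]
	if hdr.Alg != "RS256" || pub == nil {
		return nil, fmt.Errorf("unexpected alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims // the payload is parsed only after the signature has been checked
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("bad issuer %q", c.Iss)
	case c.TokenUse != "id":
		return nil, fmt.Errorf("expected token_use=id, got %q", c.TokenUse)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token issued to another client %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// InGroup is the authorization decision, taken from the cognito:groups claim of an already verified token.
func InGroup(c *Claims, group string) bool {
	for _, g := range c.Groups {
		if g == group {
			return true
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" // assumed pool issuer
	tok := Sign("k1", key, Claims{Iss: iss, Aud: "client-abc", TokenUse: "id", Exp: time.Now().Add(time.Hour).Unix(), Groups: []string{"Admin"}})
	c, err := Verify(tok, KeySet{"k1": &key.PublicKey}, iss, "client-abc", time.Now())
	fmt.Println(err, c != nil && InGroup(c, "Admin"))
}
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, so an attacker-controlled payload is never parsed as trusted. Verify demands token_use=id; a caller that expects an access token must instead require token_use=access and compare client_id rather than aud.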
Federated Identity (Identity Pool)
- Token vending machine for AWS services: swaps a verified external token for temporary AWS credentials (STS)
- Use cases
  - You already have an authenticated token (user pool, social, OIDC, SAML or developer-authenticated identity)
  - Temporary access to AWS services under an IAM role
  - Anonymous (unauthenticated) access, with its own more restricted IAM role
- Role mapping (token claims to an AWS IAM role): rule-based on a claim, or the preferred role from the user pool group
Cognito Sync
- Identity data store (Sync Store)
  - Up to 20 datasets per identity
  - Dataset = max 1 MB
    - Unit of synchronization
    - Contains records: key-value pairs
- Same data available on every platform the user logs in from
- SDK has a synchronize() method that syncs state between device and the service
  - Conflict: by default the latest write wins
  - Can be overridden by the app (conflict-resolution callback)
- Silent push notification (Push Sync): sent to the device to trigger a sync, not visible to the user
- Cognito Events
  - Sync Trigger: event raised every time a dataset is synchronized
    - Can associate a Lambda function
    - Lambda intercepts the data and can transform it (e.g. validate or reject records)
- Cognito Streams
  - Take all the data from sync operations and send to Kinesis Streams
  - From there it can go to Redshift
- Caveat: Cognito Sync is a legacy service; AWS points new applications to AWS AppSync for cross-device data sync
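The synchronize() conflict handling above, as an added example in Go that is not code from the original notes or from the Cognito SDK: a local and a remote copy of one dataset are merged, keys changed on both sides go to a resolver (latest wins by default, replaceable by an app callback, as the notes describe), and the result is checked against the 1 MB dataset limit. The Record and Dataset types, the size approximation and the sample values are assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Record is one key-value entry of a dataset, stamped with when it was last modified.
type Record struct {
	Key          string
	Value        string
	LastModified time.Time
}

// Dataset is the unit of synchronization: a named map of records, capped at 1 MB in Cognito Sync.
type Dataset map[string]Record

const MaxDatasetBytes = 1 << 20

// Resolver decides which side wins for a key both sides changed; the app supplies it as a callback.
type Resolver func(local, remote Record) Record

// LatestWins is the default Cognito Sync policy: the record modified most recently is kept.
func LatestWins(local, remote Record) Record {
	if remote.LastModified.After(local.LastModified) {
		return remote
	}
	return local
}

// Size approximates the dataset's footprint as the sum of key and value bytes (assumed metric).
func (d Dataset) Size() int {
	n := 0
	for k, r := range d {
		n += len(k) + len(r.Value)
	}
	return n
}

// Merge is what synchronize() amounts to for one dataset: keys present on only one side are taken
// as-is, keys on both sides with identical values are kept, and genuine conflicts go to the resolver
// (nil selects LatestWins). It refuses to build a dataset over the 1 MB limit rather than letting a
// later push to the service fail.
func Merge(local, remote Dataset, resolve Resolver) (Dataset, error) {
	if resolve == nil {
		resolve = LatestWins
	}
	out := make(Dataset, len(local)+len(remote))
	for k, r := range local {
		out[k] = r
	}
	for k, rr := range remote {
		lr, ok := local[k]
		switch {
		case !ok, lr.Value == rr.Value:
			out[k] = rr
		default:
			out[k] = resolve(lr, rr)
		}
	}
	if out.Size() > MaxDatasetBytes {
		return nil, fmt.Errorf("merged dataset is %d bytes, over the %d byte limit", out.Size(), MaxDatasetBytes)
	}
	return out, nil
}

func main() {
	// Constructed sample: the phone and the service both changed "theme"; the service change is newer.
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	local := Dataset{"theme": {"theme", "dark", t0}, "lang": {"lang", "en", t0}}
	remote := Dataset{"theme": {"theme", "light", t0.Add(time.Minute)}, "font": {"font", "12", t0}}
	merged, _ := Merge(local, remote, nil)
	fmt.Println(merged["theme"].Value, len(merged)) // light 3
	// An app that prefers what the user just did on this device overrides the default:
	keepLocal := func(l, r Record) Record { return l }
	merged, _ = Merge(local, remote, keepLocal)
	fmt.Println(merged["theme"].Value) // dark
}
```

A resolver should be deterministic and side-effect free, because synchronize() may call it again on the next round if the service rejects the push; a resolver that, say, concatenates both values would grow the record on every retry.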