Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks

Amazon Cognito enables you to secure your mobile and web applications by providing a comprehensive identity solution for end user management, registration, sign-in, and security. In this product deep dive, we will walk through Cognito’s feature set, which includes serverless flows for user management and sign-in, a fully managed user directory, and control for user permissions. In addition, we will cover key use cases and discuss the associated benefits.

Learning Objectives:
1. Understand Cognito’s comprehensive feature set and benefits
2. Learn how to use Cognito to address different needs for user management and authorization
3. See how to get started and learn more

1. Deep Dive on Amazon Cognito
   Tim Hunt, Sr. Product Manager – Amazon Cognito
   March 30, 2017
   © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2. Topics
   • AWS Mobile Services and Amazon Cognito
   • Introduction to Amazon Cognito Identity
   • Summary of Features
   • Demo
   • Deeper Dive in a Few Areas
   • Getting Started
   • Q & A
3. The Best Mobile Apps Run on AWS
4. Build and Scale Your Apps on AWS (service map)
   • Authenticate users – Amazon Cognito (Identity)
   • Synchronize data – Amazon Cognito (Sync)
   • Store and share media – Amazon S3
   • Deliver media – Amazon CloudFront
   • Store data – Amazon DynamoDB, Amazon RDS
   • Analyze user behavior – Amazon Pinpoint
   • Run targeted campaigns – Amazon Pinpoint
   • Send push notifications – Amazon SNS Mobile Push
   • Server-side logic – Lambda
   • Test your app – Device Farm
5. AWS Mobile Hub: Fastest Way to Build Apps on AWS
6. Identity is mission critical for applications
   Authentication
   • Sign in users
   • Enable federation with enterprise identities
   • Enable federation with social identities
   User Management
   • Manage user lifecycles
   • Store and manage user profile data
   • Monitor engagement
   Authorization
   • Protect data and operations
   • Provide fine-grained access control
7. Developing Auth Infrastructure is Difficult
   • Need to develop a reliable user directory to manage identities
   • Handling user data and passwords and protecting privacy
   • Prioritizing scalability of your infrastructure upfront
   • Implementing token-based authentication
   • Support for multiple social identity providers
   • Federation with corporate directories for B2E applications
8. Amazon Cognito Identity
   • Your User Pools – You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully-managed service that scales to support 100s of millions of users.
   • Federated Identities – Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
   (Diagram: a sign-in form with Username, Password and Submit, plus "Sign in with" options for Facebook, Corporate, OIDC and SAML)
9. Using Cognito User and Federated Identities (diagram)
   1a. User signs in to Cognito User Identities (Your User Pool)
   2a. The user pool returns Access and ID Tokens
   1b. Alternatively, the user signs in to a SAML Identity Provider (example: Active Directory with ADFS)
   2b. The SAML provider returns tokens
   3. Cognito Federated Identities (Identity Pool) exchanges the tokens for AWS scoped credentials
   4. The app uses the credentials to access AWS services such as DynamoDB, S3 and API Gateway
10. Amazon Cognito: Identity Management Scenarios (diagram)
   • Business to Consumer – Cognito
   • Business to Employee and Business to Business – Cognito with SAML Federation (Enterprise Directory; Partner A, Partner B)
   • IoT Scenarios – Cognito with AWS IoT
   • API Gateway with Lambda – Custom Authorizer returning Allow or Deny
   • Access control for AWS Resources – Cognito with AWS IAM (S3, DynamoDB)
11. Your User Pools
   1. Serverless Authentication and User Management – Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
   2. Enhanced Security Features – Verify phone numbers and email addresses and offer multi-factor authentication
   3. Managed User Directory – Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
12. Comprehensive User Flows
   • User Sign-Up and Sign-In – Allow users to sign up and sign in using an email, phone number, or username (and password) for your application
   • Email or Phone Number Verification – Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
   • Forgot Password – Provide users the ability to change their password when they forget it with a one-time password challenge
   • User Profile Data – Enable users to view and update their profile data, including custom attributes
   • SMS Multifactor Authentication – Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
   • Token Based Authentication – Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
   • Customize these User Flows Using Lambda
13. Custom User Flows Using Lambda Hooks
   Custom Authentication Flow
   • Define Auth Challenge – Determines the next challenge in a custom auth flow
   • Create Auth Challenge – Creates a challenge in a custom auth flow
   • Verify Auth Challenge Response – Determines if a response is correct in a custom auth flow
   Authentication Events
   • Pre Authentication – Custom validation to accept or deny the sign-in request
   • Post Authentication – Event logging for custom analytics
   Sign-Up
   • Pre Sign-up – Custom validation to accept or deny the sign-up request
   • Post Confirmation – Custom welcome messages or event logging for custom analytics
   Messages
   • Custom Message – Advanced customization and localization of messages
14. Extensive Admin Capabilities
   • Create and manage User Pools – Create, configure, and delete multiple user pools across AWS regions
   • Define Custom Attributes – Define custom attributes for your user profiles
   • Require Submission of Attribute Data – Select which attributes must be provided by the user prior to completion of the sign-up process
   • Set per-App Permissions – Set read and write permissions for each user attribute on a per-app basis
   • Set up Password Policies – Enforce password policies like minimum length and requirement of certain types of characters
   • Search Users – Search users based on a full match or a prefix match of their attributes through the console or Admin API
   • Manage Users – Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
15. Groups: Cognito User Pools Groups and Multiple Authenticated Roles (diagram)
   • Group A → IAM Role A, Group B → IAM Role B, …
   • An authenticated user identity gets credentials from Cognito Federated Identities
   • Cognito Federated Identities maps the user's group to one of multiple IAM roles (each an IAM Role and Policy)
   • The IAM role controls access to backend resources such as API Gateway, DynamoDB and S3
16. Your User Pools and Amazon API Gateway
   1. Native Support – Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool; User Pools works together with API Gateway to authorize API requests
   2. Custom Authorizer Function – Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML; API Gateway's custom authorizer feature uses bearer tokens to determine access privileges
17. Control Attribute Permissions
   Choose which user attributes each app can read and write
   (Table: Read and Write permission per attribute, for the attributes name, phone and custom:paid)
18. Creating Users as an Administrator
   • Developers or administrators can create users in a user pool and send them an optional, customizable invitation email or SMS message
   • New users sign in with a temporary password and create a new password
   • User pools can be configured to only allow users created by an administrator
19. Additional User Pool Features
   • Customizable email addresses – Customize the "from" email address of emails you send to users in a user pool.
   • Admin sign-in – Your app can sign in users from back-end servers or Lambda functions.
   • Global sign-out – Allow a user to sign out from all signed-in devices or browsers.
   • Custom expiration period – Set an expiration period for refresh tokens.
20. Importing Existing Users
   Batch Imports
   • Import users by uploading .csv files
   • Users will create a new password when they first sign in
   • Each imported user must have an email address or a phone number
   One-at-a-Time Migration (from a prior IdP)
   • Migrate users individually as they sign in
   • The app first tries to sign in via Cognito; if the user does not exist, the app signs in via the prior identity system, captures the username and password, and silently creates the user in Cognito
   • Retains passwords, but requires app coding and maintenance of the prior system for some period
21. Feedback from our beta customers
   “Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we’re developing a flexible, fully integrated solution that can scale effortlessly – a powerful tool that will be critical in keeping our customers’ data secure.”
   “It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure.”
22. Demo
23. Demo URL
   The GitHub repository for the serverless authentication sample app is available at github.com/awslabs/aws-serverless-auth-reference-app
   See the Quickstart.md file for a guide to setting up and exploring the app (we will show that URL again later in the presentation)
24. Understanding User Status
   • New users start with “Registered” status
   • Users must be confirmed before they can sign in
   • Users must be disabled before they can be deleted
   (State diagram) States: Registered (cannot sign in), Confirmed, Disabled, Reset Required, Force Change Password, (deleted). Transitions: Sign-up (Lambda Trigger: Pre Sign-up) → Registered; Admin Confirm, or Confirm via email/phone → Confirmed; Disable → Disabled; Enable → Confirmed; Delete → (deleted); User import, or Reset password → Reset Required; Admin Create User → Force Change Password
25. Verifying Email and Phone
   • Your User Pools provide built-in verification of email addresses and phone numbers
   • A six-digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API
   • If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone
   • Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
   (Illustration: an SMS reading “Your verification code is 938764”)
26. Using Aliases in Amazon Cognito User Pools
   • Sign-up and sign-in with email is very common today
   • Aliases in Amazon Cognito support use of email, phone or preferred user name in place of the user name
   • A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user
   • Phone numbers and email addresses must be unique and must be verified before they can be used to sign in
   (Illustration: a “My App” sign-in form with Email and Password fields and Sign In / Sign Up buttons)
27. Getting Started with Your User Pools
   See aws.amazon.com/cognito/dev-resources/ for links to
   • Getting Started Guides
   • Documentation, SDKs, and Sample Apps
   • Videos
   • Presentation Slides
   • Blog Posts
   • Developer Forums
28. Q & A
   • Visit aws.amazon.com/cognito/ to learn more
   • Find resources at aws.amazon.com/cognito/dev-resources/
   • Explore the sample app at github.com/awslabs/aws-serverless-auth-reference-app
   • Ask questions at the AWS Developer Forum or Stack Overflow (‘amazon-cognito’ tag)
29. Appendix
30. Amazon Cognito: Comprehensive Support for Identity Use Cases
31. Pricing for Amazon Cognito User Pools
   • Pricing is based on Monthly Active Users (MAUs) with volume-based discounting
     o A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)
     o No charge for subsequent sessions or for inactive users
   • SMS charges are billed separately (using the SNS Global SMS feature)
   Pricing Tier            Price per 1K MAUs
   First 50,000 MAUs       Free
   Next 50,000 MAUs        $5.50
   Next 900,000 MAUs       $4.60
   Next 9,000,000 MAUs     $3.25
   >10,000,000 MAUs        $2.50
32. Amazon Cognito Sync
   • User Data Storage and Sync – Store app data, preferences, and state; save app and device data to the cloud and merge them after login
   • Any Platform – iOS/Android/FireOS
   • Cross-device / Cross-OS Sync – Sync user data and preferences across devices with a few lines of code
   • Work offline – Data always stored in local SQLite DB first; works seamlessly with intermittent or no connectivity
   • No back end – Simple client SDK eliminates need for server side code
   (Diagram labels: k/v data, Identity pool)
33. Cognito Sync Push Synchronization
   • Sync between devices in near real-time using push instead of polling
   • Fewer syncs = cost savings
   • Powered by SNS
   • Push changes from your backend
34. Cognito Sync Streams
   • Enables deeper analysis of data
   • Receive a stream of any updates to a dataset for each identity in your identity pool
   • Publishes updates to Kinesis
   • From Kinesis write to other destinations such as Redshift or ElasticSearch
   (Diagram: Cognito → Kinesis → Redshift, ElasticSearch)
35. Cognito Sync Events
   • Can be used to provide data validation (Cheating, Sanitization)
   • Can be used to inject data (Bonuses, Content)
   • Perform additional logic server side during a synchronize call
   • Full control over dataset contents
   (Diagram: Cognito → Lambda)
