
Getting Started with Cognito User Pools - September Webinar Series


You can now use Amazon Cognito to easily add user sign-up and sign-in to your mobile and web apps instead of worrying about user management, authentication, and sync across platforms and devices. With the User Pools feature, you can create your own user directory that can scale to hundreds of millions of users, and is fully managed so you don’t have to worry about building, securing, and scaling authentication to your apps. In this webinar, we will walk you through the process of adding user sign-up and sign-in to your mobile and web apps.

Learning Objectives:
*Learn to add user sign-up and sign-in to your mobile and web apps quickly and easily
*Authenticate users through social identity providers such as Facebook, Twitter, or Amazon and provide secure access to AWS resources



  1. Getting Started with Amazon Cognito User Pools. Tim Hunt, Sr. Product Manager, Amazon Cognito. September 21, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Topics
     - AWS Mobile Services and Amazon Cognito
     - Introduction to Your User Pools
     - Summary of Features
     - Demo
     - Deeper Dive in a Few Areas
     - Getting Started
     - Q & A
  3. The Best Mobile Apps Run on AWS
  4. Build and Scale Your Apps on AWS
     - Authenticate users: Amazon Cognito (Identity)
     - Synchronize data: Amazon Cognito (Sync)
     - Analyze user behavior: Amazon Mobile Analytics
     - Track retention: Amazon Mobile Analytics
     - Store and share media: Amazon S3
     - Deliver media: Amazon CloudFront
     - Store data: Amazon DynamoDB, Amazon RDS
     - Send push notifications: Amazon SNS Mobile Push
     - Server-side logic: Lambda
     - Test your app: Device Farm
  5. AWS Mobile Hub: Fastest Way to Build Apps on AWS
  6. Comprehensive Support for Identity Use Cases
  7. Amazon Cognito Identity and Sync
     - Federated Identities (Amazon Cognito Identity): manage authenticated and guest users’ access to your AWS resources; identities can come from your own auth, guest access, or SAML
     - Data Synchronization (Amazon Cognito Sync): synchronize a user’s k/v data across devices and platforms via the cloud
     - Your User Pool: add sign-up and sign-in with a fully managed user directory
  8. Amazon Cognito Identity and User Experience
     - Sign in with Facebook: authenticate via 3rd party identity providers
     - Username and password: Your User Pools in Amazon Cognito
     - Start as a guest: guest access
     - In each case, Amazon Cognito Identity provides temporary credentials to securely access your resources (DynamoDB, S3, API Gateway)
  9. Your User Pools
     - Serverless Authentication and User Management: add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
     - Enhanced Security Features: verify phone numbers and email addresses and offer multi-factor authentication
     - Managed User Directory: launch a simple, low-cost, and fully managed service to create and maintain a user directory that can scale to 100s of millions of users
  10. Comprehensive User Flows
     - User registration and authentication: users can sign up and sign in using an email, phone number, or username (and password)
     - Email or phone number verification: users verify their email address or phone number prior to activating an account
     - Forgot password: users can change their password if they forget it
     - User profile data: users can view and update profile data, including custom attributes
     - SMS-based MFA: users complete Multi-Factor Authentication (MFA) by inputting a security code received via SMS as part of the sign-in flow
     - Customize these user flows using Lambda
  11. Custom User Flows Using Lambda Hooks (category, Lambda hook, example scenario)
     - Custom Authentication Flow
       - Define Auth Challenge: determines the next challenge in a custom auth flow
       - Create Auth Challenge: creates a challenge in a custom auth flow
       - Verify Auth Challenge Response: determines if a response is correct in a custom auth flow
     - Authentication Events
       - Pre Authentication: custom validation to accept or deny the sign-in request
       - Post Authentication: event logging for custom analytics
     - Sign-Up
       - Pre Sign-up: custom validation to accept or deny the sign-up request
       - Post Confirmation: custom welcome messages or event logging for custom analytics
     - Messages
       - Custom Message: advanced customization and localization of messages
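The "Pre Sign-up: custom validation to accept or deny the sign-up request" hook above is the one most teams reach for first. The following is an added example, not code from the deck or from AWS: a Node.js handler body that denies self-service sign-ups whose email address is not in an allow-listed domain and leaves the built-in verification step in place. The event field names (`event.request.userAttributes`, `event.response.autoConfirmUser`, `autoVerifyEmail`, `autoVerifyPhone`) follow the Cognito Pre Sign-up trigger; the domain allow-list, the `emailDomain` helper and the sample events are constructed for the example.

```javascript
// Added example (not from the deck): a Pre Sign-up Lambda hook that accepts or denies
// self-service sign-ups by email domain. Event field names follow the Cognito Pre Sign-up
// trigger shape; the allow-list below and the sample events are constructed.
const ALLOWED_EMAIL_DOMAINS = new Set(['example.com']); // constructed policy

// Returns the domain part of an email address, lower-cased, or '' when there is none.
function emailDomain(email) {
  const e = String(email || '').trim().toLowerCase();
  const at = e.lastIndexOf('@');
  return at > 0 && at < e.length - 1 ? e.slice(at + 1) : '';
}

// Pre Sign-up handler body. Throwing denies the sign-up (the message may be surfaced to the
// client, so keep it generic); returning the event with its response flags lets it continue.
function preSignUp(event, allowedDomains = ALLOWED_EMAIL_DOMAINS) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const domain = emailDomain(attrs.email);
  if (!domain) {
    throw new Error('Sign-up rejected: an email address is required');
  }
  if (!allowedDomains.has(domain)) {
    throw new Error('Sign-up rejected: email domain is not allowed');
  }
  // Do not auto-confirm or auto-verify: an unverified address must not become a usable
  // sign-in alias, so the built-in verification-code flow stays in charge.
  event.response = Object.assign({}, event.response, {
    autoConfirmUser: false,
    autoVerifyEmail: false,
    autoVerifyPhone: false,
  });
  return event;
}

// Lambda entry point (assumed deployment as a Node.js function wired to the Pre Sign-up hook).
async function handler(event) {
  return preSignUp(event);
}
```

Deploy `handler` as the pool's Pre Sign-up trigger; the same hook fires for admin-created users and imported users as well, so a deployment that wants the policy only for self-service sign-ups should additionally branch on the event's trigger source.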
  12. Custom Auth Flow (diagram: your app exchanges custom authentication challenges, e.g., CAPTCHA or custom 2nd factors, with Amazon Cognito Your User Pools over six numbered steps)
  13. Extensive Admin Capabilities
     - Create and manage user pools: create, configure, and delete user pools across AWS regions
     - Define custom attributes: define custom attributes for your user profiles
     - Set per-app permissions: set read and write permissions for each user attribute on a per-app basis
     - Set up password policies: enforce password policies like minimum length and requirements for different character types
     - Require submission of attribute data: select which attributes must be provided by the user to complete sign-up
     - Search for users: search for users based on a full match or a prefix match of their attributes through the console or admin API
     - Manage users: conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
  14. Remembered Devices: remember the devices associated with your users
     - Reduce the friction that your users face with MFA by suppressing the 2nd factor challenge from remembered devices
     - Build logic to associate devices with your users to achieve specific business requirements such as remote device sign-out
  15. Amazon Cognito User Pools and Amazon API Gateway
     - Native Support: configure API Gateway to accept Cognito user pool ID tokens to authorize users
     - Custom Authorizer Function: control access to your APIs by inspecting tokens provided by Cognito user pools
  16. Importing Existing Users
     - Import users into your Cognito user pool by uploading .csv files
     - Users will create a new password when they first sign in
     - Each imported user must have an email address or a phone number
  17. Control Attribute Permissions: choose which user attributes each app can read and write (example matrix with Read and Write columns for the attributes name, phone, and custom:paid)
  18. Additional User Pool Features
     - Customizable email addresses: customize the "from" email address of emails you send to users in a user pool
     - Admin sign-in: your app can sign in users from back-end servers or Lambda functions
     - Global sign-out: allow a user to sign out from all signed-in devices or browsers
     - Custom expiration period: set an expiration period for refresh tokens
  19. Feedback from our beta customers
     - “Building an AWS serverless platform that manages sensitive customer data requires an authentication strategy that protects the information from unauthorized access. Using the Amazon Cognito user pool feature together with AWS Lambda, we’re developing a flexible, fully integrated solution that can scale effortlessly – a powerful tool that will be critical in keeping our customers’ data secure.”
     - “It is critical for us to provide a secure and simple sign-up and sign-in experience for our tens of millions of end users. With Amazon Cognito, we can enable that without having to worry about building and managing any backend infrastructure.”
  20. Demo
  21. Understanding User Status
     - New users start with “Registered” status
     - Users must be confirmed before they can sign in
     - Users must be disabled before they can be deleted
     - State diagram: Sign-up (Lambda trigger: Pre Sign-up) -> Registered (cannot sign in) -> verify email or verify phone -> Confirmed -> Disable -> Disabled -> Delete -> (deleted); User import -> Password Reset Required -> Reset password -> Confirmed
  22. Verifying Email and Phone
     - Your User Pools provide built-in verification of email addresses and phone numbers
     - A six-digit code is sent as an email message or SMS text (e.g., “Your verification code is 938764”) and is submitted via the VerifyUserAttribute API
     - If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone
     - Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
  23. Using Aliases in Amazon Cognito User Pools
     - Sign-up and sign-in with email is very common today
     - Aliases in Amazon Cognito support use of email, phone, or preferred user name in place of the user name
     - A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user
     - Phone numbers and email addresses must be unique and must be verified before they can be used to sign in
     - (Mock-up: a “My App” sign-in screen with Email and Password fields and Sign In / Sign Up buttons)
  24. Cognito User and Federated Identities
     - Step 1: the user signs in to Cognito User Identities (Your User Pool)
     - Step 2: the user pool returns Access and ID tokens
     - Step 3: the app presents the token to Cognito Federated Identities (Identity Pool) to get AWS-scoped credentials
     - Step 4: those credentials give access to AWS services (DynamoDB, S3, API Gateway)
  25. Getting Started with Your User Pools: see for links to
     - SDKs for iOS, Android, and JavaScript
     - Sample apps for iOS and Android (an AWS Mobile Blog article describes them)
     - Developer Guide
     - API Reference Guide
  26. Q&A. If you want to learn more, register for our upcoming AWS DevDay Austin: Monday, October 24, 2016, JW Marriott Austin. A free, one-day developer event featuring tracks, labs, and workshops around Serverless, Containers, IoT, and Mobile.
  27. Appendix. Visit to learn more
  28. AWS Resources: Cognito Functional Diagram
     - Authentication (supported providers: Social Identity Providers, Developer Provided, Enterprise Identity Provider via SAML, Cognito User Pool): authenticate users and generate identity tokens
     - Authorization / Permission (Cognito Federated Identities, Identity Pool): validates identity tokens and provides credentials to access AWS resources
  29. Pricing
     - Pricing is based on Monthly Active Users (MAUs) with volume-based discounting
     - A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change)
     - No charge for subsequent sessions or for inactive users
     - SMS charges are billed separately (using the SNS Global SMS feature)

       Pricing Tier          Price per 1K MAUs
       First 50,000 MAUs     Free
       Next 50,000 MAUs      $5.50
       Next 900,000 MAUs     $4.60
       Next 9,000,000 MAUs   $3.25
       >10,000,000 MAUs      $2.50
  30. Amazon Cognito Sync: User Data Storage and Sync (k/v data tied to an identity pool)
     - Any platform: iOS/Android/FireOS
     - Store app data, preferences, and state: save app and device data to the cloud and merge them after login
     - Cross-device / cross-OS sync: sync user data and preferences across devices with a few lines of code
     - Work offline: data is always stored in a local SQLite DB first and works seamlessly with intermittent or no connectivity
     - No back end: the simple client SDK eliminates the need for server-side code
  31. Push Sync
     - Sync between devices in near real-time using push instead of polling
     - Fewer syncs = cost savings
     - Powered by SNS
     - Push changes from your backend
  32. Cognito Streams
     - Enables deeper analysis of data
     - Receive a stream of any updates to a dataset for each identity in your identity pool
     - Publishes updates to Kinesis
     - From Kinesis, write to other destinations such as Redshift or Elasticsearch
  33. Cognito Events (Cognito invokes Lambda)
     - Can be used to provide data validation (cheating, sanitization)
     - Can be used to inject data (bonuses, content)
     - Perform additional logic server-side during a synchronize call
     - Full control over dataset contents