Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests using public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.
5. Cognito Identity Developer Features
Identify customers whenever they use my app
No matter how they authenticate (across IDPs)
Even if they don’t authenticate (upgrade when they do)
Provide appropriate credentials for AWS access
Any level of permission, for any service
Distinguish authenticated and unauthenticated users
6. AWS Identity Before Cognito
[Diagram] Actors: Mobile Client, Identity Provider (Web Identity -or- SAML -or- OpenID Connect), AWS Security Token Service (STS), Amazon S3
1. Authenticate (mobile client to identity provider)
2. Retrieve Identity
3. Assume Role (mobile client to STS)
4. Validate (STS checks the identity with the provider)
5. Receive AWS Credentials
6. Store Data (Amazon S3)
7. Cognito - Identity Storage
[Diagram] Identity Pool: no limit on # identities; up to 60 pools / account; usually associated with an app
Authenticated Role: Trust Policy + Access Policy
Unauthenticated Role: Trust Policy + Access Policy
8. Using Cognito in the Mobile SDK
    // AWS Mobile SDK for Android
    import com.amazonaws.auth.AWSSessionCredentials;
    import com.amazonaws.auth.CognitoCachingCredentialsProvider;
    import com.amazonaws.regions.Regions;

    // Caches the identity ID and credentials on the device across launches
    CognitoCachingCredentialsProvider provider =
        new CognitoCachingCredentialsProvider(
            getApplicationContext(),
            "us-east-1:64813b20-4f17-491a-9287",   // identity pool ID (as shown on the slide)
            Regions.US_EAST_1
        );
    // Returns the cached identity ID, or obtains a new unauthenticated one
    String identityId = provider.getIdentityId();
    // Temporary AWS credentials for the pool's unauthenticated role
    AWSSessionCredentials c = provider.getCredentials();
9. Create an Identity Pool with Roles
$ aws cognito-identity create-identity-pool \
    --identity-pool-name mySamplePool \
    --allow-unauthenticated-identities
{ "IdentityPoolId": "us-east-1:cb6ff5f8-f6aa",
  "AllowUnauthenticatedIdentities": true,
  "IdentityPoolName": "mySamplePool" }
$ aws cognito-identity set-identity-pool-roles \
    --identity-pool-id us-east-1:cb6ff5f8-f6aa \
    --roles authenticated=arn:aws:iam:::role/Auth_Role,unauthenticated=arn:aws:iam:::role/Unauth_Role
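Before pointing set-identity-pool-roles at a role, it is worth checking that the role's trust policy only lets this pool's identities assume it, and only the right tier. The checker below is an added example, not part of the deck or the AWS tooling; the pool ID and the sample policies are constructed here.

```python
"""Audit a role's trust policy before attaching it to a pool with
set-identity-pool-roles: it should trust only the Cognito federated principal,
be pinned to this pool (the aud condition) and to one tier (the amr condition)."""

COGNITO = "cognito-identity.amazonaws.com"
AUD_KEY, AMR_KEY = COGNITO + ":aud", COGNITO + ":amr"
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder

def _as_list(value):
    """IAM condition values may be a single string or a list of strings."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy: dict, pool_id: str, tier: str) -> list:
    """Return findings for the role's AssumeRoleWithWebIdentity grants; [] means OK."""
    findings, seen = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        seen = True
        if stmt.get("Principal", {}).get("Federated") != COGNITO:
            findings.append("trusts a federated principal other than Cognito")
        cond = stmt.get("Condition", {})
        if _as_list(cond.get("StringEquals", {}).get(AUD_KEY)) != [pool_id]:
            findings.append("aud condition missing or not pinned to this pool")
        if _as_list(cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY)) != [tier]:
            findings.append("amr condition missing or not limited to " + tier)
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings

def cognito_trust_policy(pool_id: str, tier: str) -> dict:
    """Constructed here in the shape the Cognito console generates for a pool role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {AUD_KEY: pool_id},
            "ForAnyValue:StringLike": {AMR_KEY: tier},
        },
    }]}

# Weak variant: without the amr condition, the pool's unauthenticated (guest)
# identities can also assume the role that was meant for authenticated users.
WEAK_AUTH_ROLE = cognito_trust_policy(POOL_ID, "authenticated")
del WEAK_AUTH_ROLE["Statement"][0]["Condition"]["ForAnyValue:StringLike"]
```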
16. Revisit API for Authenticated Identities
$ aws cognito-identity get-id \
    --identity-pool-id <required> \
    --logins <to fetch authenticated id>
$ aws cognito-identity get-open-id-token \
    --identity-id <required> \
    --logins <to fetch token for auth’d id>
17. Getting a Token : linking a login (promotion)
[Diagram] get-open-id-token is called for identity Id = 2 together with a login that is not yet linked to an identity. Cognito links the login, promotes Id = 2 to “authenticated”, and returns the same identity-id.
18. Getting a Token : lookup, return id
[Diagram] get-open-id-token is called for identity Id = 3 together with a login already linked to Id = 3. Cognito looks it up and returns the same identity-id.
19. Getting a Token : merging identities
[Diagram] get-open-id-token is called for identity Id = 3 together with a login that is already linked to identity Id = 2. Cognito merges the identities and returns an existing identity-id (Id = 2).
20. Getting a Token : Not Authorized
[Diagram] get-open-id-token is called for identity Id = 3 without a valid linked login. Cognito requires a valid linked login before giving a token for an authorized ID.
25. Using Developer Identities
What if you already have a directory with names and passwords?
You can federate your own identities using Cognito
One server side API call:
getOpenIdTokenForDeveloperIdentity
26. Developer Authenticated Flow
[Diagram] Actors: Mobile Client, Developer Login, Cognito (acting as the “IDP”), STS, Amazon S3
1. Authenticate (mobile client to developer login)
2. Request Token (developer login to Cognito)
3. OpenID Token
4. Assume Role (STS)
5. Validate
6. Receive AWS Credentials
7. Store Data (Amazon S3)
28. Developer Auth Demo
[Diagram] Same flow, with the developer login implemented as an API on API Gateway backed by AWS Lambda: Mobile Client, API Gateway + AWS Lambda, Cognito API, STS, Amazon S3
1. Authenticate (mobile client to the API)
2. Get Token (Lambda to the Cognito API)
3. OpenID Token
4. Assume Role (STS)
5. Validate
6. Receive AWS Credentials
7. Store Data (Amazon S3)
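The backend half of the demo, steps 1 to 3, as an added example (not the deck's or AWS's code): the Lambda verifies the app's own credentials and only then calls GetOpenIdTokenForDeveloperIdentity. The pool ID, developer provider name, and the tiny password directory are constructed assumptions, and the Cognito client is injectable so the logic runs offline.

```python
"""Backend half of the developer-authenticated flow (steps 1-3 on the slide):
verify the app's own login, then ask Cognito for an OpenID token for that user."""
import hashlib
import hmac
import json

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder
PROVIDER_NAME = "login.example.com"  # developer provider name set on the pool (assumed)
TOKEN_DURATION = 900                 # seconds; short-lived, the client re-requests

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the directory you already have: user -> (salt, key).
USERS = {"alice": (b"constructed-salt", _derive("correct horse", b"constructed-salt"))}

def verify_login(username: str, password: str) -> bool:
    """True only when the password matches; unknown users fail the same way."""
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _derive(password, salt))

def issue_developer_token(cognito, username: str, password: str) -> dict:
    """Verify first, then call GetOpenIdTokenForDeveloperIdentity (boto3 spelling)."""
    if not verify_login(username, password):
        raise PermissionError("invalid credentials")
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=POOL_ID,
        Logins={PROVIDER_NAME: username},  # user id from OUR directory, never from the client
        TokenDuration=TOKEN_DURATION,
    )
    return {"IdentityId": resp["IdentityId"], "Token": resp["Token"]}

def lambda_handler(event, context, cognito=None):
    """API Gateway entry point; `cognito` is injectable so the flow runs offline."""
    if cognito is None:
        import boto3  # the real client when deployed
        cognito = boto3.client("cognito-identity")
    body = event.get("body") or {}
    if isinstance(body, str):
        body = json.loads(body)
    try:
        token = issue_developer_token(cognito, body.get("username", ""), body.get("password", ""))
        return {"statusCode": 200, "body": json.dumps(token)}
    except PermissionError:
        return {"statusCode": 401, "body": json.dumps({"error": "invalid credentials"})}
```

Because the Logins value comes from the server's own directory, a caller can only ever obtain a token for the identity it just proved, which is what "lock down the login workflow" means in practice.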
29. Pro Tips for Cognito Identity
Always cache Unauthenticated Identity IDs
Trap security errors so you know when to reauthenticate
Be sure to customize the default Access Policies for Authenticated and Unauthenticated Identities
If you use Developer Identities, lock down the login workflow.
31. Cognito Sync Data Structure
[Diagram] Identity Pool; each identity’s store contains up to 20 Datasets of 1 MB each; a Dataset contains Key/Value Records
32. Pro Tips for Cognito Sync
Use SyncOnConnect, or explicit Sync calls depending on use case
Sync happens at the Dataset level. Use different datasets for different Sync patterns
If you require immediate updates, use Cognito Push Sync
Implement SyncCallback if you want to know what’s going on, or give your Customers a better experience
33. Cognito Sync Events
[Diagram] Actors: Mobile Client, Identity Pool (Sync Data), AWS Lambda, Amazon DynamoDB, Amazon Redshift
1. Sync (mobile client to identity pool)
2. SyncTrigger Event (to AWS Lambda)
3. R/W (Amazon DynamoDB)
4. Write (Amazon Redshift)
5. Update (sync data)
34. Pro Tips for Cognito Events
Handles incoming Sync Data: whatever makes it into the store will be shared with all clients on sync
You have control over what is stored:
Add, Modify, or Delete Records
Modify Record Values (create ‘Read Only’ Values)
Use DynamoDB, S3, or Amazon RDS to support complex use cases
Validate values to detect exploits or cheating
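A SyncTrigger handler that does the four things above (reverts a server-owned value, rejects an implausible value, lets an ordinary change through, and adds a record of its own), as an added example that is not code from the deck. The dataset name, keys, limit and the sample event are constructed assumptions; the event shape follows the SyncTrigger event that Cognito Events delivers.

```python
"""Cognito Events handler for the SyncTrigger event (step 2 on slide 33). It
receives every record a client is pushing and returns the event with the records
it actually wants stored; whatever it lets through reaches all of that identity's
devices on their next sync, so server-side invariants are enforced here."""
import copy

DATASET = "game_state"        # dataset the app syncs (assumed)
SERVER_OWNED = {"premium"}    # keys clients may read but never write
MAX_SCORE = 10_000            # anything above this came from a tampered client

# Constructed sample of what Cognito Sync delivers for one client's sync.
SAMPLE_EVENT = {
    "version": 2, "eventType": "SyncTrigger", "region": "us-east-1",
    "identityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "identityId": "us-east-1:11111111-1111-1111-1111-111111111111",
    "datasetName": DATASET,
    "datasetRecords": {
        "score": {"oldValue": "1200", "newValue": "999999", "op": "replace"},
        "premium": {"oldValue": "false", "newValue": "true", "op": "replace"},
        "nickname": {"oldValue": "bob", "newValue": "robert", "op": "replace"},
    },
}

def _revert(rec: dict) -> None:
    """Keep the stored value, or drop the record if the key never existed."""
    if rec.get("oldValue") is None:
        rec["op"] = "remove"
    else:
        rec["newValue"], rec["op"] = rec["oldValue"], "replace"

def _valid_score(value) -> bool:
    return isinstance(value, str) and value.isdigit() and int(value) <= MAX_SCORE

def handle_sync_trigger(event: dict, context=None) -> dict:
    """Lambda entry point: return the event Cognito should store; input is untouched."""
    if event.get("eventType") != "SyncTrigger" or event.get("datasetName") != DATASET:
        return event  # other datasets pass through unchanged
    out = copy.deepcopy(event)
    records = out["datasetRecords"]
    for key, rec in records.items():
        if key in SERVER_OWNED:
            _revert(rec)  # read-only value: the client's write is discarded
        elif key == "score" and not _valid_score(rec.get("newValue")):
            _revert(rec)  # out-of-range or non-numeric score: keep the old one
    # The server can also add a record the client never sent.
    records["validated_at_version"] = {"newValue": "1", "op": "replace"}
    return out
```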
43. Related Sessions
SEC307 - A Progressive Journey Through AWS IAM Federation Options
SEC305 - Become an AWS IAM Policy Ninja in 60 Minutes or Less
MBL309 - Analyze Mobile App Data and Build Predictive Applications