
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito



Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests, and how to authenticate them with public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Stephen Johnson, Solutions Architect, AWS; Valentin Polouchkine, Developer Advocate, Twitter. October 2015. MBL402 Identity Management & Data Sync with Amazon Cognito
  2. What to Expect from the Session: dive deep into Cognito Identity; learn about Cognito Sync features; Twitter Fabric and Digits demonstration
  3. Amazon Cognito Overview
     Cognito Identity: authenticates users (third-party ID providers, OpenID Connect providers, developer providers); anonymous identity; federation of identities; OpenID Connect token generation.
     Cognito Sync: store customer data in the cloud; synchronize data between devices and the cloud, and across devices; Cognito Events (trigger AWS Lambda); Cognito Streams (send to Amazon Kinesis).
  4. Amazon Cognito - Identity
  5. Cognito Identity Developer Features: identify customers whenever they use my app, no matter how they authenticate (across IdPs), even if they don't authenticate (upgrade the identity when they do); provide appropriate credentials for AWS access, at any level of permission for any service; distinguish authenticated and unauthenticated users.
  6. AWS Identity Before Cognito (diagram: Mobile Client, Identity Provider, AWS Security Token Service (STS), Amazon S3). 1. Authenticate to the identity provider (Web Identity, SAML or OpenID Connect) 2. Retrieve identity token 3. Assume role (STS) 4. STS validates the token 5. Receive AWS credentials 6. Store data in S3
  7. Cognito Identity Storage: Identity Pool (no limit on the number of identities; up to 60 pools per account; usually one pool per app). Each pool has an Authenticated Role and an Unauthenticated Role, each with its own Trust Policy and Access Policy.
  8. Using Cognito in the Mobile SDK (Android, Java):
     CognitoCachingCredentialsProvider provider = new CognitoCachingCredentialsProvider(
         getApplicationContext(),
         "us-east-1:64813b20-4f17-491a-9287",   // identity pool ID (truncated on the slide)
         Regions.US_EAST_1);
     String identityId = provider.getIdentityId();          // Cognito identity ID for this device/user
     AWSSessionCredentials c = provider.getCredentials();   // temporary credentials for the pool's role
  9. Create an Identity Pool with Roles:
     $ aws cognito-identity create-identity-pool --identity-pool-name mySamplePool --allow-unauthenticated-identities
     {
       "IdentityPoolId": "us-east-1:cb6ff5f8-f6aa",
       "AllowUnauthenticatedIdentities": true,
       "IdentityPoolName": "mySamplePool"
     }
     $ aws cognito-identity set-identity-pool-roles --identity-pool-id us-east-1:cb6ff5f8-f6aa --roles authenticated=arn:aws:iam:::role/Auth_Role,unauthenticated=arn:aws:iam:::role/Unauth_Role
  10. Create an (Unauthenticated) Identity:
     $ aws cognito-identity get-id --identity-pool-id us-east-1:cb6ff5f8-f6aa
     { "IdentityId": "us-east-1:73dbf099-cb1b-4a32-90f0-6c224" }
  11. Get the OpenID Connect Token:
     $ aws cognito-identity get-open-id-token --identity-id us-east-1:73dbf099-cb1b-4a32
     {
       "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NzNkYmYwOTktY2Ix
                 XUSUi27oUABCPA6Vx14WUTUCc7WfMqidQu5GIvZIiCvvTXG9EXY6zsf1C5BhV9EVvtww",
       "IdentityId": "us-east-1:73dbf099-cb1b-4a32"
     }
  12. Cognito Token – JWT format (image; the header segment above decodes to {"kid":"us-east-11","typ":"JWS","alg":"RS512"} and the payload begins with the identity ID as the sub claim)
  13. Assume Unauthenticated Role:
     $ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::role/Cognito_Unauth_Role --role-session-name steve --web-identity-token eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NzNkYmYwOTktY2IxYi00YTMyLTkwZjAtNmMyMjQ4NTg4OGFmIiwiYXVkIjoidXMtZWFzdC0xOjY0ODEzYjIwLTRmMTctNDkxYS05Mjg3LTJiMzc2YjgyNThjO
  14. Assumed Role Credentials (output):
     "Credentials": {
       "AccessKeyId": "ASIAJBGJ6DTQE5Q3N67Q",
       "SecretAccessKey": "aAa5v7/e+rk8Cr5VB+P4sL3DyaQJZ",
       "SessionToken": "AQoDYXdzEFAagAS8+GnLyCwthcqB/GftrGcCcY4cMi8sPOHXk1gNUkWvJIqkUcY4cMi8sPOHXk1gNUkWvJIqkv9uy9H07T4cY4cMi8sPOHXk1gNUkWvJIqk4PF/e==",
       "Expiration": "2015-09-17T00:15:53Z"
     }
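Slides 11 to 14 show the Cognito OpenID token being minted and then exchanged at STS, and the role trust policy on slide 23 conditions on two of its claims (aud, the identity pool, and amr, the authentication level). The following is an added example, not code from the talk: it decodes such a token and applies the claim checks a relying party would make before trusting it. The header segment is copied from the token on slide 11; the payload, the second identity pool ID and the signature are constructed. It does not verify the RS512 signature, which must be done against Cognito's published JWKS with a JOSE library (STS does this for you in AssumeRoleWithWebIdentity).

```python
"""Decode a Cognito Identity OpenID token and check its claims (added example)."""
from __future__ import annotations

import base64
import json
import time
from typing import List, Optional, Tuple

COGNITO_ISSUER = "https://cognito-identity.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWS into (header, claims, raw_signature). No verification here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, _b64url_decode(parts[2])


def check_cognito_claims(claims: dict, identity_pool_id: str, identity_id: str,
                         require_authenticated: bool, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found (empty list means the claims are acceptable).

    These are the same facts an IAM trust policy conditions on (aud = our pool,
    amr contains the expected level), plus issuer, subject and expiry checks.
    """
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != COGNITO_ISSUER:
        problems.append("iss is not Cognito Identity")
    if claims.get("aud") != identity_pool_id:
        problems.append("aud does not match our identity pool (token for another app)")
    if claims.get("sub") != identity_id:
        problems.append("sub does not match the identity ID we requested the token for")
    amr = claims.get("amr", [])
    wanted = "authenticated" if require_authenticated else "unauthenticated"
    if wanted not in amr:
        problems.append(f"amr {amr!r} lacks {wanted!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems


# Constructed sample token. The header is the real one from slide 11
# ({"kid":"us-east-11","typ":"JWS","alg":"RS512"}); payload and signature are made up.
SLIDE_HEADER_SEGMENT = "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ"
POOL_ID = "us-east-1:cb6ff5f8-f6aa"                      # identity pool from slide 9
IDENTITY_ID = "us-east-1:73dbf099-cb1b-4a32-90f0-6c224"  # identity from slide 10


def make_sample_token(amr, exp: int) -> str:
    payload = {"sub": IDENTITY_ID, "aud": POOL_ID, "amr": list(amr),
               "iss": COGNITO_ISSUER, "exp": exp, "iat": exp - 600}
    fake_sig = _b64url_encode(b"\x00" * 64)  # placeholder, not a real RS512 signature
    return ".".join([SLIDE_HEADER_SEGMENT, _b64url_encode(json.dumps(payload).encode()), fake_sig])


if __name__ == "__main__":
    tok = make_sample_token(["unauthenticated"], exp=int(time.time()) + 600)
    hdr, clm, _ = decode_jwt(tok)
    print(hdr)
    print(check_cognito_claims(clm, POOL_ID, IDENTITY_ID, require_authenticated=False))
    print(check_cognito_claims(clm, POOL_ID, IDENTITY_ID, require_authenticated=True))
```

The aud check is what stops a token minted for someone else's identity pool from being accepted, and the amr check is the programmatic twin of the ForAnyValue:StringLike condition in the trust policy: an unauthenticated token must never be allowed to reach the authenticated role.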
  15. Unauthenticated Flow (diagram: Mobile Client, Cognito as the "IDP", STS, Amazon S3). 1. Get new identity (GetId) 2. Get OpenID token (GetOpenIdToken) 3. Assume role (STS AssumeRoleWithWebIdentity) 4. STS validates the token 5. Receive AWS credentials 6. Store data in S3
  16. Revisit API for Authenticated Identities:
     $ aws cognito-identity get-id --identity-pool-id <required> --logins <to fetch authenticated id>
     $ aws cognito-identity get-open-id-token --identity-id <required> --logins <to fetch token for auth'd id>
  17. Getting a Token: linking a login (promotion). get-open-id-token is called with identity Id = 2 plus a provider login; Cognito links the login to Id = 2, promotes the identity to "authenticated", and returns the same identity ID.
  18. Getting a Token: lookup, return id. get-open-id-token is called with Id = 3 and a login already linked to Id = 3; Cognito returns the same identity ID.
  19. Getting a Token: merging identities. get-open-id-token is called with Id = 3 and a login that is already linked to Id = 2; Cognito merges the identities and returns the existing identity ID (Id = 2).
  20. Getting a Token: Not Authorized. get-open-id-token is called for an authenticated identity (Id = 3) without a login; Cognito requires a valid linked login before issuing a token for an authenticated identity.
  21. Authenticated Flow (diagram: Mobile Client, Cognito "IDP", STS, Amazon S3). 1. Get or create identity (GetId with provider login) 2. OpenID token 3. Assume role 4. STS validates the token 5. Receive AWS credentials 6. Store data in S3
  22. Authenticated OpenID Token (image)
  23. OpenID Information in IAM Policy (Trust). Condition block of the role's trust policy (the condition keys were lost from the slide text; restored here as Cognito's documented keys cognito-identity.amazonaws.com:aud and cognito-identity.amazonaws.com:amr):
     "Condition": {
       "StringEquals": {
         "cognito-identity.amazonaws.com:aud": "us-east-1:identity-pool-id"
       },
       "ForAnyValue:StringLike": {
         "cognito-identity.amazonaws.com:amr": "authenticated"
         < or specify by provider… >
       }
     }
  24. Restricting S3 Buckets by User (access policy; the policy variable was lost from the slide text and is restored here as ${cognito-identity.amazonaws.com:sub}, the caller's Cognito identity ID):
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["s3:ListBucket"],
           "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
           "Condition": { "StringLike": { "s3:prefix": ["cognito/myapp/"] } }
         },
         {
           "Effect": "Allow",
           "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
           "Resource": [
             "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/${cognito-identity.amazonaws.com:sub}",
             "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/${cognito-identity.amazonaws.com:sub}/*"
           ]
         }
       ]
     }
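The policy on slide 24 isolates users purely through variable substitution, so it is worth checking what one identity can and cannot reach before shipping it. The block below is an added example, not from the talk: a deliberately small evaluator that substitutes the sub variable, matches actions and resources with IAM-style wildcards, and applies the s3:prefix condition with default deny. It models only Allow statements and StringLike, not the full IAM evaluation logic. The second identity ID and the object keys are constructed. It also shows one tightening a practitioner would consider: as written, the ListBucket statement lets every user list the key names under cognito/myapp/ (object contents stay protected), whereas a per-user prefix condition hides other users' keys too.

```python
"""Check per-user S3 prefix isolation of a Cognito access policy (added example)."""
import copy
import re
from typing import Dict, Optional

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
BUCKET = "arn:aws:s3:::EXAMPLE-BUCKET-NAME"

# The access policy from slide 24, with the policy variable written out.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
         "Condition": {"StringLike": {"s3:prefix": ["cognito/myapp/"]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"{BUCKET}/cognito/myapp/{SUB_VAR}", f"{BUCKET}/cognito/myapp/{SUB_VAR}/*"]},
    ],
}

ALICE = "us-east-1:73dbf099-cb1b-4a32-90f0-6c224"         # identity from slide 10
BOB = "us-east-1:0000aaaa-bbbb-cccc-dddd-000000000000"    # constructed second identity


def _iam_like(pattern: str, value: str) -> bool:
    """IAM wildcard match: * is any sequence, ? is one character, all else literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, identity_id: str, action: str, resource: str,
               context: Optional[Dict[str, str]] = None) -> bool:
    """Default-deny evaluation of the policy's Allow statements for one request.

    Policy variables are substituted with the caller's identity ID before matching,
    which is exactly how the slide-24 policy keeps users inside their own prefix.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # Deny statements are not modelled in this simplified evaluator
        if not any(_iam_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_like(r.replace(SUB_VAR, identity_id), resource)
                   for r in _as_list(stmt["Resource"])):
            continue
        conditions_hold = True
        for key, wanted in stmt.get("Condition", {}).get("StringLike", {}).items():
            have = context.get(key)  # a missing request key makes the condition false
            if have is None or not any(_iam_like(w.replace(SUB_VAR, identity_id), have)
                                       for w in _as_list(wanted)):
                conditions_hold = False
        if conditions_hold:
            return True
    return False


def tighten_list_condition(policy: dict) -> dict:
    """Copy of the policy whose ListBucket condition admits only the caller's own prefix."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if "s3:ListBucket" in _as_list(stmt["Action"]):
            stmt["Condition"] = {"StringLike": {"s3:prefix": [f"cognito/myapp/{SUB_VAR}/*"]}}
    return tightened


def demo() -> Dict[str, bool]:
    """Requests Alice might make, evaluated against the slide-24 policy."""
    return {
        "alice_put_own": is_allowed(POLICY, ALICE, "s3:PutObject", f"{BUCKET}/cognito/myapp/{ALICE}/profile.json"),
        "alice_put_bob": is_allowed(POLICY, ALICE, "s3:PutObject", f"{BUCKET}/cognito/myapp/{BOB}/profile.json"),
        "alice_put_outside": is_allowed(POLICY, ALICE, "s3:PutObject", f"{BUCKET}/other/x"),
        "alice_list_app_prefix": is_allowed(POLICY, ALICE, "s3:ListBucket", BUCKET, {"s3:prefix": "cognito/myapp/"}),
        "alice_list_root": is_allowed(POLICY, ALICE, "s3:ListBucket", BUCKET, {"s3:prefix": ""}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    tight = tighten_list_condition(POLICY)
    print("tightened: alice lists bob's prefix:",
          is_allowed(tight, ALICE, "s3:ListBucket", BUCKET, {"s3:prefix": f"cognito/myapp/{BOB}/"}))
```

Note that alice_list_app_prefix is allowed by the original policy: object reads and writes are confined to the caller's own sub, but the listing condition is shared by all users of the app. Whether that matters depends on whether key names are sensitive; tighten_list_condition shows the stricter variant.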
  25. Using Developer Identities. What if you already have a directory with names and passwords? You can federate your own identities using Cognito with one server-side API call: getOpenIdTokenForDeveloperIdentity.
  26. Developer Authenticated Flow (diagram: Mobile Client, Developer Login server, Cognito "IDP", STS, Amazon S3). 1. Authenticate to the developer login 2. Server requests token from Cognito 3. OpenID token returned to the client 4. Assume role 5. STS validates the token 6. Receive AWS credentials 7. Store data in S3
  27. Developer Auth Demo
  28. Developer Auth Demo (diagram: Mobile Client, API Gateway + AWS Lambda as the login backend, Cognito API, STS, Amazon S3). 1. Authenticate 2. Lambda gets token from the Cognito API 3. OpenID token 4. Assume role 5. Validate 6. Receive AWS credentials 7. Store data
  29. Pro Tips for Cognito Identity: always cache unauthenticated identity IDs; trap security errors so you know when to reauthenticate; be sure to customize the default access policies for authenticated and unauthenticated identities; if you use developer identities, lock down the login workflow.
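Slides 25 to 29 describe the developer-authenticated flow and end with the advice to lock down its login workflow, since whoever obtains a token from GetOpenIdTokenForDeveloperIdentity can assume the pool's authenticated role. The following is an added example, not the demo from the talk: the server side of that flow, written as the login function a Lambda behind API Gateway would call. boto3's get_open_id_token_for_developer_identity(IdentityPoolId, Logins, TokenDuration) is the real API; the developer provider name "login.myapp", the user store, the PBKDF2 parameters and the fake Cognito client used to run offline are assumptions for the example.

```python
"""Developer-authenticated identities: verify the user, then mint a Cognito token (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

IDENTITY_POOL_ID = "us-east-1:cb6ff5f8-f6aa"   # identity pool from slide 9
DEVELOPER_PROVIDER_NAME = "login.myapp"         # assumed; must equal the pool's developer provider name
TOKEN_DURATION_SECONDS = 900                    # short-lived: the client exchanges it at STS immediately
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison


# Constructed user store standing in for the developer's existing directory.
USERS: Dict[str, str] = {"alice": hash_password("correct horse battery staple", salt=b"\x01" * 16)}
# Hash checked for unknown usernames so response time does not reveal which names exist.
DUMMY_STORED_HASH = hash_password("", salt=b"\x00" * 16)


class FakeCognitoIdentityClient:
    """Stand-in for boto3.client('cognito-identity') so the example runs offline."""

    def __init__(self) -> None:
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **kwargs):
        self.calls.append(kwargs)
        # The real response carries the (possibly newly created) IdentityId and a Cognito OpenID token.
        login_value = next(iter(kwargs["Logins"].values()))
        return {"IdentityId": f"us-east-1:fake-{login_value}", "Token": "eyJ...(JWT)"}


def login(username: str, password: str, cognito=None) -> Optional[dict]:
    """Authenticate against our own directory, then mint a Cognito token for that user.

    Returns {"IdentityId", "Token"} on success and None on failure. The Logins value is
    asserted by this server, never taken from the client: it is the stable user identifier
    Cognito links to the identity, and the token it yields unlocks the authenticated role.
    """
    stored = USERS.get(username, DUMMY_STORED_HASH)
    if not verify_password(password, stored) or username not in USERS:
        return None
    if cognito is None:
        import boto3  # only needed on a real server; credentials come from the Lambda role
        cognito = boto3.client("cognito-identity")
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        Logins={DEVELOPER_PROVIDER_NAME: username},
        TokenDuration=TOKEN_DURATION_SECONDS,
    )
    return {"IdentityId": resp["IdentityId"], "Token": resp["Token"]}


if __name__ == "__main__":
    fake = FakeCognitoIdentityClient()
    print(login("alice", "wrong password", fake))                   # None, no Cognito call made
    print(login("alice", "correct horse battery staple", fake))     # IdentityId + Token
```

The pattern to keep is that the Cognito call happens only after the server has verified the credential itself, with a short TokenDuration, and that the login value is something the server controls (a user ID, not a client-supplied string). Rate limiting and lockout belong in front of this function at the API Gateway or application layer.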
  30. Amazon Cognito Sync
  31. Cognito Sync Data Structure (diagram: an Identity Pool containing per-identity stores of twenty 1 MB datasets). Each identity's store contains up to 20 datasets of up to 1 MB each; a dataset contains key/value records.
  32. Pro Tips for Cognito Sync: use SyncOnConnect or explicit Sync calls depending on the use case; sync happens at the dataset level, so use different datasets for different sync patterns; if you require immediate updates, use Cognito Push Sync; implement SyncCallback if you want to know what's going on, or to give your customers a better experience.
  33. Cognito Sync Events (diagram: Mobile Client, Identity Pool sync data, AWS Lambda, Amazon DynamoDB, Amazon Redshift). 1. Client syncs a dataset 2. SyncTrigger event invokes Lambda 3. Lambda reads/writes DynamoDB 4. Writes to Redshift 5. Updated records are returned to the sync store
  34. Pro Tips for Cognito Events. The function handles incoming sync data: whatever makes it into the store will be shared with all clients on their next sync. You have control over what is stored: add, modify or delete records; modify record values (for example to create read-only values); use DynamoDB, S3 or Amazon RDS to support complex use cases; validate values to detect exploits or cheating.
  35. Cognito Streams (diagram: Mobile Client, Identity Pool sync data, Amazon Kinesis, Amazon Redshift, Amazon S3). 1. Client syncs 2. Changes are streamed to Kinesis 3. Consumers update Redshift or S3
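Slides 33 and 34 say a SyncTrigger Lambda can rewrite or drop records before they reach the store, and suggest using that to create read-only values and to detect cheating. The following is an added example of such a handler, not code from the talk. It follows the documented SyncTrigger event shape (datasetRecords mapping each key to oldValue, newValue and op, with the same structure returned); the dataset name "game_state", the record keys, the read-only key and the plausibility limits are assumptions for the example, and the event itself is constructed.

```python
"""Cognito Events SyncTrigger handler that validates client-submitted records (added example)."""
import copy
from typing import Any, Dict

# Keys the client may never change: the server restores the stored value.
READ_ONLY_KEYS = {"account_tier"}
# Plausibility limits for client-controlled values (tampering shows up as impossible jumps).
MAX_HIGH_SCORE = 1_000_000
MAX_COINS_PER_SYNC = 500


def _to_int(value: Any, default: int = 0) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def _clamp_score(old: Any, new: Any) -> int:
    # A high score can only rise, and never beyond the plausible maximum.
    o, n = _to_int(old), _to_int(new)
    return max(o, min(n, MAX_HIGH_SCORE))


def _clamp_coins(old: Any, new: Any) -> int:
    # Coins may grow by at most MAX_COINS_PER_SYNC per sync; spending (a decrease) is fine.
    o, n = _to_int(old), _to_int(new)
    return min(n, o + MAX_COINS_PER_SYNC) if n > o else n


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point. Cognito stores whatever datasetRecords we return."""
    if event.get("eventType") != "SyncTrigger":
        return event
    for key, rec in event.get("datasetRecords", {}).items():
        old, new = rec.get("oldValue"), rec.get("newValue")
        if key in READ_ONLY_KEYS and new != old:
            if old is None:
                rec["op"] = "remove"            # client tried to create a server-owned key
            else:
                rec["newValue"] = old           # undo the client's change
                rec["op"] = "replace"
        elif key == "high_score":
            rec["newValue"] = str(_clamp_score(old, new))
            rec["op"] = "replace"
        elif key == "coins":
            rec["newValue"] = str(_clamp_coins(old, new))
            rec["op"] = "replace"
        # Other keys are passed through unchanged.
    return event


# Constructed SyncTrigger event: a client trying to inflate its score, mint coins and
# upgrade its own tier, plus a legitimate nickname change.
SAMPLE_EVENT = {
    "version": 2,
    "eventType": "SyncTrigger",
    "region": "us-east-1",
    "identityPoolId": "us-east-1:cb6ff5f8-f6aa",
    "identityId": "us-east-1:73dbf099-cb1b-4a32-90f0-6c224",
    "datasetName": "game_state",
    "datasetRecords": {
        "high_score": {"oldValue": "4200", "newValue": "999999999", "op": "replace"},
        "coins": {"oldValue": "100", "newValue": "5000", "op": "replace"},
        "account_tier": {"oldValue": "free", "newValue": "premium", "op": "replace"},
        "nickname": {"oldValue": "anon", "newValue": "steve", "op": "replace"},
    },
}


def run_sample() -> Dict[str, Any]:
    """Run the handler on a copy of the constructed event and return the response."""
    return handler(copy.deepcopy(SAMPLE_EVENT), context=None)


if __name__ == "__main__":
    for key, rec in run_sample()["datasetRecords"].items():
        print(f"{key}: {rec['op']} -> {rec.get('newValue')}")
```

Because every client receives whatever the store holds on its next sync, this validation is the only point where a cheating client's values can be caught before they propagate to all of that user's devices. Values that must be authoritative (entitlements, tiers, purchase state) should be written by the server, not accepted from the client and merely clamped.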
  36. Twitter Digits Integration
  37. What's in the box? Crashlytics Kit (stability), Twitter Kit (social), MoPub Kit (revenue), Digits Kit (identity)
  38. Basic flow: the user enters a phone number; Digits sends an SMS with a confirmation code; the user submits the confirmation code; the app receives a stable ID and an OAuth token.
  39. Digits: iOS, Android, JS; 216 countries, 28 languages; 2FA, phone number change; voice verification as fallback
  40. Thank you!
  41. Remember to complete your evaluations!
  42. Related Sessions: SEC307 - A Progressive Journey Through AWS IAM Federation Options; SEC305 - Become an AWS IAM Policy Ninja in 60 Minutes or Less; MBL309 - Analyze Mobile App Data and Build Predictive Applications