This document contains a summary of a workshop on user management and app authentication with Amazon Cognito. The workshop covers setting up Cognito user pools for user sign-up, sign-in, and password management. It also covers getting temporary AWS credentials from Cognito identity pools to access AWS services like S3. The hands-on portion involves building a desktop app for user authentication with Cognito user pools and getting credentials to call AWS services.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:Invent
User Management and App
Authentication with Amazon Cognito
W o r k s h o p
R a h u l S a r e e n — S r . C o n s u l t a n t I o T
R a f a e l K o i k e — S r . C o n s u l t a n t S e c u r i t y
N o v e m b e r 3 0 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Cognito Authentication Framework
• Is Cognito Just for Mobile?
• SRP Authentication
• Workshop Requirements
• Hands-On Lab

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS credentials and access control OpenID Connect and OAuth 2.0 Based
Managed user directory Sign in with existing
identities (federation)
Customizable, hosted UI, or
SDK
Amazon Cognito

4. Developer
Authenticated
Identities
Login with Amazon Google Facebook Cognito
User Pools
SAML Open ID Connect
Cognito Federated Identities
Developer Identities
Identity Providers (IdPs):
AWS Services
Amazon API
Gateway*
AWS
Lambda
Amazon
EC2
Amazon
S3
Amazon
RDS
Amazon
Kinesis
Amazon
SNS
AWS IoT
Token
IAM Credentials
User
Send
credentials
to IdP of
choice

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Is Amazon Cognito Just for Mobile?

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito: Identity Scenarios
Business to Consumer Business to Business
Business to Employee IoT Scenarios
Enterprise
DirectoryEnterprise
Directory
SAML
Enterprise
Directory
SAML
AWS IoT

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito: Services
User Pools Federated Identity (Identity Pools)
Sign-up/Sign-in
User Profiles
Issue Tokens
Hosted UIs
OAuth2/OIDC IdP & RP
SAML2 SP
Federation Guest Access
AWS Credentials
Cross Device Sync

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Use Amazon Cognito User Pools If
You Have:
1. End users who want to create an account
2. End users who have an existing social or corporate account
You Want:
1. Managed user directory
2. End user authentication
3. End user profiles
4. OpenID-Connect Id Token, Access Token and Refresh Token which can be used to
authenticate/authorize against your backend service
5. OAuth 2.0 flows for your app to authenticate with User Pool
6. OAuth 2.0 and SAML2 redirect/POST bindings to authenticate with identity providers
7. Integration with API Gateway

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Use Amazon Cognito Identity Pools If
You Have:
1. End user that has authenticated with a social or corporate identity provider and has a token
2. End user that is unauthenticated
You Want:
1. Scoped, time-bound AWS Credentials for that identity
2. Direct access to AWS services from your web or mobile app
3. To use Cognito Sync to sync user preferences and game state across devices

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Authentication
Amazon Cognito User Pools use SRP to
authenticate.
How does that work?

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SRP
The Secure Remote Password protocol (SRP) is an augmented password-
authenticated key agreement (PAKE) protocol, specifically designed to work around
existing patents.[1]
Like all PAKE protocols, an eavesdropper or man in the middle cannot obtain
enough information to be able to brute force guess a password without further
interactions with the parties for each guess. This means that strong security can be
obtained using weak passwords. Furthermore, being an augmented PAKE protocol,
the server does not store password-equivalent data. This means that an attacker
who steals the server data cannot masquerade as the client unless they first
perform a brute force search for the password.
https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SRP
To authenticate with Cognito User Pools IdP, we just need to use
SRP authentication and, after the successful authentication, we
get a JWT.
JSON Web Tokens are an open, industry standard RFC 7519 method
for representing claims securely between two parties.
https://jwt.io/

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
JWT

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
IAM Credentials
OK, where are the IAM credentials?
Where is STS?
I need access keys and secret keys!!!!

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Getting IAM Credentials
To get the STS token you will need to pass ID Token + other
parameters like:
• Identity Pool ID
• Pool ID
• App Client ID

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enhanced (Simplified) Flow

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hands-On

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Details
Choose JAVA or .NET to build your desktop app with chosen language
First Part:
• Setup Cognito User Pools
• Sign-up
• Sign-in
• Reset password
• Change password
Second Part:
• Setup Cognito Identity Pools
• List/put object in S3 buckets after authenticated with the IAM credentials received from Cognito
Third Part:
• Build a Cognito Hosted UI

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Requirements
• AWS Account
• JDK (Java Development Kit)
• Visual Studio 2015 (any edition)

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Accomplishments of This Workshop
1) Create a desktop application with .NET or JAVA
• Sign-up/register users
• Login with username/password (using Cognito User Pools with SRP Authentication)
• Forgot/reset password
• Change password
• Get IAM temporary credentials
• List your S3 buckets (or anything you want with the IAM temporary credentials policy permits)
2) Authenticating your end users using Users Pools Hosted UI with minimal effort
With this workshop, you have the foundation skills to start building applications using Amazon Cognito as
your Authentication framework and AWS IAM Credentials to get access to all AWS services integrated with
your app.

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Let’s Start

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!