Amazon Cognito
Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. It can scale to millions of users and supports sign-in with social identity providers and enterprise identity via SAML 2.0 and OpenID Connect.
Two Main Components
User Pools
A user directory that provides:
- Sign-up and sign-in functionality
- Built-in UI or customisable hosted UI
- MFA and account recovery
- Social login (Google, Facebook, Apple, Amazon)
- SAML/OIDC federation for enterprise SSO
Identity Pools (Federated Identities)
Provides AWS credentials for accessing AWS services:
- Temporary AWS credentials based on user identity
- Fine-grained access control via IAM roles
- Support for authenticated and unauthenticated users
Common Authentication Flow
User → Cognito User Pool → JWT Tokens → API Gateway/AppSync → Backend
What We Like
- Scalability: Handles millions of users without infrastructure concerns
- Security: Built-in protection against common attacks
- Compliance: SOC, PCI, HIPAA eligible
- Cost: Free tier covers many small applications
- Integration: Native support in Amplify, API Gateway, and AppSync
What We Don't Like
- Customisation limits: Email templates and hosted UI have restrictions
- Migration difficulty: User passwords cannot be exported
- Error messages: Generic errors can make debugging frustrating
- Complexity: The User Pools vs Identity Pools distinction confuses newcomers
- Quotas: Some limits (like custom attributes) can't be changed after creation
Best Practices
- Plan your schema: Custom attributes can't be removed or modified later
- Use groups for authorisation: Map Cognito groups to IAM roles or application permissions
- Enable MFA: At least optional MFA for sensitive applications
- Configure password policies: Match your security requirements upfront
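The backend step of the flow above (API Gateway/AppSync → Backend) and the "use groups for authorisation" practice, as an added example that is not part of the original page: a claim check for a Cognito access token run after its signature has already been verified against the user pool's JWKS (assumed done by a JWT library). The region, user pool ID, app client ID, group names and sample claims are constructed placeholders.

```python
import time

# Constructed deployment values (placeholders, not from any real pool).
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
# Cognito issues tokens with iss = https://cognito-idp.<region>.amazonaws.com/<poolId>
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Map Cognito groups to application permissions; unknown groups grant nothing.
GROUP_PERMISSIONS = {
    "admins": {"read", "write", "delete"},
    "editors": {"read", "write"},
}


def validate_access_token_claims(claims, now=None):
    """Check the claims of a Cognito *access* token whose RS256 signature was
    already verified against the pool's JWKS. Returns the granted permissions
    or raises ValueError so the caller can reject the request."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("token was issued by a different user pool")
    # Access tokens carry token_use=access and client_id; ID tokens carry
    # token_use=id and aud. Pinning the type stops an ID token being accepted
    # by an API that expects an access token.
    if claims.get("token_use") != "access":
        raise ValueError("not an access token")
    if claims.get("client_id") != APP_CLIENT_ID:
        raise ValueError("token was issued for a different app client")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    permissions = set()
    for group in claims.get("cognito:groups", []):
        permissions |= GROUP_PERMISSIONS.get(group, set())
    return permissions


def authorize(claims, needed, now=None):
    """True only if the token is valid and its groups grant `needed`."""
    try:
        return needed in validate_access_token_claims(claims, now)
    except ValueError:
        return False


# Constructed sample claims as they would appear after signature verification.
NOW = 1_700_000_000
ACCESS_CLAIMS = {"iss": ISSUER, "token_use": "access", "client_id": APP_CLIENT_ID,
                 "iat": NOW, "exp": NOW + 3600, "username": "alice",
                 "cognito:groups": ["editors"]}
ID_CLAIMS = {"iss": ISSUER, "token_use": "id", "aud": APP_CLIENT_ID,
             "iat": NOW, "exp": NOW + 3600, "cognito:groups": ["admins"]}
```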