Serverless Meetup - Getting started with AWS Cognito [Jul 2020]

dhavaln 48 views 30 slides Sep 04, 2024

About This Presentation

This presentation is Part 1 of the Serverless Application Authentication Series.

Amazon Cognito is a fully managed service that simplifies the process of adding authentication, authorization, and user management to your web and mobile applications. It allows developers to quickly integrate user sig...


Slide Content

Getting Started with
Amazon Cognito
Managed Authentication and Authorization Service

https://communityday.awsug.in

●Cloud Practitioner
●12x AWS, Google Cloud, Docker, Kubernetes
Certified
●AWS Serverless Hero
●Founder @ AppGambit, AWS Consulting Partner
●AWS Surat User Group Organiser

Level 200-300

In our definition, for a service to be considered
serverless, it must scale automatically with no
need for explicit provisioning, and be billed based
on usage.
A Berkeley View on Serverless Computing

Modern Applications need...
●Highly Secure, Durable and Scalable
●Social Logins
●Multiple Interfaces (Web, Mobile, Smart Devices)
●Multi-factor Authentication
●SMS OTP
●Adaptive Authentication
●Signup/Signin Workflow Customization
●Built-in UI with Customization
●Pay for what you use
●Minimum Operational overhead

Amazon Cognito - Undifferentiated Heavy Lifting
●Manage Identities
○Local
○Federated
●Manage User data, Passwords and configurations
●Highly Available and Secure
●Token-based authentication
●3rd Party Integration, OAuth2, OIDC
●Integration with Enterprise policies via Directory Service
●Hosted UI
●APIs and SDK Integration
●Lambda Hooks

How Amazon Cognito Works
[Diagram: Web/Mobile App <-> AWS Cognito (Managed User Directory, Hosted UI, Standard Tokens (OIDC, OAuth2), Federated Identity, AWS Credentials)]
Cognito manages your app authentication and authorization process; the application uses Auth as a Service.

Different Auth Mechanisms
●JWT Tokens
●OAuth2
●OIDC
○Okta
○Auth0
●SAML
○Enterprise Directory
●Custom flow

OIDC Terminology
●OIDC vs OAuth2
○OAuth2 is meant for authorization
○OIDC sits on top of OAuth2 and also handles Identity
●Tokens
○JWT, ID, Bearer Access Token, Refresh Tokens
●Flows
○Implicit (not recommended)
○Authorization Code
○Client Credentials
●Scopes
○What authorization is required, data, actions, etc
●Claims
○Attributes in the JWT asserted by the OP/IdP
https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc

JWT Token Structure
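The slide shows the three-part JWT layout (header.payload.signature); the check a backend must run on a Cognito token before trusting it is the part the "Token Based Authentication" flow later relies on. This is an added example, not code from the deck: it parses the structure, verifies the signature, and then checks exp, iss, token_use and the audience. The issuer, app client id and key are constructed stand-ins, and HS256 is used only so the block runs offline; a real Cognito token is RS256 and is verified with the key from the user pool's JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins; a real issuer is https://cognito-idp.<region>.amazonaws.com/<userPoolId>
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
DEMO_KEY = b"constructed-demo-key"  # stands in for the pool's RSA public key from its JWKS

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(signing_input: str) -> bytes:
    # HS256 so the block runs offline; real Cognito tokens are RS256 (asymmetric)
    return hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()

def make_demo_token(claims: dict) -> str:
    # A JWT is header.payload.signature, each segment base64url encoded
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": "demo-key-1"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(sign(header + '.' + payload))}"

def verify_cognito_token(token: str, expected_use: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this backend, else raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a surprise alg
    # 1. Signature: in production pick the JWKS key by the header's kid from
    #    <issuer>/.well-known/jwks.json and verify RS256 with it
    if not hmac.compare_digest(sign(header_b64 + "." + payload_b64), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # 2. Expiry, issuer (binds the token to one user pool) and token_use
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # 3. Audience: ID tokens carry aud, access tokens carry client_id
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise ValueError("token issued for a different app client")
    return claims
```

Decoding the payload with b64url_decode alone shows the claims but proves nothing; only a token that passes every step above should be used to authorize a request.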

AWS Cognito Basics
[Diagram: AWS Cognito = Cognito User Pool (Managed User Directory, Hosted UI, Standard Tokens (OIDC, OAuth2)) + Cognito Identity Pool (Federated Identity, AWS Credentials)]

Amazon Cognito User Pools
●Secure, durable, low-cost and fully managed service
●Built-in customizable User Interface for Signup and Login
●OAuth 2 Support
●Federation with Facebook, Google, Amazon and custom OIDC/SAML providers

Managed User Directory
●Serverless (Managed) Directory
○Serverless / Managed
○Multi-AZ redundancy
○Secure
●User & Group Storage
○Profile information
○Credential and device information (MFA)
○Custom attributes

Cognito Identity Pool

User flows
●User Signup and Signin: Allow users to sign up and sign in using email, phone, or username
●User Profile Data: Enable users to view and update their profile data, including custom attributes
●Forgot Password: Provide users the ability to change their password when required
●Token Based Authentication: Use JSON Web Tokens (JWTs) based on the OIDC and OAuth 2.0 standards for user auth in your backend
●Email or Phone Number Verification: Require users to verify their email address or phone number with a one-time password (OTP) prior to activating their account
●SMS Multifactor Authentication: Require users to complete a second factor of authentication with a security code received via SMS or a hardware/software authenticator

Customize user flow with Lambda functions
●Custom authentication flow
○Define auth challenge: Determines the next challenge in a custom auth flow
○Create auth challenge: Creates a challenge in a custom auth flow
○Verify auth challenge response: Determines whether a response is correct in a custom auth flow
●Authentication events
○Pre-authentication: Custom validation to accept or deny the sign-in request
○Post-authentication: Event logging for custom analytics
○Pre-token generation: Customize claims in the ID token
●Sign up
○Pre sign-up: Custom validation to accept or deny the sign-up request
○Post-confirmation: Custom welcome messages or event logging
○Migrate user: Migrate a user from an existing user directory
●Messages
○Custom message: Advanced customization and localization of messages
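A pre sign-up hook of the kind listed above, written here as an added example rather than code from the deck: it denies self-registration from outside an allow-list of email domains and leaves verification to Cognito's own OTP step. The event fields (triggerSource, request.userAttributes, response.autoConfirmUser/autoVerifyEmail/autoVerifyPhone) are those Cognito passes to the pre sign-up trigger; the domain list is a constructed policy for the example.

```python
import re

# Constructed policy for this example: only these domains may self-register
ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def lambda_handler(event, context=None):
    """Cognito pre sign-up trigger: accept or deny the sign-up request.

    Cognito invokes this with the submitted attributes in
    event["request"]["userAttributes"]. Returning the event accepts the
    request; raising an exception denies it and the message reaches the client.
    """
    if not event.get("triggerSource", "").startswith("PreSignUp_"):
        raise Exception("unexpected trigger source")
    attrs = event.get("request", {}).get("userAttributes", {})
    match = EMAIL_RE.match(attrs.get("email", "").strip().lower())
    if not match:
        raise Exception("A valid email address is required to sign up")
    if match.group(1) not in ALLOWED_EMAIL_DOMAINS:
        raise Exception("Sign-up is restricted to approved organisations")
    # Leave proof of ownership to Cognito's own OTP verification step: do not
    # auto-confirm or auto-verify, or the address is trusted without the user
    # ever proving control of it
    response = event.setdefault("response", {})
    response["autoConfirmUser"] = False
    response["autoVerifyEmail"] = False
    response["autoVerifyPhone"] = False
    return event
```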

Extensive admin capabilities
●Create and manage User Pools: Create, configure, and delete multiple user pools
●Define Custom Attributes: Define custom attributes for your user profiles
●Select which attributes must be provided by the user prior to completion of the signup process
●Set read and write permissions for each user attribute on a per-app basis
●Enforce password policies like minimum length or certain characters
●Search users based on a full match or prefix match of their attributes, using the console or API
●Conduct admin actions, such as password reset, confirm user, enable MFA or global sign out

Using Cognito from AWS Amplify
●A comprehensive library for building modern applications
●Powerful toolchain built for developers
●Minimalist styled UI component library
●Best for: Mobile applications or JavaScript front-end applications
●https://docs.amplify.aws/

Serverless Flow

Direct API Integration
●Integrate Cognito APIs directly into your application using the AWS SDK of
your chosen language.
●Provides complete control over user experience and flows.
●Best for: Maximum control and flexibility
https://medium.com/@prasadjay/amazon-cognito-user-pools-in-nodejs-as-fast-as-possible-22d586c5c8ec

Other features
●MFA Options: SMS / TOTP
●Advanced Security Features: Compromised Credentials, Adaptive Authentication, Security Reporting
●Migration Options: Batch or Just-in-time

Demo
●HTML JavaScript App
●Hosted on S3
●Using the Cognito IdP and User Pool
●Gain Access to S3 Bucket

Amazon Cognito Pricing
A user is counted as a MAU if, within a calendar month, there is an identity operation related to that user, such as sign-up, sign-in, token refresh or password change. You are not charged for subsequent sessions or for inactive users within that calendar month.
Pricing Tier    Price Per MAU    Cost for 1 Lac MAUs (1 Lac = 100,000)
Up to 50K       Free
50K-1 Lac       $0.0055          $275 per month
For 10 Lac      $0.0046          $4140 per month
Both Okta and Auth0 charge roughly $1000 for up to 50K Monthly Active Users, with varying features. Please do some pricing analysis before you select your Auth Service.

AWS Workshop
●Using AWS Cognito for Serverless Consumer Apps
●https://serverless-idm.awssecworkshops.com/

Thank You!
https://communityday.awsug.in

Extra Resources
●https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc
●https://www.youtube.com/watch?v=OAR4ZHP8DEg