Your Guide To AWS Cognito For Serverless User Authentication

A Technical Guide To Integrating AWS Cognito Into Your Application

This article, part of our Serverless architecture consulting series, is a technical guide to using AWS Cognito for User Management in a Serverless application.

Almost every web application needs a user management system: sign-up, sign-in, a user profile, and permissions that decide which application features and functionality a user may securely access.

Serverless User Management Components

Regardless of the Serverless Cloud vendor they are native to, all Serverless user management components are similar and include the following features:

  • Secure authentication and authorisation of the user (sign up, sign in, forgot/change password flow, multi-factor authentication)
  • Out-of-the-box customizable hosted UI or SDK
  • Identity provider federation (single sign on with existing accounts from Amazon, Google, Facebook, Twitter)
  • User migration
  • Flexible app integration with customized authentication flow if needed
  • Cloud resources of the same vendor secured by configuration alone (for example an API gateway that accepts the component's tokens, with no code written)
  • Any other integrated server resource secured by verifying the signed tokens (JWTs) the component issues: signature, issuer, audience and expiry are checked on every request
  • Scalable to millions of users without having to change anything
  • Single sign on across multiple Apps (register once, one User profile, use for all apps)

AWS Cognito

Let’s see the integration of a User Management component in action with AWS Cognito as the example. You’ll see just how easy it is to configure.

  1. Log in to your AWS account and select Services from the navigation. You’ll find Cognito under the Security, Identity & Compliance category.
  2. Select the AWS region in which you want to instantiate the User Management component. You want geographic proximity to as many of your customers as possible.
  3. Click ‘Create a User Pool’ and type in a name (such as TestAppUserPool).
  4. Click Review defaults and then Create Pool in the window that opens. Your User Pool is now created.
  5. Configure a Client application that will use this user management component (one user pool can be shared between different applications). For a browser or mobile app, be careful to uncheck the Generate client secret checkbox: such a public client cannot keep a secret, so protect its authorization code flow with PKCE instead. Only a confidential client (server-side code that can protect the secret) should keep one.
  6. Configure the App client settings to integrate the created App client with the User pool. Enter the callback URLs for sign-in and sign-out requests (https://localhost:4200 in the screenshot). Cognito redirects only to URLs registered here and matches them exactly, so register your production URLs and remove the localhost entries before going live.
  7. Configure a domain name for your User pool UI by selecting App integration->Domain name, typing a domain prefix, checking availability and saving the changes.
That’s it. You have created and configured your first serverless User Management component and can use it in your web application. It secures your web/mobile application resources together with the AWS SDK, AWS Amplify or the Serverless Framework.

Now check it in your browser by going to this address:

https://<DOMAIN_NAME>.auth.<AWS_REGION>.amazoncognito.com/login?response_type=code&client_id=<APP_CLIENT_ID>&redirect_uri=<REDIRECT_URL>

DOMAIN_NAME – the domain prefix from step 7

AWS_REGION – the region selected at step 2

APP_CLIENT_ID – the App client id from step 5

REDIRECT_URL – one of the callback URLs registered at step 6 (it must match exactly)

Sample: https://mytestappuserpooldomain.auth.eu-central-1.amazoncognito.com/login?response_type=code&client_id=6ka14g4k7vvkqbubga33c2n0g&redirect_uri=https://localhost:4200

You should see an AWS User Management login form which can be easily customized to your needs in the UI Customization settings of your AWS Cognito User Pool.

Try to sign up to your application. After passing through the registration process, which by default is protected with an email verification code (use a real email address during registration to receive it), sign in and you’ll be redirected to the URL you chose at step 6.

You can find your newly registered user in General settings->Users and groups of your User Pool.


There are many more configuration options on your user pool, from required attributes and password strength policies to multi-factor authentication and single sign-on with external identity providers (Facebook, Google, Login with Amazon, SAML and OpenID Connect providers).

Alternatives to AWS Cognito

There are many alternatives to AWS Cognito as a serverless User Management component. Other Cloud providers and 3rd-party vendors all offer components with almost identical core features. Some examples are Auth0, Google Cloud Identity Platform (Firebase Authentication) and Azure Active Directory B2C.

All of them share similar features and should be considered when your existing infrastructure makes another choice more appropriate than AWS Cognito (e.g. if you already run on Windows Servers and Azure, consider Azure’s user management component).

You can read more about the different qualities of the major Serverless providers in our article Serverless Architecture for Modern Apps: Stacks Providers & Caveats.

We hope this step-by-step guide to the features and configuration of the AWS Cognito User Management component helps demonstrate just how powerful and convenient contemporary serverless components have become.

Krusche & Company – Your AWS Serverless Developers

Munich-based Krusche & Company have established themselves as one of Germany and Europe’s most trusted serverless development outsourcing agencies. With over 20 years of experience working with partners that range from blue chip brands to SMEs and exciting start-ups, our German management and nearshored developer talent offers a perfect blend of communication, quality and price point.

We specialise in Cloud-based, DevOps web development, architecture and consultancy. We’d be delighted to hear from you regarding any Serverless development projects or broader Serverless transition strategy your organisation may need experienced help with.
