User Treasure: AWS Cognito
As we all know, user management has become much more important these days. While some companies keep their users on on-prem servers and provide user management by themselves, some large companies such as Auth0, Okta, OneLogin also provide services in this field. When it comes to user management, we should not think only of a server where users are stored, but also we should choose an identity provider to provide these points:
- Authentication & authorization mechanisms,
- Token generation, distribution, and security,
- Password storage and protection,
- User management APIs (Register, login, forgot password, logout, etc..)
- Additional security mechanisms (MFA, suspicious IP blocking, account locking…)
Today, we will discuss one of my favorites, AWS Cognito. AWS Cognito has two aspects:
- AWS Cognito User Pools
- AWS Cognito Identity Pools
AWS Cognito User Pool provides user management (register, login, logout, forgot password, reset password, etc.) and access control to our web and mobile app users quickly and easily. It also supports sign-in with social identity providers, such as Google, Facebook, Apple, and Amazon, SAML 2.0, and OpenID Connect. We don’t have to worry about where users’ passwords or information are stored, Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users with JWT (JSON Web Token) mechanism. It also complies with HIPAA, PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27018, and ISO 9001, so you can use AWS Cognito with your critical infrastructure apps. To understand Cognito deeply, let’s get our hands dirty! To do this, we need a free tier AWS account. You could get this following the steps here.
First of all, we should search Cognito on AWS Management Console and select Cognito.
We should select manage user pools here. If there are no issues related to your AWS account settings, you could see “Your User Pools” blank page. If there is an error, please check your AWS account registration payment settings. On this page, we should select Create A User Pool. We should give a name to our user pool to identify in the future. We can create our user pool with review default settings or step-through settings one by one. I choose step-through settings so we could see AWS Cognito settings in detail.
On “Attributes” tab, we should select “How do we want our users to sign in? Username, E-mail or Phone Number?” This selection is critical because you cannot change this setting after creation of Cognito User Pool. I choose Email address or phone number and “Allow email address” option.
What are the attributes that we want from the users on the sign-up process? We could select register (sign-up) attributes on the same page. There are two options: Required or Custom Attributes. If you select required attributes, users must provide all of them. On the other hand, if you select custom attributes, users could send them with null values (blank on the register page). You could use the custom attributes for your custom user management, database, or multi-tenancy solutions. I recommend using custom attributes instead of required attributes if they are not critical for development or production purposes. I choose email for required attributes.
In the next step, we could set our password policy, users could sign-up themselves up or not. This option could be useful for critical and internal apps that should be only registered users by admin. Also, we could edit the temporary password expiration time. I don’t change anything here, I pass this page with default values. I recommend you construct a strong password policy in the production environment.
After this page, we will see “MFA and verifications” page. I will mention MFA options in a different blog post. I pass this page for now.
On “Message Customization” page, we could modify our user verification, temporary code mail details. AWS Cognito uses AWS SES for email sending operations. You could select your verification type and email message detail here. I select the verification link and change the Email message content a little bit.
We could add additional tags for management purposes on the “Tags” page.
On “Devices” page, you will see “Remember User Devices?” option. This option allows us to collect the details of the devices that users sign in. This option could be useful for security purposes. I choose “Always” option here.
After this page. we should see a critical option “App Clients”. You can create multiple apps for a user pool. Generally, an app corresponds to the platform of an app. For example, you might create an app for Android and Web. Each app has its own app client ID. In addition to this, we could set our tokens (id, access, and refresh) expiration time for every app client here. I only disable “Generate client secret” option here. The client secret option could be useful cloud-cloud integrations, we don’t need a client secret value here.
At the bottom of the same page, you should see “Set attribute read and write permissions” option. If you add custom attribute value, you should select read and write permissions here. Otherwise, you could not get any error but you cannot see your user custom attribute values on the Cognito User Page. This could be confusing so you should think about this option.
After this, we are up to against one of my favorite Cognito features: Cognito Triggers. These options could be so useful for when we want to operate in user register, sign-in, getting user token processes. To use triggers, we should use AWS Lambda functions.
After all of these, we could create our user pool successfully. You could see your user pool ID on the main page of your user pool.
Let’s we can register a user and sign in. AWS Cognito provides us Hosted UI page for test purposes. We could select “App Integration → Domain Name” from the left bar on User Pool Page that we have created. We need an AWS Cognito Domain for sign-in, sign-up, forgot password, etc.. operations. I select “test-medium” as my domain name and I checked availability and save changes. You could also get your own domain with AWS ACM.
Finally, you should set a callback sign-in and sign-out URL for your app client. I choose http://localhost:8000 for test purposes. After save these configurations, you will see “Launch hosted UI” button below.
After we launch hosted UI, we can sign-up our users. You should think Hosted UI as your app register or login page. I select the sign-up option here because I have not a registered user.
On the sign-up process, I registered with my e-mail address and password.
To verify my email address, AWS Cognito sends a verification link to my email address. (You should remember, we configured this option above.)
After I click the verification email, AWS Cognito verifies my email address, and I could sign in successfully and get my tokens. You could see tokens on your browser’s bar. Also, on the “Users and Groups” option in your user pool configuration page, you could see all of your user list and user data.
More content at plainenglish.io
