Introduction to AWS Cognito
In web or app development, user authentication and authorization is a critical module: it covers user registration, login authentication, and management of the corresponding permissions. Besides username and password login, login through a third-party social account is also in high demand. Outside China this mainly means Google, Facebook or Apple login; in China it mainly means WeChat and Weibo login.
Identity authentication and authorization are complex to implement correctly, so AWS provides the Cognito service to help developers add user registration/login and access control faster and more securely. Cognito lets enterprises focus on their core business, innovation and revenue generation, instead of on the underlying technical details of authentication and authorization.
Replace AWS Cognito with Authing
Pain point
AWS Cognito User Pool is currently unavailable in China, so Authing would be a better choice for companies that want to use IDaaS services like Cognito in China.
The value of Authing
Authing addresses these problems: the Authing user pool can completely replace the Cognito user pool and build a bridge between domestic users and AWS resources.
Alternatives
Architecture design
Overall structure of the demo website:
The static website is hosted on S3; CloudFront provides static content acceleration and terminates HTTPS with the mounted certificate.
Authing authenticates the login and issues the token, replacing the Cognito User Pool.
The front end calls the REST API provided by API Gateway.
Temporary AWS credentials are obtained through the Cognito Identity Pool to access AWS resources (here the Polly service is used as the example).
Login authentication and token acquisition through Authing
Authing authenticates the user based on OIDC and OAuth 2.0 and grants the user access to the corresponding application.
1. The user requests to log in through the Authing user pool and receives an authorization code from the server after successful authentication.
2. The application exchanges the code for a token through the identity pool.
3. The user uses the token to request access to the various application resources.
[Figure: OIDC Authorization Code Flow for obtaining the token]
The figure above describes the OIDC Authorization Code Flow for obtaining a token. A token can also be obtained through the OIDC Implicit Flow; this example uses the Implicit Flow.
Access the protected REST API provided by API Gateway
After login and authentication through Authing, the token (i.e. the id_token) is obtained. The protected REST API is accessed by carrying this token in the header of the HTTP request.
Secure access to AWS services through integration with Identity Pool
After login and authentication through Authing, the token (i.e. the id_token) is obtained. Through the integration with the Identity Pool, this token is exchanged for temporary credentials that grant secure access to AWS resources.
Scheme deployment
Both the front-end and back-end code of the demo site are published on GitHub: https://github.com/aws-samples/aws-authing-demo. You can refer to the relevant code for deployment and testing.
[Figure: Authing OIDC application settings: callback URL, authorization mode, return type, etc.]
Authing account opening and OIDC application configuration
First, create an OIDC application in Authing (see the Authing documentation for details). The demo environment uses the Implicit Flow and the RS256 algorithm for the id_token signature. Refer to the figure above for the callback URL, authorization mode and return type settings.
Deploying API Gateway and Lambda through SAM
Since the id_token is signed with the RS256 algorithm, the corresponding public key must be configured in the Lambda authorizer so that the token signature can be verified; see the comments in the example code app.js and the AWS documentation for details. In the demo environment, API Gateway and the related Lambda functions are described in an AWS SAM template and can be deployed automatically with SAM:
$ sam build
$ sam deploy --guided
Configuration of integrating Authing and Identity Pool
Configure the OIDC Provider:
Provider URL: the issuer of the Authing application
Audience: the app ID of the Authing application
For the detailed configuration steps, refer to the relevant official AWS documentation.
Configure the Cognito Identity Pool:
Authenticated Provider: specify Authing as the authenticated provider
[Figure: Identity Pool created successfully]
At the same time, the Cognito Identity Pool creates two IAM roles (one for authenticated users and one for unauthenticated users). You need to set the permissions of the IAM role for authenticated users: the sample website uses the Polly service, so add permission to access Polly to that role.
Deploy the static website as the front-end demo
Front end demo page:
https://github.com/aws-samples/aws-authing-demo/tree/master/frontend
Upload it to an S3 bucket and enable S3 static website hosting. Note that CloudFront with an HTTPS certificate should be placed in front of the bucket; alternatively, the front end can be deployed on an EC2 instance.
Let's talk
For more information, please contact our sales and technical support team.