Amazon Cognito is a managed authentication and authorisation service for web and mobile applications. It supports both native identities, where users have registered for the service directly, and federated identities from a range of providers and your own trusted IdPs.
Key concepts:
- User Pools are user directories for applications that need to authenticate their users. The tokens a user pool issues are what applications use to access their own resources; this is the level at which most applications interact with Cognito.
- Hosted UI refers to the built-in registration, login, and password reset flows.
- Standard Tokens refer to the OpenID Connect ID token and the OAuth 2.0 access token (both JWTs), plus a refresh token, issued by user pools.
- Identity Pools exchange a token from a user pool (or another supported IdP) for temporary AWS credentials issued by STS, allowing end users to call AWS services directly with those credentials.
Features include:
- Hosted UI for registration, login and password recovery pages.
- Storing user profile data, including custom attributes.
- Token-based authentication using JWTs (ID and access tokens) that applications verify against the user pool's published signing keys.
- Email and phone number verification.
- MFA over SMS and TOTP.
- Customisable user flows using Lambda hooks (triggers).
- Advanced security features: risk scoring of sign-in events (adaptive authentication), detection of compromised credentials, and security auditing and reporting.
- Migration of existing user data, either as a one-time bulk import or just-in-time at the user's first sign-in via a migration Lambda trigger.
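The JWTs listed above are only worth anything if the receiving service checks them properly: signature against the pool's `jwks.json` key matching the token's `kid`, then `iss`, `token_use`, audience and `exp`. The following is an added example, not code from the page or from AWS, that does that check offline: it generates a throwaway RSA key and mints a token the way a user pool would (as a stand-in for Cognito), publishes the public half in the same shape as a `jwks.json` entry, and validates with stdlib only. The pool ID, app client ID and `kid` used in the usage note are placeholders.

```python
"""Offline validation of a Cognito user-pool JWT: kid lookup in a JWKS, RS256 check, claim checks.
Added example; the key pair, kid, pool and client IDs are constructed for the demo, not real."""
import base64
import hashlib
import json
import secrets
import time

# DigestInfo prefix for SHA-256 used by EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, sufficient for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_key(bits: int = 1024):
    """Return (n, e, d). Demo-sized: the keys in a real jwks.json are 2048-bit."""
    e = 65537

    def random_prime(width: int) -> int:
        while True:
            cand = secrets.randbits(width) | (1 << (width - 1)) | 1
            if cand % e != 1 and _is_probable_prime(cand):  # keeps gcd(e, p-1) == 1
                return cand

    p, q = random_prime(bits // 2), random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) as a k-byte integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")


def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    return len(signature) == k and s < n and pow(s, e, n) == _emsa_pkcs1_v15(signing_input, k)


def jwk_for(kid: str, n: int, e: int) -> dict:
    """Entry shaped like those in <issuer>/.well-known/jwks.json (n and e are base64url big-endian)."""
    to_b64 = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": to_b64(n), "e": to_b64(e)}


def issue_token(claims: dict, kid: str, n: int, d: int) -> str:
    """Mint a token the way the user pool would; stand-in for Cognito so the demo runs offline."""
    header = b64url_encode(json.dumps({"kid": kid, "alg": "RS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(rs256_sign(f'{header}.{payload}'.encode(), n, d))}"


def validate_cognito_token(token, jwks, region, user_pool_id, client_id, expected_use, now=None):
    """Return the claims if `token` is a valid Cognito token of `expected_use` ("id" or "access")."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:  # unknown kid: the pool may have rotated keys, re-fetch jwks.json and retry once
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rs256_verify(f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only trusted once the signature checks out
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")  # token from another pool, even if signed with a known key
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")  # e.g. an ID token presented where an access token is required
    # ID tokens carry the app client ID in "aud"; access tokens carry it in "client_id".
    if claims.get("aud" if expected_use == "id" else "client_id") != client_id:
        raise ValueError("wrong audience")  # minted for a different app client of the same pool
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```

To try it, call `generate_rsa_key()`, wrap `jwk_for("demo-kid", n, e)` in `{"keys": [...]}` as a constructed stand-in for the pool's `jwks.json`, mint a token with `issue_token` whose `iss` is `https://cognito-idp.<region>.amazonaws.com/<pool id>` and whose `aud` is the app client ID, and pass it to `validate_cognito_token`. In production, replace the minting side with the real pool and fetch `jwks.json` from the issuer over HTTPS, caching it by `kid`; the validation logic stays the same. The order matters: the signature is checked before any claim is read, and the `alg` is pinned rather than taken from the token.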
Supported client types:
- Mobile applications.
- Web applications, both client-side and server-side.
Note that for many new mobile and web applications that don't need fine-grained control over the authentication flow, Amplify Auth (which uses Cognito underneath) is a better fit, as it is much easier to integrate.
In the normal case a client authenticates against a user pool and receives an ID token and an access token, both JWTs, along with a refresh token used to obtain new ones without prompting the user again. To call AWS services as this identity, the ID token is presented to an identity pool, which exchanges it for temporary STS credentials (access key ID, secret key and session token).
Four OAuth 2.0 flows are supported:
- Authorisation Code (use it with PKCE for public clients such as SPAs and mobile apps)
- Implicit Grant (legacy; tokens are returned in the URL fragment, so prefer Authorisation Code with PKCE)
- Client Credentials (machine-to-machine; yields an access token only, with no user involved)
- Resource Owner Password Credentials (not offered by the hosted token endpoint; the equivalent is the USER_PASSWORD_AUTH flow of the InitiateAuth API)
When authenticating through the InitiateAuth API rather than the Hosted UI, sign-in proceeds as a sequence of challenges answered via RespondToAuthChallenge. Challenges might be password-based (an SRP password verifier, or a new-password-required step) or MFA code requests over SMS or TOTP.
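The two halves of the normal flow, the user-pool challenge loop and the identity-pool credential exchange, as an added example in Python with boto3 (this is not code from the page or from AWS). The pool, app client and identity pool identifiers in the `__main__` section are placeholders, and the app client is assumed to be a public one without a client secret; with a secret, every call also needs a `SECRET_HASH` parameter. Both functions take the boto3 client as a parameter so they can be exercised offline with a stand-in object, which is how the checks were written.

```python
"""User-pool sign-in with an MFA challenge loop, then identity-pool credential exchange.
Added example using boto3's cognito-idp and cognito-identity clients; all IDs are placeholders."""
from typing import Callable, Dict

MAX_CHALLENGE_ROUNDS = 4  # password, MFA, new-password-required: more than this is suspicious


def cognito_logins_key(region: str, user_pool_id: str) -> str:
    """Key under which an identity pool expects a user-pool ID token in the Logins map."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def authenticate(idp, client_id: str, username: str, password: str,
                 code_provider: Callable[[str], str]) -> Dict[str, str]:
    """Run USER_PASSWORD_AUTH against a user pool, answering MFA challenges until tokens are issued.

    `idp` is a boto3 cognito-idp client (anything exposing the same two methods works).
    Assumes a public app client without a client secret. `code_provider` is called with the
    challenge name and returns the SMS or TOTP code obtained from the user.
    """
    resp = idp.initiate_auth(
        AuthFlow="USER_PASSWORD_AUTH",  # must be enabled on the app client (ALLOW_USER_PASSWORD_AUTH)
        ClientId=client_id,
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    for _ in range(MAX_CHALLENGE_ROUNDS):
        if "AuthenticationResult" in resp:
            return resp["AuthenticationResult"]  # IdToken, AccessToken, RefreshToken, ExpiresIn
        challenge = resp["ChallengeName"]
        if challenge == "SOFTWARE_TOKEN_MFA":
            answers = {"USERNAME": username, "SOFTWARE_TOKEN_MFA_CODE": code_provider(challenge)}
        elif challenge == "SMS_MFA":
            answers = {"USERNAME": username, "SMS_MFA_CODE": code_provider(challenge)}
        else:
            # NEW_PASSWORD_REQUIRED, MFA_SETUP, CUSTOM_CHALLENGE etc. need their own handling;
            # failing closed is safer than guessing at a response.
            raise RuntimeError(f"unhandled challenge: {challenge}")
        resp = idp.respond_to_auth_challenge(
            ClientId=client_id,
            ChallengeName=challenge,
            Session=resp["Session"],  # opaque session state, echoed back with each answer
            ChallengeResponses=answers,
        )
    raise RuntimeError("too many challenge rounds")


def exchange_for_aws_credentials(ci, identity_pool_id: str, region: str,
                                 user_pool_id: str, id_token: str) -> Dict[str, str]:
    """Trade a user-pool ID token for temporary STS credentials through an identity pool.

    `ci` is a boto3 cognito-identity client. The Logins map must carry the ID token (not the
    access token); the identity pool validates it and maps the user to its authenticated role.
    """
    logins = {cognito_logins_key(region, user_pool_id): id_token}
    identity_id = ci.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretKey"],  # the API field is SecretKey, not SecretAccessKey
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }


if __name__ == "__main__":
    import getpass
    import boto3

    REGION, USER_POOL_ID = "eu-west-1", "eu-west-1_ExamplePool"  # placeholders, not real resources
    CLIENT_ID = "exampleappclientid"
    IDENTITY_POOL_ID = "eu-west-1:00000000-0000-0000-0000-000000000000"
    idp = boto3.client("cognito-idp", region_name=REGION)
    tokens = authenticate(idp, CLIENT_ID, input("username: "), getpass.getpass("password: "),
                          lambda challenge: input(f"{challenge} code: "))
    ci = boto3.client("cognito-identity", region_name=REGION)
    aws = exchange_for_aws_credentials(ci, IDENTITY_POOL_ID, REGION, USER_POOL_ID, tokens["IdToken"])
    print("temporary credentials expire at", aws["Expiration"])
```

The challenge loop is bounded and fails closed on any challenge it does not understand, rather than attempting a generic answer. The returned STS credentials carry the permissions of the identity pool's authenticated role (or a role chosen by rule or token claim), not the user's own, so the user pool token and the AWS credentials are two different trust boundaries and should be scoped accordingly.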
Federated identity providers supported by user pools include:
- Google Account
- Apple ID
- OpenID Connect IdP
- SAML 2.0 IdP
Cognito Sync allows you to synchronise application state across a user's devices without the need to host your own backend service. It's implemented as a client library on top of identity pools. It is deprecated, and new users are advised to use AWS AppSync instead.
[SAML]: Security Assertion Markup Language
[SMS]: Short Message Service