Decentralized Managed Authentication.
Sign-up, sign-in integration for your apps.
Social identity provider, e.g. Facebook, Google.
Cognito User Pools
User directory that authenticates users, directly or through an IdP, to grant access to your app.
Cognito Identity Pools
Provide temporary credentials for users to access AWS Services.
Cognito Sync
Syncs user data and preferences across all devices.
Web Identity Federation
Exchanges identity and security information between an identity provider (IdP) and an application.
Identity Provider (IdP)
A trusted provider of your user identity that lets you use that authentication to access other services.
Identity Providers could be: Facebook, Amazon, Google, Twitter, GitHub, LinkedIn.
Types of Identity Providers
The technology behind the Identity Providers:
OpenID Connect (OIDC)
OAuth. This is for Web Identity Federation.
Security Assertion Markup Language (SAML)
Single Sign-On (SSO)
User Pools are user directories used to manage sign-up and sign-in actions for web and mobile apps:
Allow users to sign in directly to the User Pool, or through Web Identity Federation.
Use AWS Cognito as the identity broker between AWS and the identity provider.
Successful user authentication generates JSON Web Tokens (JWTs).
User Pools can be thought of as the account used to access the system (i.e. email address and password).
Identity Pools provide temporary AWS credentials to access services, e.g. S3, DynamoDB.
Identity Pools can be thought of as the actual mechanism authorizing access to the AWS resources.
Syncs user data and preferences across devices with one line of code.
Cognito uses push synchronization to push updates and synchronize data; it uses Simple Notification Service (SNS) to send notifications to all of a user's devices when data in the cloud changes.