@@ -1402,3 +1402,64 @@ about the change
14021402 - No mapping template
14031403 - The HTTP request is passed to the backend
14041404 - The HTTP response from the backend is forwarded by API Gateway
1405+
1406+ ----------------------------------------------
1407+
1408+ # Amazon Cognito
1409+ - We want to give our users an identity so that they can interact with our application.
1410+ - Cognito User Pools:
1411+ - Sign in functionality for app users
1412+ - Integrate with API Gateway & Application Load Balancer
1413+ - Cognito Identity Pools (Federated Identity):
1414+ - Provide AWS credentials to users so they can access AWS resources directly
1415+ - Integrate with Cognito User Pools as an identity provider
1416+ - Cognito Sync:
1417+ - Synchronize data from device to Cognito.
1418+ - Is deprecated and replaced by AppSync
1419+ - Cognito vs IAM: "hundreds of users", "mobile users", "authenticate with SAML"
1420+
1421+ ## Cognito User Pools (CUP) -- User Features
1422+ - Create a serverless database of user for your web & mobile apps
1423+ - Simple login: Username (or email) / password combination
1424+ - Password reset
1425+ - Email & Phone Number Verification
1426+ - Multi-factor authentication (MFA)
1427+ - Federated Identities: users from Facebook, Google, SAML...
1428+ - Feature: block users if their credentials are compromised elsewhere
1429+ - Login sends back a JSON Web Token (JWT)
1430+
1431+ ## Cognito User Pools -- Hosted Authentication UI
1432+ - Cognito has a hosted authentication UI that you can add to your app to handle signup and sign-in workflows
1433+ - Using the hosted UI, you have a foundation for integration with social logins, OIDC or SAML
1434+ - Can customize with a custom logo and custom CSS
1435+
1436+ ## Cognito Identity Pools (Federated Identities)
1437+ - Get identities for "users" so they obtain temporary AWS credentials
1438+ - Your identity pool (e.g identity source) can include:
1439+ - Public Providers (Login with Amazon, Facebook, Google, Apple)
1440+ - Users in an Amazon Cognito user pool - OpenID Connect Providers & SAML Identity Providers
1441+ - Developer Authenticated Identities (custom login server)
1442+ - Cognito Identity Pools allow for unauthenticated (guest) access
1443+ - Users can then access AWS services directly or through API Gateway
1444+ - The IAM policies applied to the credentials are defined in Cognito
1445+ - They can be customized based on the user_id for fine grained control
1446+
1447+ ## Cognito Identity Pools -- IAM Roles
1448+ - Default IAM roles for authenticated and guest users
1449+ - Define rules to choose the role for each user based on the user's ID
1450+ - You can partition your users' access using policy variables
1451+ - IAM credentials are obtained by Cognito Identity Pools through STS
1452+ - The roles must have a "trust" policy of Cognito Identity Pools
1453+
1454+ ## Cognito User Pools vs Identity Pools
1455+ - Cognito User Pools:
1456+ - Database of users for your web and mobile application
1457+ - Allows to federate logins through Public Social, OIDC, SAML...
1458+ - Can customize the hosted UI for authentication (including the logo)]
1459+ - Has triggers with AWS Lambda during the authentication flow
1460+ - Cognito Identity Pools:
1461+ - Obtain AWS credentials for your users
1462+ - Users can login through Public Social, OIDC, SAML & Cognito User Pools
1463+ - Users can be unauthenticated (guests)
1464+ - Users are mapped to IAM roles & policies, can leverage policy variables
1465+ - CUP + CIP = manage user / password + access AWS services
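Review bot: A few wording fixes in the Cognito section before this lands. The "Cognito User Pools vs Identity Pools" list has a stray closing bracket on "Can customize the hosted UI for authentication (including the logo)]" that should be dropped, and "Allows to federate logins" reads better as "Allows federating logins". Under "Cognito Identity Pools (Federated Identities)", "Your identity pool (e.g identity source)" should be "i.e." since the pool is the identity source, not an example of one, and in the User Features list "serverless database of user" should be "database of users". Two security points worth a line each: the "IAM Roles" bullet "The roles must have a 'trust' policy of Cognito Identity Pools" is only half the story, since a trust policy that trusts the service principal alone can be assumed from any identity pool; the trust policy should also condition on the identity pool id (`cognito-identity.amazonaws.com:aud`) and the authenticated/unauthenticated marker (`cognito-identity.amazonaws.com:amr`), which is the shape the console-generated roles use. And "Login sends back a JSON Web Token (JWT)" could note that the API backend must still verify the token's signature, issuer and audience against the user pool rather than trusting the claims as received, which is what the API Gateway Cognito authorizer mentioned in the "Integrate with API Gateway" bullet does for you.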