Amazon Cognito Developer Guide

Table of Contents

What is Amazon Cognito? .... 1
  Features of Amazon Cognito .... 2
  Getting started with Amazon Cognito .... 3
  Regional availability .... 3
  Pricing for Amazon Cognito .... 3
  Using the Amazon Cognito console .... 3
Getting started with Amazon Cognito .... 7
  Get an Amazon Web Services account and your root user credentials .... 8
  Creating an IAM user .... 8
    Secure IAM users .... 8
  Signing in as an IAM user .... 9
  Creating IAM user access keys .... 9
Common Amazon Cognito scenarios .... 10
  Authenticate with a user pool .... 10
  Access your server-side resources .... 10
  Access resources with API Gateway and Lambda .... 11
  Access Amazon services with a user pool and an identity pool .... 12
  Authenticate with a third party and access Amazon services with an identity pool .... 13
  Access Amazon AppSync resources with Amazon Cognito .... 14
Tutorials .... 16
  Creating a user pool .... 16
    Related Resources .... 17
  Creating an identity pool .... 17
    Related resources .... 17
  Cleaning up your Amazon resources .... 17
Integrating with apps .... 19
  Amazon Cognito authentication with the Amazon Amplify framework .... 19
  Authentication with amazon-cognito-identity-js .... 19
  Authentication with Amazon SDKs .... 20
Multi-tenant application best practices .... 21
  User-pool-based multi-tenancy .... 21
  App-client-based multi-tenancy .... 22
  Group-based multi-tenancy .... 22
  Custom-attribute-based multi-tenancy .... 22
  Multi-tenancy security recommendations .... 22
Amazon Cognito user pools .... 24
  Getting started with user pools .... 25
    Prerequisite: Sign up for an Amazon Web Services account .... 25
    Step 1. Create a user pool .... 25
    Step 2. Add an app client and set up the hosted UI .... 27
    Step 3. Add social sign-in to a user pool (optional) .... 30
    Step 4. Add sign-in with a SAML identity provider to a user pool (optional) .... 36
    Next steps .... 38
  Using the APIs .... 39
    User pool API authentication .... 40
  Updating a user pool .... 45
    Updating a user pool with the Amazon Cognito API or Amazon CLI .... 46
  Using the hosted UI .... 47
    Setting up the hosted UI with Amazon Amplify .... 47
    Setting up the hosted UI with the Amazon Cognito console .... 47
    Configuring an app client .... 51
    Configuring a domain .... 56
    Customizing the built-in webpages .... 62
    How to use the hosted UI .... 66
    Defining resource servers .... 78
  Adding sign-in through a third party .... 81
    How federated sign-in works in Amazon Cognito user pools .... 81
    Adding social identity providers .... 83
    Adding SAML providers .... 90
    Adding OIDC providers .... 101
    Specifying attribute mappings .... 108
    Linking federated users to an existing user profile .... 112
  Using Lambda triggers .... 113
    Important considerations .... 115
    Adding a user pool trigger .... 116
    User pool Lambda trigger event .... 117
    User pool Lambda trigger common parameters .... 118
    Lambda trigger sources .... 118
    Pre sign-up Lambda trigger .... 120
    Post confirmation Lambda trigger .... 126
    Pre authentication Lambda trigger .... 130
    Post authentication Lambda trigger .... 132
    Challenge Lambda triggers .... 135
    Pre token generation Lambda trigger .... 145
    Migrate user Lambda trigger .... 149
    Custom message Lambda trigger .... 153
    Custom sender Lambda triggers .... 158
  Using Amazon Pinpoint analytics .... 168
    Find Amazon Cognito and Amazon Pinpoint Region mappings .... 168
    Integrating your app with Amazon Pinpoint .... 171
  Managing users .... 172
    Signing up and confirming user accounts .... 172
    Creating users as administrator .... 182
    Adding groups to a user pool .... 187
    Managing and searching for users .... 190
    Recovering user accounts .... 195
    Importing users into a user pool .... 195
  Email settings .... 207
    Default email functionality .... 207
    Amazon SES email configuration .... 207
    Configuring the email account .... 209
  SMS message settings .... 213
    Setting up SMS messaging for the first time in Amazon Cognito user pools .... 213
  Using tokens .... 218
    Using the ID token .... 219
    Using the access token .... 221
    Using the refresh token .... 223
    Revoking tokens .... 224
    Verifying a JSON web token .... 225
    Caching tokens .... 228
  Accessing resources after sign-in .... 230
    Accessing server-side resources .... 10
    Accessing resources with API Gateway and Lambda .... 231
    Accessing Amazon resources using an identity pool .... 232
  Using security features .... 235
    Adding MFA .... 235
    Adding advanced security .... 243
    Amazon WAF Web ACLs .... 254
    Case sensitivity .... 256
  User pools console reference .... 257
    User pool name .... 258
    Users and groups .... 258
    Attributes .... 258
    Password requirements .... 267
    Admin create user policy .... 267
    Deletion protection .... 267
    Email or phone verification .... 268
    Message customizations .... 271
    Tags .... 275
    Devices .... 275
    App clients .... 276
    Triggers .... 279
    Review settings .... 279
    Analytics .... 279
    App client settings .... 280
    Domain name .... 282
    UI customization .... 283
    Resource servers .... 284
    Identity providers .... 285
    Attribute mapping .... 291
  Managing error responses .... 293
    User creation and authentication operations .... 293
    Password reset operations .... 296
    Confirmation operations .... 296
Amazon Cognito identity pools .... 297
  Getting started with identity pools .... 297
    Sign up for an Amazon Web Services account .... 298
    Create an identity pool in Amazon Cognito .... 298
    Install the Mobile or JavaScript SDK .... 299
    Integrate the identity providers .... 299
    Get credentials .... 299
  Using identity pools .... 299
    User IAM roles .... 300
    Authenticated and unauthenticated identities .... 300
    Enable or disable unauthenticated identities .... 300
    Change the role associated with an identity type .... 301
    Enable or edit authentication providers .... 301
    Delete an identity pool .... 302
    Delete an identity from an identity pool .... 302
    Using Amazon Cognito Sync with identity pools .... 302
  Identity pools concepts .... 304
    Identity pools authentication flow .... 304
    IAM roles .... 309
    Role trust and permissions .... 314
  Using attributes for access control .... 315
    Using attributes for access control with Amazon Cognito identity pools .... 316
    Using attributes for access control policy example .... 317
    Disable attributes for access control .... 318
    Default provider mappings .... 319
  Role-based access control .... 320
    Creating roles for role mapping .... 320
    Granting pass role permission .... 320
    Using tokens to assign roles to users .... 321
    Using rule-based mapping to assign roles to users .... 321
    Token claims to use in rule-based mapping .... 323
    Best practices for role-based access control .... 324
  Getting credentials .... 324
    Android .... 324
    iOS - Objective-C .... 325
    iOS - Swift .... 326
    JavaScript .... 327
    Unity .... 328
    Xamarin .... 329
  Accessing Amazon services .... 330
    Android .... 330
    iOS - Objective-C .... 330
    iOS - Swift .... 330
    JavaScript .... 331
    Unity .... 331
    Xamarin .... 331
  Identity pools external identity providers .... 331
    Facebook .... 332
    Login with Amazon .... 337
    Google .... 340
    Sign in with Apple .... 346
    Open ID Connect providers .... 350
    SAML identity providers .... 352
  Developer authenticated identities .... 354
    Understanding the authentication flow .... 354
    Define a developer provider name and associate it with an identity pool .... 354
    Implement an identity provider .... 355
    Updating the logins map (Android and iOS only) .... 360
    Getting a token (server side) .... 361
    Connect to an existing social identity .... 362
    Supporting transition between providers .... 362
  Switching identities .... 365
    Android .... 365
    iOS - Objective-C .... 365
    iOS - Swift .... 366
    JavaScript .... 366
    Unity .... 367
    Xamarin .... 367
Amazon Cognito Sync .... 368
  Getting started with Amazon Cognito Sync .... 368
    Sign up for an Amazon account .... 368
    Set up an identity pool in Amazon Cognito .... 369
    Store and sync data .... 369
  Synchronizing data .... 369
    Initializing the Amazon Cognito Sync client .... 369
    Understanding datasets .... 371
    Reading and writing data in datasets .... 372
    Synchronizing local data with the sync store .... 374
  Handling callbacks .... 376
    Android .... 376
    iOS - Objective-C .... 378
    iOS - Swift .... 380
    JavaScript .... 382
    Unity .... 384
    Xamarin .... 386
  Push sync .... 388
    Create an Amazon Simple Notification Service (Amazon SNS) app .... 388
    Enable push sync in the Amazon Cognito console .... 388
    Use push sync in your app: Android .... 389
    Use push sync in your app: iOS - Objective-C .... 390
    Use push sync in your app: iOS - Swift .... 392
  Amazon Cognito Streams .... 394
  Amazon Cognito Events .... 396
Security .... 400
  Data protection .... 400
    Data encryption .... 401
  Identity and access management .... 401
    Audience .... 402
    Authenticating with identities .... 402
    Managing access using policies .... 404
    How Amazon Cognito works with IAM .... 405
    Identity-based policy examples .... 412
    Troubleshooting .... 415
    Using service-linked roles .... 416
    Authentication .... 419
  Logging and monitoring .... 426
    Tracking quotas and usage in CloudWatch and Service Quotas .... 427
    Logging Amazon Cognito API calls with Amazon CloudTrail .... 434
  Compliance validation .... 447
  Resilience .... 447
    Regional data considerations .... 448
  Infrastructure security .... 448
  Configuration and vulnerability analysis .... 448
  Amazon managed policies .... 449
    Policy updates .... 449
Tagging resources .... 451
  Supported resources .... 451
  Tag restrictions .... 451
  Managing tags with the console .... 452
  Amazon CLI examples .... 452
    Assigning tags .... 452
    Viewing tags .... 453
    Removing tags .... 454
    Applying tags when you create resources .... 454
  API actions .... 455
    API actions for user pool tags .... 455
    API actions for identity pool tags .... 455
Quotas .... 456
  Understanding API request rate quotas .... 456
    Quota categorization .... 456
    Amazon Cognito user pools API operations with special request rate handling .... 456
    Monthly active users .... 457
  Managing API request rate quotas .... 457
    Identify quota requirements .... 457
    Optimize quotas .... 457
    Track quota usage .... 458
    Requesting a quota increase .... 459
  User pools request rate quotas .... 459
  Identity pools request rate quotas .... 464
  Quotas on resource number and size .... 465
API references .... 469
  Hosted UI and OIDC endpoints reference .... 469
    Authorize endpoint .... 470
    Token endpoint .... 476
    UserInfo endpoint .... 480
    Login endpoint .... 481
    Logout endpoint .... 483
    Revoke endpoint .... 485
  User pools API reference .... 486
  Identity pools API reference .... 486
  Cognito sync API reference
487 Document history........................................................................................................................... 488 viii Amazon Cognito Developer Guide What is Amazon Cognito? Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other Amazon services. You can use identity pools and user pools separately or together. An Amazon Cognito user pool and identity pool used together See the diagram for a common Amazon Cognito scenario. Here the goal is to authenticate your user, and then grant your user access to another Amazon service. 1. In the first step your app user signs in through a user pool and receives user pool tokens after a successful authentication. 2. Next, your app exchanges the user pool tokens for Amazon credentials through an identity pool. 3. Finally, your app user can then use those Amazon credentials to access other Amazon services such as Amazon S3 or DynamoDB. 1 Amazon Cognito Developer Guide Features of Amazon Cognito For more examples using identity pools and user pools, see Common Amazon Cognito scenarios (p. 10). Amazon Cognito is compliant with SOC 1-3, PCI DSS, ISO 27001, and is HIPAA-BAA eligible. For more information, see Amazon services in scope. See also Regional data considerations (p. 448). Topics • Features of Amazon Cognito (p. 2) • Getting started with Amazon Cognito (p. 3) • Regional availability (p. 3) • Pricing for Amazon Cognito (p. 3) • Using the Amazon Cognito console (p. 3) Features of Amazon Cognito User pools A user pool is a user directory in Amazon Cognito. 
With a user pool, your users can sign in to your web or mobile app through Amazon Cognito, or federate through a third-party identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

User pools provide:
• Sign-up and sign-in services.
• A built-in, customizable web UI to sign in users.
• Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and through SAML and OIDC identity providers from your user pool.
• User directory management and user profiles.
• Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
• Customized workflows and user migration through Amazon Lambda triggers.

For more information about user pools, see Getting started with user pools (p. 25) and the Amazon Cognito user pools API reference.

Identity pools

With an identity pool, your users can obtain temporary Amazon credentials to access Amazon services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:
• Amazon Cognito user pools
• Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple
• OpenID Connect (OIDC) providers
• SAML identity providers
• Developer authenticated identities

To save user profile information, your identity pool needs to be integrated with a user pool.
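The three-step scenario described under "What is Amazon Cognito?" (sign in to a user pool, exchange the user pool token for temporary Amazon credentials at an identity pool, then call a service with those credentials), written out as an added example. This is not code from the guide; it uses the public boto3 client operations initiate_auth, get_id and get_credentials_for_identity. The region, user pool ID, app client ID, identity pool ID, user name and password are placeholder assumptions, the app client is assumed to have no client secret and to allow the USER_PASSWORD_AUTH flow, and the Logins provider name assumes the standard amazonaws.com partition. The two stand-in clients at the bottom are constructed for offline use and only mirror the documented response shapes, so the flow can be run without an account.

```python
"""Added example: user pool sign-in -> identity pool credential exchange -> service call."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Mapping


@dataclass(frozen=True)
class AwsCredentials:
    """Temporary credentials returned by the identity pool in step 2."""
    access_key_id: str
    secret_key: str
    session_token: str
    expiration: Any  # a datetime from boto3; kept opaque here


def user_pool_provider_name(region: str, user_pool_id: str) -> str:
    """Key the identity pool expects in its Logins map for a user pool ID token."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def sign_in_user_pool(idp, client_id: str, username: str, password: str) -> Mapping[str, Any]:
    """Step 1: authenticate against the user pool and return its token set.

    Assumes an app client without a client secret (otherwise SECRET_HASH is
    also required) on which USER_PASSWORD_AUTH is enabled.
    """
    resp = idp.initiate_auth(
        AuthFlow="USER_PASSWORD_AUTH",
        ClientId=client_id,
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    if "AuthenticationResult" not in resp:
        # MFA or a forced password change stops the flow here: the app has to
        # answer with respond_to_auth_challenge before it receives any tokens.
        raise RuntimeError(f"sign-in needs challenge: {resp.get('ChallengeName')}")
    return resp["AuthenticationResult"]


def exchange_for_aws_credentials(identity, identity_pool_id: str, region: str,
                                 user_pool_id: str, id_token: str) -> AwsCredentials:
    """Step 2: trade the user pool ID token (not the access token) for credentials."""
    logins = {user_pool_provider_name(region, user_pool_id): id_token}
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = identity.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return AwsCredentials(
        access_key_id=creds["AccessKeyId"],
        secret_key=creds["SecretKey"],
        session_token=creds["SessionToken"],
        expiration=creds["Expiration"],
    )


def client_with_credentials(service: str, region: str, creds: AwsCredentials):
    """Step 3: a boto3 client that signs requests with the temporary credentials."""
    import boto3  # imported lazily so the offline demo below does not need it

    return boto3.client(
        service,
        region_name=region,
        aws_access_key_id=creds.access_key_id,
        aws_secret_access_key=creds.secret_key,
        aws_session_token=creds.session_token,
    )


# --- constructed offline stand-ins; they are not real AWS clients -------------

class FakeUserPoolClient:
    """Mimics cognito-idp.initiate_auth, optionally demanding an MFA challenge."""
    def __init__(self, mfa_required: bool = False):
        self.mfa_required = mfa_required

    def initiate_auth(self, **kwargs):
        assert kwargs["AuthFlow"] == "USER_PASSWORD_AUTH"
        if self.mfa_required:
            return {"ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": "opaque-session"}
        return {"AuthenticationResult": {"IdToken": "eyJ.id.token", "AccessToken": "eyJ.access.token",
                                         "RefreshToken": "refresh", "TokenType": "Bearer", "ExpiresIn": 3600}}


class FakeIdentityPoolClient:
    """Mimics cognito-identity.get_id and get_credentials_for_identity."""
    def __init__(self, expected_provider: str):
        self.expected_provider = expected_provider

    def get_id(self, **kwargs):
        assert self.expected_provider in kwargs["Logins"]
        return {"IdentityId": "us-east-1:00000000-0000-4000-8000-000000000000"}

    def get_credentials_for_identity(self, **kwargs):
        assert self.expected_provider in kwargs["Logins"]
        return {"IdentityId": kwargs["IdentityId"],
                "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "secret",
                                "SessionToken": "session", "Expiration": 1700000000}}


REGION = "us-east-1"                                            # placeholder
USER_POOL_ID = "us-east-1_EXAMPLE"                              # placeholder
IDENTITY_POOL_ID = "us-east-1:11111111-1111-4111-8111-111111111111"  # placeholder


def run_offline_demo(mfa_required: bool = False) -> AwsCredentials:
    """Runs steps 1 and 2 against the stand-ins; step 3 needs real credentials."""
    idp = FakeUserPoolClient(mfa_required=mfa_required)
    identity = FakeIdentityPoolClient(user_pool_provider_name(REGION, USER_POOL_ID))
    tokens = sign_in_user_pool(idp, "exampleclientid", "alice", "correct horse battery staple")
    return exchange_for_aws_credentials(identity, IDENTITY_POOL_ID, REGION, USER_POOL_ID, tokens["IdToken"])


if __name__ == "__main__":
    print(run_offline_demo())
```

Against a real account, replace the stand-ins with boto3.client("cognito-idp") and boto3.client("cognito-identity") and pass the returned AwsCredentials to client_with_credentials. The credentials are short-lived and carry only the permissions of the IAM role the identity pool assigns to authenticated identities, which is why the app never needs long-term keys; an MFA-protected user pool surfaces as a challenge in step 1, which the example refuses rather than silently skipping.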