(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Post on 08-Jan-2017


© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Stephen Johnson, Solution Architect -- AWS

Valentin Polouchkine, Developer Advocate -- Twitter

October 2015

MBL402: Identity Management & Data Sync with Amazon Cognito

What to Expect from the Session

Dive deep into Cognito Identity

Learn about Cognito Sync features

Twitter Fabric and Digits demonstration

Cognito Identity

Authenticates Users

- Third-party ID Providers

- OpenID Connect Providers

- Developer Providers

Anonymous Identity

Federation of Identities

OpenID Connect Token Generation

Amazon Cognito Overview

Cognito Sync

Store Customer Data in the Cloud

Synchronize Data

- Between Devices and Cloud

- Across Devices

Cognito Events

- Trigger AWS Lambda

Cognito Streams

- Send to Amazon Kinesis

Amazon Cognito - Identity

Cognito Identity Developer Features

Identify customers whenever they use my app

No matter how they authenticate (across IDPs)

Even if they don’t authenticate (upgrade when they do)

Provide appropriate credentials for AWS access

Any level of permission, for any service

Distinguish authenticated and unauthenticated users

AWS Identity Before Cognito

Diagram (labels recovered from the slide): Mobile Client, Identity Provider (Web Identity -or- SAML -or- OpenID Connect), AWS Security Token Service (STS), Amazon S3. Steps:

1. Authenticate
2. Retrieve Identity
3. Assume Role
4. Validate
5. Receive AWS Credentials
6. Store Data

Cognito - Identity Storage

Identity Pool: no limit on the number of identities; up to 60 pools per account; usually associated with an app.

Each pool is bound to two IAM roles, each with its own Trust Policy and Access Policy:

- Authenticated Role
- Unauthenticated Role

Using Cognito in the Mobile SDK

// Android SDK: the caching provider stores the identity id and the temporary
// credentials on the device so they survive app restarts
CognitoCachingCredentialsProvider provider =
    new CognitoCachingCredentialsProvider(getApplicationContext(), "us-east-1:64813b20-4f17-491a-9287", Regions.US_EAST_1);

// Fetches (or creates) the Cognito identity id for this device
String identityId = provider.getIdentityId();

// Exchanges the identity's OpenID Connect token for temporary AWS credentials via STS
AWSSessionCredentials c = provider.getCredentials();

Create an Identity Pool with Roles

$ aws cognito-identity create-identity-pool \
    --identity-pool-name mySamplePool \
    --allow-unauthenticated-identities
{
    "IdentityPoolId": "us-east-1:cb6ff5f8-f6aa",
    "AllowUnauthenticatedIdentities": true,
    "IdentityPoolName": "mySamplePool"
}

$ aws cognito-identity set-identity-pool-roles \
    --identity-pool-id us-east-1:cb6ff5f8-f6aa \
    --roles authenticated=arn:aws:iam:::role/Auth_Role,unauthenticated=arn:aws:iam:::role/Unauth_Role

Create an (Unauthenticated) Identity

$ aws cognito-identity get-id \
    --identity-pool-id us-east-1:cb6ff5f8-f6aa
{
    "IdentityId": "us-east-1:73dbf099-cb1b-4a32-90f0-6c224"
}

Get the OpenID Connect Token

$ aws cognito-identity get-open-id-token \
    --identity-id us-east-1:73dbf099-cb1b-4a32
{
    "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NzNkYmYwOTktY2IxXUSUi27oUABCPA6Vx14WUTUCc7WfMqidQu5GIvZIiCvvTXG9EXY6zsf1C5BhV9EVvtww",
    "IdentityId": "us-east-1:73dbf099-cb1b-4a32"
}

Cognito Token – JWT format (courtesy jwt.io)

Assume Unauthenticated Role

$ aws sts assume-role-with-web-identity \
    --role-arn arn:aws:iam::role/Cognito_Unauth_Role \
    --role-session-name steve \
    --web-identity-token eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NzNkYmYwOTktY2IxYi00YTMyLTkwZjAtNmMyMjQ4NTg4OGFmIiwiYXVkIjoidXMtZWFzdC0xOjY0ODEzYjIwLTRmMTctNDkxYS05Mjg3LTJiMzc2YjgyNThjO

Assumed Role Credentials (output)

"Credentials": {
    "AccessKeyId": "ASIAJBGJ6DTQE5Q3N67Q",
    "SecretAccessKey": "aAa5v7/e+rk8Cr5VB+P4sL3DyaQJZ",
    "SessionToken": "AQoDYXdzEFAagAS8+GnLyCwthcqB/GftrGcCcY4cMi8sPOHXk1gNUkWvJIqkUcY4cMi8sPOHXk1gNUkWvJIqkv9uy9H07T4cY4cMi8sPOHXk1gNUkWvJIqk4PF/e==",
    "Expiration": "2015-09-17T00:15:53Z"
}

Unauthenticated Flow

Diagram (labels recovered from the slide): Mobile Client, Cognito acting as the "IDP", STS, Amazon S3. Steps:

1. Get New Identity
2. OpenID Token
3. Assume Role
4. Validate
5. Receive AWS Credentials
6. Store Data

Revisit API for Authenticated Identities

$ aws cognito-identity get-id

--identity-pool-id <required>

--logins <to fetch authenticated id>

$ aws cognito-identity get-open-id-token

--identity-id <required>

--logins <to fetch token for auth'd id>

Getting a Token: linking a login (promotion)

get-open-id-token is called with an existing identity (Id = 2) and a login. Cognito links the login to Id = 2, promotes it to "authenticated", and returns the same identity-id.

Getting a Token: lookup, return id

get-open-id-token is called with an identity (Id = 3) and a login. Cognito looks up the login and returns the same identity-id.

Getting a Token: merging identities

get-open-id-token is called with identity Id = 3 and a login that is already linked to another identity (Id = 2). Cognito merges the identities and returns the existing identity-id (Id = 2).

Getting a Token: Not Authorized

get-open-id-token is called with identity Id = 3 but without a valid linked login. Cognito requires a valid linked login before giving a token for an authenticated ID.

Authenticated Flow

Diagram (labels recovered from the slide): Mobile Client, Cognito acting as the "IDP", STS, Amazon S3. Steps:

1. Get or Create Identity
2. OpenID Token
3. Assume Role
4. Validate
5. Receive AWS Credentials
6. Store Data

Authenticated OpenID Token

OpenID Information in IAM Policy (Trust)

"Condition": {
    "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "us-east-1:identity-pool-id"
    },
    "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
    }
}

Or specify by provider instead of the generic "authenticated" value:

"ForAnyValue:StringLike": {
    "cognito-identity.amazonaws.com:amr": "api.twitter.com"
}

Restricting S3 Buckets by User

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["cognito/myapp/"]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [
                "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}
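Added example (not from the talk and not AWS code): a small Python model of what the two policies above decide, so the aud/amr trust condition and the ${cognito-identity.amazonaws.com:sub} substitution can be exercised offline. It builds a JWT-shaped token from constructed claims (the pool id and identity ids are placeholders), reads the claims back without verifying the signature, evaluates the trust-policy Condition, and then checks an S3 object key against the per-user Resource entries. Signature validation is deliberately out of scope here: in the real flow that is STS's job at step 4 (Validate).

```python
import base64
import json
import re

# Constructed values (not from the talk): the pool id and identity ids are placeholders.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
BUCKET = "EXAMPLE-BUCKET-NAME"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) from constructed claims.

    The signature segment is a dummy: this example only inspects claims. In the real
    flow STS validates the RS512 signature against Cognito's keys; nothing here
    replaces that check.
    """
    header = _b64url(json.dumps({"kid": "us-east-11", "typ": "JWS", "alg": "RS512"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"


def read_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# The trust-policy Condition from the slides, with the pool id filled in.
TRUST_CONDITION = {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
}

# Cognito condition keys map onto these token claims; amr is a list of values.
_KEY_TO_CLAIM = {
    "cognito-identity.amazonaws.com:aud": "aud",
    "cognito-identity.amazonaws.com:amr": "amr",
}


def glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def trust_policy_allows(condition: dict, claims: dict) -> bool:
    """Evaluate the two operators the talk's trust policy uses against token claims."""
    for key, expected in condition.get("StringEquals", {}).items():
        if claims.get(_KEY_TO_CLAIM[key]) != expected:
            return False  # token was issued for a different identity pool
    for key, pattern in condition.get("ForAnyValue:StringLike", {}).items():
        values = claims.get(_KEY_TO_CLAIM[key]) or []
        if not any(glob_match(pattern, v) for v in values):
            return False  # e.g. an unauthenticated token presented to the authenticated role
    return True


def allowed_object_arns(sub: str) -> list:
    """Resolve ${cognito-identity.amazonaws.com:sub} in the access policy's Resource list."""
    templates = [
        f"arn:aws:s3:::{BUCKET}/cognito/myapp/${{cognito-identity.amazonaws.com:sub}}",
        f"arn:aws:s3:::{BUCKET}/cognito/myapp/${{cognito-identity.amazonaws.com:sub}}/*",
    ]
    return [t.replace("${cognito-identity.amazonaws.com:sub}", sub) for t in templates]


def object_access_allowed(sub: str, key: str) -> bool:
    """Would the per-user S3 statement allow Get/Put/Delete on this object key?"""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    return any(glob_match(a, arn) for a in allowed_object_arns(sub))


def check_request(token: str, key: str) -> dict:
    """End to end: may this token assume the authenticated role, and if so touch key?"""
    claims = read_claims(token)
    role_ok = trust_policy_allows(TRUST_CONDITION, claims)
    return {
        "identity": claims.get("sub"),
        "assume_role": role_ok,
        "object_access": role_ok and object_access_allowed(claims["sub"], key),
    }


if __name__ == "__main__":
    sub = "us-east-1:11111111-1111-1111-1111-111111111111"  # constructed identity id
    token = make_unsigned_token({"sub": sub, "aud": POOL_ID, "amr": ["authenticated", "api.twitter.com"]})
    print(check_request(token, f"cognito/myapp/{sub}/profile.json"))
    print(check_request(token, "cognito/myapp/us-east-1:22222222-2222-2222-2222-222222222222/profile.json"))
```

The second print shows the point of the policy variable: a valid authenticated token still cannot reach another identity's prefix, because the Resource ARN is bound to the caller's own sub at evaluation time. Swapping the amr claim to ["unauthenticated"] or the aud to another pool makes the trust check fail before the S3 statement is even consulted.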

Using Developer Identities

What if you already have a directory with names and passwords?

You can federate your own identities using Cognito

One server side API call:

getOpenIdTokenForDeveloperIdentity

Developer Authenticated Flow

Diagram (labels recovered from the slide): Mobile Client, Developer Login (your own server), Cognito acting as the "IDP", STS, Amazon S3. Steps:

1. Authenticate
2. Request Token
3. OpenID Token
4. Assume Role
5. Validate
6. Receive AWS Credentials
7. Store Data

Developer Auth Demo

Diagram (labels recovered from the slide): Mobile Client, API Gateway + AWS Lambda (the developer login API), Cognito (API), STS, Amazon S3. Steps:

1. Authenticate
2. Get Token
3. OpenID Token
4. Assume Role
5. Validate
6. Receive AWS Credentials
7. Store Data

Pro Tips for Cognito Identity

Always cache Unauthenticated Identity IDs

Trap security errors so you know when to reauthenticate

Be sure to customize the default Access Policies for Authenticated and Unauthenticated Identities

If you use Developer Identities, lock down the login workflow.
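Added example (not from the talk and not AWS code) for the developer-identity flow described under "Using Developer Identities" and for the tip above about locking down the login workflow: a minimal server-side login handler in Python that makes the one Cognito call, getOpenIdTokenForDeveloperIdentity, only after the caller has passed our own password check. Assumptions: a developer provider name of login.example.myapp configured on the pool, a placeholder pool id, a constructed in-memory directory in place of a real user store, and FakeCognitoClient standing in for boto3.client("cognito-identity"), whose get_open_id_token_for_developer_identity method it mimics.

```python
import hashlib
import hmac

IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
DEVELOPER_PROVIDER_NAME = "login.example.myapp"  # assumed: the provider name set on the pool
TOKEN_LIFETIME_SECONDS = 900  # keep developer tokens short-lived


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed stand-in for "a directory with names and passwords": name -> (salt, hash).
_SALT = b"constructed-salt-not-secret"
DIRECTORY = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def verify_password(username: str, password: str) -> bool:
    """Constant-time compare; unknown users still pay the hashing cost so response
    timing does not reveal which names exist in the directory."""
    salt, expected = DIRECTORY.get(username, (_SALT, b""))
    candidate = _hash_password(password, salt)
    return username in DIRECTORY and hmac.compare_digest(candidate, expected)


def issue_token(cognito_client, username: str, password: str, identity_id: str = None):
    """The single server-side call from the slides, gated behind our own login check.

    cognito_client is anything exposing boto3's
    get_open_id_token_for_developer_identity(IdentityPoolId=, Logins=, TokenDuration=,
    IdentityId=); in production pass boto3.client("cognito-identity"). Returns None
    (and never contacts Cognito) when the password check fails.
    """
    if not verify_password(username, password):
        return None
    params = {
        "IdentityPoolId": IDENTITY_POOL_ID,
        # The login value is the directory's stable user id, never the password.
        "Logins": {DEVELOPER_PROVIDER_NAME: username},
        "TokenDuration": TOKEN_LIFETIME_SECONDS,
    }
    if identity_id:  # client already holds a cached (unauthenticated) id to link and promote
        params["IdentityId"] = identity_id
    resp = cognito_client.get_open_id_token_for_developer_identity(**params)
    return {"identity_id": resp["IdentityId"], "token": resp["Token"]}


class FakeCognitoClient:
    """Offline stand-in that records each call and returns a dummy token."""

    def __init__(self):
        self.calls = []

    def get_open_id_token_for_developer_identity(self, **params):
        self.calls.append(params)
        return {
            "IdentityId": params.get("IdentityId", "us-east-1:22222222-2222-2222-2222-222222222222"),
            "Token": "dummy.jwt.token",
        }


if __name__ == "__main__":
    client = FakeCognitoClient()
    print(issue_token(client, "alice", "wrong password"))  # None, and no Cognito call made
    print(issue_token(client, "alice", "correct horse battery staple"))
    print(client.calls)
```

The Logins map is what Cognito links to the identity, so the server must only ever put a user id in it that it has just authenticated itself; an endpoint that accepts a username and hands back a token without the verify_password step would let anyone obtain AWS credentials for any user.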

Amazon Cognito Sync

Cognito Sync Data Structure

An Identity Pool holds one store per identity. Each identity's store contains up to 20 Datasets of up to 1 MB each. A Dataset contains Key/Value Records.

Protips for Cognito Sync

Use SyncOnConnect, or explicit Sync calls, depending on use case

Sync happens at the Dataset level. Use different datasets for different sync patterns

If you require immediate updates, use Cognito Push Sync

Implement SyncCallback if you want to know what's going on, or to give your customers a better experience

Cognito Sync Events

Diagram (labels recovered from the slide): Mobile Client, Identity Pool (Sync Data), AWS Lambda, Amazon DynamoDB, Amazon Redshift. Steps:

1. Sync
2. SyncTrigger Event
3. R/W
4. Write
5. Update

Pro Tips for Cognito Events

Handles incoming Sync data: whatever makes it into the store will be shared with all clients on sync

You have control over what is stored:

Add, Modify, or Delete Records

Modify Record Values (create ‘Read Only’ Values)

Use DynamoDB, S3, or Amazon RDS to support complex use cases

Validate values to detect exploits or cheating
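Added example (not from the talk and not AWS code): a Python Lambda handler for the Sync Trigger that does the two things listed above, forcing a server-owned record back to its stored value (a "read only" value) and rejecting a sync whose score jump is implausible. The event shape it relies on (datasetRecords entries with oldValue, newValue and an op of "replace" or "remove", the modified event returned to accept, an exception raised to reject) is my reading of the Cognito Events contract and is labelled as an assumption in the code; the game rule, pool id and identity id are constructed.

```python
# Assumed shape of the Cognito Events SyncTrigger payload (check the Amazon Cognito
# Events documentation for the current contract): every key under datasetRecords
# carries oldValue, newValue and an op of "replace" or "remove". Returning the
# (possibly modified) event accepts the sync; raising an exception rejects it.

MAX_SCORE_GAIN = 1000              # constructed game rule: at most +1000 per sync
READ_ONLY_KEYS = {"account_tier"}  # server-owned values the client must not change


class RejectedSync(Exception):
    """Raised to fail the sync; nothing from it reaches the store or other devices."""


def validate_sync(event: dict) -> dict:
    records = event.get("datasetRecords", {})
    for key, rec in records.items():
        if key in READ_ONLY_KEYS:
            # Clients may send anything; overwrite it with what the store already holds,
            # which makes the record read-only from the client's point of view.
            if rec.get("oldValue") is None:
                rec["op"] = "remove"  # never existed server-side: do not let the client create it
            else:
                rec["newValue"] = rec["oldValue"]
                rec["op"] = "replace"
        elif key == "score" and rec.get("op") == "replace":
            old = int(rec.get("oldValue") or 0)  # ValueError on garbage also rejects the sync
            new = int(rec.get("newValue") or 0)
            if new - old > MAX_SCORE_GAIN:
                raise RejectedSync(
                    f"identity {event.get('identityId')}: score {old} -> {new} exceeds allowed gain"
                )
    return event


def handler(event, context):
    """AWS Lambda entry point wired to the identity pool's Sync Trigger."""
    return validate_sync(event)


def review(event: dict) -> tuple:
    """Convenience wrapper for tests and logging: (accepted, event_or_reason)."""
    try:
        return True, validate_sync(event)
    except (RejectedSync, ValueError) as exc:
        return False, str(exc)


def sample_event(score_before: str, score_after: str, tier_after: str) -> dict:
    """Constructed SyncTrigger event; the pool id and identity id are placeholders."""
    return {
        "version": 2,
        "eventType": "SyncTrigger",
        "region": "us-east-1",
        "identityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
        "identityId": "us-east-1:11111111-1111-1111-1111-111111111111",
        "datasetName": "game_state",
        "datasetRecords": {
            "score": {"oldValue": score_before, "newValue": score_after, "op": "replace"},
            "account_tier": {"oldValue": "free", "newValue": tier_after, "op": "replace"},
        },
    }


if __name__ == "__main__":
    print(review(sample_event("100", "600", "gold")))    # accepted, tier forced back to "free"
    print(review(sample_event("100", "99999", "free")))  # rejected: implausible score gain
```

Because the store is what every other device receives on its next sync, the trigger is the one place where a value can be stopped before it propagates; rejecting the whole sync (rather than silently fixing the score) also gives the client a clear signal that its state was not accepted.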

Cognito Streams

Diagram (labels recovered from the slide): Mobile Client, Identity Pool (Sync Data), Amazon Kinesis, Amazon Redshift, Amazon S3. Steps:

1. Sync
2. Stream
3. Update

Twitter Digits Integration

What's in the box?

- Crashlytics Kit: Stability
- Twitter Kit: Social
- MoPub Kit: Revenue
- Digits Kit: Identity

Basic flow

The app sends the user's Phone Number to Digits; Digits sends an SMS with a Confirmation Code; the user enters the Confirmation Code; Digits returns a Stable ID and an OAuth Token.

Digits

- iOS, Android, JS
- 216 countries, 28 languages
- Digits.com: 2FA, phone number change
- Voice verification as fallback

Thank you!

Remember to complete your evaluations!

Related Sessions

- SEC307 - A Progressive Journey Through AWS IAM Federation Options
- SEC305 - Become an AWS IAM Policy Ninja in 60 Minutes or Less
- MBL309 - Analyze Mobile App Data and Build Predictive Applications