Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series
Transcript of Getting Started with your User Pools in Amazon Cognito - AWS June 2016 Webinar Series
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Hunt, Sr. Product Manager, Amazon Cognito
June 30, 2016
Getting Started with Your User Pools in Amazon Cognito
Topics
AWS Mobile Services and Amazon Cognito
Introduction to Your User Pools
Summary of Features
Demo
Deeper Dive in a Few Areas
Getting Started
Q & A
The Best Mobile Apps Run on AWS
AWS Mobile Services Eliminate the Heavy Lifting
When developing mobile apps today, you want to focus on ...
The great stuff that makes your app unique
Not…
The heavy lifting needed to manage backend infrastructure
AWS Mobile SDKs
AWS Mobile Hub
Authenticate users
Analyze User Behavior
Store and share media
Synchronize data
Deliver media
Amazon Cognito (Sync)
Amazon Cognito (Identity)
Amazon S3
Amazon CloudFront
Store data: Amazon DynamoDB, Amazon RDS
Track retention: Amazon Mobile Analytics
Send push notifications: Amazon SNS Mobile Push
Server-side logic: Lambda
Test your app: Device Farm
Amazon Mobile Analytics
Build and Scale Your Apps on AWS
AWS Mobile Hub: Fastest Way to Build Apps on AWS
Federated Identities: manage authenticated and guest users' access to your AWS resources
Data Synchronization: synchronize a user's data across devices and platforms via the cloud
Your User Pool: add sign-up and sign-in with a fully managed user directory
Guest / Your own auth
Amazon Cognito Identity, Amazon Cognito Sync
Amazon Cognito Identity and Sync
k/v data
SAML
Sign in with Facebook
Or
Username
Password
Sign In
Or
Start as a guest
Authenticate via 3rd party Identity Providers
Amazon Cognito Identity and User Experience
Guest Access
Your User Pool in Amazon Cognito
Amazon Cognito Identity provides temporary credentials to securely access your resources
DynamoDB
S3
API Gateway
A Fully Managed User Directory in Cognito
Add sign-up and sign-in easily to your mobile and
web apps
Easy User Management
Verify phone numbers and email addresses and offer multi-factor authentication
Enhanced Security Features
Launch a simple, secure, low-cost, and fully managed
service to create and maintain a user directory
that scales to 100s of millions of users
Managed User Directory
Comprehensive User Scenarios
Email or phone number verification: users verify their email address or phone number prior to activating an account
Forgot password: users can change their password if they forget it
User sign-up and sign-in: users sign up using email, phone number or user name and password; users can then sign in
User profile: retrieve and update user profiles, including custom attributes
SMS-based MFA: if enabled, users complete Multi-Factor Authentication (MFA) with a confirmation code via SMS as part of the sign-in and forgot-password flows
Comprehensive Administrator Scenarios
Manage users in a User Pool: list, search and perform actions on specific user(s) in the User Pool
Select email and phone verification: configure verification of users' email addresses and phone numbers (via SMS)
Customize with Lambda triggers: create functions in AWS Lambda to customize workflows
Set up password policies: control password requirements like minimum length, uppercase, and inclusion of special characters
Create and manage User Pools: create, configure and delete multiple User Pools in their AWS account
Define attributes: select required attributes and define custom user attributes
Secure Sign-in Made Easy
Token-based authentication: uses tokens based on the OpenID Connect (OIDC) and OAuth 2.0 standards
Secure Remote Password protocol: uses Secure Remote Password (SRP) for secure password handling end to end
SMS-based multi-factor authentication: enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security
Customization using Lambda hooks
Lambda Hook Example Scenarios
Pre user sign-up Custom validation to accept or deny the sign-up request
Custom message Advanced customization and localization of verification messages
Pre user sign-in Custom validation to accept or deny the sign-in request
Post user sign-in Event logging for custom analytics
Post user confirmation Custom welcome messages or event logging for custom analytics
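An added example of the "Pre user sign-up" hook above, written for this page rather than taken from the slides or from AWS: a Node.js Lambda that accepts or denies a SignUp request. The event fields used (triggerSource, request.userAttributes, response.autoConfirmUser/autoVerifyEmail/autoVerifyPhone) are the real Cognito trigger contract; the domain allow-list and the policy it enforces are constructed for the example.

```javascript
// Pre Sign-up trigger: accept or deny a sign-up before the user is Registered.
// Allow-list and policy are constructed for this example, not AWS defaults.
const ALLOWED_EMAIL_DOMAINS = new Set(["example.com", "example.org"]);
// E.164 is the phone format SMS verification and SMS MFA need.
const E164 = /^\+[1-9]\d{1,14}$/;

// Returns the (possibly modified) event to accept the sign-up; throws to deny it.
// The error message is what the calling app receives, so keep it non-revealing.
function preSignUp(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const email = String(attrs.email || "").trim().toLowerCase();
  const phone = attrs.phone_number;
  // Self-service sign-ups must come from an approved e-mail domain; users created
  // by an administrator (PreSignUp_AdminCreateUser) are assumed already vetted.
  if (event.triggerSource === "PreSignUp_SignUp") {
    const at = email.lastIndexOf("@");
    const domain = at > 0 ? email.slice(at + 1) : "";
    if (!ALLOWED_EMAIL_DOMAINS.has(domain)) throw new Error("sign-up not permitted");
  }
  if (phone !== undefined && !E164.test(phone)) throw new Error("sign-up not permitted");
  // Do not auto-confirm or auto-verify: keep the built-in code-based verification
  // so the user proves control of the address before the account becomes Confirmed.
  event.response.autoConfirmUser = false;
  event.response.autoVerifyEmail = false;
  event.response.autoVerifyPhone = false;
  return event;
}

// Export this as the Lambda handler (e.g. exports.handler = handler).
async function handler(event) {
  return preSignUp(event);
}
```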
Cognito User and Federated Identities
Cognito User Identities (Your User Pool)
1. The user signs in to the User Pool
2. The User Pool returns access and ID tokens
3. Cognito Federated Identities (Identity Pool): get AWS scoped credentials
4. Access to AWS services: DynamoDB, S3, API Gateway
Demo
Understanding User Status
New users start with “Registered” status
Users must be confirmed before they can sign-in
Users must be disabled before they can be deleted
Sign-up -> Registered (cannot sign in) -> verify email or verify phone -> Confirmed -> Disable -> Disabled -> Delete -> (deleted)
Lambda Trigger: Pre Sign-up (runs at sign-up)
Verifying Email and Phone
Your User Pools provide built-in verification of email addresses and phone numbers
A six-digit code is sent as an email message or SMS text and is submitted via the VerifyUserAttribute API
If both a phone number and email address are provided at sign-up, a verification code will only be sent to the phone
Your app can call GetUser to see if an email address or phone number is awaiting verification, and then call GetUserAttributeVerificationCode to initiate the verification
Example message: "Your verification code is 938764"
Using Aliases in Amazon Cognito User Pools
Sign-up and sign-in with email are very common today
Aliases in Amazon Cognito support use of email, phone or preferred user name in place of the user name
A username value must be provided at sign-up, but it could be generated by the app and not exposed to the end user
Phone numbers and email addresses must be unique and must be verified before they can be used to sign in
(Mock sign-in screen: "My App", Password, Sign In, Sign Up)
Getting Started with Your User Pools
See aws.amazon.com/cognito/dev-resources/ for links to:
SDKs for iOS, Android, and JavaScript
Sample apps for iOS and Android (an AWS Mobile Blog article describes them)
Developer Guide
API Reference Guide
Thank You!
Visit aws.amazon.com/cognito/ to learn more
Q & A
Appendix
AWS Resources
Authentication – supported providers: social identity providers, developer provided, enterprise identity provider via SAML (coming)
Authorization / permission
Cognito User and Federated Identities
User Pool: authenticates users and generates identity tokens
Cognito Identity: validates identity tokens and provides credentials to access AWS resources
Pricing
Pricing is based on Monthly Active Users (MAUs) with volume-based discounting.
A user is counted as a MAU if there is an identity operation related to that user within a calendar month (e.g., sign-up, sign-in, token refresh, or password change).
No charge for subsequent sessions or for inactive users.
SMS charges are billed separately (using the SNS Global SMS feature).

Pricing tier            Price per 1K MAUs
First 50,000 MAUs       Free
Next 50,000 MAUs        $5.50
Next 900,000 MAUs       $4.60
Next 9,000,000 MAUs     $3.25
>10,000,000 MAUs        $2.50
Amazon Cognito Sync
User Data Storage and Sync
Any platform: iOS / Android / Fire OS
Store app data, preferences, and state: save app and device data to the cloud and merge them after login
Cross-device / cross-OS sync: sync user data and preferences across devices with a few lines of code
Work offline: data is always stored in a local SQLite DB first; works seamlessly with intermittent or no connectivity
k/v data
Identity pool
No back end: a simple client SDK eliminates the need for server-side code
Push Sync: sync between devices in near real time using push instead of polling; fewer syncs = cost savings; powered by SNS; push changes from your backend
Cognito Streams: enables deeper analysis of data; receive a stream of any updates to a dataset for each identity in your identity pool; publishes updates to Kinesis; from Kinesis, write to other destinations such as Redshift or Elasticsearch
(Diagram: Cognito -> Kinesis -> Redshift / Elasticsearch)
Cognito Events: can be used to provide data validation (cheating, sanitization) or to inject data (bonuses, content); perform additional logic server side during a synchronize call; full control over dataset contents
(Diagram: Cognito -> Lambda)