(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito


Transcript of (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Page 1: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Stephen Johnson, Solution Architect -- AWS

Valentin Polouchkine, Developer Advocate -- Twitter

October 2015

MBL402

Identity Management &

Data Sync with Amazon Cognito

Page 2: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

What to Expect from the Session

Dive deep into Cognito Identity

Learn about Cognito Sync features

Twitter Fabric and Digits demonstration

Page 3: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito Identity

Authenticates Users

- Third-party ID Providers

- OpenID Connect Providers

- Developer Providers

Anonymous Identity

Federation of Identities

OpenID Connect Token

Generation

Amazon Cognito Overview

Cognito Sync

Store Customer Data in the Cloud

Synchronize Data

- Between Devices and Cloud

- Across Devices

Cognito Events

- Trigger AWS Lambda

Cognito Streams

- Send to Amazon Kinesis

Page 4: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Amazon Cognito - Identity

Page 5: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito Identity Developer Features

Identify customers whenever they use my app

No matter how they authenticate (across IDPs)

Even if they don’t authenticate (upgrade when they do)

Provide appropriate credentials for AWS access

Any level of permission, for any service

Distinguish authenticated and unauthenticated users

Page 6: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

AWS Identity Before Cognito

(Diagram) Mobile Client, Identity Provider (Web Identity -or- SAML -or- OpenID Connect), AWS Security Token Service (STS), Amazon S3:

1. Authenticate (Mobile Client -> Identity Provider)
2. Retrieve Identity
3. Assume Role (Mobile Client -> STS)
4. Validate
5. Receive AWS Credentials
6. Store Data (Amazon S3)

Page 7: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito - Identity Storage

Identity Pool

- No limit on # identities
- Up to 60 Pools / Account
- Usually associated with an app

Authenticated Role: Trust Policy, Access Policy

Unauthenticated Role: Trust Policy, Access Policy

Page 8: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Using Cognito in the Mobile SDK

import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.regions.Regions;

// Android SDK: provider bound to the identity pool; it caches the identity id on the device
CognitoCachingCredentialsProvider provider =
    new CognitoCachingCredentialsProvider(getApplicationContext(), "us-east-1:64813b20-4f17-491a-9287", Regions.US_EAST_1);

String identityId = provider.getIdentityId();        // gets (or creates and caches) the identity id
AWSSessionCredentials c = provider.getCredentials(); // temporary credentials from assuming the pool's role

Page 9: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Create an Identity Pool with Roles

$ aws cognito-identity create-identity-pool \
    --identity-pool-name mySamplePool \
    --allow-unauthenticated-identities
{
    "IdentityPoolId": "us-east-1:cb6ff5f8-f6aa",
    "AllowUnauthenticatedIdentities": true,
    "IdentityPoolName": "mySamplePool"
}

$ aws cognito-identity set-identity-pool-roles \
    --identity-pool-id us-east-1:cb6ff5f8-f6aa \
    --roles authenticated=arn:aws:iam:::role/Auth_Role,unauthenticated=arn:aws:iam:::role/Unauth_Role

Page 10: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Create an (Unauthenticated) Identity

$ aws cognito-identity get-id \
    --identity-pool-id us-east-1:cb6ff5f8-f6aa
{
    "IdentityId": "us-east-1:73dbf099-cb1b-4a32-90f0-6c224"
}

Page 11: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Get the OpenID Connect Token

$ aws cognito-identity get-open-id-token \
    --identity-id us-east-1:73dbf099-cb1b-4a32
{
    "Token": "eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NzNkYmYwOTktY2IxXUSUi27oUABCPA6Vx14WUTUCc7WfMqidQu5GIvZIiCvvTXG9EXY6zsf1C5BhV9EVvtww",
    "IdentityId": "us-east-1:73dbf099-cb1b-4a32"
}

Page 12: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito Token – JWT format (courtesy jwt.io)

Page 13: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Assume Unauthenticated Role

$ aws sts assume-role-with-web-identity \
    --role-arn arn:aws:iam::role/Cognito_Unauth_Role \
    --role-session-name steve \
    --web-identity-token eyJraWQiOiJ1cy1lYXN0LTExIiwidHlwIjoiSldTIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiJ1cy1lYXN0LTE6NzNkYmYwOTktY2IxYi00YTMyLTkwZjAtNmMyMjQ4NTg4OGFmIiwiYXVkIjoidXMtZWFzdC0xOjY0ODEzYjIwLTRmMTctNDkxYS05Mjg3LTJiMzc2YjgyNThjO

Page 14: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Assumed Role Credentials (output)

{
    "Credentials": {
        "AccessKeyId": "ASIAJBGJ6DTQE5Q3N67Q",
        "SecretAccessKey": "aAa5v7/e+rk8Cr5VB+P4sL3DyaQJZ",
        "SessionToken": "AQoDYXdzEFAagAS8+GnLyCwthcqB/GftrGcCcY4cMi8sPOHXk1gNUkWvJIqkUcY4cMi8sPOHXk1gNUkWvJIqkv9uy9H07T4cY4cMi8sPOHXk1gNUkWvJIqk4PF/e==",
        "Expiration": "2015-09-17T00:15:53Z"
    }
}

Page 15: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Unauthenticated Flow

(Diagram) Mobile Client, Cognito "IDP", STS, Amazon S3:

1. Get New Identity (Mobile Client -> Cognito)
2. OpenID Token
3. Assume Role (Mobile Client -> STS)
4. Validate
5. Receive AWS Credentials
6. Store Data (Amazon S3)

Page 16: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Revisit API for Authenticated Identities

$ aws cognito-identity get-id

--identity-pool-id <required>

--logins <to fetch authenticated id>

$ aws cognito-identity get-open-id-token

--identity-id <required>

--logins <to fetch token for auth’d id>

Page 17: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Getting a Token : linking a login (promotion)

(Diagram) get-open-id-token(Id = 2, login) for an existing unauthenticated identity Id = 2:

Cognito promotes the identity to "authenticated" and returns the same identity-id (Id = 2)

Page 18: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Getting a Token : lookup, return id

(Diagram) get-open-id-token(Id = 3, login) where the login is already linked to Id = 3:

Cognito returns the same identity-id (Id = 3)

Page 19: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Getting a Token : merging identities

(Diagram) get-open-id-token(Id = 3, login) where the login is already linked to Id = 2:

Cognito merges the identities and returns an existing identity-id (Id = 2)

Page 20: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Getting a Token : Not Authorized

(Diagram) get-open-id-token(Id = 3) without a login for the authenticated identity Id = 3:

Cognito requires a valid linked login before giving a token for an authorized ID

Page 21: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Authenticated Flow

(Diagram) Mobile Client, Cognito "IDP", STS, Amazon S3:

1. Get or Create Identity (Mobile Client -> Cognito)
2. OpenID Token
3. Assume Role (Mobile Client -> STS)
4. Validate
5. Receive AWS Credentials
6. Store Data (Amazon S3)

Page 22: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Authenticated OpenID Token

Page 23: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

OpenID Information in IAM Policy (Trust)

"Condition": {
    "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "us-east-1:identity-pool-id"
    },
    "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
    }
}

< or specify by provider… >

    "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "api.twitter.com"
    }

Page 24: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Restricting S3 Buckets by User

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET-NAME"],
            "Condition": {
                "StringLike": { "s3:prefix": ["cognito/myapp/"] }
            }
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [
                "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}
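Added example (not from the deck): how the trust policy on page 23 and the per-user S3 policy on page 24 act on the claims of the Cognito OpenID token. The pool id, identity ids and token are constructed placeholders; the RS512 signature check is left to STS, which is what step 4 "Validate" is.

```python
import base64
import fnmatch
import json

# Placeholder pool id (not the deck's real pool); claims are constructed samples.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
S3_RESOURCE = "arn:aws:s3:::EXAMPLE-BUCKET-NAME/cognito/myapp/" + SUB_VAR

def b64url(obj):
    """base64url without padding, the way JWS segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(sub, amr):
    """Unsigned sample token with the header/claims layout the deck shows
    (kid/typ/alg header; sub = identity id, aud = pool id, amr = auth methods)."""
    header = {"kid": "us-east-11", "typ": "JWS", "alg": "RS512"}
    claims = {"sub": sub, "aud": POOL_ID, "amr": amr,
              "iss": "https://cognito-identity.amazonaws.com"}
    return "%s.%s." % (b64url(header), b64url(claims))

def decode_claims(token):
    """Parse header and claims. Verifying the RS512 signature is STS's job in
    step 4 'Validate'; this demo only inspects the claim values."""
    header_b64, claims_b64, _sig = token.split(".")
    def segment(s):
        return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    if segment(header_b64).get("alg") != "RS512":
        raise ValueError("unexpected alg: Cognito tokens are RS512")
    return segment(claims_b64)

def trust_allows(claims, pool_id, amr_patterns):
    """Evaluate the trust policy conditions: StringEquals on aud and
    ForAnyValue:StringLike on amr (any amr value matching any pattern)."""
    if claims.get("aud") != pool_id:
        return False
    return any(fnmatch.fnmatchcase(m, p)
               for m in claims.get("amr", []) for p in amr_patterns)

def object_allowed(claims, object_arn):
    """Resolve ${cognito-identity.amazonaws.com:sub} for this identity; the
    object must be the identity's own prefix or strictly beneath it."""
    own = S3_RESOURCE.replace(SUB_VAR, claims["sub"])
    return object_arn == own or object_arn.startswith(own + "/")
```

Note that the ListBucket statement on the slide lets every identity list the shared cognito/myapp/ prefix; scoping s3:prefix to cognito/myapp/${cognito-identity.amazonaws.com:sub}/* keeps one identity from enumerating another's keys.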

Page 25: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Using Developer Identities

What if you already have a directory with names and passwords?

You can federate your own identities using Cognito

One server side API call:

getOpenIdTokenForDeveloperIdentity

Page 26: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Developer Authenticated Flow

(Diagram) Mobile Client, Developer Login, Cognito "IDP", STS, Amazon S3:

1. Authenticate (Mobile Client -> Developer Login)
2. Request Token (Developer Login -> Cognito)
3. OpenID Token
4. Assume Role (Mobile Client -> STS)
5. Validate
6. Receive AWS Credentials
7. Store Data (Amazon S3)

Page 27: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Developer Auth Demo

Page 28: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Developer Auth Demo

(Diagram) Mobile Client, API Gateway + AWS Lambda (the developer login API), Cognito, STS, Amazon S3:

1. Authenticate (Mobile Client -> API Gateway)
2. Get Token (AWS Lambda -> Cognito)
3. OpenID Token
4. Assume Role (Mobile Client -> STS)
5. Validate
6. Receive AWS Credentials
7. Store Data (Amazon S3)

Page 29: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Pro Tips for Cognito Identity

Always cache Unauthenticated Identity IDs

Trap security errors so you know when to reauthenticate

Be sure to customize the default Access Policies for Authenticated and Unauthenticated Identities

If you use Developer Identities, lock down the login workflow.
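Added example (not the deck's demo code): the server-side step of the developer-authenticated flow on pages 25-28, written the way the "lock down the login workflow" tip asks for. The directory, pool id and developer provider name are constructed, and FakeCognito stands in for boto3's cognito-identity client so it runs offline; the call it mimics is the real getOpenIdTokenForDeveloperIdentity API.

```python
import hashlib
import hmac
import os

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder pool id
DEVELOPER_PROVIDER = "login.myapp.example"                  # provider name set on the pool (assumed)

def hash_password(password, salt=None):
    """PBKDF2 entry for the existing directory (constructed; any store works)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed directory: username -> (salt, hash). Never store plaintext.
DIRECTORY = {"alice": hash_password("correct horse battery staple")}

def verify_login(username, password):
    """True only if the password matches; comparison is constant time."""
    entry = DIRECTORY.get(username)
    if entry is None:
        hash_password(password)          # spend the same time for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def developer_login(username, password, cognito):
    """Step 2 of the flow: only after the directory check passes does the
    backend ask Cognito for an OpenID token for this developer user."""
    if not verify_login(username, password):
        return None
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=POOL_ID,
        Logins={DEVELOPER_PROVIDER: username},  # stable user id, never the password
        TokenDuration=900,                      # short-lived; client re-logs in to refresh
    )
    return {"IdentityId": resp["IdentityId"], "Token": resp["Token"]}

class FakeCognito:
    """Stand-in for boto3's cognito-identity client; records what was requested."""
    def __init__(self):
        self.calls = []
    def get_open_id_token_for_developer_identity(self, **kw):
        self.calls.append(kw)
        return {"IdentityId": "us-east-1:22222222-2222-2222-2222-222222222222",
                "Token": "<opaque jwt placeholder>"}
```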

Page 30: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Amazon Cognito Sync

Page 31: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito Sync Data Structure

(Diagram) Identity Pool -> per-identity store -> up to 20 Datasets of 1 MB each

Each identity's store contains up to 20 Datasets

A Dataset contains Key/Value Records

Page 32: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Protips for Cognito Sync

Use SyncOnConnect, or explicit Sync calls depending on use case

Sync happens at the Dataset level. Use different datasets for different Sync patterns

If you require immediate updates, use Cognito Push Sync

Implement SyncCallback if you want to know what's going on, or give your Customers a better experience

Page 33: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito Sync Events

(Diagram) Mobile Client, Identity Pool (Sync Data), AWS Lambda, Amazon DynamoDB, Amazon Redshift:

1. Sync (Mobile Client -> Identity Pool Sync Data)
2. SyncTrigger Event (-> AWS Lambda)
3. R/W (AWS Lambda <-> Amazon DynamoDB)
4. Write (-> Amazon Redshift)
5. Update (-> Sync Data)

Page 34: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Pro Tips for Cognito Events

Handles Incoming Sync Data -- whatever makes it in the store will be shared with all clients on sync

You have control over what is stored:

- Add, Modify, or Delete Records
- Modify Record Values (create 'Read Only' Values)
- Use DynamoDB, S3, or Amazon RDS to support complex use cases
- Validate values to detect exploits or cheating
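Added example (not from the deck): a Cognito Events SyncTrigger handler that applies the tips above, forcing a read-only value and rejecting an implausible score before the record is stored. The event shape (datasetRecords mapping each key to oldValue/newValue/op) is assumed from the Cognito Events Lambda format; ids, dataset and limits are constructed.

```python
import copy

# Constructed SyncTrigger event; ids are placeholders, shape assumed from the
# Cognito Events format (op is "replace" or "remove", values are strings).
SAMPLE_EVENT = {
    "version": 2, "eventType": "SyncTrigger", "region": "us-east-1",
    "identityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "identityId": "us-east-1:11111111-1111-1111-1111-111111111111",
    "datasetName": "game_state",
    "datasetRecords": {
        "level":   {"oldValue": "3",     "newValue": "4",        "op": "replace"},
        "score":   {"oldValue": "1200",  "newValue": "99999999", "op": "replace"},
        "premium": {"oldValue": "false", "newValue": "true",     "op": "replace"},
    },
}

MAX_SCORE_STEP = 5000         # largest believable score gain per sync (constructed limit)
READ_ONLY_KEYS = {"premium"}  # records only the backend may change

def plausible_score(old, new):
    """Reject non-numeric, decreasing or implausibly large jumps."""
    try:
        old_n, new_n = int(old or 0), int(new)
    except (TypeError, ValueError):
        return False
    return old_n <= new_n <= old_n + MAX_SCORE_STEP

def lambda_handler(event, context=None):
    """Vet each incoming record before it reaches the store. What this returns
    is what gets stored and shared with all the identity's devices on the next
    sync, so rejected values are replaced by the last known good one."""
    if event.get("eventType") != "SyncTrigger":
        return event
    out = copy.deepcopy(event)
    for key, rec in out.get("datasetRecords", {}).items():
        if key in READ_ONLY_KEYS:
            # Client tried to change a read-only value: write the old value back.
            rec["newValue"] = rec.get("oldValue")
            rec["op"] = "replace" if rec.get("oldValue") is not None else "remove"
        elif key == "score" and rec.get("op") == "replace":
            if not plausible_score(rec.get("oldValue"), rec.get("newValue")):
                rec["newValue"] = rec.get("oldValue") or "0"
    return out
```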

Page 35: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Cognito Streams

(Diagram) Mobile Client, Identity Pool (Sync Data), Amazon Kinesis, Amazon Redshift, Amazon S3:

1. Sync (Mobile Client -> Identity Pool Sync Data)
2. Stream (-> Amazon Kinesis)
3. Update (-> Amazon Redshift, Amazon S3)

Page 36: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Twitter Digits Integration

Page 37: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Page 38: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

What’s in the box?

Crashlytics Kit

Stability

Twitter Kit

Social

MoPub Kit

Revenue

Digits Kit

Identity

Page 39: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Basic flow

(Diagram) Phone Number -> SMS (Confirmation Code) -> Confirmation Code -> Stable ID, OAuth Token

Page 40: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Digits

iOS, Android, JS

216 countries, 28 languages

Digits.com: 2FA, phone number change

Voice verification as fallback

Page 41: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Thank you!

Page 42: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Remember to complete

your evaluations!

Page 43: (MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito

Related Sessions

SEC307 - A Progressive Journey Through AWS IAM Federation Options

SEC305 - Become an AWS IAM Policy Ninja in 60 Minutes or Less

MBL309 - Analyze Mobile App Data and Build Predictive Applications