 

AWS service: difference between Cognito user pool and federated identity

AWS provides Cognito, which provides the developer with sign-up and sign-in functionality, including federation with OpenID-compatible identity providers such as Facebook, Google, etc.

There are two categories in the Cognito developer console. These are managing user pools and managing federated identities.

I'm just a little bit confused because both are very similar, even when we want to let our clients log in with their Facebook account. The Cognito user pool itself provides federation, and the federated identity pool also provides it through authentication providers.

The question is: if I want to allow my clients to use their own Facebook account for sign-in, which category should I use, user pool or federated identities?

In addition, if I want to configure an authorizer in API Gateway I have to create a Cognito user pool, not a federated identity pool. Is that the main reason for choosing the Cognito category?

asked Sep 21 '17 02:09 by jwchoi




2 Answers

Cognito user pool:

Amazon Cognito User Pools make it easy for developers to add sign-up and sign-in functionality to web and mobile applications. A user pool serves as your own identity provider and maintains a user directory. It supports user registration and sign-in, as well as issuing identity tokens for signed-in users.

Cognito Federated Identities or Identity Pool:

A Cognito Identity Pool (or Cognito Federated Identities), on the other hand, is a way to authorize your users to use the various AWS services. Say you wanted to allow a user to have access to your S3 bucket so that they could upload a file; you could specify that while creating an Identity Pool. And to create these levels of access, the Identity Pool has its own concept of an identity (or user). The source of these identities (or users) could be a Cognito User Pool, or even Facebook or Google.

Relationship between User pool and Identity pool:

The Cognito Identity Pool simply takes all the identity providers and puts them together (federates them). And with all of this it can now give your users secure access to your AWS services, regardless of where they come from.


So in summary, the Cognito User Pool stores all the users, which then plugs into the Cognito Identity Pool, which can give the users access to AWS services.

answered Sep 23 '22 10:09 by Mahbubur Rahman


You can think of user pools as a sort of directory which contains user attributes such as name, email, phone number, etc. It also provides sign-up and sign-in capability. You can federate users into user pools. Currently you can use Facebook, Google, and SAML as identity providers for user pools.

Cognito Federated Identities lets you federate users into AWS and vends AWS credentials that can be used to access the resources you allow in your policy. For Cognito Federated Identities, you also have a variety of identity providers that you can configure, such as Facebook and Google, and a Cognito User Pool can also be an identity provider.

What you use depends on your use case. If you don't require AWS resources for your app, User Pools are probably all you need.

answered Sep 23 '22 10:09 by Ionut Trestian
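The point both answers make, that the user pool is the token issuer and everything downstream (an API Gateway Cognito authorizer, your own backend, or an identity pool's GetId / GetCredentialsForIdentity call through its Logins map) only consumes and verifies those tokens, is easiest to see in the verification step itself. The following is an added example, not code from the question, either answer, or Cognito: it mints a sample RS256 ID token with a constructed key and then validates it with the checks the Cognito developer guide lists for verifying a user pool JWT (signature against the pool's JWKS, iss, aud, token_use, exp). The region, user pool id, app client id, kid and RSA key are all made up; the pure-Python RS256 routine exists only so the sample runs offline.

```python
"""Verify a Cognito User Pool ID token the way an API Gateway Cognito
authorizer or a backend does. Constructed example: the key, kid, region,
pool id and app client id are made up, and the RS256 routine is pure
Python only so the sample runs offline (use a real JWT library in prod)."""
import base64
import hashlib
import hmac
import json

# Constructed RSA key from two Mersenne primes (no prime search needed).
# NOT a Cognito key and not safe for real use.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))          # private exponent
KEY_BYTES = (N.bit_length() + 7) // 8

REGION = "us-east-1"                          # assumed
USER_POOL_ID = "us-east-1_EXAMPLE1"           # assumed
APP_CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"  # assumed
KID = "constructed-key-1"                     # assumed
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _int_to_b64url(x: int) -> str:
    return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))

# Same shape as the document Cognito serves at
# https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json
JWKS = {"keys": [{"kid": KID, "kty": "RSA", "alg": "RS256", "use": "sig",
                  "n": _int_to_b64url(N), "e": _int_to_b64url(E)}]}

# EMSA-PKCS1-v1_5 (RFC 8017): 00 01 FF..FF 00 DigestInfo(SHA-256) || hash
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes) -> bytes:
    """What the user pool does: sign with the pool's private key."""
    m = int.from_bytes(_emsa_pkcs1_v15(msg, KEY_BYTES), "big")
    return pow(m, D, N).to_bytes(KEY_BYTES, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(msg, k))

def mint_token(claims: dict, alg: str = "RS256") -> str:
    """Mint a sample token; any alg other than RS256 yields an unsigned
    token so the verifier's algorithm check can be exercised."""
    header = b64url(json.dumps({"alg": alg, "kid": KID}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = rs256_sign(f"{header}.{payload}".encode()) if alg == "RS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"

def sample_claims(now: int, **overrides) -> dict:
    """Constructed ID-token claims; overrides let tests break one at a time."""
    claims = {"sub": "5f9c4c7e-0000-4000-8000-000000000001", "iss": ISSUER,
              "aud": APP_CLIENT_ID, "token_use": "id",
              "email": "alice@example.com", "iat": now, "exp": now + 3600}
    claims.update(overrides)
    return claims

def verify_id_token(token: str, jwks: dict, now: int) -> dict:
    """Return the claims if this is a valid ID token for our pool and app
    client; raise ValueError otherwise. Nothing in the payload is trusted
    until the signature has been checked against the pool's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":              # reject alg=none / HS256
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:               # issued by *our* pool
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "id":           # access tokens carry client_id, not aud
        raise ValueError("not an ID token")
    if claims.get("aud") != APP_CLIENT_ID:        # issued to *our* app client
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def rejection_reason(token: str, jwks: dict, now: int):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_id_token(token, jwks, now)
        return None
    except ValueError as exc:
        return str(exc)

def identity_pool_logins(id_token: str) -> dict:
    """Logins map an identity pool expects when the user pool is its provider;
    the identity pool performs the same verification before vending credentials."""
    return {f"cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}": id_token}
```

In production the JWKS is fetched from the pool's `/.well-known/jwks.json` URL and cached, and a maintained JWT library should do the signature work; the claim checks are the part worth keeping in mind, because an authorizer that skips `iss` or `aud` will accept a perfectly valid token minted by some other pool or for some other app client. Note that Cognito access tokens carry `client_id` rather than `aud` and have `token_use` of `access`, so a resource that accepts access tokens must check those fields instead; the `identity_pool_logins` helper shows the only thing the identity pool needs from the user pool, which is the same ID token.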