A Beginner's Guide to Securing Apps with Amazon Cognito


Secure your web and mobile apps using Amazon Cognito


When building web applications, user authentication and authorization can be challenging. Amazon Cognito simplifies this process for developers by providing convenient sign-up, sign-in, and enhanced security functionalities.

Amazon Cognito is a fully managed service that provides the following services and features:

  • Authentication, authorization, and user management for web and mobile applications.

  • Federated identities for sign-in with social identity providers (Amazon, Facebook, Google) or with SAML.

  • User pools that maintain a user directory with profiles and issue authentication tokens.

  • Identity pools that enable the creation of unique identities and permissions assignments for users.

The following diagram shows how server-side resources are accessed with a user pool.

  1. After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito.

  2. You can use those tokens to control access to your server-side resources. You can also create user pool groups to manage permissions and to represent different types of users.

Now let's get our hands dirty and configure an Amazon Cognito user pool, which we use to manage users and their access to an existing web application. We'll also create an Amazon Cognito identity pool, which authorizes users when the application makes calls to the Amazon DynamoDB service.

We have the Birds web application, which is built with a Node.js server running on an AWS Cloud9 instance and an Amazon Simple Storage Service (Amazon S3) bucket with static website hosting enabled. The Birds application tracks students' bird sightings by using the following components:

  • A home page

  • An educational page that teaches students about birds

  • The following three protected pages, which students can access only if they have been authenticated:

    • A sightings page where students can view past bird sightings

    • A reporting page where students report new bird sightings

    • An administrator page where site administrators can perform additional operations

We need to add authentication and authorization to the application for the protected pages. In this architecture, authentication for the protected pages is implemented with an Amazon Cognito user pool, and authorization, including administrator access to the site, is implemented with an Amazon Cognito identity pool.

Step-by-step explanation:

  1. The user requests access to the administrator page from the browser.

  2. The request is routed to the Node.js application server that hosts the Birds application.

  3. The application redirects the request to the Amazon Cognito hosted UI.

  4a. The user is authenticated by the Amazon Cognito user pool, and the access token is returned to the application.

  4b. The Amazon Cognito SDK also stores the access token in the browser's local storage for subsequent use, with a default expiration of 3,600 seconds.

  5. The application validates the token and returns the administrator page as requested.

  6. The page is returned to the user's browser through the CloudFront distribution.

  7. The user initiates a query to a DynamoDB table.

  8. The application sends the token to the Amazon Cognito identity pool and receives temporary AWS credentials upon validation.

  9. The application uses the received credentials to query the DynamoDB table and return data to the protected page. The page is returned to the user's browser through the CloudFront distribution.

This is what the application home page looks like.


Configure the Amazon Cognito user pool

We have to create an Amazon Cognito user pool, which is used as the identity provider to create users and manage user passwords. The Birds web application uses the tokens generated by the Amazon Cognito user pool to help ensure that users have authenticated and have a valid session before they can access a protected page or perform a protected action. Tokens are also used to authenticate administrators and provide access to the site administrator page.

For Step 1: Configure sign-in experience, configure the following options:

When creating a user pool for a real deployment, we would configure these options based on the application's needs. We can check the Info link next to each option for more information about the recommended settings.

For Step 2: Configure security requirements, configure the following options:

Edited: in the OAuth 2.0 grant types section, select the Implicit grant as well.

Now we'll create two users: testuser and an admin user.

Add the admin user to the Administrators group.

In the App client, click the View Hosted UI tab to view the Sign In page.

Now we have to update the application configurations to add the details about the Amazon Cognito user pool ID and App client ID.


Test the user pool integration with the application

Click the Login button to log in as a community member.

Select Sign In as a different user.

Now test for the SiteAdmin protected page. Choose the Admin Login page.

Select Sign In as a different user and provide admin credentials.


Configure the Amazon Cognito Identity Pool to Work with the Birds Application

Now, we need to select the Identity provider option.

We need to update the application to use the identity pool for authorization. Then log in as testuser on the Report page.

Select Sign In as a different user.

Click Validate My Temporary AWS Credentials to verify that we now have access to temporary AWS credentials that we can use to interact with a DynamoDB table.

The application now uses the identity pool to generate temporary credentials and uses the same credentials to access the BirdSightings DynamoDB table. After successfully connecting to the database table, the application attempts to count the number of rows.

This test verifies that we have correctly configured the Amazon Cognito identity pool and the application. Users who are logged in can access temporary credentials to communicate with the DynamoDB database.

We can access the DynamoDB table from the AWS Management Console and verify that the table has 0 rows.


Conclusion

In this tutorial, we have successfully integrated Amazon Cognito into the Birds web application to manage user authentication and authorization. By following the steps outlined, we configured an Amazon Cognito user pool to handle user sign-ups and sign-ins, and an identity pool to grant temporary AWS credentials for accessing protected resources like the DynamoDB table. This setup ensures that only authenticated users can access sensitive parts of the application, such as the Sightings, Report, and SiteAdmin pages.

Thank you for following along with this guide. I hope it has provided you with practical skills to enhance the security of your web applications using Amazon Cognito. Happy coding!

About the Author

Jayesh is a senior college student with a passion for guiding newcomers in the field of Cloud and DevOps. He is determined to help others learn new cloud-native tools and technologies while advocating for inclusivity in the tech industry. Connect with Jayesh on LinkedIn
