Cognito
Cognito provides authentication, authorization, and user management for your web and mobile apps in a single service, without the need for custom code. Your users can sign in directly with a username and password they create, or through a third party (e.g. Facebook, Amazon, Google or Apple).
Features:
Sign-up and sign-in options for your apps
Access for guest users
Acts as an identity broker between your application and web ID providers.
The two components of Cognito are:
User pools: directories of users that provide sign-up and sign-in options for your application.
Identity pools: allow you to give your users access to other AWS services.
User pools and identity pools can be used either separately or together.
actor User
participant "Client Application" as App
participant "AWS Cognito" as Cognito
participant "Protected API" as API
User -> App: 1. Open app
App -> Cognito: 2. Initialize
Cognito --> App: 3. Return configuration
User -> App: 4. Enter credentials
App -> Cognito: 5. Authenticate (username/password)
Cognito --> App: 6. Return tokens (ID, Access, Refresh)
App -> App: 7. Store tokens
User -> App: 8. Request protected resource
App -> API: 9. API request with Access token
API -> API: 10. Validate token
API --> App: 11. Return protected resource
App --> User: 12. Display protected resource
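The API-side check in step 10 ("Validate token"), as an added example that is not part of the original page: it verifies the RS256 signature against the user pool's JWKS, then checks `iss`, `token_use`, `client_id` and `exp`. The key pair, pool ID, client ID and the function names are constructed placeholders; a real API would load and cache the JWKS published by its own user pool.

```javascript
const { createPublicKey, verify, generateKeyPairSync, sign } = require('node:crypto');

const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// jwks: signing keys the user pool publishes at <issuer>/.well-known/jwks.json,
// fetched and cached by the API ahead of time (no network call here).
function validateAccessToken(token, { jwks, issuer, clientId, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = decode(h);
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const sigOk = verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = decode(p); // claims are only trusted after the signature check
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (claims.token_use !== 'access') throw new Error('not an access token'); // reject ID tokens
  if (claims.client_id !== clientId) throw new Error('wrong client'); // access tokens use client_id, not aud
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Returns 'ok' or the rejection reason, so the API can log why a request was refused.
function check(token, opts) {
  try { validateAccessToken(token, opts); return 'ok'; } catch (e) { return e.message; }
}

// --- Constructed fixture: a local RSA key pair stands in for the pool's signing key ---
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const DEMO = {
  issuer: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE', // placeholder pool
  clientId: 'example-app-client-id', // placeholder app client
  jwks: { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] },
};
function mintDemoToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', kid: 'demo-key-1' })}.${enc(claims)}`;
  return `${input}.${sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const base = { iss: DEMO.issuer, token_use: 'access', client_id: DEMO.clientId,
  exp: Math.floor(Date.now() / 1000) + 3600 };
console.log(check(mintDemoToken(base), DEMO));
console.log(check(mintDemoToken({ ...base, token_use: 'id' }), DEMO));
```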