6/21/2016
2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from this session?
http://cognito.budilov.com
Build and Scale Your Apps on AWS
Authenticate users: Amazon Cognito (Identity)
  Undifferentiated Heavy Lifting of Authentication
  k/v data
Store and share media: Amazon S3
  Cloud storage
  Static website hosting
  11 9s of Durability
  4 9s of Availability
  CloudFront Integration
Add sign-up and sign-in easily to your mobile and web apps.
Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users.
Verify phone numbers and email addresses and offer multi-factor authentication.
Comprehensive User Scenarios
User sign-up and sign-in: Users sign up using email, phone number or user name and password. Users can then sign in.
Email or phone number verification: Users verify their email address or phone number prior to activating an account.
User profile: Retrieve and update user profiles, including custom attributes.
Manage users in a User Pool: List, search and perform actions on specific user(s) in the User Pool.
Set up password policies: Control password requirements like minimum length, uppercase, and inclusion of special characters.
Define attributes: Select required attributes and define custom user attributes.
Secure Sign-in Made Easy
Token-based authentication: Uses tokens based on OpenID Connect (OIDC) and OAuth 2.0 standards.
Secure Remote Password protocol: Uses Secure Remote Password (SRP) for secure password handling end to end.
SMS-based multi-factor authentication: Enables your end users to use the text messaging functionality of a mobile phone as an extra layer of security.
Authentication flow
Code Time!
Authentication Flow
(Diagram components: Amazon Cognito User Pools, S3, Lambda Hooks, Amazon DynamoDB)
Let's walk through this step by step.
Authentication Flow
Step 0: User invokes the website hosted on S3.
Amazon S3 can be used as a highly available website hosting platform.
Authentication Flow
Step 1: User signs up for an account with our Amazon Cognito User Pool, providing their email & password (+ any custom attributes).
Amazon Cognito can automatically verify the user's email address and/or phone number if required.
Authentication Flow
Step 2: At some point in the future, the user wants to sign in. We can now authenticate the user.
Authentication Flow
Optional: If MFA is enabled (either for this user, or for all users), Amazon Cognito will SMS a one-time authentication code to the user.
Authentication Flow
Optional: If Lambda Hooks are set up, then they will be invoked.
Authentication Flow
Step 3: After a successful authentication, Amazon Cognito responds with a signed JSON Web Token (JWT) containing the user's details.
Authentication Flow
Step 4: Once you're authenticated, you want to retrieve your scoped AWS credentials to access other services.
Authentication Flow
Step 5: You are now ready to call DynamoDB.
Going serverless
This is a more complete solution that you can achieve without managing servers.
(Diagram components: Amazon Cognito User Pools, S3, Lambda Hooks, Amazon Cognito Identities, Mobile apps, Amazon API Gateway (Monitoring, Throttling, Logging, Cache) exposing /v2, Lambda Function, Amazon DynamoDB)
Getting started with the QuickStart app
Tech Stack
Required Tools
aws cli
npm
bower
angular-cli
Frameworks
AWS JavaScript SDK & Amazon Cognito Libraries
Angular 2 (Ionic) RC2
TypeScript
Bootstrap
Get The QuickStart App
# Clone it from github
git clone --depth 1 git@github.com:awslabs/aws-cognito-angular2-quickstart.git
# Build the project and sync the output with the S3 bucket
ng build
cd dist
aws s3 sync . s3://your-unique-bucket-name/
# Test it out (HEAD request against the S3 website endpoint)
curl -I http://your-unique-bucket-name.s3-website-us-east-1.amazonaws.com/
Code Time!
Tokens
Types
ID Token: JWT; carries OpenID identity information (name, phone_number, etc.)
Access Token: JWT; no identity information; used for further authorizations
Refresh Token: string; used to refresh the Amazon Cognito Identity session
ID Token
Header
kid: used to locate the public key
alg: RS256
Payload
user attributes (user identity information)
iss: the issuer
sub: UUID of the authenticated user
token_use: the purpose of the token
Signature
Based on header and payload
Access Token
Header
kid: different from the ID token, since different keys are used
alg: RS256
Payload
username (e.g. vladimir@budilov.com)
Signature
Based on header and payload
Unpacking a Token
Thank You!
Questions? Comments? Suggestions?
Don't Forget Evaluations!