AWS Cognito Under the Hood

Captions
Welcome to cloudonaut plus, your source for exclusive videos and online events for AWS professionals. My name is Andreas, and today I demonstrate what you can do with AWS Cognito. Have you ever implemented a user database and authentication layer yourself? There are a lot of things that can go wrong here, from hashing and salting passwords to unauthorized access to sensitive resources. That's why I recommend using a production-ready service instead of building authentication and authorization yourself, and by the way, that's exactly what AWS Cognito is all about.

Within the next 10 minutes or so, we will talk about when to use AWS Cognito. I show you a demo on how to use Cognito in combination with an ALB to implement an authentication and authorization layer. We will discuss the question of all questions when it comes to Cognito: user pool versus identity pool. And last but not least, I will talk about a pitfall, which is basically a missing backup for user pools. Okay, so let's dive into that.

I'd like to start with a few scenarios for Cognito that I have used during projects over the past years. The first one is when you build a serverless application with an API Gateway, a Lambda function, and maybe DynamoDB as a database layer. Cognito, and especially Cognito user pools, are an easy way to implement authentication and authorization. Cognito user pools offer you a user database, and they allow you to use that to authenticate your users and then send either an identity or an access token to the API Gateway. The API Gateway can use those tokens out of the box, integrate with Cognito, and make sure that authentication and authorization work. So that's a very common use case, I would say, for using Cognito user pools.

The next one is a little bit different to that: it is Cognito identity pools. Cognito identity pools allow you to do federated logins, for example with OpenID Connect, which is a very popular standard these days, I would say. Basically, what you can do with Cognito identity pools is you use one of those identity providers, and then the identity pool will return temporary AWS credentials for an IAM role. You can use those credentials to access AWS APIs, like for example directly talking to S3, or to connect to something like AppSync or another API Gateway and use those temporary AWS credentials for the authentication part. So that's another way that I have used Cognito for.

Another interesting option to use Cognito is that it also integrates with the Application Load Balancer that AWS provides. What you can do with that is you can connect a Cognito user pool to your load balancer and then use either the built-in user database or social logins like Facebook, Google, or Apple for the authentication part. So basically, what that means is whatever application you're running, for example in a container, you can front that with an ALB, and the ALB handles the authentication part in combination with Cognito for you. And by the way, that's what we will do in the demo, so I will come back to that later.

Okay, so those are a few ideas when to use Cognito; there are other scenarios as well, of course. In summary, you could say it is a very helpful service whenever it comes to authentication and authorization and adding that to your own applications, because Cognito is really for your own applications that you deploy on AWS. It is not about managing access to the AWS services itself.

Okay, the next thing is, let's have a look into how to use Cognito, and specifically user pools, with the Application Load Balancer, because I think that can be very helpful for all kinds of applications that you build on your own, or also ones that you just use, like open source projects. For example, for Jenkins this is an interesting idea: to front your Jenkins with that extra layer of security. Or many, many other use cases; I've used that a lot. So let's dive into how this is working, because it's a little bit complicated, I would say. Let's have a look.

I would like to start with some code, so I have a running example for all of that. I will put all that you need to rebuild the same thing into the show notes, so you find all the source code. It is open source; you can use it. I'm using cfn-modules, our CloudFormation modules, for that, but it doesn't really matter. It just shows you how to use those things; you can rebuild it easily with Terraform or any other infrastructure as code tool. It just makes it easier to understand the dependencies between all those resources that are needed to get that running.

Okay, let's dive into that. This is the CloudFormation template, and what I wanted to show you here is, first of all, I'm defining a user pool in that template. I'm using a module for that, the user pool module, which is another CloudFormation template that you can see here, and basically all I do is I define a Cognito user pool in here. The thing is, the user pool comes with the ability to create users, so that's basically a way to have your own user data. Or you could even use federated authentication, but in our case we're just using the built-in user database. You can define stuff like password policies in here, you can define emails that are sent out, or templates for those emails, to allow people to reset their passwords and so on. So that is what I do here with the user pool.

We can maybe quickly jump to the AWS Management Console to check that out. Here is the user pool, with a cryptic name coming from CloudFormation, but yeah, that's fine. This is the user pool, and basically the most important thing is the list of users. I have created myself an account in here, a user in here, that I later on use to authenticate. So that's basically a table in a database of users.

Okay, so now the question is, how do we get that together with the Application Load Balancer? Again, I'm starting from the CloudFormation template; we will jump to the Management Console in a minute. So let's get started. The important thing is where you define all of that, and in our case we call this the target, the ALB target module, and that is where we basically hand over the Cognito user pool module. What is also important to know is that it is also necessary that you set up TLS or HTTPS as well as a domain name, probably with Route 53 pointing to the load balancer, because that's a requirement for all of that to work. So you need a valid certificate, a valid host, a domain name, and you need HTTPS enabled; otherwise the whole thing will not work. That is important, but now I will just focus on the configuration of the load balancer.

So let's check that. The module that I'm using here, which is again just another AWS CloudFormation template, is called ecs-alb-target. Let's jump in here, and the interesting thing here is you define all the authentication part in the listener rule of the load balancer's listener. Basically, what you can see here is there's a special action, a special type that you can use, which is called authenticate-cognito, and there we basically reference the user pool. We need a user pool client ID, which we'll talk about in a minute, and also we need to define the domain for the user pool. That is important: Cognito user pools come with the ability to basically host a front-end UI for authentication, and that's where the user pool domain comes in. I've probably skipped that a little bit too fast, so back to the Cognito user pool template: we have a user pool domain here as well. That's just something you can enable, and you get your own front end for authentication. So that's a requirement.

The user pool client ID: basically, to be able to authenticate with Cognito, you need to create a client, which is basically the application that uses Cognito. In that example, this is another resource in the template. I'm just creating a user pool client, I'm defining the allowed scopes, defining the callback URLs, basically to allow it to do the OAuth2 authentication dance, I would call it. So everything that is needed is defined in here, and it was not too easy to set this up and get it up and running, so I highly recommend checking the code, using that as a template if you want to build your own, or just using the whole module if you can. That really should speed up the whole process a lot. Also feel free to ask me any questions; I'm happy to help with that. Okay, so back to that: you specify all of that within the listener rule, and that's basically the most important configuration part that we need to get up and running in the code.

Okay, so now let's jump to the Management Console and check how things look there. This is the load balancer that CloudFormation created for me, again with cryptic names in here, and the listener, the important thing: it is an HTTPS listener, so we have a security policy and an SSL certificate defined here. And then where the magic really happens is inside the rules. I click "view/edit rules", which shows me the listener rules for that, and the listener rule, the default or the one that I'm using here, is basically saying all the incoming requests should be routed to a certain target group, which in my case are Fargate containers, but that doesn't matter at all. And now you can see also the authentication is configured here. I'm clicking the "more" link to get a little bit more information, so you see this links the user pool ID, it has the client ID, some specification about the session cookie, the session timeout, and what should happen in case someone is not authenticated. Basically, that's all the configuration.

Jumping back to the user pool itself, the user pool has something here in the sidebar, app integration, and here you will find the client, the app client. So that's basically the secrets, the client secrets, and the configuration used for the ALB. That is the client ID here, which has also been created with CloudFormation. Okay, so that's it; that's all we need.

And now I want to show you how this looks in action. I will go to demo.andreas.welcome.co; that's basically where I'm running that load balancer. As I mentioned, it's important to have a real domain name and a valid certificate with the Certificate Manager. And now the ALB redirects me; you can see that in the URL on top. It redirects me automatically to Cognito, and this is the domain that was created for me automatically. This is just a random domain under auth.eu-central-1.amazoncognito.com, and this is basically the front end that Cognito comes with out of the box that I can use for the login now. So here I have to type in my username, which is my email address, and my password, and then I just click sign in. And yes, as it promises here, it works. I only have a very basic nginx running here without any application, but what happens now is the ALB forwards the request to the target, to the Fargate container running here in my case. The ALB handles the authentication; your application does not need to do that, and that's very handy. You can use that to set things up very easily and to have an authentication layer in front of your application, for example if you want to host a private application publicly, so if you want to have it accessible from the internet, that's a very easy way to just add a layer of authentication. Okay, so that is how you can combine an ALB with Cognito user pools, a very handy feature in my opinion.

Okay, so after a few scenarios and a demo, I want to dive into some technical questions that typically arise. I would say really the question that I get asked the most often, and that I always struggle with myself, is: what's actually the difference between user pools and identity pools? Because when you go to Cognito in the documentation, you find those two options, and it's not that easy to really find out what they are about. So let's go through them.

Basically, those are two options, both are part of the Cognito service, and they have only some differences. The most important difference is definitely that a user pool comes with a built-in user database. That's what I showed you in the demo: I created my own user, and we had our own user database. With an identity pool there is no such thing; all you can do is use federated login, so social login, SAML, OpenID Connect, all those things are supported, but basically someone else stores the user database when using an identity pool. With a user pool you also have the option of social login, SAML, and OpenID Connect, but you also have the option to have a built-in user database. So that's an important difference.

Then, the identity pool allows you to get temporary AWS credentials, and you can use them to directly access AWS APIs. You could upload stuff to S3, download stuff from S3, of course access DynamoDB, all those things. So it's a very interesting concept when building mobile applications, for example. That's not possible with a user pool by default, but you can also combine those two together: you can have a user pool and an identity pool, and then you can basically authenticate with the user pool and then use the identity pool to get temporary AWS credentials. That works.

Another important difference is that a user pool comes with a hosted UI. That's what I showed you, the login interface; this is what the user pool provides. There is no such thing with an identity pool; there you have to integrate that into your application on your own. That's maybe not too hard, but that's a difference. And then there is a difference cost-wise: the identity pool is free, and the user pool costs a small amount per monthly active user. That means for every user that is active, that is logging in, you pay a small fee. Depending on the scale and everything, that might be an interesting difference to make your decision. Okay, so that's the difference. Personally, I usually use user pools because it's a little bit easier to use and integrate into, I would say, more other services.

But speaking about user pools, there's one big problem with user pools, and that is there is no way to back up your user database stored in a user pool. That's a bummer, because think about that: I've used user pools many times to build applications, and when I'm using the built-in user database, that's really a valuable asset. That could be all the login information for all the users of your app. What happens if you lose that? What happens if you lose the information about all the users that use your application? That's a catastrophe, really. And unfortunately, Cognito user pools to this day do not provide any way to snapshot or back up the data. Of course, the service is operated by AWS, and they will make sure they're not losing your data, but what happens when you, for example, accidentally delete your user pool? That happened to me when using CloudFormation, for example. So that is really a problem, and I added the following solution to the problem.

I've used the following infrastructure to do so. I used CodeBuild. CodeBuild allows you to basically run a container; it's intended for CI/CD stuff, but I'm using it for backing up my user pool. Basically it's a way to run your code, and there are some timeouts, but the jobs can run for a really long time compared to Lambda and other things. What I did is I was using CodeBuild and I was triggering a CodeBuild job, let's say, every 12 hours. Inside CodeBuild I was running my own container image, which included a small application written in Node.js, because you know I'm a Node.js guy. What I'm basically doing is I'm using the API to fetch the user data from the Cognito user pool that I want to snapshot. So I'm getting all that information: you get the email address, the usernames, all that stuff you can get from the API. I'm creating a boring CSV file out of that and upload that to S3. So that's one way how you can create a snapshot of the users in your user pool to make sure you're not losing that asset in any way.

Unfortunately, there is one problem with that: the Cognito user pool API does not give you any information about the passwords. That has a good and a bad side. It's a good side because you want to make sure that you never touch the salted, hashed passwords; that's something AWS stores for us, and we don't have to deal with that. That's fine on the one side, but on the other side we cannot snapshot or back that up, so that's a problem. Yeah, that's a little bit of a restriction here that we have to deal with. On the plus side, with the data, even without the password, we could just recreate the user database, and it would mean that each user needs to create a new password, for example by clicking a "send me a new email with a new password" link or something like that. So that is possible, and it's the best you can do now. I think that's the nearest you can come to a backup of your user database.

I have some code for that; I wanted to make that an open source project for months, but I never found the time to polish everything up. But I can offer you one thing: if you're interested in that solution, if you want to see how I solved that issue, I'm happy to share the code with you. So just send me a message and I will be happy to do so. Okay, so keep that in mind: it's hard to create a snapshot of your data, and I think that's really a bummer for a production-ready service that stores such relevant information for our business, actually.

So that's it for now about AWS Cognito. You can reach out to us and the community about this topic or other AWS-related questions anytime. Visit community.cloudonaut.io and ask your questions; we are looking forward to hearing from you. Thanks a lot for watching. Don't forget to rate this video if you learned something new; your feedback helps us to produce relevant videos. So reach out to us via email, Twitter, or the community; you will find all the details in the show notes of this video. We'll be back in one week. Bye, thanks a lot for your support.
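The user pool, hosted-UI domain, app client and authenticate-cognito listener rule walked through in the demo, as an added CloudFormation example that is not the video's cfn-modules code. The logical IDs, the domain prefix, the callback host demo.example.com, and the HttpsListener and TargetGroup references are assumptions; the listener must terminate HTTPS with a valid certificate, as the demo stresses.

```yaml
# Added example (not the video's cfn-modules code). Assumed: HttpsListener and
# TargetGroup are defined elsewhere in the same template; demo.example.com and
# the domain prefix are placeholders.
Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UsernameAttributes: [email]        # users sign in with their e-mail address
      AutoVerifiedAttributes: [email]
      Policies:
        PasswordPolicy:                  # built-in user database, so set a policy
          MinimumLength: 12
          RequireLowercase: true
          RequireUppercase: true
          RequireNumbers: true
          RequireSymbols: true
  UserPoolDomain:                        # hosted UI: <prefix>.auth.<region>.amazoncognito.com
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: demo-auth-example          # assumed prefix; must be unique in the region
      UserPoolId: !Ref UserPool
  UserPoolClient:                        # the "application" that talks to Cognito: the ALB
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref UserPool
      GenerateSecret: true               # the ALB integration requires a client secret
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows: [code]          # authorization-code flow driven by the ALB
      AllowedOAuthScopes: [openid]
      SupportedIdentityProviders: [COGNITO]
      CallbackURLs:
        - https://demo.example.com/oauth2/idpresponse   # fixed ALB callback path
  AuthenticatedRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListener    # must be the HTTPS listener, not HTTP
      Priority: 1
      Conditions:
        - Field: path-pattern
          Values: ['/*']                 # protect every path behind the ALB
      Actions:
        - Type: authenticate-cognito     # runs first: unauthenticated users are redirected
          Order: 1
          AuthenticateCognitoConfig:
            UserPoolArn: !GetAtt UserPool.Arn
            UserPoolClientId: !Ref UserPoolClient
            UserPoolDomain: !Ref UserPoolDomain
            OnUnauthenticatedRequest: authenticate   # send to the hosted UI login page
            Scope: openid
            SessionCookieName: AWSELBAuthSessionCookie
        - Type: forward                  # only reached with a valid session cookie
          Order: 2
          TargetGroupArn: !Ref TargetGroup
```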
Info
Channel: cloudonaut
Id: XWrzRwSEXl4
Length: 22min 17sec (1337 seconds)
Published: Sun Nov 14 2021