Understanding Amazon Cognito
Amazon Cognito is the AWS service that handles user authentication. Before writing code, let's understand how it works and what Amplify does for us.
What is Amazon Cognito?
A fully managed service that provides authentication, authorization, and user management for web and mobile apps. It can handle millions of users and integrates with social identity providers like Google, Facebook, and Apple.
Cognito handles:
- User sign-up – Registration with email/phone verification
- User sign-in – Secure authentication with password
- Password management – Forgot password, password reset
- Token management – JWT tokens for API authorization
- Multi-factor authentication (MFA) – SMS or TOTP codes
- Social sign-in – Google, Facebook, Apple, Amazon
Cognito Components
User Pool
A user directory that stores user profiles and handles authentication. When users sign up, their information is stored in the User Pool. When they sign in, the User Pool validates their credentials and issues tokens.
A User Pool contains:
- User accounts (email, password hash, attributes)
- Authentication settings (password policy, MFA)
- App clients (your frontend's connection to Cognito)
- Triggers (Lambda functions for custom logic)
Identity Pool (Optional)
Provides temporary AWS credentials to users, allowing them to access other AWS services (like S3) directly. Amplify creates an Identity Pool when you add storage or other services that need direct AWS access.
How Authentication Works
┌──────────────────────────────────────────────────────────────────────┐
│ AUTHENTICATION FLOW │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ 1. User enters email + password │
│ ┌─────────┐ │
│ │ Browser │ ─────────────────────────────────────────┐ │
│ └─────────┘ │ │
│ ▼ │
│ 2. Amplify sends to Cognito ┌──────────────────────┐ │
│ │ Amazon Cognito │ │
│ │ User Pool │ │
│ └──────────────────────┘ │
│ │ │
│ 3. Cognito validates │ │
│ - Checks password │ │
│ - Verifies user exists │ │
│ - Checks if verified │ │
│ ▼ │
│ 4. Returns tokens ┌──────────────────────┐ │
│ - ID Token (user info) │ Tokens │ │
│ - Access Token (API access) │ - idToken │ │
│ - Refresh Token (stay signed in) │ - accessToken │ │
│ │ - refreshToken │ │
│ └──────────────────────┘ │
│ │ │
│ 5. Browser stores tokens ▼ │
│ (in localStorage or memory) ┌──────────────────────┐ │
│ │ localStorage or │ │
│ │ secure memory │ │
│ └──────────────────────┘ │
│ │
│ 6. Tokens used for API calls │
│ ┌─────────┐ Authorization: Bearer eyJhbG... ┌─────────┐ │
│ │ Browser │ ───────────────────────────────────► │ API │ │
│ └─────────┘ └─────────┘ │
│ │
└──────────────────────────────────────────────────────────────────────┘
JWT Tokens Explained
A compact, URL-safe token format that contains encoded JSON data. JWTs are signed cryptographically, so they can be verified without contacting the server that issued them.
The Three Tokens
| Token | Purpose | Expires |
|---|---|---|
| ID Token | Contains user profile information (email, name, custom attributes) | 1 hour |
| Access Token | Authorizes API requests to AppSync and other services | 1 hour |
| Refresh Token | Used to get new ID and Access tokens without re-authenticating | 30 days |
You don't need to manage these tokens manually! The Amplify library stores them securely, includes them in API requests, and refreshes them automatically.
What Amplify Does For You
Without Amplify, you'd need to:
- Create a Cognito User Pool in the AWS Console
- Configure password policies and verification
- Set up an app client with the right OAuth settings
- Handle the Secure Remote Password (SRP) protocol
- Manage token storage and refresh logic
- Handle all the edge cases (expired tokens, network errors, etc.)
With Amplify, you write:
// Define your auth resource
export const auth = defineAuth({
loginWith: { email: true }
});
// Sign in a user
import { signIn } from 'aws-amplify/auth';
await signIn({ username: email, password });Authentication Methods
Email + Password (What We'll Use)
Users create an account with their email address and a password. They receive a verification code via email to confirm their account.
Phone + SMS
Similar to email, but uses phone numbers and SMS codes. Requires an SMS provider (Amazon SNS).
Social Sign-In
Users sign in with existing accounts from Google, Facebook, Apple, or Amazon. Requires setting up OAuth apps with those providers.
Passwordless (Magic Link)
Users receive a one-time code or link via email/SMS instead of using a password.
Sign-Up Flow
-
User Enters InformationUser provides email and password in your sign-up form.
-
Amplify Sends to CognitoThe
signUp()function sends the credentials to Cognito. -
Cognito ValidatesPassword meets requirements? Email unique? If yes, user is created.
-
Verification Code SentCognito sends a 6-digit code to the user's email.
-
User ConfirmsUser enters the code, Amplify calls
confirmSignUp(). -
Account ActivatedUser can now sign in with their credentials.
Security Features
Password Requirements
By default, Cognito requires:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
Account Security
- Email verification – Proves user owns the email
- MFA – Optional second factor (SMS or authenticator app)
- Brute force protection – Locks account after failed attempts
- Secure password storage – Passwords are hashed, never stored in plain text
Summary
- Amazon Cognito is AWS's managed authentication service
- User Pool stores user accounts and handles sign-in
- JWT tokens are issued after successful authentication
- Amplify abstracts the complexity of token management
- We'll use email + password authentication with verification