Media sharing mobile app: what the app needs
• Authenticate users, authorize access, synchronize app state: manage users and identity providers; securely access cloud resources; sync user prefs across devices
• Send push notifications: bring users back to your app by sending messages reliably
• Store shared data: store and query fast NoSQL data across users and devices
• Store media: store user-generated photos and share them
• Stream real-time data: collect real-time clickstream logs and take actions quickly
Media sharing mobile app: AWS building blocks
• Authenticate users: Amazon Cognito (Identity Broker)
• Authorize access: AWS Identity and Access Management
• Synchronize app state: Amazon Cognito (Sync)
• Send push notifications: Amazon SNS Mobile Push
• Store and share media: Amazon S3 Transfer Manager
• Store shared data: Amazon DynamoDB (Object Mapper)
• Stream real-time data: Amazon Kinesis (Recorder)
User identity and sync with Amazon Cognito

Amazon Cognito Overview
• Identity Management: manage authenticated and guest users across identity providers
• Data Synchronization: synchronize a user's data across devices and platforms via the cloud
• Secure AWS Access: securely access AWS services from mobile devices and platforms
Amazon Cognito: Use cases
Identity across the web and mobile
[Diagram: game state carried across a user's devices through a series of state transitions]
Amazon Cognito: Identity
[Diagram: identity providers feed Amazon Cognito, which issues unique identities (Joe, Anna, Bob) usable from any device and any platform against any AWS service: Mobile Analytics, S3, DynamoDB, Kinesis]
• Helps implement security best practices: securely access any AWS service from a mobile device; simplifies the interaction with AWS Identity and Access Management
• Support multiple login providers: easily integrate with major login providers for authentication
• Unique users vs. devices: manage unique identities; automatically recognize the same user across devices and platforms
Amazon Cognito: Unauthenticated
[Diagram: a visitor's preferences stored through Cognito; guest identities reach EC2, S3, DynamoDB, Kinesis]
• Unique identifier for your "things": "headless" connected devices can also securely access cloud services
• Save data to the cloud: save app and device data to the cloud and merge them after login
• Guest user access: securely access AWS resources and use app features without creating an account or logging in
Amazon Cognito Authenticated Flow
Developer Authenticated Identities – Support Any Login
Amazon Cognito: Security best practices

Amazon Cognito Security
• Set granular access permissions on AWS resources: fine-grained access control to cloud resources
• Safeguard AWS credentials: no need to embed credentials in the app any more; get least-privileged temporary credentials
• Helps implement security best practices: securely access any AWS service; simplifies the interaction with the Security Token Service and removes the need for a Token Vending Machine
[Diagram: temporary credentials used against EC2, S3, DynamoDB, Kinesis]
Amazon Cognito: Cloud sync

What have customers told us about "Synchronized Profile"?
People have multiple devices and want to transition between devices.
Implementing a user profile that syncs across devices, OSes and apps is hard.
It not only has to work offline, it also has to be easy to integrate with existing apps.
Amazon Cognito Sync Features
• Store app data, preferences and state: save app and user data to the cloud
• Work offline: data is persisted to local storage first; local data is available regardless of connectivity
• No backend: a simple client SDK eliminates the need for server-side code
[Diagram: user data stored per identity inside an identity pool]
Sync Data Model
• Identity Pool: pool of app users. Can be shared across apps. Up to 60 identity pools per AWS account.
• Identity: an individual user. Consistent across identity providers. Can be a guest user. Any number of identities per pool.
• Dataset: per-user grouping of data. The most granular level of sync. Up to 1 MB, and up to 20 datasets per identity.
• Record: key/value pair of user data. Up to 1024 records per dataset.
Cardinalities from the diagram: AWS Account to Identity Pool 1:60; Identity Pool to Identity 1:n; Identity to Dataset 1:20; Dataset to Record 1:1024.
Let’s build our app
2. Identity with Amazon Cognito
Amazon Cognito Security Architecture
[Diagram, read as a flow]
1. Developer: in the AWS Management Console, create the identity pool and its IAM roles. The app (built with the AWS Mobile SDK) is configured with the Pool ID and Role ARNs only, not with AWS credentials.
2. End user: log in to an identity provider (OAuth/OpenID) from the app and receive an access token.
3. App to Cognito Identity: present the access token; receive a Cognito ID and temporary credentials.
4. App to AWS services: use the temporary credentials, tied to the Cognito ID, to reach DynamoDB, S3, Mobile Analytics and the Cognito Sync store.
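The Role ARNs the developer configures in the architecture above, and the "granular access permissions" and "least-privileged temporary credentials" of the security best practices slide, are two IAM policy documents per role. The block below is an added example, not code from the slides or from AWS: it builds the trust policy that decides who may assume an identity pool role (identities of this pool only, split by authenticated vs. unauthenticated), a permission policy that confines every identity to its own S3 prefix and its own DynamoDB items through the cognito-identity.amazonaws.com:sub policy variable (IAM resolves it to the caller's Cognito ID, so one policy serves all users), a reviewer check that flags the common mistake of a trust policy with no aud condition (without it, identities from any pool in any account could assume the role), and a simulation of the variable substitution showing one identity cannot read another's objects. The pool ID, bucket name, table ARN and identity IDs are made up for illustration.

```python
"""Added example (not from the slides, not AWS code): the IAM side of a Cognito identity pool.

Two policy documents sit behind each Role ARN the app is configured with:
  * a trust policy, deciding WHO may assume the role (identities of this pool, by amr), and
  * a permission policy, deciding WHAT the temporary credentials may touch.
Assumed values (made up for illustration): pool id, bucket, table ARN, identity ids.
"""
import fnmatch
import json

POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"             # assumed identity pool id
BUCKET = "mediashare-photos"                                            # assumed S3 bucket
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserPrefs"  # assumed DynamoDB table
COGNITO = "cognito-identity.amazonaws.com"
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"   # IAM resolves this to the caller's Cognito ID


def trust_policy(pool_id, amr):
    """Trust policy for one of the pool's roles; amr is 'authenticated' or 'unauthenticated'.
    aud pins the role to this pool; amr keeps guests out of the authenticated role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": COGNITO},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {COGNITO + ":aud": pool_id},
                "ForAnyValue:StringLike": {COGNITO + ":amr": amr},
            },
        }],
    }


def weak_trust_policy(amr):
    """The common mistake: same role, but no aud condition. Any Cognito identity pool,
    in any AWS account, could then assume this role."""
    policy = trust_policy(POOL_ID, amr)
    del policy["Statement"][0]["Condition"]["StringEquals"]
    return policy


def permission_policy(bucket, table_arn):
    """Least-privilege permissions shared by every identity in the role: the sub variable
    confines each caller to its own S3 prefix and its own DynamoDB partition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::%s/%s/*" % (bucket, SUB_VAR),
            },
            {
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB_VAR]}},
            },
        ],
    }


def trust_policy_findings(policy):
    """Review a trust policy; returns a list of problems (empty list means acceptable)."""
    findings = []
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        if st.get("Principal", {}).get("Federated") != COGNITO:
            findings.append("principal is not cognito-identity.amazonaws.com")
        if COGNITO + ":aud" not in cond.get("StringEquals", {}):
            findings.append("no aud condition: any identity pool could assume this role")
        if COGNITO + ":amr" not in cond.get("ForAnyValue:StringLike", {}):
            findings.append("no amr condition: guests and logged-in users not distinguished")
    return findings


def s3_allowed(policy, identity_id, bucket, key):
    """Simulate IAM's variable substitution for one caller: may this Cognito ID GetObject key?"""
    target = "arn:aws:s3:::%s/%s" % (bucket, key)
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "s3:GetObject" not in actions:
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for res in resources:
            # IAM's * matches any characters including '/', as fnmatch's * does
            if fnmatch.fnmatchcase(target, res.replace(SUB_VAR, identity_id)):
                return True
    return False


if __name__ == "__main__":
    joe = "us-east-1:aaaaaaaa-0000-0000-0000-000000000001"   # assumed Cognito IDs
    anna = "us-east-1:bbbbbbbb-0000-0000-0000-000000000002"
    print(json.dumps(trust_policy(POOL_ID, "authenticated"), indent=2))
    print(trust_policy_findings(weak_trust_policy("authenticated")))
    pol = permission_policy(BUCKET, TABLE_ARN)
    print(s3_allowed(pol, joe, BUCKET, joe + "/photo.jpg"))    # True: Joe's own prefix
    print(s3_allowed(pol, joe, BUCKET, anna + "/photo.jpg"))   # False: Anna's prefix
```

The unauthenticated role gets the same trust policy with amr set to "unauthenticated" and a narrower permission policy; when a guest links a login, Cognito switches the identity to the authenticated role, so the two trust policies together are what separate guest from logged-in access.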
Create an unauthenticated identity
// The app ships only the pool id and the two role ARNs, never AWS access keys.
// Until a login is added, Cognito hands back temporary credentials for the unauthenticated role.
AWSCognitoCredentialsProvider *credentialsProvider =
    [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1
                                                   accountId:@"AWS_ACCOUNT_ID"
                                              identityPoolId:@"COGNITO_IDENTITY_POOL"
                                               unauthRoleArn:@"arn:aws:iam::AWS_ACCOUNT_ID:role/UNAUTHENTICATED_ROLE"
                                                 authRoleArn:@"arn:aws:iam::AWS_ACCOUNT_ID:role/AUTHENTICATED_ROLE"];
// Make this provider the default for every AWS service client created by the SDK.
AWSServiceConfiguration *configuration =
    [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1
                                 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
Link a social profile, authenticated identities
// Hand the provider's token to Cognito: the identity becomes authenticated and
// subsequent credentials are issued for the authenticated role.
NSString *token = FBSession.activeSession.accessTokenData.accessToken;
credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyFacebook): token };
• Logins is a map
• Can contain tokens from all supported providers: Amazon, Facebook, Google, your own identity system
Identity state changes
// Cognito posts this notification when the identity id changes, for example when a guest
// identity is merged into an authenticated one after login. The selector registered here
// must name the method actually implemented below.
[[NSNotificationCenter defaultCenter] addObserver:self
                                         selector:@selector(identityIdDidChange:)
                                             name:AWSCognitoIdentityIdChangedNotification
                                           object:nil];

- (void)identityIdDidChange:(NSNotification *)notification {
    NSDictionary *userInfo = notification.userInfo;
    NSLog(@"identity changed from %@ to %@",
          [userInfo objectForKey:AWSCognitoNotificationPreviousId],
          [userInfo objectForKey:AWSCognitoNotificationNewId]);
}
Let’s build our app
3. Synchronize app state
Save and sync preferences and state
// Create the sync client and open (or create) the dataset for this identity
AWSCognito *syncClient = [AWSCognito defaultCognito];
AWSCognitoDataset *dataset = [syncClient openOrCreateDataset:@"mediashare"];
// Save the current state of the application; the write lands in local storage first,
// so it works offline, and synchronize pushes it to the Cognito Sync store
[dataset setString:self.currentPhotoName forKey:@"latest_photo"];
[dataset synchronize];
