Amazon Cognito
Developer Guide

Accessing Resources After a Successful User Pool Authentication

You can enable your users to authenticate by using a user pool. Your users can sign in either directly through a user pool, or indirectly through a third-party identity provider (IdP). The user pool manages the overhead of handling the tokens that are returned from social sign-in through Facebook, Google, and Amazon, as well as the tokens that are returned from SAML identity providers.

After successful authentication, the user pool returns three JSON Web Tokens (JWTs) to the app: an identity token, an access token, and a refresh token. You can use the tokens to grant your users access to backend resources and to Amazon API Gateway, or you can exchange them for AWS credentials to access other AWS services. For more information, see User Pool Authentication Flow and Using Tokens with User Pools.

[Figure: Authentication overview]

Access Backend Resources with a User Pool

You can grant your users access to your backend resources with the user pool tokens from a successful authentication. For more information, see User Pool Authentication Flow and Using Tokens with User Pools.

[Figure: Access your backend resources through a user pool]

Accessing Resources with API Gateway and Lambda

You can enable your users to access your API through API Gateway. API Gateway validates the tokens from a successful user pool authentication and uses them to grant your users access to resources such as Lambda functions or your own API.

You can use groups in a user pool to control permissions with API Gateway by mapping group membership to IAM roles. The groups that a user is a member of are included in the ID token that a user pool provides when your web or mobile app user signs in. For more information on user pool groups, see Adding Groups to a User Pool.
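The two preceding points, that a backend may only trust a user pool token after validating it, and that the user's groups arrive in the ID token, come together in the check below. This is an added example, not code from the Amazon Cognito documentation or from AWS: it validates a user pool JWT the way a backend must (RS256 signature against the pool's JWKS, then the `iss`, `token_use`, audience and `exp` claims) and then reads the `cognito:groups` claim for a group-based authorization decision. The region, user pool ID, app client ID and the RSA key pair are constructed test values; a real backend downloads the JWKS from the pool's `.well-known/jwks.json` endpoint and would use a maintained JWT library rather than the small pure-Python RSA verifier and test-only key generator included here so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import random
import time

# ---- base64url and big-int helpers (JWT and JWK use unpadded base64url) ----
def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def int_to_b64url(n: int) -> str:
    return b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))

def b64url_to_int(s: str) -> int:
    return int.from_bytes(b64url_decode(s), "big")

# DigestInfo prefix for SHA-256 used by EMSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256, checked against a JWK's public (n, e)."""
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

def verify_cognito_jwt(token, jwks, region, user_pool_id, app_client_id, expected_use, now=None):
    """Validate a user pool JWT before trusting any claim in it. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if header.get("alg") != "RS256":  # the token never gets to choose the algorithm
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    if not rs256_verify(key, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if payload.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")
    if payload.get("token_use") != expected_use:  # "id" or "access"
        raise ValueError("wrong token_use")
    # ID tokens carry the app client ID in "aud"; access tokens carry it in "client_id"
    audience = payload.get("aud") if expected_use == "id" else payload.get("client_id")
    if audience != app_client_id:
        raise ValueError("wrong audience")
    if int(payload.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return payload

def has_group(id_payload: dict, group: str) -> bool:
    """Group-based authorization from a *verified* ID token's cognito:groups claim."""
    return group in id_payload.get("cognito:groups", [])

# ---- Test-only RSA key pair and signer so the example runs offline (constructed, not Cognito's) ----
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def make_test_keypair(kid: str = "constructed-kid-1", bits: int = 1024):
    """Returns (public JWK, private exponent d). Constructed for the example only."""
    rng, e = random.SystemRandom(), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    jwk = {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
           "n": int_to_b64url(p * q), "e": int_to_b64url(e)}
    return jwk, pow(e, -1, phi)

def sign_rs256(claims: dict, jwk: dict, d: int) -> str:
    """Mint a token the way the test key's owner would; stands in for the user pool here."""
    n = b64url_to_int(jwk["n"])
    k = (n.bit_length() + 7) // 8
    header = {"alg": "RS256", "kid": jwk["kid"]}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))
```

A tampered payload (for example an extra group added client-side) fails at the signature step, and an access token presented where an ID token is expected fails the `token_use` check even though it carries a valid signature, which is why both checks sit before any claim is read.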

You can submit your user pool tokens with a request to API Gateway for verification by an Amazon Cognito authorizer Lambda function. For more information on API Gateway, see Using API Gateway with Amazon Cognito User Pools.

[Figure: Access API Gateway]

Access AWS Services with an Identity Pool

A user pool can be an identity provider for an identity pool. So, you can enable your users to authenticate through a user pool, and then access AWS services with an identity pool. For more information, see Integrating User Pools with Identity Pools (Federated Identities) and Getting Started with Amazon Cognito Identity Pools (Federated Identities).

[Figure: Access AWS credentials through a user pool with an identity pool]

For an overview of Amazon Cognito access use cases, see Common Amazon Cognito Scenarios.