Amazon Cognito
Developer Guide

Common Amazon Cognito Scenarios

This topic describes six common scenarios for using Amazon Cognito.

The two main components of Amazon Cognito are user pools and identity pools. User pools are scalable user directories that provide sign-up and sign-in for your app users. Identity pools exchange a proof of identity (a token from a user pool or another identity provider) for temporary AWS credentials that grant your users access to other AWS services.

Authenticate with a User Pool

You can enable your users to authenticate by using a user pool. Your users can sign in either directly through a user pool, or indirectly through a third-party identity provider (IdP). The user pool manages the overhead of handling the tokens that are returned from social sign-in through Facebook, Google, and Amazon, as well as the tokens that are returned from SAML identity providers.

After successful authentication, the user pool returns three tokens to the app: an ID token and an access token, which are JSON Web Tokens (JWTs) signed by the user pool, and a refresh token that the app uses to obtain new ID and access tokens without asking the user to sign in again. You can use the ID and access tokens to grant your users access to backend resources and Amazon API Gateway; whatever consumes them must verify the signature against the user pool's published keys and check the issuer, expiry, token_use and app client ID before trusting any claim. Or, you can exchange the ID token through an identity pool for AWS credentials to access other AWS services. For more information, see User Pool Authentication Flow and Using Tokens with User Pools.


Figure: Authentication overview

Access Backend Resources with a User Pool

You can grant your users access to your backend resources with the user pool tokens from a successful authentication. For more information, see User Pool Authentication Flow and Using Tokens with User Pools.


Figure: Access your backend resources through a user pool

Access API Gateway and Lambda with a User Pool

You can enable your users to access your API through API Gateway. API Gateway validates the tokens from a successful user pool authentication and, only if they are valid, forwards the request to the integration behind the method, such as a Lambda function or your own API.

You can use groups in a user pool to control permissions. A group can carry an IAM role, which an identity pool can assign when it exchanges the user's ID token for AWS credentials, and the groups that a user is a member of are included as the cognito:groups claim in the ID token and the access token that the user pool issues when your web or mobile app user signs in, so an API Gateway authorizer or your backend can base its authorization decision on that claim. For more information on user pool groups, see Adding Groups to a User Pool.

You can submit your user pool tokens with a request to API Gateway for verification either by an Amazon Cognito user pool authorizer, which checks the token's signature and expiry against your user pool for you, or by a Lambda authorizer that verifies the token itself and returns the IAM policy to apply. Anything the authorizer does not check, such as group membership, your Lambda function or backend must check from the verified claims. For more information on API Gateway, see Using API Gateway with Amazon Cognito User Pools.


Figure: Access API Gateway through a user pool
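The checks that a Lambda authorizer or backend must perform before it trusts a user pool token, followed by the groups-to-permissions step described above, as an added example in Go. This is not code from the Amazon Cognito documentation or from an AWS SDK. It verifies an RS256 token against a JWKS document in the format the user pool publishes and then authorizes on the cognito:groups claim. So that it runs offline, it generates its own RSA key and signs a token in place of the user pool (signToken and the key generation are stand-ins, never something an app does); the issuer URL, app client ID, key ID "key-1" and group name "admins" are constructed placeholders. In production the JWKS is fetched once from https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json and cached, and the issuer is that URL without the /.well-known/jwks.json suffix.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims are the user pool claims a backend must check before trusting a token.
type Claims struct {
	Iss      string   `json:"iss"`
	Aud      string   `json:"aud,omitempty"`       // ID token: the app client ID
	ClientID string   `json:"client_id,omitempty"` // access token: the app client ID
	TokenUse string   `json:"token_use"`           // "id" or "access"
	Exp      int64    `json:"exp"`
	Groups   []string `json:"cognito:groups,omitempty"`
}

func decodeSegment(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// VerifyUserPoolToken accepts a token only if alg is RS256 (alg=none and HMAC substitution are rejected), its kid matches
// a key in jwksJSON (the pool's jwks.json body), the signature verifies, and iss, exp, token_use and the app client ID match.
func VerifyUserPoolToken(token string, jwksJSON []byte, issuer, clientID, expectedUse string) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr map[string]string
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256")
	}
	var jwks struct{ Keys []struct{ Kid, N, E string } } // encoding/json matches "kid", "n", "e" case-insensitively
	_ = json.Unmarshal(jwksJSON, &jwks)                 // a JWKS that does not parse has no keys, so the lookup below fails closed
	var key *rsa.PublicKey
	for _, k := range jwks.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid == hdr["kid"] && errN == nil && errE == nil {
			key = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("no JWKS key matches kid, or the signature does not verify")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer || c.TokenUse != expectedUse:
		return nil, fmt.Errorf("iss %q / token_use %q are not the expected %q / %q", c.Iss, c.TokenUse, issuer, expectedUse)
	case time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case expectedUse == "id" && c.Aud != clientID, expectedUse == "access" && c.ClientID != clientID:
		return nil, errors.New("token was issued to a different app client")
	}
	return &c, nil
}

// AuthorizeByGroup is the groups-to-permissions step: allow only if the verified token's cognito:groups claim names the group.
func AuthorizeByGroup(c *Claims, required string) bool {
	for _, g := range c.Groups {
		if g == required {
			return true
		}
	}
	return false
}

// signToken stands in for the user pool so the example runs offline; only Cognito holds the real signing key.
func signToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	const issuer, clientID = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE", "1example23456789" // constructed placeholders
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// The JWKS document in the shape the user pool serves, built from the locally generated key for the demo.
	jwks := fmt.Sprintf(`{"keys":[{"kid":"key-1","kty":"RSA","alg":"RS256","use":"sig","n":%q,"e":%q}]}`,
		base64.RawURLEncoding.EncodeToString(priv.N.Bytes()), base64.RawURLEncoding.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	tok := signToken(priv, "key-1", Claims{Iss: issuer, Aud: clientID, TokenUse: "id", Exp: time.Now().Add(time.Hour).Unix(), Groups: []string{"admins"}})
	c, err := VerifyUserPoolToken(tok, []byte(jwks), issuer, clientID, "id")
	fmt.Println("verified:", err == nil, "admin:", err == nil && AuthorizeByGroup(c, "admins"))
}
```

The expectedUse parameter is the point most often missed: an ID token carries the app client ID in aud, an access token in client_id, and an ID token presented where an access token is expected (or the reverse) is rejected rather than silently accepted. An Amazon Cognito user pool authorizer on API Gateway performs the signature and expiry checks for you; a Lambda authorizer or a backend that receives the token directly performs the equivalent of VerifyUserPoolToken itself and then applies a group check like AuthorizeByGroup.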

Authenticate with a User Pool and Access AWS Services with an Identity Pool

A user pool can be an identity provider for an identity pool. So, you can enable your users to authenticate through a user pool, and then pass the resulting ID token to an identity pool, which validates it and returns temporary AWS credentials for the IAM role assigned to authenticated users, so that your app can access AWS services. For more information, see Integrating User Pools with Identity Pools (Federated Identities) and Getting Started with Amazon Cognito Identity Pools (Federated Identities).


Figure: Access AWS credentials through a user pool with an identity pool

Authenticate with a Third Party and Access AWS Services with an Identity Pool

You can enable your users to access AWS services with an identity pool. An identity pool requires a token from a user who has been authenticated by a third-party identity provider, or no token at all if you have enabled unauthenticated (guest) identities, which receive the separate, more restricted IAM role you assign to guests. In exchange, the identity pool grants temporary AWS credentials, scoped by the IAM role it selects, that your app can use to access other AWS services. For more information, see Getting Started with Amazon Cognito Identity Pools (Federated Identities).


Figure: Access AWS credentials through a third-party identity provider with an identity pool

Access AWS AppSync Resources with Amazon Cognito

You can grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication (user pool or identity pool). For more information, see Access AWS AppSync and Data Sources with User Pools or Federated Identities.


Figure: Access AWS AppSync resources through a user pool or an identity pool