Engineering
19/02/2022
My Experience with Amazon Cognito
#AWS #Cognito

What is Amazon Cognito?

Amazon Cognito is an AWS service that handles user authentication. It provides a log in/sign up form, handles email verification and manages user credentials for us. And it's free if you have up to 50k users per month (at the time of writing this blog post).

How does it feel using it?

I like it when I can offload a part of my system to AWS, especially if it involves handling user credentials. I already mentioned Amazon Cognito in the same security context in my previous blog post: AWS Security Baseline.

Even though Cognito comes with several limitations, I'm more than willing to make these trade-offs.

I have only used User Pools at this point, so all the notes here are about them.

  1. Be sure to understand the difference between User Pools and Identity Pools.
  2. For the password change flow, you need to use an SDK (at least at this point) and invoke the API call yourself. It would be great if, in the future, Cognito provided a way to embed password reset/change buttons into the web page (similar to what is possible with the sign up/log in form).
  3. Once you figure out how Cognito works, it can speed up development (of the MVP) significantly.
  4. It lowers the chance of mismanaging user credentials or the authentication flow.
  5. There are three types of tokens: id_token, access_token and refresh_token. Be sure to understand how each is used and which information each of them contains.
  6. Pricing: free until you hit 40k monthly active users (see the Cognito docs for how MAU is defined).
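
Since the tokens in point 5 are JWTs that your backend will receive from clients, here is how I would check their claims before trusting them. This is an added example, not code from the post or from AWS: it runs offline on constructed, unsigned sample tokens, the region, pool id and app client id are placeholders, and verifying the RS256 signature against the pool's JWKS is a separate mandatory step that it does not perform.

```python
import base64
import json
import time

# Constructed placeholders for this example; substitute your pool's values.
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"
EXPECTED_ISS = "https://cognito-idp.%s.amazonaws.com/%s" % (REGION, USER_POOL_ID)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_cognito_jwt_claims(token, now=None):
    """Return the claims of a Cognito id or access token once the checks a
    relying party must make pass; raise ValueError otherwise. The RS256
    signature check against the pool's JWKS is NOT done here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        # Refresh tokens are opaque to the client and only ever go back to Cognito.
        raise ValueError("not a three-part JWS; refresh tokens are not inspectable")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":  # also rejects alg 'none'
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("issuer is not our user pool")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    use = claims.get("token_use")
    # The id token names the app client in 'aud', the access token in 'client_id'.
    if use == "id" and claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("id token issued for another app client")
    if use == "access" and claims.get("client_id") != APP_CLIENT_ID:
        raise ValueError("access token issued for another app client")
    if use not in ("id", "access"):
        raise ValueError("unknown token_use %r" % use)
    return claims


def sample_token(claims):
    # Constructed, UNSIGNED sample for the demo: the third segment is not a signature.
    return ".".join([_b64url_encode({"alg": "RS256", "kid": "demo"}), _b64url_encode(claims), "x"])
```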

Nuances and Gotchas

  • At this point it appears you cannot design your own sign up forms; Cognito provides its own form, which you can style to some degree.
  • SES (Simple Email Service) is suggested for use with Cognito; otherwise you can sign up only up to 50 users per day.
  • SES domain and email need to be active in the same Region as Cognito.
  • Note that when you first start using SES, the service is only available in sandbox mode, which means that you can only send emails to verified domains (domains that you own); otherwise you'll get an error like this: "Cognito received the following error from Amazon SES when attempting to send email: Email address is not verified. The following identities failed the check in region EU-WEST-1: milan+test@kombinat.dev"
  • In order to activate production access for SES you need to request it (and explain how you intend to use SES); it takes up to 24 hours to activate, after which you can start using it with Cognito. I provided this information and AWS support activated it for me without further questions:

DID YOU KNOW: with Gmail you can add a + suffix before the @ of your address and it will automatically be treated as an alias. This means that I can use my Gmail account milan@kombinat.dev to create multiple accounts (usually for testing): milan+test@kombinat.dev, milan+test2@kombinat.dev. I learned about this just recently.