Jun 16th, 2021

The Best User Management Service: AWS Cognito

Tags: #AWSCognitoUserPool #AWSCognitoIdentityPool #AWSCognitoLoginExample

Image shows AWS Cognito Overview

User management has become far more important in recent years. While some companies keep their users on on-premises servers and run user management themselves, large vendors such as Auth0, Okta and OneLogin also provide services in this field. User management means more than a server where users are stored; it also means an identity provider that covers the following requirements:

  • Authentication & authorization mechanisms
  • Token generation, distribution, and security
  • Password storage and protection
  • User management APIs (Register, login, forgot password, logout, etc.)
  • Additional security mechanisms (MFA, suspicious IP blocking, account locking, etc.)

Today, we will discuss one of our favorites, AWS Cognito. AWS Cognito has two aspects:

  • AWS Cognito User Pools
  • AWS Cognito Identity Pools

AWS Cognito User Pools provide user management (register, login, logout, forgot password, reset password, etc.) and access control for our web and mobile app users in a quick and easy way. They also support sign-in with social identity providers such as Google, Facebook, Apple and Amazon, as well as SAML 2.0 and OpenID Connect. We don’t have to worry about where users’ passwords or information are stored: Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users and issue JSON Web Tokens (JWTs) on sign-in. Cognito also complies with HIPAA, PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27018 and ISO 9001, so you can use it with your critical infrastructure apps. To understand Cognito deeply, let’s get our hands dirty! We need a free tier AWS account, which you can create by following the steps here.

First of all, search for Cognito in the AWS Management Console and select it.

Image shows Amazon Cognito on AWS Management Console

Select “Manage User Pools”. If there are no issues with your AWS account settings, you will see the blank “Your User Pools” page. If there is an error, check the payment settings of your AWS account registration. On this page, select “Create a user pool”. Give the user pool a name so you can identify it later. You can create the pool either with “Review defaults” or by stepping through the settings one by one. In this case, we step through the settings so we can see the AWS Cognito options in detail.

Image shows AWS Cognito Create UserPool Page

On the “Attributes” tab, we choose how our users sign in: username, e-mail address or phone number. This selection is critical because you cannot change it after the user pool has been created. Select “Email address or phone number” and the “Allow email addresses” option.

Image shows AWS Cognito Sign in Options

Which attributes do we want from users during sign-up? We can select the registration (sign-up) attributes on the same page. There are two options: required attributes or custom attributes. If you mark an attribute as required, users must provide it. Custom attributes, on the other hand, may be left blank (null) on the registration page. You can use custom attributes for your own user management, database or multi-tenancy solutions. We recommend custom attributes over required attributes wherever the value is not critical for development or production. In this case, we choose email as the only required attribute.

Image shows AWS Cognito Add Custom Attributes

In the next step, we can set up our password policy and choose whether users can sign up by themselves or only an administrator can create them. The latter option is useful for critical and internal apps where users should only be registered by an admin. We can also edit the temporary password expiration time. In this case, we made no changes and kept the default values. We recommend a strong password policy in the production environment.

Image shows AWS Cognito Password Policy

After this page, we will see the “MFA and verifications” page. MFA options will be discussed in a different blog post.

Image shows AWS Cognito MFA Options

On the “Message customizations” page, we can modify the e-mails that carry the user verification code or link and the temporary password. AWS Cognito uses AWS SES to send e-mail. You can select the verification type and the e-mail message details here. In our case, we selected the verification link and changed the e-mail message content a little.

Image shows AWS Cognito Customize Email Settings

We can add additional tags for management purposes on the “Tags” page.

Image shows AWS Cognito Tags

On the “Devices” page, you will see the “Do you want to remember your user’s devices?” option. This option lets Cognito record the devices users sign in from, which is useful for security purposes. In this case, we choose “Always”.

Image shows AWS Cognito Remember User Devices

After this page, we reach a critical option: “App clients”. You can create multiple app clients for one user pool. Generally, one app client corresponds to one platform; for example, you might create one for Android and one for the web. Each app client has its own app client ID. We can also set the expiration time of the tokens (ID, access and refresh) for every app client here. We only disabled the “Generate client secret” option. A client secret is useful for cloud-to-cloud integrations, but we do not need one here.

Image shows AWS Cognito App Client Settings

At the bottom of the same page, you will see the “Set attribute read and write permissions” option. If you added a custom attribute, you must grant read and write permissions for it here. Otherwise you will not get an error, but you will not see the custom attribute values for your users on the Cognito user page. This can be confusing, so be careful with this option.

Image shows AWS Cognito Attribute Permissions

After this, we reach one of our favorite Cognito features: triggers. Triggers let us hook into the user registration, sign-in and token generation processes. They are implemented as AWS Lambda functions.

Image shows AWS Cognito Triggers
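As an added example (not code from the original post), the two handlers below show what such Lambda triggers look like in Python: a “Pre sign-up” trigger that rejects self-registrations from e-mail domains outside an allow-list, and a “Pre token generation” trigger that copies a custom attribute into the ID token. The allowed domains, the `custom:tenant_id` attribute, the region, pool ID and app client ID are assumptions; `sample_event` builds a constructed event in the shape Cognito passes to Lambda so the handlers can be run locally without an AWS account.

```python
import json

# Assumption for this example: only addresses in these domains may self-register.
ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}


def is_allowed_email(email):
    """True when the address has a non-empty local part and an approved domain (case-insensitive)."""
    local, sep, domain = email.strip().rpartition("@")
    return bool(sep) and bool(local) and domain.lower() in ALLOWED_EMAIL_DOMAINS


def pre_sign_up(event, context=None):
    """'Pre sign-up' trigger: reject self-registrations from unapproved e-mail domains.

    Cognito invokes this before the user record is created. Raising an exception
    makes Cognito refuse the sign-up and return the message to the caller.
    Admin-created users (PreSignUp_AdminCreateUser) are passed through unchanged.
    """
    if event.get("triggerSource") != "PreSignUp_SignUp":
        return event
    email = event["request"]["userAttributes"].get("email", "")
    if not is_allowed_email(email):
        raise ValueError("Sign-up is restricted to approved e-mail domains")
    # Leave confirmation and verification to Cognito so the verification-link
    # flow configured in the pool still runs; do not auto-confirm here.
    event["response"]["autoConfirmUser"] = False
    event["response"]["autoVerifyEmail"] = False
    return event


def pre_token_generation(event, context=None):
    """'Pre token generation' trigger: copy the pool's custom:tenant_id attribute
    (assumed to exist for this example) into the ID token as a 'tenant_id' claim."""
    attrs = event["request"]["userAttributes"]
    overrides = {"claimsToAddOrOverride": {}, "claimsToSuppress": []}
    tenant = attrs.get("custom:tenant_id")
    if tenant:
        overrides["claimsToAddOrOverride"]["tenant_id"] = tenant
    event["response"]["claimsOverrideDetails"] = overrides
    return event


def sample_event(trigger_source, user_attributes):
    """Constructed minimal trigger event for local testing: the field names follow
    the shape Cognito passes to Lambda, the values are placeholders."""
    if trigger_source.startswith("TokenGeneration_"):
        response = {"claimsOverrideDetails": None}
    else:
        response = {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False}
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "eu-west-1",
        "userPoolId": "eu-west-1_EXAMPLE",
        "userName": user_attributes.get("email", "user"),
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown", "clientId": "example-app-client-id"},
        "request": {"userAttributes": dict(user_attributes), "validationData": {}},
        "response": response,
    }


if __name__ == "__main__":
    ok = pre_sign_up(sample_event("PreSignUp_SignUp", {"email": "alice@example.com"}))
    print(json.dumps(ok["response"]))
    try:
        pre_sign_up(sample_event("PreSignUp_SignUp", {"email": "bob@not-allowed.example"}))
    except ValueError as err:
        print("rejected:", err)
    tok = pre_token_generation(sample_event(
        "TokenGeneration_HostedAuth",
        {"email": "alice@example.com", "custom:tenant_id": "acme"}))
    print(json.dumps(tok["response"]))
```

Each handler is deployed as its own Lambda function and selected on the “Triggers” page for the matching hook. Note that the pre sign-up handler deliberately leaves `autoConfirmUser` and `autoVerifyEmail` false: auto-confirming there would bypass the e-mail verification link configured earlier in this walkthrough.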

After all of these, we can create our user pool successfully. You can see your user pool ID on the main page of your user pool.

Image shows AWS Cognito Create Userpool Successfully

Now we can register a user and sign in. AWS Cognito provides a hosted UI for testing purposes. Select “App integration → Domain name” in the left bar of the user pool we just created. We need a Cognito domain for the sign-in, sign-up and forgot-password pages. We entered “test-medium” as the domain prefix, checked its availability and saved the change. You can also use your own custom domain with a certificate from AWS ACM.

Image shows AWS Cognito Add Domain to Userpool

Finally, set a callback (sign-in) URL and a sign-out URL for your app client. We chose http://localhost:8000 for test purposes. After saving this configuration, you will see the “Launch Hosted UI” button below.

Image shows AWS Cognito Add callback URLs to app client

After launching the hosted UI, we can sign up a user. Think of the hosted UI as your app’s registration or login page. We selected the sign-up option here because we have not registered a user yet.

Image shows AWS Cognito Hosted UI

During sign-up, we registered with a test e-mail address and password.

Image shows AWS Cognito Sign Up

To verify the email address, AWS Cognito sends a verification link to the email address. (Keep in mind that we have configured this option above.)

Image shows AWS Cognito Verify Email

After the verification link is clicked, AWS Cognito marks the e-mail address as verified. The user can then sign in successfully and receive the tokens; you can see them in your browser’s address bar, because the hosted UI redirects to the callback URL with the tokens attached. Under “Users and groups” on your user pool configuration page, you can also see the full user list and each user’s data.

Image shows AWS Cognito User Details
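The tokens that land in the address bar are JWTs, and the app client settings discussed above (client ID, token expiration) are exactly what a backend must check before trusting them. The example below is added here and is not code from the original post: it pulls the tokens out of a hosted UI redirect URL and applies the documented claim checks (issuer matches the pool, `token_use` is `id` or `access`, `aud`/`client_id` matches the app client, `exp` is in the future, `alg` is RS256). The region, pool ID and app client ID are placeholders, and `constructed_token` builds an unsigned sample token for local demonstration; a real token must additionally have its signature verified against the pool’s JWKS before any claim is trusted.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlparse

# Placeholder values (assumptions): replace with your own region, pool ID and app client ID.
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# The pool's public signing keys are published here; the signature must be checked
# against them before any claim below is trusted (not done in this example).
JWKS_URL = f"{EXPECTED_ISSUER}/.well-known/jwks.json"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def tokens_from_redirect(url):
    """Split the tokens out of the hosted UI redirect. With the implicit grant they
    arrive in the URL fragment, e.g. http://localhost:8000/#id_token=...&access_token=..."""
    fragment = urlparse(url).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}


def decode_token(jwt):
    """Return (header, payload) of a compact JWT without verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def validate_claims(jwt, expected_use, now=None):
    """Apply the claim checks for a Cognito token and return a list of problems
    (empty when the claims are acceptable). Signature verification against
    JWKS_URL is a separate, mandatory step that this function does not perform."""
    now = time.time() if now is None else now
    header, payload = decode_token(jwt)
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if payload.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer does not match the user pool")
    if payload.get("token_use") != expected_use:
        problems.append(f"token_use is {payload.get('token_use')!r}, expected {expected_use!r}")
    # ID tokens carry the app client ID in 'aud', access tokens in 'client_id'.
    client_claim = "aud" if expected_use == "id" else "client_id"
    if payload.get(client_claim) != APP_CLIENT_ID:
        problems.append(f"{client_claim} does not match the app client")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def constructed_token(payload, alg="RS256"):
    """Build a token with a placeholder signature segment, for local demonstration only."""
    header = {"kid": "placeholder-kid", "alg": alg}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "placeholder-signature"])


# Constructed sample: an ID token for a verified user and the redirect URL that would carry it.
SAMPLE_ID_TOKEN = constructed_token({
    "iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
    "sub": "00000000-0000-4000-8000-000000000000", "email": "user@example.com",
    "email_verified": True, "iat": 1_700_000_000, "exp": 1_700_003_600,
})
SAMPLE_REDIRECT = (f"http://localhost:8000/#id_token={SAMPLE_ID_TOKEN}"
                   "&access_token=placeholder&expires_in=3600&token_type=Bearer")

if __name__ == "__main__":
    tokens = tokens_from_redirect(SAMPLE_REDIRECT)
    print(validate_claims(tokens["id_token"], "id", now=1_700_000_100))      # []
    print(validate_claims(tokens["id_token"], "id", now=1_700_003_601))      # expired
    print(validate_claims(tokens["id_token"], "access", now=1_700_000_100))  # wrong token_use / client_id
```

The `alg` check matters because the ID and access tokens are always RS256-signed by the pool; a verifier that accepts whatever `alg` the header names is the classic JWT mistake. Passing `now` explicitly keeps the expiry check deterministic for tests; in production leave it unset.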
