We will discuss about the capabilities of AWS Cognito and Lambda to create a complete user management system without maintaining any servers or database
We will be present with the configuration Amazon Cognito and Lambda functions to demonstrate the usage of multiple SDK’s of Cognito.
Other Components which are used in the architecture.
- API Gateway
- AppSync and Amplify (Sample Federated Identities)
Let’s look at the high level architecture. The Website is an responsive user self service portal where following functionalities are incorporated
- User Sign Up
- Confirmation of email
- User Login In
- User Sign out
- Forget password
- Inventory page ( Other AWS Service : AppSync)
- User Details
Inventory Page (AWS AppSync) is a different topic which has been incorporated into the frontend responsive web app as an integration plugin using AWS Amplify . The configuration is not part of this post. However, We will show how pre configured cognito user pools are used as federated identity services in AppSync and Amplify to validate authorization.
In the Above Diagram, We have all the API Gateway which are endpoints to all the fleets of Lambda implementing the Cognito User Management Function. The User Management System is defined in the following ways:
- User Sign’s up using the firstName,lastName,userName and password.
- Provided all the validation policies satisfies, User is created as UNCONFIRMED and email is send to the userName with a link.
- When the User Clicks on the above link, they become CONFIRMED users inside cognito user pool and are able to login using the same password.
Cognito User Pool Configuration
We configure the pool with the Password Policies and other mandatory attributes link given_name(firstName),family_name(lastName) and email(username).We customize the body of the email which will be sent when the user sign’s up.
Once the above configuration is completed in the Cognito Console. We take note of the Pool_Id and App Client Id which will be used for integrating the SDK’s of Cognito in the Lambda Functions.
Triggers(Optional) : The User Pool also has options of multiple triggers which can be added which any users are added in the pool. However, We will skip these section as it an optional and can be used if we need to invoke any other services along with the cognito
API Gateway and Lambda Configuration
We have created the Rest Endpoints using API Gateway and integrated the back end with lambda functions which consume the congnito sdk’s where we provide the APP Client Id and Pool Id which were created above.
The above python implementation is the example of sign up functionality using cognito sdk’s in the lambda serverless services. We have similar implementations of all the other functionalities of user management like sign in, signout, forgotpassword. All of these implementations are exposed by a separate API endpoints.
Sample Request for Sign in
Sample Response for Sign in
Once the user is confirmed , then 3 tokens are fetched using the sign in functions. All of the these tokens have their own importance which can be read in this post.
Using Cognito as Authority Identity Federated Services
In the responsive web app, we have use Amplify , AppSync to implement the user inventory table functionality mentioned above. To Provide the access to the above services only for the user logged in through the User Pools and Confirmed Users using Identity Federated Services.
These are only one of the few services which are shown in the example, however this can be extended to multiple important services of AWS like S3 , DynamoDB. Cognito User Pool and Identity Federation Pool can be utilized to perform an important secured user management system.
The Above example shows how cognito can be used to maintain user data’s as well as cater to the web app responsive tool using the toggle between Confirmed / UnConfirmed status. This same orchestration can be extended to many of the other services which can take advantage of this authorization capabilities of the user pool and identity federation to control who can access or who are denied from any services. There is no need of provisioning of database or any 3pp to maintain the user data’s or status.