aws service difference between cognito user pool and federated identity

6

32

AWS provides Cognito, which provides the developer with sign-up and sign-in functionality, including federation with OpenID-compatible identity providers such as Facebook, Google, etc.

There are two types of categories in cognito developer console. These are managing user pool and managing federated identities.

I'm just a little bit confused because both are very similar, even when we want to allow our clients to log in with their Facebook account. The Cognito user pool itself provides federation, and the federated identity pool also provides it via authentication providers.

The question is: if I want to allow my clients to use their own Facebook account for sign-in, which category should I use? User pool or federated identities?

In addition, if I want to configure an authorizer in API Gateway, I have to create a Cognito user pool, not a federated identity pool. Is that the main reason for choosing the Cognito category?

Amos answered 21/9, 2017 at 2:22 Comment(0)
30

You can think of user pools as sort of a directory which contains user attributes such as name, email, phone number etc. This also provides sign-up and sign-in capability. You can federate users into user pools. Currently you can use Facebook, Google, and SAML as identity providers for user pools.

Cognito Federated identities lets you federate users into AWS and vends AWS credentials that can be used to access the resources you allow in your policy. For Cognito Federated Identities, you also have a variety of identity providers that you can configure such as Facebook, Google, and also Cognito User Pools can be an identity provider.

What you use depends on your use case. If you don't require AWS resources for your app, probably User Pools is all you need.

Diverse answered 21/9, 2017 at 2:31 Comment(1)
Thank you for your answer. It helps me to understand the differences between them. – Amos
40

Cognito user pool:

Amazon Cognito User Pool makes it easy for developers to add sign-up and sign-in functionality to web and mobile applications. It serves as your own identity provider to maintain a user directory. It supports user registration and sign-in, as well as provisioning identity tokens for signed-in users.

Cognito Federated Identities or Identity Pool:

Cognito Identity Pool (or Cognito Federated Identities) on the other hand is a way to authorize your users to use the various AWS services. Say you wanted to allow a user to have access to your S3 bucket so that they could upload a file; you could specify that while creating an Identity Pool. And to create these levels of access, the Identity Pool has its own concept of an identity (or user). The source of these identities (or users) could be a Cognito User Pool or even Facebook or Google.

Relationship between User pool and Identity pool:

The Cognito Identity Pool simply takes all the identity providers and puts them together (federates them). And with all of this it can now give your users secure access to your AWS services, regardless of where they come from.

So in summary, the Cognito User Pool stores all the users which then plugs into Cognito Identity Pool which can give the users access to AWS services.

source

Maharajah answered 6/6, 2018 at 12:28 Comment(5)
I really appreciate your answer. Thank you so much. – Amos
I have another question. I'm currently interested in AWS API Gateway, IAM and Cognito. As you stated before, Cognito Identity Pool is used to give a user authorized access to AWS resources, including AWS API Gateway. When I manage APIs via AWS API Gateway, I can configure authorizers. There are two types of authorizer, either Lambda or Cognito. If I use Cognito as the API authorizer, I have to specify a Cognito user pool, not the identity pool. In this case, the Cognito identity pool is not required to access AWS API Gateway, which is one of the AWS resources. – Amos
@Amos you are right about the API Gateway. API Gateway is different from the other services. We can access other services like S3, DynamoDB etc. through it, like the Cognito identity pool. That's why an authorization mechanism is integrated with it. But a Cognito user pool can't directly provide access to AWS resources. – Maharajah
Facebook login is completed; where can I find whether the user was created or not in AWS? – Electrophone
The problem with this image is that it makes it look like identity pools are mandatory, while they actually aren't. See my answer for more details. – Nikianikita
25

I believe AWS should separate User Pool and Identity Pool, and change the names, because mixing up different services under the same name causes confusion, and the names do not give any clue about the services.

  • User Pool -> AWS Authentication and Token vending service, similar to Auth0. You can use Auth0 instead of unnecessarily complicated User Pool
  • Identity Pool -> AWS IAM Authorization service for the authentication tokens such as Auth0 token or AWS JWT token (from User Pool)

An analogy would be:

  • User Pool is an agency in your country that identifies who you are and issues a VISA (the VISA is the token which the Identity Provider provides you as a user).

  • Identity Pool is the border control of the foreign country called "AWS" that you visit with the VISA. They verify who you are with the VISA and authorize what you can do in there. If the border control does not recognize the VISA, you cannot do anything. If they recognize it, then they have fine-grained rules defined for each VISA about what actions are allowed and where.


Forget about User Pool

Better focus on Identity Pool, because User Pool is just another Identity Provider service like MSAD, Google, Facebook, Auth0, etc. An Identity Provider authenticates and provides a token, e.g. a Kerberos token for MS AD users, or a Cognito Userpool JWT token for an AWS Cognito Userpool user. Then the Identity Pool can utilize the token to authorize access to AWS resources.

AWS has been mixing up this Identity Provider/Authentication service with the Identity Pool/Authorization service, besides their strange naming, hence causing massive confusion and giving rise to questions like this one.

The name "Identity Pool" does not make any sense as it has no indication on what the service does. A word must navigate thinking that leads to understanding, not confusion. AWS exactly does the opposite.

Preparation

Before jumping to what Identity Pool does/is, better to understand a few things.

AWS STS Token

Naively speaking, an AWS STS Token allows us to create, use, update and delete AWS resources programmatically.

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN

If you have an AWS account user, you can get AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for the user, and then get an STS token using e.g. MFA.

IAM Role

In reality, an IAM Role defines which actions are allowed on which AWS resources for an STS token. It may allow create but not delete. So it depends on the IAM Role what an STS Token allows us to do.

However, the point to note is, there is an association between an IAM Role and an STS Token you get, and someone must define the association for you.

What Identity Pool gives you

It gives an STS Token, with which you can manipulate AWS resources in an AWS account.


Situation where Identity Pool is useful

Another problem of AWS for me is that their documentation does not declare "This is when you need Identity Pool", but instead keeps repeating the word Federation, which does not point to what Identity Pool does: allow you to manipulate AWS resources with an STS Token.

If you are in the situation where:

  • I want to manipulate AWS resources in an AWS account, and
  • I do not have an AWS IAM User (or I do not want to use it), but
  • I have an account in Corporate AD, or in Google, or in Facebook, or in Auth0, or ..., or in Cognito User Pool.

Then you can use Identity Pool to get an STS token for the account (e.g. Google) you logged in with, and can manipulate the AWS resource.

For instance, if you have 1000+ users in your corporate AD and want to let them use AWS resources somehow. Would you create 1000+ AWS IAM users? Or find a way to map them to a few IAM roles such as "Administrator", "Accounting", "Finance", "IT"?


What Identity Pool does

Identity Pool maps an Identity Provider token (e.g. Google token) to an IAM Role in an AWS account, and gives an STS Token.

AWS calls this "mapping" Federation, in my understanding.

I would recommend completely forgetting User Pool when discussing Identity Pool. User Pool is just another Identity Provider which you may not need at all.

Likewise, when discussing User Pool, I would recommend completely forgetting Identity Pool.

I do hope AWS will separate the Identity Provider Service (User Pool) from the Token Mapping service (Identity Pool) to stop causing confusion.

[diagram by the answer author; image not available in this copy]

Romney answered 14/3, 2020 at 9:54 Comment(8)
This is probably the best answer; I have been scanning medium.com posts and AWS docs for the whole day. – Passionate
I have a minor doubt. Suppose a user signs up with Google for the first time and the identity pool gives it a temporary token to access AWS resources. But next time, does the user have to sign up again? How do I make the user sign in next time and not sign up? – Passionate
Thanks for the elaborate answer. +1 What's the source of the image you linked? I guess you only added some remarks there, didn't you? – Markson
@mon, very nice diagram! Still I cannot understand something: if the Cognito user pool is just one of the identity providers which can be used with the Cognito identity pool, why can you integrate the other identity providers (Facebook, etc.) inside the Cognito user pool itself? – Levelheaded
@Levelheaded Authentication with Userpool used to only happen at Userpool. Then AWS introduced a way to negotiate the authentication with another identity provider, e.g. Facebook, via Userpool on behalf of the user. – Romney
@Jaxx, may not be a good analogy, but we can log in to Stackoverflow using Google. Stackoverflow negotiates the authentication and Google does the authentication part. Now replace Stackoverflow with an internet service that uses Cognito Userpool as its backend. – Romney
@mon, so the new "better" approach for web identities like Google/Facebook is to authenticate them through the Cognito user pool and authorize the Cognito user through the Cognito identity pool? While previously the web identities were both authenticated and authorized through the Cognito identity pool? – Levelheaded
@PeterWippermann, the image is my own. You cannot find it anywhere. – Romney
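Romney's answer describes an Identity Pool as a mapping from an identity provider token to an IAM role, and asks how 1000+ corporate users could be mapped to a handful of roles. The simulation below is an added example, not code from the answer or from AWS: it models the role-selection step of an identity pool (rules-based mapping with the four match types an identity pool offers, a default authenticated role, and the optional guest role) and returns which role the resulting STS credentials would be scoped to. In the real service the client calls GetId and then GetCredentialsForIdentity with a Logins map of provider name to IdP token, and the identity pool validates that token itself; here the tokens are replaced with already-verified claim dicts. The provider names, role ARNs, pool id and the custom:department claim are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed identifiers (assumptions, not from the page): a made-up account,
# identity pool, user pool provider name and role ARNs.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
USER_POOL_PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
GOOGLE_PROVIDER = "accounts.google.com"
AUTHENTICATED_ROLE = "arn:aws:iam::123456789012:role/Cognito_Example_Auth"
UNAUTHENTICATED_ROLE = "arn:aws:iam::123456789012:role/Cognito_Example_Unauth"
FINANCE_ROLE = "arn:aws:iam::123456789012:role/Finance"
IT_ROLE = "arn:aws:iam::123456789012:role/IT"


@dataclass
class MappingRule:
    """One rules-based mapping rule: claim + match type + value -> role ARN.

    The match types mirror the ones an identity pool offers
    (Equals, Contains, StartsWith, NotEqual)."""
    claim: str
    match_type: str
    value: str
    role_arn: str

    def matches(self, claims: Dict[str, str]) -> bool:
        actual = claims.get(self.claim)
        if actual is None:
            return False
        if self.match_type == "Equals":
            return actual == self.value
        if self.match_type == "Contains":
            return self.value in actual
        if self.match_type == "StartsWith":
            return actual.startswith(self.value)
        if self.match_type == "NotEqual":
            return actual != self.value
        raise ValueError(f"unknown match type {self.match_type}")


@dataclass
class IdentityPoolSim:
    """Simulation of the role-selection step of an identity pool.

    ``rules`` maps a trusted provider name to its ordered rules; the first
    matching rule wins, and a provider with no matching rule falls back to
    the pool's default authenticated role."""
    rules: Dict[str, List[MappingRule]]
    allow_unauthenticated: bool = False

    def choose_role(self, logins: Optional[Dict[str, Dict[str, str]]]) -> str:
        # No Logins map at all: this is the guest (unauthenticated) path.
        if not logins:
            if not self.allow_unauthenticated:
                raise PermissionError("unauthenticated identities are disabled")
            return UNAUTHENTICATED_ROLE
        # The simulation evaluates the first provider in the map; the claims
        # are assumed to have been verified against that provider already.
        provider, claims = next(iter(logins.items()))
        if provider not in self.rules:
            raise PermissionError(f"provider {provider!r} is not trusted by this pool")
        for rule in self.rules[provider]:
            if rule.matches(claims):
                return rule.role_arn
        return AUTHENTICATED_ROLE


def get_credentials(pool: IdentityPoolSim, logins, now: int) -> Dict[str, object]:
    """Simulated GetCredentialsForIdentity: reports the role the temporary
    STS credentials would assume, plus a one-hour expiry."""
    role = pool.choose_role(logins)
    return {"RoleArn": role, "Authenticated": bool(logins), "Expiration": now + 3600}


def build_example_pool(allow_unauthenticated: bool = False) -> IdentityPoolSim:
    """Pool that maps the user pool's custom:department claim to a few roles
    and admits Google users on the default authenticated role."""
    return IdentityPoolSim(
        rules={
            USER_POOL_PROVIDER: [
                MappingRule("custom:department", "Equals", "Finance", FINANCE_ROLE),
                MappingRule("custom:department", "Equals", "IT", IT_ROLE),
            ],
            GOOGLE_PROVIDER: [],
        },
        allow_unauthenticated=allow_unauthenticated,
    )


if __name__ == "__main__":
    pool = build_example_pool()
    finance = {USER_POOL_PROVIDER: {"sub": "u-1", "custom:department": "Finance"}}
    print(get_credentials(pool, finance, now=1_700_000_000))
```

The rule list is where the "1000+ users, a few roles" question is answered: every user in Finance receives the same role, so the IAM policy is written once per role, and a user whose department matches no rule only gets the default authenticated role. Whether guests get anything at all is a pool-level switch, which is why the unauthenticated path is refused unless it was explicitly enabled.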
4

The best summary I have ever heard is:

  • user pools return JSON Web Tokens (JWTs) which are used to access APIs that you built (using api gateway or appsync)
  • identity pools return Security Token Service (STS) tokens that are used to access APIs that aws built (s3, dynamodb, etc.)

Watch this cognito deep dive video for more details.

Nikianikita answered 25/9, 2021 at 20:8 Comment(0)
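Nikianikita's summary (user pool JWTs are for APIs you built) and Amos's earlier comment that an API Gateway Cognito authorizer takes a user pool, not an identity pool, raise the question of what that authorizer actually checks on the token. The code below is an added example, not from the answers or from AWS: it performs the claim checks a custom authorizer must make on a user pool token, namely signature, token_use, issuer (https://cognito-idp.<region>.amazonaws.com/<user pool id>), audience (aud on an id token, client_id on an access token) and expiry. Assumptions: the region, user pool id and app client id are made up, and the toy token is HS256-signed with a shared secret so the example runs offline; a real Cognito token is RS256-signed and its signature must be verified against the pool's published JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values (assumptions, not from the page).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Toy shared key. Real Cognito tokens are RS256-signed and are verified with
# the public keys from the pool's JWKS; HS256 is used here only for an
# offline demonstration of the claim checks.
TOY_KEY = b"toy-shared-secret-for-demo"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_toy_token(claims: dict) -> str:
    """Build a toy HS256 JWT with the given claims (stands in for the user pool)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(TOY_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_user_pool_token(token: str, expected_use: str, now: Optional[int] = None) -> dict:
    """Validate a user pool JWT the way an API authorizer must and return its claims.

    Raises ValueError on any failure. expected_use is "id" or "access": an
    id token carries the app client id in `aud`, an access token in `client_id`.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (e.g. alg "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        TOY_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    access = mint_toy_token({
        "sub": "11111111-2222-3333-4444-555555555555",
        "iss": EXPECTED_ISSUER,
        "client_id": APP_CLIENT_ID,
        "token_use": "access",
        "exp": now + 3600,
    })
    print(verify_user_pool_token(access, "access", now))
```

The issuer check is what ties the token to one specific user pool, and the token_use check is what stops an id token from being accepted where an access token was expected (and vice versa); skipping either is a common mistake in hand-written authorizers. None of this involves an identity pool, which is the point Nikianikita's summary makes.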
0

AWS Cognito user pool:

  • AWS Cognito user pool is a way to provide Authentication to a user of an Application.
  • User pool basically stores users' login credential details or user-related information, and it is more of an authentication process.
  • Once a user is authenticated, the user will get the JWT token back.

Identity pool :

  • Identity pool does both authentication and authorization, but it uses Amazon Cognito User Pool for authenticating users. Not just Cognito User Pool; Identity pool relies on any federated identity for authenticating users.

  • Once the user is successfully authenticated by the user pool, in the next step the flow goes to the identity pool, i.e. with the help of the identity pool we get the AWS credentials, which decide the authorization step, such as whether the user has access to the AWS resources or not.
    In case the user pool fails to authenticate the user, the Identity pool can still give temporary guest access.

Moneyer answered 18/10, 2023 at 7:49 Comment(0)
-1

The picture below is a good answer to the question (User Pool vs Identity Pool): [image: User Pool VS Identity Pool]

Inrush answered 21/4, 2021 at 1:47 Comment(0)