2.1.1 Federated Access (Cognito)
Amazon Cognito
User Pools (Authentication — “Who are you?”)
User directory that manages sign-up, sign-in, and MFA.
| Feature | Description |
|---|---|
| Sign-up/Sign-in | Email, phone, username |
| MFA | SMS, TOTP (authenticator app) |
| Social providers | Google, Facebook, Apple, SAML, OIDC |
| Hosted UI | Pre-built login page |
| Lambda triggers | Pre/post authentication, custom message, pre token generation |
JWT Tokens
| Token | Description | Used for |
|---|---|---|
| ID Token | User identity (claims: email, name, groups) | Application authorization |
| Access Token | Scopes, permissions | API authorization |
| Refresh Token | Obtain new tokens when the others expire | Token renewal |
Identity Pools (Authorization — “What can you do?”)
- Provide temporary AWS credentials (via STS)
- Federation sources: User Pools, social providers, SAML, OpenID Connect
- Map authenticated/unauthenticated users to IAM roles
- Fine-grained access control with policy variables
Typical Authentication Flow
1. User → Cognito User Pool → Sign in
2. User Pool → JWT Tokens (ID, Access, Refresh)
3. JWT Token → Cognito Identity Pool
4. Identity Pool → STS → Temporary AWS Credentials
5. Credentials → Access AWS Services (S3, DynamoDB, etc.)
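Step 2 of the flow hands the application JWTs, and the consumer of those tokens (the app for the ID token, an API for the access token) must validate them before trusting any claim. The following is an added example, not code from the original notes or from AWS: it checks the Cognito-specific claims (issuer derived from region and User Pool ID, `token_use`, `aud` for ID tokens versus `client_id` for access tokens, expiry) using only the standard library. It assumes the RS256 signature has already been verified against the pool's JWKS by a JWT library, and the region, pool ID and app client ID are constructed placeholders.

```python
import base64
import json
import time

# Constructed sample values (placeholders, not real AWS identifiers)
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    # Builds an RS256-labelled token with an empty signature so the claim
    # checks can be exercised offline; a real token is signed by the User Pool.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def validate_cognito_claims(token: str, expected_use: str, now=None) -> dict:
    """Check the claims Cognito issues in ID ("id") and access ("access") tokens.

    Assumes the signature was already verified against the pool's JWKS at
    https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json.
    Raises ValueError on any mismatch and returns the claims on success.
    """
    now = time.time() if now is None else now
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    # Cognito only signs with RS256; anything else (e.g. "none") is rejected
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    # The issuer binds the token to exactly this User Pool
    if claims.get("iss") != f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}":
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # An ID token must not be accepted where an access token is expected (or vice versa)
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # ID tokens carry the app client in `aud`; access tokens carry it in `client_id`
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise ValueError("wrong audience")
    return claims
```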
User Pool vs Identity Pool
| | User Pool | Identity Pool |
|---|---|---|
| Purpose | Authentication | Authorization (AWS access) |
| Output | JWT Tokens | AWS Credentials |
| User management | ✅ | ❌ |
| Federation | Social, SAML, OIDC | User Pools, social, SAML |
Exam Tip: User Pool = authentication (JWT tokens). Identity Pool = authorization (AWS credentials). Both are needed when a user must access AWS services directly.