
Which one to use Cognito User Pool or Identity Pool For Social signIn?

We are using ECS for deploying our Flask-based application and API Gateway for allowing the authenticated users. Only the application hosted on ECS should hit the database, and there should be no way an end user can hit the DB directly.

My question is: if the user signs in from a Cognito user pool (either from Facebook or Google), will he be able to bypass the API Gateway, reach the ECS service and hit the DB? Or will the user face issues regarding the AWS credentials and permissions enforced by API Gateway?

(I am aware that if the user signs in through identity pool IdPs, the end user will be allocated IAM permissions and AWS manages it from then on.)

Thanks

You can use both. However, I would recommend using a Cognito User Pool and the Hosted UI. Cognito User Pool has the capability of integrating identity providers like Facebook and Google for social sign-in, with the possibility of attributes being mapped to Cognito User Pool attributes automatically. You can then configure a Cognito Identity Pool to register users that have signed up / signed in to the Cognito User Pool (through social identity providers or through regular sign-in) to obtain temporary AWS credentials.

Sample code:


const AWS = require('aws-sdk');
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
                IdentityPoolId: <identity pool id>,
                Logins: {
                    'cognito-idp.<region>.amazonaws.com/<user pool id>': <user jwt token>
                }
});

Also bear in mind that you have three ways of authorizing access to API Gateway:

  1. IAM through Identity Pool (sign requests with the AWS signer).

  2. Cognito (by supplying the JWT directly through an Authorization: 'Bearer <jwt>' header in your request).

  3. Custom Lambda authorizer (implement custom logic, but you have to decode the JWT yourself using the public key available at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json).

Using both identity and user pool, you can implement fine-grained RBAC by choosing either to pass the role through the token (uses roles granted by group role, for example) or through rules you set up based on user attributes from the user pool.

More info on that here

Hope I have been of help :)
