AWS, Cloud Computing

3 Mins Read

Understanding Amazon Cognito Authentication

What is Amazon Cognito?

Amazon Cognito is a service which provides user-data synchronization and unique identifiers for your end users that helps you securely manage and synchronize app data for users across their mobile devices. You can create unique identifiers for users through a number of public login providers (Amazon, Facebook, Twitter, Digits, Google or any OpenID Connect are compatible provider) or using your own user identity system. It also support unauthenticated guests, as they might do when they first try an app. Amazon Cognito allows you to securely store and sync data to cloud for these users even though they have not logged in.

Amazon Cognito Authentication

In order to access AWS resources, a valid AWS credentials (Access Key and Secret Key) need to be passed for authentication. While passing an AWS credentials, security is always a concern. In order to remove the problem of security of credentials, Amazon Cognito creates a unique identifiers for end users that are kept consistent across devices and platforms. It also provides temporary, limited-privilege credentials to access AWS resources.

Basically there are three flows of authentication:

    1. Basic (Classic) Flow

There are three steps to get credentials using cognito:

      • GetId: It is the first call necessary to establish a new identity in Amazon Cognito.
      • GetOpenIdToken:  This API call is called after you establish identity ID, it returns an OpenID Connect token for that identity.
      • AssumeRoleWithWebIdentity: Once you have an OpenID Connect token, you can exchange token for AWS credentials via AssumeRoleWithWebIdentity API call in AWS SecurityToken Service(STS).


Basic Flow

Basic Flow


Amazon Cognito offers two different roles for your application; one for unauthenticated users and another one for authenticated users, which is explained towards the end of the blog.

    1. Enhanced (Simplified) Flow

The enhanced flow combines the GetOpenIdToken & AssumeRoleWithWebIdentity calls into a new single call GetCredentialsForIdentity. In this way it reduces the call by one. The enhanced flow then becomes:

      • GetId
      • GetCredentialsForIdentity

Enhanced Flow

Enhanced(Simplified) Flow


The GetCredentialsForIdentity API is equivalent to calling GetOpenIdToken followed by AssumeRoleWithWebIdentity, it must be called only after you establish an identity ID.

In order for Amazon Cognito to call AssumeRoleWithWebIdentity on your behalf, your identity pool must have an association with IAM roles associated with it.

    1. Developer Authentication Flow

Amazon Cognito provides developer authentication identities in addition to public logins (Facebook,Google, Amazon and Twitter). With developer authentication process, you can register and authenticate users via your own existing authentication process. It involves authentication between the end user device, your back-end for authentication and Amazon Cognito.

It introduces a new API called GetOpenIdTokenForDeveloperIdentity. When you call this API from your back-end using your AWS credentials, it receives the uniqueID of the cognito identity pool you’re connecting to and one or more identifiers of the user. The response of the API would be a unique Cognito ID and an OpenID Connect token for end user.

You can set the expiration time for token, if you don’t specify the expiration time by default. It is valid for 15 minutes and maximum time you can set up to 24 hours.

      • Login via Developer Provider
        1. Validate the user’s login
        2. GetOpenIdTokenForDeveloperIdentity
      • AssumeRoleWithWebIdentity

Developer Authentication Flow

Developer Authentication Flow


IAM Roles for authenticated and unauthenticated users
Amazon Cognito generates AWS credentials for the users when they logged in to your app, these credentials are associated with specific IAM roles, which defines some set of permissions to access AWS resources.

By default, Amazon Cognito creates a new role with limited permissions – end users only have access to Cognito Sync and Mobile Analytics. You can modify the roles if your application needs access to other AWS resources such as S3 or DynamoDB at time of creation of Identity Pool.

The following policy provides access to the Amazon Cognito Sync and Mobile Analytics for authenticated & unauthenticated users:



This is all from my end for Amazon cognito Authentication.If you have any comments or any questions, please free to leave a comment here. I will be available to answer any doubts or queries

Voiced by Amazon Polly


CloudThat is a leading provider of cloud training and consulting services, empowering individuals and organizations to leverage the full potential of cloud computing. With a commitment to delivering cutting-edge expertise, CloudThat equips professionals with the skills needed to thrive in the digital era.



  1. Michael Watkins

    Nov 12, 2020


    Are the AWS Credentials suitable for accessing API’s using AWS Signature authentication?

    Where should this credentials be stored by the client? e.g. browser session storage, cookie, etc.

  2. Manoj Tyagi

    Mar 1, 2018


    Does Amazon Cognito used to generates AWS credentials only?what if I want to use my own AuthenticationProvider and want to have user creadentials in different data source e.g LDAP or MySQL DB?

  3. Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!