2020-12-8

1. Cognito Overview

[Figure 1]
We're going to see:

  • Cognito User Pools
  • Cognito Identity Federation (Identity Pools)
  • Cognito Sync

Amazon Cognito

  • We want to give our users an identity so that they can interact with our application.
    • "users" here means the application's users, not AWS account users
  • Sign-in integrates with API Gateway and ALB
  • This is done with Cognito User Pools

[Figure 2]

  • Users can access AWS resources directly, using temporary AWS credentials
  • This is done with Cognito Identity Pools, also called Federated Identities

[Figure 3]

  • Synchronize data across devices; today this is done with a newer service, AWS AppSync
  • This was Cognito Sync (now deprecated)

[Figure 4]

  • Cognito vs IAM:
    • Administrator identities use IAM
    • Application user identities use Cognito

[Figure 5]

2. Cognito User Pools

Cognito User Pools (CUP) - User Features

  • A serverless database of users for your web and mobile apps
    • Users can sign in with a username (or email) and password
    • Password reset
    • Email and phone number verification
    • Multi-factor authentication (MFA)
    • Federated identities: Facebook, Google, SAML
    • Feature: users can be blocked (disabled)
    • A successful login returns a JSON Web Token (JWT)

Cognito User Pools (CUP) - Diagram

[Figure 6]

Cognito User Pools (CUP) - Integrations

[Figure 7]

First form: CUP with API Gateway
[Figure 8]
The token is checked in two places: the user first authenticates against CUP to obtain the JWT, then API Gateway verifies that JWT with CUP (a Cognito authorizer) before forwarding the request to the backend.

Second form: CUP with ALB

[Figure 9]

3. Cognito User Pools Hands On

Search for Cognito in the console and open it
[Figure 10]
User pools control how users log in to the application
Identity pools control how users access AWS

First click "Manage User Pools"
Then give the pool a name and click "Step through settings"
[Figure 11]
Leave the following settings at their defaults and click Next
[Figure 12]

Finally click Create (you can also create the pool with the default settings directly)
Created successfully
[Figure 13]

Then choose App clients and create an app client
[Figure 14]
Enter a name, then click Create
[Figure 15]
Create a domain as follows
[Figure 16]

Then visit the hosted UI at that domain
The sign-up flow there registers a user, who is stored in the pool you just created
[Figure 17]

4. Cognito User Pools - Others

Cognito User Pools - Lambda Triggers

CUP can synchronously invoke a Lambda function through the following triggers:
[Figure 18]

Cognito User Pools - Hosted Authentication UI

  • Cognito can provide a hosted authentication UI that handles your app's sign-up and sign-in flows
  • It can integrate with OIDC or SAML identity providers
  • The logo and CSS can be customized

[Figure 19]

5. Cognito Identity Pools

Cognito Identity Pools (Federated Identities)

  • Create a pool that lets identities from outside AWS access AWS services
  • Those identities need temporary AWS credentials
  • These users cannot be IAM users: there are too many of them to scale, and they are not trusted
  • CIP can allow unauthenticated (guest) access

[Figure 20]

  • Users can then access AWS services directly, or through API Gateway

[Figure 21]

Cognito Identity Pools - Diagram

Usual flow
[Figure 22]
The app logs in with an identity provider and hands the provider's token to Cognito Identity Pools; the identity pool exchanges that token (through STS) for temporary AWS credentials, and the app then calls AWS services with those credentials.

Cognito Identity Pools - Diagram with CUP

[Figure 23]
Same flow, with a Cognito User Pool acting as the identity provider whose token is exchanged.

Cognito Identity Pools - IAM Roles

  • Default IAM roles are used for authenticated users and for guest users
  • Each user's permissions can be partitioned with policy variables (for example ${cognito-identity.amazonaws.com:sub})

[Figure 24]

Cognito Identity Pools - Guest User example

[Figure 25]

Cognito Identity Pools - Policy variable on S3

[Figure 26]

Cognito Identity Pools - DynamoDB

[Figure 27]
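The S3 and DynamoDB figures above both rely on the same mechanism: the role's policy names `${cognito-identity.amazonaws.com:sub}`, which IAM replaces with the calling identity's ID, so one policy gives every user access to only their own prefix or their own items. The following is an added example (not code from the page or from AWS) that writes those two policies out as the authenticated role's permissions and runs a small evaluator over them for two identities. The bucket, table ARN and identity IDs are assumed placeholders, and the evaluator is a deliberately reduced model of IAM (Allow statements only, exact action names, two condition operators).

```javascript
// Added example (not from the page or from AWS): the S3 and DynamoDB policies
// from the figures, plus a reduced model of IAM evaluation that shows what the
// policy variable does per identity.
const BUCKET = 'my-app-user-data';                                              // assumed
const TABLE_ARN = 'arn:aws:dynamodb:us-east-1:123456789012:table/UserProfiles'; // assumed
const VAR = '${cognito-identity.amazonaws.com:sub}'; // replaced by the caller's identity ID at evaluation time

const authenticatedRolePolicy = {
  Version: '2012-10-17',
  Statement: [
    { // each identity may read/write only under its own prefix
      Sid: 'OwnS3Prefix',
      Effect: 'Allow',
      Action: ['s3:GetObject', 's3:PutObject'],
      Resource: ['arn:aws:s3:::' + BUCKET + '/' + VAR + '/*'],
    },
    { // listing is a bucket-level action, so it is restricted with the s3:prefix condition
      Sid: 'ListOwnPrefixOnly',
      Effect: 'Allow',
      Action: ['s3:ListBucket'],
      Resource: ['arn:aws:s3:::' + BUCKET],
      Condition: { StringLike: { 's3:prefix': [VAR + '/*'] } },
    },
    { // DynamoDB: only items whose partition key equals the identity ID
      Sid: 'OwnDynamoDbItems',
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
      Resource: [TABLE_ARN],
      Condition: { 'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [VAR] } },
    },
  ],
};

const subst = (s, identityId) => s.split(VAR).join(identityId);
const globToRe = (g) =>
  new RegExp('^' + g.split('*').map((part) => part.replace(/[.+?^$()|[\]\\{}]/g, '\\$&')).join('.*') + '$');

// Does `policy` allow `identityId` to perform `action` on `resource`, given the
// request context keys (s3:prefix, dynamodb:LeadingKeys, ...)?
function isAllowed(policy, identityId, action, resource, context = {}) {
  return policy.Statement.some((st) => {
    if (st.Effect !== 'Allow' || !st.Action.includes(action)) return false;
    if (!st.Resource.some((r) => globToRe(subst(r, identityId)).test(resource))) return false;
    return Object.entries(st.Condition || {}).every(([op, keys]) =>
      Object.entries(keys).every(([key, values]) => {
        const allowed = values.map((v) => subst(v, identityId));
        const actual = context[key];
        if (op === 'StringLike') return allowed.some((v) => globToRe(v).test(actual ?? ''));
        // ForAllValues is true when every request value matches, and also when the
        // request carries no values at all: that is IAM's semantics, which is why it
        // must not be the only guard on an action that can run without the key.
        if (op === 'ForAllValues:StringEquals') return (actual ?? []).every((a) => allowed.includes(a));
        throw new Error('unsupported condition operator: ' + op);
      }));
  });
}
```

The object-level S3 statement needs no condition because the identity ID is part of the resource ARN itself; `s3:ListBucket` is different, since its resource is the whole bucket, and without the `s3:prefix` condition every authenticated user could list every other user's keys. The DynamoDB statement does the same job with `dynamodb:LeadingKeys`, which only works if the table's partition key is the identity ID.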

6. Cognito Identity Pools Hands On

Search for Cognito and click "Manage Identity Pools"
[Figure 28]
Tick the box under "Unauthenticated identities" to allow guest access
[Figure 29]
Below that, enter the two IDs for the authentication provider (the user pool ID and the app client ID)

Two IAM roles are then created, one for authenticated access and one for unauthenticated access
[Figure 30]

Then you can download the SDK sample code
[Figure 31]

7. Cognito User Pools vs Cognito Identity Pools

The difference between the two:
The former (CUP) is a database of users that controls sign-in to the application
The latter (CIP) gives access to AWS services, implemented through IAM roles
The latter can be built on top of the former (CUP acting as the identity provider) to achieve that goal
[Figure 32]
2020-12-9

8. Cognito Sync

  • Deprecated service
    • Use AWS AppSync now
  • Stores preferences, configuration and app state
  • Cross-device synchronization
  • Offline capability (synchronizes as soon as the device comes back online)
  • Push Sync: silently notifies all devices when identity data changes
  • Cognito Stream: streams data from Cognito into Kinesis
  • Cognito Events: executes Lambda functions in response to events