AWS Cognito

AWS Cognito Tutorial: Setting Up a Mobile App with Authentication

What Is AWS Cognito? 

AWS Cognito is an authentication, authorization, and user management service provided by Amazon Web Services. It allows developers to add user sign-up, sign-in, and access control to web and mobile applications quickly without dealing with the backend infrastructure for handling authentication. 

Cognito supports multiple identity providers, including social providers such as Facebook, Google, and Amazon, as well as enterprise identity providers via SAML 2.0 and OpenID Connect.

The service offers two main components: User Pools, which are user directories that handle sign-up and sign-in and issue tokens, and Identity Pools (Federated Identities), which exchange those tokens (or tokens from other providers) for temporary AWS credentials that grant access to other AWS services. 

Using Amazon Cognito: Example Use Case 

To illustrate a typical use of Cognito, consider a scenario where an ASP.NET Core web application is developed to run on AWS Lambda (a serverless compute service), with Amazon API Gateway serving as the entry point. In this setup, Amazon Cognito’s user pool is responsible for handling user registration, authentication, and management.

Upon successful authentication, the client-side application receives JSON Web Tokens (JWTs) from Amazon Cognito. The client includes the token in the HTTP Authorization header of its requests to the web app’s API methods. API Gateway, configured with a Cognito user pool authorizer, validates the JWT (signature, issuer, and expiry) before invoking the Lambda function hosting the ASP.NET Core application, so only authenticated users can reach the application logic.
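The validation that API Gateway performs in this setup is worth seeing spelled out, because any service that receives a Cognito token without an authorizer in front of it (a Lambda invoked directly, a back end behind a different gateway) has to do the same work. The following is an added example written for this article, not code from the page, the Cognito documentation, or the ASP.NET sample: it fetches nothing, so the region, user pool ID, client ID and claims are constructed, and the RS256 signing key is a throwaway built from two publicly known Mersenne primes that merely stands in for the key Cognito publishes at https://cognito-idp.<region>.amazonaws.com/<user pool ID>/.well-known/jwks.json. The RSA arithmetic is implemented on the standard library only so the example runs offline; in production, use a vetted JWT library and the real JWKS.

```python
import base64
import hashlib
import json
import time

# RS256 (RSASSA-PKCS1-v1_5 with SHA-256) on the stdlib only; in production use a vetted JWT library.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2, note 1

# Throwaway demo key: two public Mersenne primes, so anyone can factor it. It only stands in for
# Cognito's signing key so the example runs offline; real keys come from the user pool's JWKS.
_DEMO_P, _DEMO_Q = 2**521 - 1, 2**127 - 1
DEMO_N, DEMO_E = _DEMO_P * _DEMO_Q, 65537
DEMO_D = pow(DEMO_E, -1, (_DEMO_P - 1) * (_DEMO_Q - 1))

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n) == _emsa_pkcs1_v15(msg, k)

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def jwks_for(n: int, e: int, kid: str = "demo-kid") -> dict:
    """JWKS document in the shape Cognito serves at /.well-known/jwks.json (here for the demo key)."""
    enc = lambda x: _b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(n), "e": enc(e)}]}

def mint_test_token(claims: dict, n: int, d: int, kid: str = "demo-kid") -> str:
    """Sign constructed claims with the demo key (a stand-in for a Cognito-issued token)."""
    h = _b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + _b64url_encode(rs256_sign(f"{h}.{p}".encode(), n, d))

def verify_cognito_jwt(token, jwks, region, user_pool_id, client_id, token_use, now=None) -> dict:
    """Return the claims if this pool issued the token for this app client; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":  # pin the algorithm; the header must never choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(_b64url_decode(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), sig, n, e):
        raise ValueError("bad signature")
    # A good signature only proves Cognito minted it; the claims prove it was minted for this pool and client.
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")
    if claims.get("token_use") != token_use:  # "id" tokens carry aud, "access" tokens carry client_id
        raise ValueError("wrong token_use")
    if (claims.get("aud") if token_use == "id" else claims.get("client_id")) != client_id:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def rejection_reason(*args, **kwargs):
    """None if the token is accepted, otherwise why verify_cognito_jwt rejected it."""
    try:
        verify_cognito_jwt(*args, **kwargs)
    except ValueError as exc:
        return str(exc)

def demo() -> dict:
    """Offline walk-through: constructed claims signed with the demo key, checked as a resource server would."""
    region, pool, client = "us-east-1", "us-east-1_EXAMPLE", "1example23456789"  # constructed IDs
    iss = f"https://cognito-idp.{region}.amazonaws.com/{pool}"
    jwks, now = jwks_for(DEMO_N, DEMO_E), 1_700_000_000
    base = {"iss": iss, "sub": "user-1", "token_use": "access", "client_id": client, "exp": now + 3600}
    mint = lambda **changes: mint_test_token({**base, **changes}, DEMO_N, DEMO_D)
    check = lambda t: rejection_reason(t, jwks, region, pool, client, "access", now=now)
    h, p, s = mint().split(".")
    forged = _b64url_encode(json.dumps({**base, "exp": now + 10**6}).encode())  # edited payload, old signature
    return {
        "valid": check(f"{h}.{p}.{s}"),
        "tampered_exp": check(f"{h}.{forged}.{s}"),
        "other_pool": check(mint(iss=iss + "2")),
        "id_token_as_access": check(mint(token_use="id", aud=client)),
        "other_client": check(mint(client_id="other-app")),
        "expired": check(mint(exp=now - 1)),
    }

if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:20s} -> {reason or 'accepted'}")
```

The order of the checks matters less than their completeness: a signature check alone accepts a token from any app client of any user pool whose JWKS you trust, an issuer check without a `token_use` check lets an ID token be replayed as an access token, and an audience check against `aud` alone misses access tokens, which carry the app client in `client_id` instead.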

AWS Cognito Tutorial: Setting Up an Android App with Flutter 

In this tutorial, we will create a basic Android application using Flutter that integrates with Amazon Cognito for user authentication. The app will allow users to sign up, confirm their email, and sign in, demonstrating the core functionalities of Cognito user pools. The process involves setting up an Android Studio project and configuring it to communicate with a Cognito user pool. The instructions below are adapted from the Cognito documentation.

Create a User Pool

To create a user pool, follow these steps:

  1. Sign into your AWS account and navigate to the Amazon Cognito Console.
  2. Click on User Pools on the left navigation pane.
  3. Click the Create user pool button located in the top-right corner of the page.
  4. In the user pool creation wizard, choose the identity providers (IdPs) that will be used with this user pool. Ensure only the Cognito user pool option is selected under Provider types.
  5. For sign-in options, select User name without additional user name requirements.
  6. To configure security requirements:
    • Set the Password policy mode to Cognito defaults.
    • Under Multi-factor authentication (MFA), select Optional MFA and choose Authenticator apps and SMS message as MFA methods.
    • Ensure Enable self-service account recovery is selected with Email only as the recovery message delivery method.
  7. To configure the sign-up experience:
    • Ensure Enable self-registration is selected to allow open sign-ups.
    • Select the option Allow Cognito to automatically send messages to verify and confirm.
    • Verify that Attributes to verify is set to Send email message, verify email address.
    • Ensure email is listed under Required attributes.
  8. Continue to the Configure message delivery section. For the email provider, choose Send email with Cognito using the default email sender.
  9. For SMS, create a new IAM role with permissions for Amazon Cognito to send SMS messages.
  10. In the Integrate your app section, name your user pool and create an app client.
  11. Ensure the app type is set to Public client and Don’t generate a client secret is selected.
  12. Add ALLOW_USER_PASSWORD_AUTH to the list of authentication flows. Note that this flow sends the user’s password itself to Cognito (over TLS) instead of the SRP challenge-response used by ALLOW_USER_SRP_AUTH; enable it only for clients that need it.
  13. Review your configurations and make any necessary adjustments.
  14. Click Create user pool to finalize the process.
  15. Note the User pool ID and Client ID from the user pool overview and app integration tab.
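Several of the choices in this wizard (optional rather than required MFA, the USER_PASSWORD_AUTH flow, no client secret on the public client, default token lifetimes) are exactly the settings worth checking again once the pool is in use. The script below is an added example written for this article, not part of the Cognito documentation or the sample app: it audits a user pool and app client from dicts shaped like the `UserPool` and `UserPoolClient` members of the `describe_user_pool` and `describe_user_pool_client` responses (fetch them with the boto3 `cognito-idp` client in real use; the sample dicts here are constructed, one mirroring the walkthrough, one deliberately weak, one hardened). The thresholds for "long" token lifetimes are this example’s own choices.

```python
"""Audit a Cognito user pool and app client for the settings the walkthrough configures."""

_UNIT_MINUTES = {"seconds": 1 / 60, "minutes": 1, "hours": 60, "days": 1440}


def _validity_minutes(value: float, unit: str) -> float:
    return value * _UNIT_MINUTES[unit]


def audit_cognito(pool: dict, client: dict) -> list:
    """Return (code, severity, message) findings for a UserPool dict and a UserPoolClient dict."""
    f = []
    pw = pool.get("Policies", {}).get("PasswordPolicy", {})
    if pw.get("MinimumLength", 8) < 8:
        f.append(("weak-password-length", "high", "password minimum length below 8"))
    mfa = pool.get("MfaConfiguration", "OFF")
    if mfa == "OFF":
        f.append(("mfa-off", "high", "MFA is disabled for the pool"))
    elif mfa == "OPTIONAL":
        f.append(("mfa-optional", "medium", "MFA is optional; users can skip enrolment"))
    if pool.get("UsernameConfiguration", {}).get("CaseSensitive", True):
        f.append(("case-sensitive-username", "medium", "usernames are case-sensitive: 'Alice' and 'alice' are different accounts"))
    flows = set(client.get("ExplicitAuthFlows", []))
    if "ALLOW_USER_PASSWORD_AUTH" in flows:
        f.append(("password-auth-flow", "medium", "USER_PASSWORD_AUTH sends the password itself to Cognito; prefer ALLOW_USER_SRP_AUTH"))
    if "ALLOW_ADMIN_USER_PASSWORD_AUTH" in flows:
        f.append(("admin-password-flow", "medium", "ADMIN_USER_PASSWORD_AUTH needs IAM credentials and belongs on a server, not a public client"))
    if client.get("ClientSecret"):  # present only when the client was created with a secret
        f.append(("client-secret-on-public-client", "high", "client has a secret; anything shipped in a mobile app can be extracted"))
    if client.get("PreventUserExistenceErrors", "LEGACY") != "ENABLED":
        f.append(("user-existence-errors", "medium", "PreventUserExistenceErrors is LEGACY: sign-in errors reveal whether a username exists"))
    if not client.get("EnableTokenRevocation", True):
        f.append(("token-revocation-off", "medium", "token revocation disabled; a leaked refresh token cannot be revoked"))
    # Lifetimes are stored as a number plus TokenValidityUnits; Cognito defaults to 30 days / 1 hour.
    units = client.get("TokenValidityUnits", {})
    refresh_min = _validity_minutes(client.get("RefreshTokenValidity", 30), units.get("RefreshToken", "days"))
    if refresh_min > 30 * 1440:  # threshold chosen for this example
        f.append(("long-refresh-token", "medium", f"refresh tokens valid for {refresh_min / 1440:g} days"))
    access_min = _validity_minutes(client.get("AccessTokenValidity", 1), units.get("AccessToken", "hours"))
    if access_min > 60:  # threshold chosen for this example
        f.append(("long-access-token", "low", f"access tokens valid for {access_min:g} minutes"))
    return f


def finding_codes(pool: dict, client: dict) -> list:
    return sorted(code for code, _, _ in audit_cognito(pool, client))


# Constructed samples, not real describe_* output. First, the pool and public client the walkthrough creates.
WALKTHROUGH_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "Policies": {"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": True, "RequireLowercase": True,
                                    "RequireNumbers": True, "RequireSymbols": True}},
    "MfaConfiguration": "OPTIONAL",
    "AutoVerifiedAttributes": ["email"],
    "UsernameConfiguration": {"CaseSensitive": False},
}
WALKTHROUGH_CLIENT = {
    "ClientId": "1example23456789",
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "PreventUserExistenceErrors": "ENABLED",
    "EnableTokenRevocation": True,
}
# A deliberately weak pair, to show what the audit catches.
WEAK_POOL = {"Policies": {"PasswordPolicy": {"MinimumLength": 6}}, "MfaConfiguration": "OFF",
             "UsernameConfiguration": {"CaseSensitive": True}}
WEAK_CLIENT = {
    "ClientId": "weakclient", "ClientSecret": "hardcoded-in-the-apk",
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "PreventUserExistenceErrors": "LEGACY", "EnableTokenRevocation": False,
    "RefreshTokenValidity": 3650, "AccessTokenValidity": 24, "IdTokenValidity": 24,
    "TokenValidityUnits": {"RefreshToken": "days", "AccessToken": "hours", "IdToken": "hours"},
}
# The walkthrough client with the corrected settings: SRP instead of password auth, shorter lifetimes.
HARDENED_CLIENT = {
    "ClientId": "1example23456789",
    "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "PreventUserExistenceErrors": "ENABLED", "EnableTokenRevocation": True,
    "RefreshTokenValidity": 7, "AccessTokenValidity": 30, "IdTokenValidity": 30,
    "TokenValidityUnits": {"RefreshToken": "days", "AccessToken": "minutes", "IdToken": "minutes"},
}

if __name__ == "__main__":
    for name, pool, client in (("walkthrough", WALKTHROUGH_POOL, WALKTHROUGH_CLIENT),
                               ("weak", WEAK_POOL, WEAK_CLIENT), ("hardened", WALKTHROUGH_POOL, HARDENED_CLIENT)):
        print(name)
        for code, severity, message in audit_cognito(pool, client):
            print(f"  [{severity}] {code}: {message}")
```

Run against the walkthrough configuration it reports only the optional MFA and the USER_PASSWORD_AUTH flow; against the hardened client only the optional MFA remains, which is a pool-level setting the wizard leaves at Optional.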

Create an Application 

To create an example Android app using Flutter and integrate it with AWS Cognito, follow these steps:

  1. To set up a development environment, install Android Studio and command-line tools from developer.android.com.
  2. In Android Studio, install the Flutter plugin.
  3. Create a new Android Studio project using the contents of the cognito_flutter_mobile_app directory.
  4. Edit the assets/config.json file, specifying the IDs from your Cognito user pool and app client.
  5. Install Flutter and add it to your PATH variable.
  6. Accept Android licenses by running flutter doctor --android-licenses.
  7. Verify your Flutter environment and install any missing components by running flutter doctor. If there are missing components, use flutter doctor -v to get details on fixing the issues.
  8. Navigate to your Flutter project directory and install the necessary packages:
    • flutter pub add amazon_cognito_identity_dart_2
    • flutter pub add flutter_secure_storage
  9. In Android Studio, use the device manager to create a new virtual device. Alternatively, in the command line, run flutter emulators --create --name android-device.
  10. Launch the virtual device using flutter emulators --launch android-device.
  11. Deploy the app to your virtual device from Android Studio by selecting the deploy icon.
  12. In the CLI, run flutter run.
  13. To interact with the app, navigate to the running virtual device in Android Studio.
  14. Sign up a new user with a valid email address, retrieve the confirmation code from the email, and enter it in the application.
  15. Sign in with the registered username and password.

AWS Cognito Limitations

When using AWS Cognito, it’s important to be aware of its limitations. Here are some important issues users have reported on the G2 platform.

Complex Configuration 

Setting up AWS Cognito can be complex. The multitude of options and configurations available allows for customization but can also overwhelm new users. Navigating through the setup involves understanding various components like user pools, identity pools, app clients, and triggers. 

Integrating AWS Cognito with other services and applications adds further complexity. Developers must ensure that the authentication flow is correctly implemented across different platforms, which may involve dealing with SDKs, APIs, and specific configurations for each service. 

Limited Customization of the Login Interface 

One of the constraints of using AWS Cognito is the limited ability to customize the login interface. While it allows for some level of customization, such as changing colors and adding a logo, developers often find these options insufficient for creating a fully branded user experience. 

The hosted UI provided by AWS Cognito, although convenient for quickly setting up authentication, may not meet all design and functionality requirements. Developers seeking more control over the UI/UX must implement custom authentication flows, which introduces additional complexity and development overhead.

Token Expiration Limitations 

Token expiration is a necessary part of any authentication system, and Cognito enforces it strictly. Every ID, access, and refresh token carries a fixed lifetime configured on the app client (ID and access tokens from 5 minutes to 24 hours, refresh tokens from 1 hour to 10 years), and that lifetime cannot be extended for an individual session based on user behavior or context, so users engaged in long sessions see their access tokens expire mid-session.

Addressing this requires the application to refresh tokens. Cognito issues a refresh token alongside the ID and access tokens, and the client must exchange it (InitiateAuth with the REFRESH_TOKEN_AUTH flow) for new ID and access tokens before the old ones expire. Storing the refresh token in platform secure storage, handling refresh failures and revocation, and keeping the experience seamless without forcing frequent re-authentication all demand additional coding.

Complex Documentation 

Navigating AWS Cognito’s documentation can be a challenge for developers, especially those new to the service or identity management in general. The documentation often assumes a high level of pre-existing knowledge. Without clear examples or simplified explanations, users may struggle to understand how to implement certain functionalities. When integrating Cognito with other AWS services, interdependencies are not always clearly documented.

Cost

Some users have expressed concerns about Cognito’s pricing. It is billed per monthly active user (MAU) beyond the free tier, and costs can escalate quickly as the user base grows; federated SAML/OIDC users and advanced security features are billed at higher rates. Thus, alternative solutions may be more cost-effective for many use cases.

Frontegg: The Ultimate Amazon Cognito Alternative

Frontegg is a cloud-based platform that provides an end-to-end user management solution for building and operating web and mobile applications. It aims to simplify the process of building and scaling SaaS applications by providing a set of pre-built and customizable building blocks that can be easily integrated in a self-served and user-friendly manner.

Frontegg provides the following features:

  • Authentication and authorization: Frontegg allows developers to authenticate and authorize users for their applications using various identity providers, such as email, Google, and Facebook.
  • Self-served SSO: Once you integrate Frontegg’s SSO solution, your customers can configure their SSO completely on their own.
  • MFA and passwordless: Frontegg provides the most advanced multi-factor authentication (MFA) and passwordless authentication with advanced security measures.
  • Role and permission management: Allows developers to create, read, update, and delete users, as well as retrieve information about the specific users.
  • Auditing and monitoring: Allows developers to track and log user activity and system events in their applications.
  • Data storage: Allows developers to easily store and retrieve data in their applications, including support for various data types, such as text, numbers, and files.
  • Notifications: Allows developers to send push notifications and email notifications to users in their applications.
