How to integrate AWS Cognito with API gateway – Amazon Web Sevices

Amazon Cognito User Pool= OIDC Identity Provider (aka IdP) for you customers. This can handle your sign-up, sign-in, profile management, etc. This can house native users or federate with other social IdPs, SAML IdPs, or OIDC IdPs.

Amazon Cognito Identity Pools= Credential Broker. This essentially allows you to grant access to other AWS services. It integrates seamlessly with a Cognito User Pool (serving as the IdP) or any SAML or OIDC compliant IdP. You’re essentially exchanging JWT tokens or SAML assertions for AWS credentials using AWS Security Token Service (STS).

For example, say you had a photo sharing application, you could use a Cognito User pool to sign-up & sign-in users. API Gateway could be used as a proxy to get data from DynamoDB and API Gateway could be used as the authorizer for your users. The photos being uploaded in this simple example could be stored in S3. Your application could now use a Cognito Identity Pool to exchange the User Pool tokens for AWS credentials in order to upload/download the users photos to the specific S3 bucket. Hopefully this very simple example can help.

Here’s some links that could be helpful:

• https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-accessing-resources-api-gateway-and-lambda.html
• https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
• Look at pattern 2 of this blog post: https://aws.amazon.com/blogs/architecture/web-application-access-control-patterns-using-aws-services/
• Here’s a blog post that is highlighting how Amazon Cognito User Pools work together with Identity Pools: https://aws.amazon.com/blogs/architecture/web-application-access-control-patterns-using-aws-services/