
After going through the AWS Cognito documentation, I am extremely confused about how it is implemented with API Gateway.

From what I understood, it is very easy to implement user pools with API Gateway (just by adding the user pool as an authenticator), but I am confused about how identity pools enter the picture here. What use is only authorizing my users on my API Gateway with user pools?

So the concrete two questions would be:

How do I use identity pools AND user pools with API Gateway (if possible)?

What is the point of only using user pools with API gateway, without identity pools?


Answers


  1. The article which @jarmod shared explains the difference between identity pool and user pool use cases.

    In order to use Cognito with API Gateway, you can use a Cognito authorizer or a custom Lambda authorizer of your choice.

    You can add your authorizer in front of your GET and POST requests to limit access to only authorized people. This makes sure that only people authenticated through Cognito can see the API results.

  2. Amazon Cognito User Pool = OIDC Identity Provider (aka IdP) for your customers. This can handle your sign-up, sign-in, profile management, etc. This can house native users or federate with other social IdPs, SAML IdPs, or OIDC IdPs.

    Amazon Cognito Identity Pools = Credential Broker. This essentially allows you to grant access to other AWS services. It integrates seamlessly with a Cognito User Pool (serving as the IdP) or any SAML or OIDC compliant IdP. You're essentially exchanging JWT tokens or SAML assertions for AWS credentials using AWS Security Token Service (STS).

    For example, say you had a photo sharing application. You could use a Cognito User Pool to sign up and sign in users. API Gateway could be used as a proxy to get data from DynamoDB, and API Gateway could be used as the authorizer for your users. The photos being uploaded in this simple example could be stored in S3. Your application could now use a Cognito Identity Pool to exchange the User Pool tokens for AWS credentials in order to upload/download the users' photos to the specific S3 bucket. Hopefully this very simple example can help.

    Here are some links that could be helpful:

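Added example, not code from either answer above: what the Cognito authorizer on API Gateway (or a custom Lambda authorizer doing the same job, as answer 1 describes) actually checks on a user pool access token before a request reaches your backend. Every identifier here is constructed for the offline demo: the region, user pool id, app client id, key id "demo-key-1", the method ARN in the usage note, and the RSA key pair itself. A real user pool signs tokens with its own 2048-bit RS256 key and publishes the public half at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json; a real authorizer fetches and caches that JWKS instead of generating a key, and uses a vetted crypto library instead of the inline RSA below, which exists only so the example runs with the standard library.

```python
import base64
import hashlib
import json
import secrets
import time

# All constructed for the demo; none of these is a real Cognito value.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# A real authorizer fetches and caches ISSUER + "/.well-known/jwks.json".


# ---- minimal RS256 so the demo runs offline; use a vetted crypto library in production ----
def _is_probable_prime(n):
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(32):                                  # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(c):
            return c


def generate_rsa_key(bits=1024):   # 1024 bits only to keep demo keygen fast; Cognito keys are 2048
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg, k):       # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as an integer
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(signing_input, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)


def jwks_from_key(key, kid):       # the shape Cognito publishes at /.well-known/jwks.json
    be = lambda i: _b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": be(key["n"]), "e": be(key["e"])}]}


DEMO_KEY = generate_rsa_key()                   # stands in for the user pool's signing key
JWKS = jwks_from_key(DEMO_KEY, "demo-key-1")


def issue_access_token(key, kid, sub, ttl=3600, **overrides):
    """Mint a token with the claims a Cognito user pool puts in an access token (demo stand-in for Cognito)."""
    now = int(time.time())
    claims = {"sub": sub, "username": sub, "iss": ISSUER, "client_id": APP_CLIENT_ID, "token_use": "access",
              "scope": "aws.cognito.signin.user.admin", "iat": now, "exp": now + ttl}
    claims.update(overrides)
    signing_input = f"{_b64u(json.dumps({'alg': 'RS256', 'kid': kid}).encode())}.{_b64u(json.dumps(claims).encode())}"
    return f"{signing_input}.{_b64u(rs256_sign(signing_input.encode(), key))}"


def verify_cognito_token(token, jwks=None, now=None):
    """The checks a Cognito authorizer performs on a user pool token. Returns (ok, reason, claims)."""
    jwks = JWKS if jwks is None else jwks
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    h, p, s = parts
    try:
        header, claims, sig = json.loads(_b64u_decode(h)), json.loads(_b64u_decode(p)), _b64u_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token", None
    if header.get("alg") != "RS256":            # pin the algorithm; never let the token choose it
        return False, "unexpected alg", None
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:                             # unknown kid: in production, refresh the cached JWKS once, then fail
        return False, "unknown kid", None
    n, e = (int.from_bytes(_b64u_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), sig, n, e):
        return False, "bad signature", None
    if claims.get("iss") != ISSUER:             # token must come from exactly this user pool
        return False, "wrong issuer", None
    if claims.get("token_use") != "access":     # an ID token has aud and token_use "id"; do not accept it here
        return False, "not an access token", None
    if claims.get("client_id") != APP_CLIENT_ID:   # only tokens issued to this app client
        return False, "wrong app client", None
    if claims.get("exp", 0) <= now:
        return False, "expired", None
    return True, "ok", claims


def lambda_handler(event, context=None):
    """TOKEN-type custom Lambda authorizer: returns the IAM policy that API Gateway caches and enforces."""
    token = event.get("authorizationToken", "")
    token = token[len("Bearer "):] if token.startswith("Bearer ") else token
    ok, reason, claims = verify_cognito_token(token)
    statement = {"Action": "execute-api:Invoke", "Effect": "Allow" if ok else "Deny", "Resource": event["methodArn"]}
    return {"principalId": claims["sub"] if ok else "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
            "context": {"reason": reason, "username": claims.get("username", "") if ok else ""}}
```

Usage: issue_access_token(DEMO_KEY, "demo-key-1", "user-123") plays the part of the user pool, and lambda_handler({"authorizationToken": "Bearer <token>", "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/photos"}) returns an Allow policy scoped to that method ARN; the same token with a forged payload, a different app client, token_use "id", an unknown kid or a past exp is denied. This is the whole job the Cognito authorizer does for API Gateway, which is what answer 2's second question is about: it proves who is calling the API and nothing more. The S3 step in answer 2's photo example is where the identity pool comes in: the app presents the user pool ID token to the identity pool under the Logins key cognito-idp.{region}.amazonaws.com/{userPoolId}, and gets back temporary STS credentials for the role mapped to that identity.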