(MBL401) Social Logins for Mobile Apps with Amazon Cognito | AWS re:Invent 2014
DESCRIPTION
Streamline your mobile app sign-up experience with Amazon Cognito. In this session, we demonstrate how to use Cognito to build secure mobile apps without storing keys in them. Learn how to apply policies to existing Facebook, Google, or Amazon identities to secure access to AWS resources, such as personnel files stored in Amazon S3. Finally, we show how to handle anonymous access to AWS from mobile apps when there is no user logged in.
TRANSCRIPT
MBL310 MBL311
web identity federation
• Identity Management: Manage authenticated and guest users across identity providers
• Data Synchronization: Synchronize user’s data across devices and platforms via the cloud
• Secure AWS Access: Securely access AWS services from mobile devices and platforms
Guest, Your own Auth
MBL301
• Identity Pool: Pool of app users. Can be shared across apps.
• Identity: An individual user. Consistent across identity providers. Can be a guest user.
• Login: Identifier in a login provider
[Diagram: AWS Account, Identity Pool, Identity, Login, Dataset; relationship labels 1:60, 1:n, 0:n]
• Sign up for an AWS account and log in to the AWS Management Console
• Download and integrate the AWS Mobile SDK
• Create an identity pool for authenticated and unauthenticated users in the AWS Management Console
Login
AssumeRoleWithWebIdentity
Login
AssumeRoleWithWebIdentity
All this is handled by the credentials provider.
Cognito
STS
– Identity Provider Access
```json
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud":
          "us-east-1:12345678-dead-beef-cafe-123456790ab"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "unauthenticated"
      }
    }
  } ]
}
```
• "Principal": Defines that we should trust Cognito
• "aud" condition: Defines that we should trust identities from our pool
• "amr" condition: Defines that we should trust unauthenticated identities
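A check for the three trust-policy elements annotated above, as an added example that is not part of the original slides. The function and helper names are assumptions made for illustration, and the audit only compares literal condition values (no wildcard or case-insensitive key handling).

```python
COGNITO = "cognito-identity.amazonaws.com"
POOL_ID = "us-east-1:12345678-dead-beef-cafe-123456790ab"  # pool ID shown on the slide

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(condition, key):
    """Values given for a condition key under any operator."""
    found = []
    for operands in condition.values():
        if key in operands:
            found.extend(_as_list(operands[key]))
    return found

def audit_cognito_trust(policy, pool_id, expected_amr):
    """Return findings for statements that let Cognito identities assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") != "Allow" or COGNITO not in federated
                or "sts:AssumeRoleWithWebIdentity" not in actions):
            continue  # not a Cognito federation statement
        cond = stmt.get("Condition", {})
        aud = _condition_values(cond, COGNITO + ":aud")
        amr = _condition_values(cond, COGNITO + ":amr")
        if not aud:
            findings.append(f"statement {i}: no aud condition, identities from any pool are trusted")
        elif aud != [pool_id]:
            findings.append(f"statement {i}: aud {aud} is not exactly {pool_id}")
        if not amr:
            findings.append(f"statement {i}: no amr condition, guests and signed-in users are both trusted")
        elif amr != [expected_amr]:
            findings.append(f"statement {i}: amr {amr} is not {expected_amr!r}")
    return findings

def slide_policy(with_condition=True):
    """Trust policy from the slide; with_condition=False builds a constructed weak variant."""
    stmt = {"Effect": "Allow", "Principal": {"Federated": COGNITO},
            "Action": "sts:AssumeRoleWithWebIdentity"}
    if with_condition:
        stmt["Condition"] = {
            "StringEquals": {COGNITO + ":aud": POOL_ID},
            "ForAnyValue:StringLike": {COGNITO + ":amr": "unauthenticated"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}
```

Running the audit over every role attached to an identity pool catches a guest role that has lost its `aud` or `amr` condition before it is deployed.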
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "mobileanalytics:PutEvents",
      "cognito-sync:*"
    ],
    "Effect": "Allow",
    "Resource": [ "*" ]
  }]
}
```
• Grants access to Analytics and Cognito Sync
• May seem too permissive, but Cognito Sync prevents identities from accessing others' data.
${cognito-identity.amazonaws.com:sub}
Will be replaced by the identity ID
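How the policy variable scopes access per identity, as an added example that is not part of the original slides. The bucket name, identity IDs and the S3 policy itself are constructed for illustration, and `allows` is a simplified model of policy evaluation (Allow statements only, no Deny or Condition handling).

```python
from fnmatch import fnmatchcase

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
BUCKET = "example-personnel-files"                        # hypothetical bucket name
ALICE = "us-east-1:aaaaaaaa-0000-0000-0000-000000000001"  # constructed identity IDs
BOB = "us-east-1:bbbbbbbb-0000-0000-0000-000000000002"

def s3_policy(resource_suffix):
    """Build an access policy for the bucket with the given key pattern."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::" + BUCKET + "/" + resource_suffix]}]}

PER_IDENTITY = s3_policy(SUB_VAR + "/*")  # each identity is confined to its own key prefix
BUCKET_WIDE = s3_policy("*")              # weak variant: every identity reaches every object

def key_arn(owner_id, name):
    """ARN of an object stored under the owner's prefix."""
    return "arn:aws:s3:::" + BUCKET + "/" + owner_id + "/" + name

def allows(policy, identity_id, action, resource):
    """True if an Allow statement matches once the variable is replaced by the caller's ID."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = [r.replace(SUB_VAR, identity_id) for r in stmt["Resource"]]
        if (any(fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatchcase(resource, p) for p in patterns)):
            return True
    return False

def can_read_others(policy):
    """Does the policy let Bob read an object stored under Alice's prefix?"""
    return allows(policy, BOB, "s3:GetObject", key_arn(ALICE, "review.pdf"))
```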
Your own Username And Password
• Your own user authentication system: Several apps prefer to have their own username and password instead of public identity providers for authentication.
• Manage mappings easily: Cognito manages the mappings across login systems (public or private) using a unique Cognito ID
• Easily integrate with existing systems: Implement GetOpenIdTokenForDeveloperIdentity() using our server-side SDKs like Java, Python, Ruby etc.
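A sketch of the backend side of this flow, as an added example that is not part of the original slides. The provider name, pool ID, user store and function names are assumptions; `cognito` is expected to be a boto3 `cognito-identity` client created on the server with the developer's AWS credentials, and is passed in so the logic can be exercised with a stub.

```python
import hashlib
import hmac
import os

DEVELOPER_PROVIDER = "login.example.app"  # hypothetical developer provider name set on the pool
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder identity pool ID

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    """Build a user-store record (constructed sample data for the example)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def login(cognito, users, username, password):
    """Check the app's own credentials, then obtain a Cognito token for that user.

    Returns the identity ID and OpenID token to send to the device, or None
    when authentication fails. AWS credentials never leave the server.
    """
    record = users.get(username)
    # Hash even for unknown users so both failure paths do similar work.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b""
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return None
    resp = cognito.get_open_id_token_for_developer_identity(
        IdentityPoolId=POOL_ID,
        # The username comes from the verified login, never from an unchecked client field.
        Logins={DEVELOPER_PROVIDER: username},
        TokenDuration=900,  # seconds; keep the token short-lived
    )
    return {"identity_id": resp["IdentityId"], "token": resp["Token"]}
```

The device then passes the returned token to its credentials provider, which exchanges it through AssumeRoleWithWebIdentity.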
Login
GetOpenIdTokenForDeveloperIdentity
AssumeRoleWithWebIdentity
Login
GetOpenIdTokenForDeveloperIdentity
AssumeRoleWithWebIdentity
This is handled by the credentials provider.
Login
GetOpenIdTokenForDeveloperIdentity
AssumeRoleWithWebIdentity
How does this feed to credentials provider?
access_token
GetOpenIdTokenForDeveloperIdentity
AssumeRoleWithWebIdentity
access_token
GetOpenIdTokenForDeveloperIdentity
AssumeRoleWithWebIdentity
This can be handled by custom AWSIdentityProvider
• AWS Mobile Home: http://aws.amazon.com/mobile
• AWS Mobile Blog: http://mobile.awsblog.com
• Twitter: @awsformobile
• Forums: http://forums.aws.amazon.com
• StackOverflow: http://stackoverflow.com/tags/amazon-cognito
• GitHub: http://github.com/aws/ and http://github.com/awslabs/
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals