3

I don't understand auth. vs. unauth. user access within AWS Cognito. While learning about Cognito I came across several articles on the Internet and questions here within Stackoverflow concerning this and I'm just not grasping the concept.

I'm gathering that a simple use case for unauth. user access within Cognito is when we have users who need to access some AWS resource(s) who have an account but aren't "logged-in." But how is this possible? In order to get an access token, wouldn't you need a valid username and password? If by unauth. we mean a user who has a valid access token but can't access some resources [based on some user pool parameter], I suppose that makes sense, but I don't understand how Cognito works in this regard.

I've searched for hours on this w/o grasping this concept and I really just need a little help from the community if anyone would be willing to share.

UPDATE: What's confusing to me is that "unauth." is a non-logged in user already, no? Why do I have to or want to get an access-token for a non-logged in user? What is the purpose of this?

    Authenticated means *having gone through the process of having identity confirmed*. Unauthenticated means that the user has not gone through that process, so you don't know them. Consider this site - unauthenticated users (who may or may not have an account) can read any post and can post answers to them, but nothing else (no voting, commenting, editing, etc.). Users who are authenticated can usually do considerably more, because SO knows who they are and what privileges they've earned. – Ken White Aug 23 '18 at 01:59
  • But aren’t you unauthenticated by default? That’s my confusion here. What’s the difference between unauthorized and a user on the internet? – Charles Saag Aug 23 '18 at 12:02
  • Why do you think there's necessarily a difference between *unauthenticated* and *a user on the internet*? – Ken White Aug 23 '18 at 12:08
  • There's an IAM role that we create for unauthenticated users of a Cognito user pool. So there's def. a difference. – Charles Saag Aug 23 '18 at 13:42
  • John, you're really sharp and appear to know your stuff. I'm just not getting this. Is there a place where I can read about it more? The AWS documentation isn't making sense to me. – Charles Saag Aug 23 '18 at 13:43

1 Answer

6

Something that is confusing when starting out with AWS Cognito is that it is actually two services. Cognito User Pools is a user store that authenticates users and Cognito Identity Pools authorizes users.

Unauth:

When referring to an unauthenticated flow, you're skipping the authentication process and really just authorizing with an identity pool. To do this in code, you set up a credentials provider and make a call to GetID. This generates an identityID in the identity pool and retrieves authorization tokens that give access based on the IAM role for unauthenticated users. Example here

Auth:

Now for the authenticated flow, before you authorize with the identity pool, you have to have authentication tokens. These can be retrieved by authenticating with a third party (Facebook for example), or with a Cognito User Pool. You authenticate with those services by providing a username/email and a password. The tokens delivered by those services can then be "passed" to a credentials provider. When done this way, authorizing with the identity pool will return access tokens that give access based on the IAM role for authenticated users. In addition, a user can "log out" and later "log back in" and they will be able to receive the same identity ID that was generated for them the first time they authorized with the identity pool.

I hope that all makes sense. I'll give an example of why you may combine the two.

Example

Let's say we're building a web platform that lists events around our city. This platform needs to:

  • Store events in a database

  • Allow city organizers to add events to the database

  • Allow residents to view the events

We wouldn't want the residents to have to login to view publicly listed events, so when they visit the events page of our website, unknown to them, they actually authorize with an identity pool. Thus they are provided unauth IAM role access to make a GET API call to our database, to retrieve the events.

Of course, we don't want just anyone adding events to the database. So for city organizers, there is a login form. This login form takes a username and password to authenticate them with a user pool. The user pool tokens are then used to authorize with the identity pool, giving them auth IAM role access to make a POST call to our API, allowing them to add events to our database.
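The events-platform split the answer describes, written out as the two IAM roles an identity pool hands out, as an added example (not the answerer's code). It assumes an existing identity pool (parameter IdentityPoolId) with unauthenticated identities enabled, and an API Gateway REST API (parameter EventsApiId, stage prod) whose GET /events and POST /events methods use AWS_IAM authorization; all names are constructed.

```yaml
Parameters:
  IdentityPoolId: { Type: String }   # constructed: existing pool, e.g. us-east-1:EXAMPLE-IDENTITY-POOL-ID
  EventsApiId: { Type: String }      # constructed: API Gateway REST API in front of the events database
Resources:
  ResidentRole:                      # unauthenticated role: residents may only list events
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal: { Federated: cognito-identity.amazonaws.com }
            Condition:               # only this pool, and only identities that skipped authentication
              StringEquals: { "cognito-identity.amazonaws.com:aud": !Ref IdentityPoolId }
              ForAnyValue:StringLike: { "cognito-identity.amazonaws.com:amr": unauthenticated }
      Policies:
        - PolicyName: ListEvents
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: execute-api:Invoke,
                  Resource: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${EventsApiId}/prod/GET/events" }
  OrganizerRole:                     # authenticated role: organizers may also add events
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal: { Federated: cognito-identity.amazonaws.com }
            Condition:               # same pool, but only identities that presented user-pool tokens
              StringEquals: { "cognito-identity.amazonaws.com:aud": !Ref IdentityPoolId }
              ForAnyValue:StringLike: { "cognito-identity.amazonaws.com:amr": authenticated }
      Policies:
        - PolicyName: ManageEvents
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: execute-api:Invoke
                Resource:
                  - !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${EventsApiId}/prod/GET/events"
                  - !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${EventsApiId}/prod/POST/events"
  RoleAttachment:                    # tells the identity pool which role each kind of identity receives
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        unauthenticated: !GetAtt ResidentRole.Arn
        authenticated: !GetAtt OrganizerRole.Arn
```

The amr condition is what stops a caller who only went through GetId from ever assuming the organizer role, and the aud condition stops identities from some other identity pool from assuming either role.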

  • Thanks, very helpful and crystal clear. Just one follow-up question - why do I need to get an auth. code for a user who isn’t going to login. Couldn’t I just provide him/her access to resources without any identity pool and/or user pool by making resources available to the public. It seems less efficient to get an auth code for a user who doesn’t login. – Charles Saag Aug 27 '18 at 23:41
  • If by auth code you mean tokens from an identity pool, then, you need those because AWS still needs to know what role the caller has. If there were no roles, they could be making any call they want, including admin calls or even EC2 instance changes, causing security and billing risks. What you could do is use API Gateway & Lambda to set up an API where its endpoints do not need any type of auth/unauth/IAM signing. That way the security offered from IAM roles is placed on your backend Lambda functions (or whatever you choose to use) and the user can just make straight calls to your API. – OhNoNotALinkerError Aug 28 '18 at 05:39
  • There are 2 scenarios: 1.) Access to a protected AWS resource - ... in this scenario, I understand why we need an access token as we don't want every user on the Internet making use of our infrastructure. 2.) Access to a resource that doesn't require a login - ... in this case, whether we get an auth code via a user pool that doesn't require a login, or make it publicly avail. ... it has the same effect. Isn't it easier to just make the resource publicly avail., like an S3 bucket for files? What's benefit of an auth code vs. publicly avail? – Charles Saag Aug 28 '18 at 17:55
  • Ah I see. In cases like S3, if you are truly sure that it can be publicly available, then there is no need to use auth with Cognito. But beware of billing risks, see this question for more: https://serverfault.com/questions/888487/why-does-aws-recommend-against-public-s3-buckets – OhNoNotALinkerError Aug 29 '18 at 08:28