I first worked with Amazon Web Services (AWS) Cognito in 2018 while building a financial web app that was deeply tied to the AWS infrastructure. It made use of AWS lambas, AWS Dynamo DB, the API gateway and AWS Cognito to process data from banks and create a rewards platform for businesses. Cognito’s documentation then, as AWS’s documentation tends to be, was quite difficult to work through. I pieced together a usable solution but didn’t foresee Cognito and I meeting again.
Fast-forward a few weeks ago and I needed to evaluate both Cognito and Firebase as an authentication service to use for a powerful insurance web app. While it is almost 4 years since that fateful encounter with Cognito, the nightmares are still fresh, and I still bear the scars. I’d have loved to immediately call it for Firebase but I took a number of key technical factors into consideration and Cognito came out on top. So, we meet again, my old
I went in, silently hoping Cognito had changed her ways. The joke was on me. Several days later, I realized Cognito might have only gotten worse (in documentation) over the years 🙂
In case you’ve had similar challenges, here’s a high-level walk-through of how I went about implementing Cognito for a JS front-end [Vue.js] and a Django backend.
I’ll break this down into a series of articles:
- Implementing Cognito on the frontend
- Implementing Cognito on the backend and migrating your users (if you had an existing app)
To set the stage, it is quite useful to know [or get a refresher] on JSON web tokens (JWTs). To do that, check out this article
In it, you see that we follow the following steps:
- The application or client requests authorization to the authorization server, in this case Cognito. This is performed through one of the different authorization flows.
- When the authorization is granted, the authorization server [Cognito] returns an access token to the client application.
- The client application uses the access token when making all requests to the backend API
Based on this flow, you’d change your front-end to talk to AWS Cognito, retrieve a JWT and then from that point forward, use that JWT with all your API requests.
So basically, as you look at changing your app to start using Cognito, you need to do two things:
- Change your frontend to retrieve a Cognito token on login, then use that token going-forward with every API call it makes.
- Change your backend to retrieve the token given to it, verify it and grant access to the parts of the application the user can have access to.
Some extra steps you might consider doing on the frontend:
- If the token expires, reach out to Cognito for a new one. Amazon’s documentation covers that here but this is a useful article as well. Alternatively, you can just logout the user so they need to re-login
- Make it possible for users to register. When a user registers, register them with Cognito
- Add the ability for a user to reset their password
- Support Groups and custom user permissions
I called these steps optional because you have the option to use Cognito’s self-hosted UI to do them. It would save you lots of hours of coding time.
In the following articles, I’ll get into how to get into changing your frontend and your backend as well.