Understanding Amazon Cognito Authentication Part 4: Enhanced Flow
Amazon Cognito helps you create unique identifiers for your end users that are kept consistent across devices and platforms. Amazon Cognito also delivers temporary, limited-privilege credentials to your application to access AWS resources. In previous posts (Part 1, Part 2, and Part 3), I covered several aspects of Amazon Cognito authentication flow. In this post, I want to discuss the newer default enhanced flow and the benefits it provides.
Basic (Classic) Flow
To review what I covered in Part 1, the basic flow requires three API calls: GetId, GetOpenIdToken, and AssumeRoleWithWebIdentity.
Enhanced (Simplified) Flow
The enhanced flow reduces the number of calls by one. It accomplishes this by combining the GetOpenIdToken and AssumeRoleWithWebIdentity calls into a new GetCredentialsForIdentity call. The enhanced flow then becomes two calls: GetId, followed by GetCredentialsForIdentity.
When you call GetCredentialsForIdentity, Amazon Cognito is actually making the call to AssumeRoleWithWebIdentity on your behalf. In order to do so, Amazon Cognito must have an association between your identity pool and the roles the identities in that pool can assume. The Amazon Cognito console can do this for you, or you can use the SetIdentityPoolRoles API directly.
Enhanced Flow with Developer Authenticated Identities
To review what I covered in Part 2, developer authenticated identities allow you to support your own developer provider to authenticate your users. Previously, you would take the token returned from GetOpenIdTokenForDeveloperIdentity and call AssumeRoleWithWebIdentity from the device.
With the enhanced flow, you can replace the call on the device with a call to GetCredentialsForIdentity, meaning that even for your developer authenticated identities you gain the benefits of the enhanced flow.
When using an Amazon Cognito token with GetCredentialsForIdentity, you use the key cognito-identity.amazonaws.com in the logins parameter. If you follow the same pattern as our end-to-end example, the AWS Mobile SDKs will handle this for you.
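To make the two enhanced-flow variants above concrete (public or unauthenticated identities via GetId, and developer authenticated identities via a backend-minted token), here is an added example that is not from the original post or the AWS SDKs. It is written against boto3's cognito-identity method and parameter names, but the `FakeCognitoIdentity` client is a constructed offline stand-in so it runs without AWS; the pool id and role ARNs are placeholders.

```python
COGNITO_LOGIN_KEY = "cognito-identity.amazonaws.com"  # logins key for a Cognito OpenID token


def _fetch(client, identity_id, logins):
    """GetCredentialsForIdentity: Cognito calls AssumeRoleWithWebIdentity for us."""
    resp = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    creds = resp["Credentials"]
    # Cognito Identity returns the secret under "SecretKey"; rename it for SigV4 signers.
    return {"IdentityId": resp["IdentityId"], "AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretKey"], "SessionToken": creds["SessionToken"]}


def enhanced_flow(client, identity_pool_id, logins=None):
    """Two calls, both to Cognito: GetId, then GetCredentialsForIdentity. No role ARN
    leaves the device; Cognito resolves it from the pool's SetIdentityPoolRoles mapping."""
    logins = logins or {}
    identity_id = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    return _fetch(client, identity_id, logins)


def enhanced_flow_developer(client, identity_id, openid_token):
    """Developer authenticated identities: the backend already ran
    GetOpenIdTokenForDeveloperIdentity and handed the device an identity id plus token."""
    return _fetch(client, identity_id, {COGNITO_LOGIN_KEY: openid_token})


class FakeCognitoIdentity:
    """Constructed offline stand-in mimicking the behaviour the post describes (not AWS
    code). pool_roles maps a pool id to its authenticated/unauthenticated role ARNs."""

    def __init__(self, pool_roles):
        self.pool_roles = pool_roles
        self.identities = {}  # identity id -> pool id
        self.last_role = None  # role the fake "assumed" on the caller's behalf

    def get_id(self, IdentityPoolId, Logins=None):
        region = IdentityPoolId.split(":")[0]  # real ids look like region:uuid
        identity_id = f"{region}:{len(self.identities) + 1:08d}"
        self.identities[identity_id] = IdentityPoolId
        return {"IdentityId": identity_id}

    def get_credentials_for_identity(self, IdentityId, Logins=None):
        roles = self.pool_roles.get(self.identities[IdentityId])
        if not roles:  # pool never had SetIdentityPoolRoles applied
            raise RuntimeError("InvalidIdentityPoolConfigurationException")
        # Only the pool's two default roles are reachable this way (the basic-flow trade-off).
        self.last_role = roles["authenticated" if Logins else "unauthenticated"]
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretKey": "secret-example",
            "SessionToken": f"session-for-{self.last_role}"}}
```

Against a real pool, replace the fake with `boto3.client("cognito-identity", region_name=...)`; the two flow functions are unchanged.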
Which Flow Should I Use?
If you created an identity pool after February 2015 and used the supplied example code, you are already using the enhanced flow.
For most customers, the enhanced flow is the correct choice; it offers several benefits over the basic flow:
- One less network call to get credentials on the device.
- All calls are made to Amazon Cognito, meaning it is also one less network connection.
- Roles no longer need to be embedded in your application, only an identity pool id and region are necessary to start bootstrapping credentials.
You may still wish to use the Basic Flow if you want to use more than the two default roles configured when creating a new identity pool from the console.
I hope this further clarifies how Amazon Cognito authentication works and how the credentials providers in the various SDKs can handle these details for you. If you have any comments or questions, please feel free to leave a comment here or visit our forums and we will try to assist you.