Front-End Web & Mobile

Understanding Amazon Cognito Authentication Part 4: Enhanced Flow

Amazon Cognito helps you create unique identifiers for your end users that are kept consistent across devices and platforms. Amazon Cognito also delivers temporary, limited-privilege credentials to your application to access AWS resources. In previous posts (Part 1, Part 2, and Part 3), I covered several aspects of Amazon Cognito authentication flow. In this post, I want to discuss the newer default enhanced flow and the benefits it provides.

Basic (Classic) Flow

To review what I covered in Part 1, the basic flow requires three API calls:

  1. GetId (API reference)
  2. GetOpenIdToken (API reference)
  3. AssumeRoleWithWebIdentity (API reference)

Enhanced (Simplified) Flow

The enhanced flow reduces the number of calls by one. It accomplishes this by combining the GetOpenIdToken and AssumeRoleWithWebIdentity calls into a new GetCredentialsForIdentity call. The enhanced flow then becomes:

  1. GetId (API reference)
  2. GetCredentialsForIdentity (API reference)

When calling GetCredentialsForIdentity, Amazon Cognito is actually making the call to AssumeRoleWithWebIdentity on your behalf. In order to do so, Amazon Cognito must have an association between your identity pool and the roles the identities in that pool can assume. The Amazon Cognito console can do this for you, or you can use the SetIdentityPoolRoles API directly.

Enhanced Flow with Developer Authenticated Identities

To review what I covered in Part 2, developer authenticated identities allows you to support your own developer provider to authenticate your users. Previously, you would take the token returned from GetOpenIdTokenForDeveloperIdentity and call AssumeRoleWithWebIdentity from the device.

With the enhanced flow, you can replace the call on the device with a call to GetCredentialsForIdentity, meaning even for your developer authenticated identities you can gain the benefits of the enhanced flow:

When using an Amazon Cognito token with GetCredentialsForIdentity, you use the key in the logins parameter. If you follow the same pattern as our end-to-end example, the AWS Mobile SDKs will handle this for you.

Which Flow Should I Use?

If you created an identity pool after February 2015 and used the supplied example code, you are already using the enhnaced flow.

For most customers, the enhanced flow is the correct choice, it offers many benefits over the basic flow:

  1. One less network call to get credentials on the device.
  2. All calls are made to Amazon Cognito, meaning it is also one less network connection.
  3. Roles no longer need to be embedded in your application, only an identity pool id and region are necessary to start bootstrapping credentials.

You may still wish to use the Basic Flow if you want to use more than the two default roles configured when creating a new identity pool from the console.


I hope this further clarifies how Amazon Cognito authentication works and how the credentials providers in the various SDKs can handle these details for you. If you have any comments or questions, please free to leave a comment here or visit our forums and we will try to assist you.