Cognito Identity | Behind the identity there is a person. The identity is an abstraction of a login / user ID, because the user ID or login can come from different systems, like Facebook, Google, etc. |
Identity Pool alias Federated Identities | Identity pools allow you to grant users authenticated by third parties (e.g. login with Google) temporary IAM credentials to use your AWS resources in a limited way. Identity pools are free of cost; you only pay for the resources your users consume via the IAM credentials. See the federation tokens, which are given to users from a "User pool". |
User pool | User pools allow you to store your own users; they can sign up directly to the user pool without using a third-party provider like Google or Facebook. Confusingly, user pools also have a 'federation' option (Identity providers), but this actually creates externally federated users in the pool. User pools provide OpenID tokens (access, id, refresh), not IAM credentials, which you can use with your own endpoints (EC2, Fargate, API Gateway). User pools have costs based on the number of active users per month. |
Federation tokens | Are provided by the Identity pool. Ultimately they are associated with an IAM role and grant access to AWS resources. |
Federated Identities > External Identity Providers | Apps on Facebook, Google+ or other platforms may be added to use the Cognito API in order to access AWS resources. Supported protocols: SAML, OpenID. |
OpenID | About authentication. |
OAuth 2.0 | About authorization. |
Token | This is an OpenID Connect compliant ID token issued by Cognito Identity which asserts the user's identity in a signed and verifiable way. Consider this token a digital identity card which clients can use to verify the identity of users. Refer to the Cognito API documentation for details on how to obtain this token, and to this documentation for more details on how to validate this token as a client. |
SessionToken | This token is issued by the service as a descriptor of the user's AWS session, along with the temporary AWS credentials. Cognito calls STS on your behalf and returns the temporary credentials it receives. When accessing other AWS resources with the issued temporary credentials, this token must be passed as part of those credentials. Refer to the Cognito API reference and the STS documentation for more details. |
SyncSessionToken | An identifier issued by the Cognito Sync service after initializing a sync operation. The sync operation is the unit used for Cognito Sync pricing. A sync operation is marked complete when you perform a successful write/update of records using this token, or when the token expires. |