Storing and managing end-user accounts was simple when applications were accessed through a single laptop or desktop. But as more data and applications move to the cloud, users access data from multiple devices. And those users expect the same experience -- no matter which device they grab. One solution to the single-user, multi-device conundrum is to store user data in the cloud and synchronize it across all user devices.
Amazon Web Services (AWS) Cognito provides core back-end services for identity management, as well as a key-value data store, to enable a consistent user environment across devices. Amazon Cognito stores data in the cloud and locally on user devices using a SQLite relational database. In this case, data is stored as key-value pairs; this data model is sufficient for the types of data stored in Cognito -- names, interface preferences, bookmarks and other values associated with user identity.
Revealing Amazon Cognito features
Amazon Cognito creates an identity for each user and stores it in a data structure known as an identity pool. Pools can be associated with more than one application; identities can be stored in more than one pool. The number of pools you use for an application depends on the nature of the application.
A suite of related collaboration and social media apps, for example, could share an identity pool; a specialized reporting app for managers would likely have its own identity pool. Guest access is also available: Amazon Cognito can grant guests temporary access to AWS resources and preserve their data if they later become subscribers or premium account holders.
Administrators apply access control restrictions on a per-user basis. For a given identity, for example, some users may have open access to Simple Storage Service (S3) resources while others are more restricted. Amazon Cognito pricing does not include the use of AWS storage resources.
An important aspect of Cognito's data structure is the sync store; each user has their own sync store, which is what enables identity syncing. A sync store is made up of 20 data sets of 1 MB each, with each data set holding up to 1,024 key-value pairs, so a single sync store holds up to 20 MB of data. Syncing is triggered by an application call. Developers control the number of sync operations that occur, which makes local device storage a must.
For authentication, AWS Cognito is compatible with any OpenID provider, such as Facebook, Amazon and Google. Cognito authentication uses a token obtained from the identity provider (IdP), which the app then passes on to Cognito. The service in turn issues its own identity token, which is used to authenticate to other AWS services.
Amazon Cognito stores only identity tokens -- no user credentials are stored in the service. In addition, all data in the sync store, as well as data transmitted between the service and the app, is encrypted. The service does not, however, encrypt data stored locally on the device; if some of your applications need local data encryption, you will have to implement it yourself.
Amazon Cognito is priced on a per-use basis. The first 10 GB of sync storage and one million sync operations every month are free. Beyond the free tier, the service costs $0.15 per GB of storage and $0.15 for every 10,000 sync operations per month.
About the author:
Dan Sullivan holds a Master of Science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.