Amazon Cognito terms

Typically, a mobile application. In this guide, app is often a shorthand for a web application or mobile app that connects to Amazon Cognito.

A model where an app determines access to resources based on the properties of a user, like their job title or department. Amazon Cognito tools to enforce ABAC include ID tokens in user pools and principal tags in identity pools.

A web-based system that generates JSON web tokens. The Amazon Cognito user pools federation endpoints are the authorization-server component of the two authentication and authorization methods in user pools. The other method is the user pools API.

An application that users connect to remotely, with code on an application server and access to secrets. This is typically a web application.

A service that stores and verifies user identities. Amazon Cognito can request authentication from external providers and be an IdP to apps.

A JSON-formatted document that contains claims about an authenticated user. ID tokens authenticate users, access tokens authorize users, and refresh tokens update credentials. Amazon Cognito receives tokens from external providers and issues tokens to apps or Amazon STS.

The requirement that users provide additional authentication after providing their username and password. Amazon Cognito user pools have MFA features for local users.

An IdP to a user pool or identity pool that provides JWT access and refresh tokens. Amazon Cognito user pools automate interactions with social providers after users authenticate.

An IdP to a user pool or identity pool that extends the OAuth specification to provide ID tokens. Amazon Cognito user pools automate interactions with OIDC providers after users authenticate.

An application that is self-contained on a device, with code stored locally and no access to secrets. This is typically a mobile app.

An API with access control. Amazon Cognito user pools also use resource server to describe the component that defines the configuration for interacting with an API.

A model that grants access based on a user's functional designation. Amazon Cognito identity pools implement RBAC with differentiation between IAM roles.

An application that relies on an IdP to assert that users are trustworthy. Amazon Cognito acts as an SP to external IdPs, and as an IdP to app-based SPs.

An IdP to a user pool or identity pool that generates digitally signed assertion documents that your user passes to Amazon Cognito.

A 128-bit label that is applied to an object. Amazon Cognito UUIDs are unique per user pool or identity pool.

A collection of users and their attributes that serves that information to other systems. Amazon Cognito user pools are user directories, and also tools for consolidation of users from external user directories.

A set of authentication and authorization API operations that you can add to your app with an Amazon SDK. The API can sign in local users and linked users.

A feature of advanced security that detects potential malicious activity and applies additional security to user profiles.

An optional component that adds tools for user security.

A component that defines the settings for a user pool as an IdP to one app.

A setting in an app client and a parameter in requests to user pools federation endpoints. The callback URL is the initial destination for authenticated users in your app.

A feature of advanced security that detects user passwords that attackers might know, and applies additional security to user profiles.

The process that determines that the prerequisites have been met to permit a new user to sign in. Confirmation is typically done through email address or phone number verification.

An extension of authentication processes with Lambda triggers that define additional user challenges and responses.

An authentication process that replaces MFA with sign-in that uses the ID of a trusted device.

An IdP that has a trust relationship with a user pool.

A user in a user pool who was authenticated by an external provider.

A set of webpages on your user pool domain that host services for interaction with IdPs and apps.

A set of interactive webpages on your user pool domain that host services for user authentication.

A function in Amazon Lambda that a user pool can automatically invoke at key points in user authentication processes. You can use Lambda triggers to customize authentication outcomes.

A user profile in the user pool user directory that wasn't created by authentication with an external provider.

A user from an external provider whose identity is merged with a local user.

The outcome of a pre token generation Lambda trigger that modifies a user's ID or access token at runtime.

An Amazon resource with authentication and authorization services for applications that work with OIDC IdPs.

A website name that you add to a user pool. The domain is the base URL for the hosted UI and federation endpoints.

The process of confirming that a user owns an email address or phone number. A user pool sends a code to a user who has entered a new email address or phone number. When they submit the code to Amazon Cognito, they verify their ownership of the message destination and can receive additional messages from the user pool. Also, see confirmation.

An entry for a user in the user directory. All users have a profile in their user pool.

An implementation of attribute-based access control in identity pools. Identity pools apply user attributes as tags to user credentials.

An authentication process where you can customize the request for user credentials.

An authentication process that authorizes identity pool user credentials with developer credentials.

The IAM API keys of an identity pool administrator.

An authentication flow that selects an IAM role and applies principal tags according to the logic that you define in your identity pool.

A UUID that links an app user and their user credentials to their profile in an external user directory that has a trust relationship with an identity pool.

An Amazon resource with authentication and authorization services for applications that use temporary Amazon credentials.

A user who has not signed in with an identity pool IdP. You can permit users to generate limited user credentials for a single IAM role before they authentication.

Temporary Amazon API keys that users receive after identity pool authentication.