Common Amazon Cognito terms and concepts
Amazon Cognito provides credentials for web and mobile apps. It draws from and builds on terms that are common in identity and access management. Many guides to universal identity and access terms are available. Some examples are:
-
Terminology
in the IDPro Body of Knowledge -
Glossary
from NIST CSRC
The following lists describe terms that are unique to Amazon Cognito or have a specific context in Amazon Cognito.
General
The terms in this list aren't specific to Amazon Cognito and are widely recognized among identity and access management practitioners. The following isn't an exhaustive list of terms, but a guide to their specific Amazon Cognito context in this guide.
- App
-
Typically, a mobile application. In this guide, app is often a shorthand for a web application or mobile app that connects to Amazon Cognito.
- Attribute-based access control (ABAC)
-
A model where an app determines access to resources based on the properties of a user, like their job title or department. Amazon Cognito tools to enforce ABAC include ID tokens in user pools and principal tags in identity pools.
-
A web-based system that generates JSON web tokens. The Amazon Cognito user pools federation endpoints are the authorization-server component of the two authentication and authorization methods in user pools. The other method is the user pools API.
- Confidential app, server-side app
-
An application that users connect to remotely, with code on an application server and access to secrets. This is typically a web application.
- Identity provider (IdP)
-
A service that stores and verifies user identities. Amazon Cognito can request authentication from external providers and be an IdP to apps.
- JSON web token (JWT)
-
A JSON-formatted document that contains claims about an authenticated user. ID tokens authenticate users, access tokens authorize users, and refresh tokens update credentials. Amazon Cognito receives tokens from external providers and issues tokens to apps or Amazon STS.
- Multi-factor authentication (MFA)
-
The requirement that users provide additional authentication after providing their username and password. Amazon Cognito user pools have MFA features for local users.
- OAuth 2.0 (social) provider
-
An IdP to a user pool or identity pool that provides JWT access and refresh tokens. Amazon Cognito user pools automate interactions with social providers after users authenticate.
- OpenID Connect (OIDC) provider
-
An IdP to a user pool or identity pool that extends the OAuth specification to provide ID tokens. Amazon Cognito user pools automate interactions with OIDC providers after users authenticate.
- Public app
-
An application that is self-contained on a device, with code stored locally and no access to secrets. This is typically a mobile app.
- Resource server
-
An API with access control. Amazon Cognito user pools also use resource server to describe the component that defines the configuration for interacting with an API.
- Role-based access control (RBAC)
-
A model that grants access based on a user's functional designation. Amazon Cognito identity pools implement RBAC with differentiation between IAM roles.
- Service provider (SP), relying party (RP)
-
An application that relies on an IdP to assert that users are trustworthy. Amazon Cognito acts as an SP to external IdPs, and as an IdP to app-based SPs.
- SAMLprovider
-
An IdP to a user pool or identity pool that generates digitally signed assertion documents that your user passes to Amazon Cognito.
- Universally Unique Identifier (UUID)
-
A 128-bit label that is applied to an object. Amazon Cognito UUIDs are unique per user pool or identity pool, but don't conform to a specific UUID format.
- User directory
-
A collection of users and their attributes that serves that information to other systems. Amazon Cognito user pools are user directories, and also tools for consolidation of users from external user directories.
User pools
When you see the terms in the following list in this guide, they refer to a specific feature or configuration of user pools.
- Amazon Cognito user pools API
-
A set of authentication and authorization API operations that you can add to your app with an Amazon SDK. The API can sign in local users and linked users.
- Adaptive authentication
-
A feature of advanced security that detects potential malicious activity and applies additional security to user profiles.
- Advanced security features
-
An optional component that adds tools for user security.
- App client
-
A component that defines the settings for a user pool as an IdP to one app.
- Callback URL, redirect URI
-
A setting in an app client and a parameter in requests to user pools federation endpoints. The callback URL is the initial destination for authenticated users in your app.
- Compromised credentials
-
A feature of advanced security that detects user passwords that attackers might know, and applies additional security to user profiles.
- Confirmation
-
The process that determines that the prerequisites have been met to permit a new user to sign in. Confirmation is typically done through email address or phone number verification.
- Custom authentication
-
An extension of authentication processes with Lambda triggers that define additional user challenges and responses.
- Device authentication
-
An authentication process that replaces MFA with sign-in that uses the ID of a trusted device.
- External provider, third-party provider
-
An IdP that has a trust relationship with a user pool.
- Federated user
-
A user in a user pool who was authenticated by an external provider.
- Federation endpoints
-
A set of webpages on your user pool domain that host services for interaction with IdPs and apps.
- Hosted UI
-
A set of interactive webpages on your user pool domain that host services for user authentication.
- Lambda trigger
-
A function in Amazon Lambda that a user pool can automatically invoke at key points in user authentication processes. You can use Lambda triggers to customize authentication outcomes.
- Local user
-
A user profile in the user pool user directory that wasn't created by authentication with an external provider.
- Linked user
-
A user from an external provider whose identity is merged with a local user.
- Token customization
-
The outcome of a pre token generation Lambda trigger that modifies a user's ID or access token at runtime.
- User pool, Amazon Cognito identity provider,
cognito-idp
, Amazon Cognito user pools -
An Amazon resource with authentication and authorization services for applications that work with OIDC IdPs.
- User pool domain
-
A website name that you add to a user pool. The domain is the base URL for the hosted UI and federation endpoints.
- Verification
-
The process of confirming that a user owns an email address or phone number. A user pool sends a code to a user who has entered a new email address or phone number. When they submit the code to Amazon Cognito, they verify their ownership of the message destination and can receive additional messages from the user pool. Also, see confirmation.
- User profile, user account
-
An entry for a user in the user directory. All users have a profile in their user pool.
Identity pools
When you see the terms in the following list in this guide, they refer to a specific feature or configuration of identity pools.
- Attributes for access control
-
An implementation of attribute-based access control in identity pools. Identity pools apply user attributes as tags to user credentials.
- Basic (classic) authentication
-
An authentication process where you can customize the request for user credentials.
- Developer authenticated identities
-
An authentication process that authorizes identity pool user credentials with developer credentials.
- Developer credentials
-
The IAM API keys of an identity pool administrator.
- Enhanced authentication
-
An authentication flow that selects an IAM role and applies principal tags according to the logic that you define in your identity pool.
- Identity
-
A UUID that links an app user and their user credentials to their profile in an external user directory that has a trust relationship with an identity pool.
- Identity pool, Amazon Cognito federated identities, Amazon Cognito identity,
cognito-identity
-
An Amazon resource with authentication and authorization services for applications that use temporary Amazon credentials.
- Unauthenticated identity
-
A user who has not signed in with an identity pool IdP. You can permit users to generate limited user credentials for a single IAM role before they authentication.
- User credentials
-
Temporary Amazon API keys that users receive after identity pool authentication.