As a developer, you don’t like reinventing the wheel. You need to add authentication and authorization to your API and you’ve decided to use a third-party service, instead of rolling your own users management system. You are familiar with AWS, so Cognito is the way to go. You check the docs and try to understand what is User Pools, what is Identity Pools and what is the difference between them.
No worries, we’ve all been there. It’s really confusing, specially if you’re not an expert on authentication and authorization protocols (I include myself there). Both services seem to be built for the same purpose, so choosing one or another can become a tough task.
If you’d like to access AWS resources directly from the client side (be it a mobile or a web app), use Cognito Identity Pools (CID). Go for User Pools (CUP) otherwise.
Even though User Pools and Identity Pools seem to be similar, there are some aspects that make them quite different. First, we should pay attention at what the outcome of the authorization process is in both cases. User Pools provides us with a JSON Web Token, so we can use it as an authorizer for any existing API, while with Identity Pools we get temporary AWS credentials, which means that is meant to utilize AWS resources. We can definitely use it as an API authorizer, but only if it’s exposed through AWS API Gateway.
Taking note of what is the type of credentials delivered by CUP and CIP made me realize which use cases each service is suited for, although there are more features that could make you lean on one or another. With CUP you get the whole users management system, you’ll be able to let your users sign up with their email and password (and additional attributes if you like), or through another identity provider, such as Facebook or Google. You can also include additional security measures, like Multi-Factor Authentication, or have a customized sign up flow, by verifying users’ emails or mobile phone numbers. On the other hand, CID doesn’t count with an users directory, it fully relies on trusted third-party identity providers for authentication . Some other feature supported by CUP is OAuth2 compliance and support of scopes, which would allow third-party applications access your users’ accounts on their behalf and open up your secure API to the Internet.
In brief, you could follow the flowchart below to help you choose the service you want based on your needs:
You can see below some common scenarios where you could be hesitating about which service suits your needs:
Cognito is a confusing AWS service and, let’s be honest, its documentation doesn’t help. However, as soon as you get your head around the fundamentals of its variations, the choice between them becomes easier. I hope this article helped you to understand them better!