1
00:00:00,150 --> 00:00:02,190
So, let's have a look at Cognito.

2
00:00:02,190 --> 00:00:04,830
I'm going to go into the Cognito console

3
00:00:04,830 --> 00:00:07,890
and here I am greeted with two options.

4
00:00:07,890 --> 00:00:11,520
I can create a user pool or I could create an identity pool.

5
00:00:11,520 --> 00:00:13,050
We'll see identity pools later on,

6
00:00:13,050 --> 00:00:16,530
so for now, let's just create a user pool.

7
00:00:16,530 --> 00:00:18,990
So here, we have the console and we have several options.

8
00:00:18,990 --> 00:00:23,250
So, what is the authentication provider for the pool?

9
00:00:23,250 --> 00:00:24,930
How do people sign in?

10
00:00:24,930 --> 00:00:27,780
So we can have a Cognito user pool sign-in, where

11
00:00:27,780 --> 00:00:29,760
they can use their email address,

12
00:00:29,760 --> 00:00:32,130
phone number, or username, and then a password.

13
00:00:32,130 --> 00:00:35,490
Or we can choose to federate identity providers.

14
00:00:35,490 --> 00:00:38,430
And if I do so, then they will be able to log in

15
00:00:38,430 --> 00:00:41,850
with Google, with Facebook, with Amazon, or with Apple.

16
00:00:41,850 --> 00:00:45,450
But if you just want to allow federated sign-in,

17
00:00:45,450 --> 00:00:47,850
then it's better to choose an identity pool

18
00:00:47,850 --> 00:00:49,440
and we'll see this later on,

19
00:00:49,440 --> 00:00:51,630
but if you want more than just the sign-in,

20
00:00:51,630 --> 00:00:53,550
then you can stay here.

21
00:00:53,550 --> 00:00:57,270
Okay, so we'll just keep things as the Cognito user pool.

22
00:00:57,270 --> 00:00:58,620
And then, what is the sign-in option?

23
00:00:58,620 --> 00:00:59,880
How do I want users to sign in?

24
00:00:59,880 --> 00:01:01,260
Is it by username?

25
00:01:01,260 --> 00:01:04,230
Is it by email, by phone number, and so on?

26
00:01:04,230 --> 00:01:06,420
So, we can say, okay, username is good

27
00:01:06,420 --> 00:01:08,610
and then we'll click on Next.

28
00:01:08,610 --> 00:01:10,710
Next, we have the security requirements for Cognito,

29
00:01:10,710 --> 00:01:13,290
so what are the password requirements?

30
00:01:13,290 --> 00:01:14,400
We can use the defaults

31
00:01:14,400 --> 00:01:17,070
or we can customize this and say, for example,

32
00:01:17,070 --> 00:01:19,140
you don't care about all these password requirements

33
00:01:19,140 --> 00:01:20,490
for security response.

34
00:01:20,490 --> 00:01:22,950
For example, a minimum of six characters

35
00:01:22,950 --> 00:01:24,420
and you're good to go.

36
00:01:24,420 --> 00:01:27,210
Then, the temporary passwords set by administrators,

37
00:01:27,210 --> 00:01:28,320
when do they expire?

38
00:01:28,320 --> 00:01:30,150
Seven days is good.

39
00:01:30,150 --> 00:01:32,130
Next, we have multi-factor authentication,

40
00:01:32,130 --> 00:01:34,020
so do we want our users to use MFA

41
00:01:34,020 --> 00:01:35,880
during their sign-in process?

42
00:01:35,880 --> 00:01:39,000
And we can require MFA for added security,

43
00:01:39,000 --> 00:01:39,833
have it optional,

44
00:01:39,833 --> 00:01:42,900
so that users choose to control their own security,

45
00:01:42,900 --> 00:01:45,693
or no MFA, in which case the users cannot use MFA.

46
00:01:45,693 --> 00:01:48,090
This is the least secure option.

47
00:01:48,090 --> 00:01:49,710
And in case you have MFA,

48
00:01:49,710 --> 00:01:51,840
do you want to use an authenticator app,

49
00:01:51,840 --> 00:01:54,120
or do you want to use an SMS message

50
00:01:54,120 --> 00:01:56,850
sent to a verified phone number?

51
00:01:56,850 --> 00:01:59,490
So right now we'll do no MFA.

52
00:01:59,490 --> 00:02:02,100
And then, do you have self-service account recovery?

53
00:02:02,100 --> 00:02:04,140
Do you want to basically allow people

54
00:02:04,140 --> 00:02:07,590
to have a "forgot your password" link displayed?

55
00:02:07,590 --> 00:02:08,940
Yes, for example.

56
00:02:08,940 --> 00:02:10,890
And then, how do you want to deliver

57
00:02:10,890 --> 00:02:12,870
the account recovery messages?

58
00:02:12,870 --> 00:02:15,930
Is it by email, by SMS, email if available,

59
00:02:15,930 --> 00:02:17,520
otherwise SMS, and so on?

60
00:02:17,520 --> 00:02:20,730
So these options are things you're quite familiar with

61
00:02:20,730 --> 00:02:22,740
because they are the options that you have

62
00:02:22,740 --> 00:02:24,540
on pretty much any website

63
00:02:24,540 --> 00:02:26,250
where you create a user account.

64
00:02:26,250 --> 00:02:28,050
But here we have full control over it

65
00:02:28,050 --> 00:02:31,020
and that's pretty cool because it's a managed service.

66
00:02:31,020 --> 00:02:33,750
Moving on, yes, we want users to be able to sign in

67
00:02:33,750 --> 00:02:35,850
by themselves and sign up by themselves.

68
00:02:35,850 --> 00:02:38,610
And then, how do we verify these things?

69
00:02:38,610 --> 00:02:39,660
So, we can have Cognito

70
00:02:39,660 --> 00:02:42,240
send messages automatically and verify.

71
00:02:42,240 --> 00:02:45,720
We verify the email address by sending an email,

72
00:02:45,720 --> 00:02:48,030
and then how do we verify attribute changes?

73
00:02:48,030 --> 00:02:49,320
They changed their email address

74
00:02:49,320 --> 00:02:50,730
or they changed their phone number.

75
00:02:50,730 --> 00:02:53,910
Again, we can just have Cognito do all these things.

76
00:02:53,910 --> 00:02:57,090
Then, what are the required attributes to have?

77
00:02:57,090 --> 00:02:58,950
So, right now we have email,

78
00:02:58,950 --> 00:03:01,350
but we can also have address, birthdate,

79
00:03:01,350 --> 00:03:02,460
family name, and so on.

80
00:03:02,460 --> 00:03:04,290
So, these are all fields that we can require

81
00:03:04,290 --> 00:03:07,590
of a user, based on what you need for your application.

82
00:03:07,590 --> 00:03:09,810
And then, you can add custom attributes.

83
00:03:09,810 --> 00:03:11,220
So, what attribute is it?

84
00:03:11,220 --> 00:03:15,660
For example, you want to have the favorite color,

85
00:03:15,660 --> 00:03:17,310
and then you will have it right here,

86
00:03:17,310 --> 00:03:18,930
but right now we don't need it.

87
00:03:18,930 --> 00:03:22,560
Okay, so next, what is happening for message delivery?

88
00:03:22,560 --> 00:03:26,730
So, Cognito is going to use SES for emails

89
00:03:26,730 --> 00:03:29,760
and then it's going to use SNS to send messages,

90
00:03:29,760 --> 00:03:32,250
SMS messages, to your app users, okay?

91
00:03:32,250 --> 00:03:34,680
So, you can either choose to send emails with SES,

92
00:03:34,680 --> 00:03:38,970
in which case you need to set up Amazon SES to send emails

93
00:03:38,970 --> 00:03:41,730
and you need to have your own configuration sets.

94
00:03:41,730 --> 00:03:44,250
Or you can send the emails with Cognito,

95
00:03:44,250 --> 00:03:46,650
in which case Cognito is going to be sending

96
00:03:46,650 --> 00:03:47,760
the emails for you.

97
00:03:47,760 --> 00:03:49,980
It's good for development purposes.

98
00:03:49,980 --> 00:03:52,020
You can send up to 50 emails a day,

99
00:03:52,020 --> 00:03:53,190
but for production,

100
00:03:53,190 --> 00:03:56,010
you absolutely need to set up Amazon SES.

101
00:03:56,010 --> 00:03:58,683
So right now we'll just have it as this.

102
00:03:59,550 --> 00:04:01,860
Next, then, user pool name.

103
00:04:01,860 --> 00:04:03,363
So, this is my DemoPool.

104
00:04:05,310 --> 00:04:08,760
And then, do I want to use the hosted authentication pages?

105
00:04:08,760 --> 00:04:09,593
So, this is pretty cool.

106
00:04:09,593 --> 00:04:10,426
We'll see this in a second,

107
00:04:10,426 --> 00:04:13,500
but it's a way for you to speed up your sign-up

108
00:04:13,500 --> 00:04:15,240
and sign-in flow, because Cognito

109
00:04:15,240 --> 00:04:18,030
will provide you a hosted UI

110
00:04:18,030 --> 00:04:21,060
for you to use and for users to sign in and sign up.

111
00:04:21,060 --> 00:04:24,200
So, yes, we want to use the Cognito hosted UI.

112
00:04:24,200 --> 00:04:28,320
In the exam, I want you to know that this thing exists, okay?

113
00:04:28,320 --> 00:04:30,030
Then, you need to have a Cognito domain,

114
00:04:30,030 --> 00:04:32,460
so what is the hosted URL?

115
00:04:32,460 --> 00:04:35,430
So, this only appears if this is ticked.

116
00:04:35,430 --> 00:04:37,680
So, we can use a custom domain

117
00:04:37,680 --> 00:04:41,070
if you want to have your own URL, or a Cognito domain,

118
00:04:41,070 --> 00:04:44,490
so stephane-demo-cognito,

119
00:04:44,490 --> 00:04:45,787
and we should be good to go.

120
00:04:45,787 --> 00:04:48,480
.auth.eu-central-1.amazoncognito.com,

121
00:04:48,480 --> 00:04:49,890
this is perfect.

122
00:04:49,890 --> 00:04:51,540
Now, we have an initial app client,

123
00:04:51,540 --> 00:04:54,300
so this is to configure an app,

124
00:04:54,300 --> 00:04:57,000
which is an app that connects to the user pool.

125
00:04:57,000 --> 00:04:58,860
And so, we can have multiple app clients,

126
00:04:58,860 --> 00:05:01,290
so we'll have, first, an app type.

127
00:05:01,290 --> 00:05:03,690
So, this is a Public client, where we can use

128
00:05:03,690 --> 00:05:07,350
a public app with Cognito, but we can have a private client

129
00:05:07,350 --> 00:05:10,020
or Other if you wanted to have deeper settings.

130
00:05:10,020 --> 00:05:12,480
So, this one is just DemoAppClients,

131
00:05:13,503 --> 00:05:16,590
and do we want to generate a client secret? No.

132
00:05:16,590 --> 00:05:18,180
Then, callback URLs,

133
00:05:18,180 --> 00:05:20,160
so these are app-specific stuff,

134
00:05:20,160 --> 00:05:21,960
but basically this allows you

135
00:05:21,960 --> 00:05:24,310
to connect your app to Cognito.

136
00:05:24,310 --> 00:05:25,440
Okay, so we're good.

137
00:05:25,440 --> 00:05:28,200
Next, so we need to have a callback URL,

138
00:05:28,200 --> 00:05:29,793
so example.com.

139
00:05:30,990 --> 00:05:33,450
And if I click on Next, I get an error

140
00:05:33,450 --> 00:05:34,920
because I cannot use the word Cognito,

141
00:05:34,920 --> 00:05:37,890
so just stephane-demo is going to work out.

142
00:05:37,890 --> 00:05:38,910
Let's click on Next.

143
00:05:38,910 --> 00:05:41,490
So, now, we can review everything that we have,

144
00:05:41,490 --> 00:05:44,310
which was quite a lot of configuration, I know,

145
00:05:44,310 --> 00:05:46,530
but we see many, many, many options.

146
00:05:46,530 --> 00:05:48,210
And then, we create the user pool.

147
00:05:48,210 --> 00:05:49,920
So, hopefully, this gives you a good overview

148
00:05:49,920 --> 00:05:52,590
of what settings we have for a user pool.

149
00:05:52,590 --> 00:05:54,180
You can review this in your own time,

150
00:05:54,180 --> 00:05:55,590
but once you have this,

151
00:05:55,590 --> 00:05:59,850
you really start to understand the idea behind Cognito.

152
00:05:59,850 --> 00:06:01,890
So, our DemoPool is now created,

153
00:06:01,890 --> 00:06:04,350
but as you can see we have no users for now,

154
00:06:04,350 --> 00:06:06,780
so we have to get started and create users.

155
00:06:06,780 --> 00:06:09,030
To do so, let's go to App Integration.

156
00:06:09,030 --> 00:06:10,470
We have set up our Cognito domain,

157
00:06:10,470 --> 00:06:12,570
but if you try to open this in a new tab,

158
00:06:12,570 --> 00:06:14,550
you're not going to get anything but a blank page,

159
00:06:14,550 --> 00:06:15,750
that's expected.

160
00:06:15,750 --> 00:06:16,650
It's because to log in

161
00:06:16,650 --> 00:06:18,870
you need to log in from an app's perspective.

162
00:06:18,870 --> 00:06:19,830
So we'll scroll down.

163
00:06:19,830 --> 00:06:23,130
We actually have created an app as part of our create flow,

164
00:06:23,130 --> 00:06:25,680
so let's click on the DemoAppClients.

165
00:06:25,680 --> 00:06:28,410
We scroll down, we see that there is a hosted UI,

166
00:06:28,410 --> 00:06:29,243
it's available.

167
00:06:29,243 --> 00:06:33,120
We have defined the callback URL to be example.com

168
00:06:33,120 --> 00:06:33,953
and what we're going to do

169
00:06:33,953 --> 00:06:36,870
is that we're going to click on View Hosted UI.

170
00:06:36,870 --> 00:06:39,450
From here, I'm able to create a new account

171
00:06:39,450 --> 00:06:40,860
by doing a sign-up.

172
00:06:40,860 --> 00:06:42,600
Username is going to be Stephane,

173
00:06:42,600 --> 00:06:46,200
the email is going to be stephane@mailinator.com,

174
00:06:46,200 --> 00:06:48,120
and then for the password I'm going to use

175
00:06:48,120 --> 00:06:49,890
a password that I know.

176
00:06:49,890 --> 00:06:52,500
I sign up, don't save.

177
00:06:52,500 --> 00:06:55,530
And then, I need to go to mailinator.com,

178
00:06:55,530 --> 00:06:59,550
which is like a temporary email, to go to the Stephane one

179
00:06:59,550 --> 00:07:01,080
and I'm going to check my mailbox.

180
00:07:01,080 --> 00:07:01,920
And as you can see

181
00:07:01,920 --> 00:07:04,830
I've received a verification code from Cognito.

182
00:07:04,830 --> 00:07:06,960
So in here, I have the confirmation code.

183
00:07:06,960 --> 00:07:09,420
I can just copy it and paste it here,

184
00:07:09,420 --> 00:07:13,020
confirm the account, and my account is now confirmed.

185
00:07:13,020 --> 00:07:15,750
And as you can see now, I am on example.com.

186
00:07:15,750 --> 00:07:20,750
And example.com is the callback URL of my hosted UI,

187
00:07:20,820 --> 00:07:23,820
which shows that after people are successfully logged in,

188
00:07:23,820 --> 00:07:24,990
they go to the callback URL.

189
00:07:24,990 --> 00:07:26,370
So you can make it whatever you want

190
00:07:26,370 --> 00:07:28,113
for your application, of course.

191
00:07:29,040 --> 00:07:31,500
And then, you can also customize the hosted UI,

192
00:07:31,500 --> 00:07:34,590
so you can just click on Use client-level settings.

193
00:07:34,590 --> 00:07:36,720
You can upload a logo,

194
00:07:36,720 --> 00:07:40,740
and for example I'm going to choose my beach.JPEG file.

195
00:07:40,740 --> 00:07:42,420
Let's save the changes.

196
00:07:42,420 --> 00:07:44,807
And if you go in here now, back into the hosted UI,

197
00:07:44,807 --> 00:07:48,240
as you can see, I get back the Example Domain

198
00:07:48,240 --> 00:07:49,890
because I'm already logged in,

199
00:07:49,890 --> 00:07:52,740
but if I copy this link right here,

200
00:07:52,740 --> 00:07:55,410
open a private window and paste it,

201
00:07:55,410 --> 00:07:58,170
as you can see now my login UI has been customized

202
00:07:58,170 --> 00:07:59,430
and I can see my beach.

203
00:07:59,430 --> 00:08:01,320
But you can do a lot of things with this, actually.

204
00:08:01,320 --> 00:08:03,120
You can edit this hosted UI

205
00:08:03,120 --> 00:08:07,260
and you can add your own custom CSS file

206
00:08:07,260 --> 00:08:10,380
to really customize everything there is in this UI,

207
00:08:10,380 --> 00:08:12,090
which is very nice.

208
00:08:12,090 --> 00:08:15,450
So now, if you go back into our pool, our DemoPool,

209
00:08:15,450 --> 00:08:17,340
and we look at Users, we can see that, yes,

210
00:08:17,340 --> 00:08:20,370
my user Stephane has been created, the email is verified,

211
00:08:20,370 --> 00:08:22,740
and the status is confirmed, which is awesome.

212
00:08:22,740 --> 00:08:24,870
You can also choose to manually create a user

213
00:08:24,870 --> 00:08:27,360
if you wanted to, and send an email invitation,

214
00:08:27,360 --> 00:08:29,760
enter username, email address, and so on.

215
00:08:29,760 --> 00:08:32,190
So, it's one way: either users sign up on their own

216
00:08:32,190 --> 00:08:34,350
or you sign them up from here.

217
00:08:34,350 --> 00:08:35,670
You can group users together,

218
00:08:35,670 --> 00:08:38,460
which is really good for security.

219
00:08:38,460 --> 00:08:41,850
Also, what we can do is, for the sign-in experience,

220
00:08:41,850 --> 00:08:44,250
we can also have a federated identity provider.

221
00:08:44,250 --> 00:08:47,490
So, as I said before, you can do a Facebook, Google,

222
00:08:47,490 --> 00:08:51,420
Amazon, or Apple login, or SAML or OIDC.

223
00:08:51,420 --> 00:08:54,150
So for example, if I choose Google to have a Google login,

224
00:08:54,150 --> 00:08:56,550
I have to enter the client ID from Google,

225
00:08:56,550 --> 00:08:58,680
the client secret, the authorized scopes,

226
00:08:58,680 --> 00:09:00,600
and as soon as this is done,

227
00:09:00,600 --> 00:09:03,480
then my users will be able to do a Google login

228
00:09:03,480 --> 00:09:06,453
and sign up for my page, which is very awesome.

229
00:09:07,410 --> 00:09:09,960
Finally, let's have a look at a very important feature,

230
00:09:09,960 --> 00:09:12,150
which is under User pool properties,

231
00:09:12,150 --> 00:09:14,640
where you will find the Lambda triggers.

232
00:09:14,640 --> 00:09:17,790
So, Lambda triggers allow you to react to things happening

233
00:09:17,790 --> 00:09:20,670
within your user pool, and then you trigger a Lambda function,

234
00:09:20,670 --> 00:09:22,500
and that allows you to build any kind

235
00:09:22,500 --> 00:09:23,820
of integration you want.

236
00:09:23,820 --> 00:09:26,280
For example, you may want to have a Lambda function

237
00:09:26,280 --> 00:09:29,100
that gets triggered whenever a user signs up,

238
00:09:29,100 --> 00:09:31,320
or whenever there is authentication,

239
00:09:31,320 --> 00:09:34,080
or a custom authentication, or messaging, and so on.

240
00:09:34,080 --> 00:09:35,120
So for sign-up, for example,

241
00:09:35,120 --> 00:09:36,360
we have different trigger types.

242
00:09:36,360 --> 00:09:38,010
You have the Pre sign-up trigger.

243
00:09:38,010 --> 00:09:40,650
This is used to validate a user when they sign up

244
00:09:40,650 --> 00:09:42,510
and then you customize their attributes,

245
00:09:42,510 --> 00:09:45,420
or Post, to send customized welcome messages

246
00:09:45,420 --> 00:09:47,640
or log events for custom analytics,

247
00:09:47,640 --> 00:09:50,250
or Migrate user, when you are migrating a user

248
00:09:50,250 --> 00:09:51,810
from another directory.

249
00:09:51,810 --> 00:09:53,400
So, say you want a Pre sign-up trigger

250
00:09:53,400 --> 00:09:55,470
to validate users because you want to make sure,

251
00:09:55,470 --> 00:09:56,370
I don't know, that the user

252
00:09:56,370 --> 00:09:59,640
is also in your own internal database.

253
00:09:59,640 --> 00:10:02,100
So to do so, you would create a Lambda function,

254
00:10:02,100 --> 00:10:05,700
and then Cognito would invoke it and you'd be good to go.

255
00:10:05,700 --> 00:10:07,530
So this is very helpful and something that can come up

256
00:10:07,530 --> 00:10:08,640
in the exam as well.

257
00:10:08,640 --> 00:10:10,110
Have a look at Authentication.

258
00:10:10,110 --> 00:10:12,330
Have a look at Custom and Messaging.

259
00:10:12,330 --> 00:10:14,580
This can really help you understand the use cases

260
00:10:14,580 --> 00:10:16,020
for Lambda triggers.

261
00:10:16,020 --> 00:10:17,340
Okay, so that's it for this lecture.

262
00:10:17,340 --> 00:10:20,070
We've seen a lot of things about Cognito user pools.

263
00:10:20,070 --> 00:10:21,270
I hope you liked it,

264
00:10:21,270 --> 00:10:23,220
and I will see you in the next lecture.