1 00:00:00,000 --> 00:00:01,980 So, just a short theory lecture
2 00:00:01,980 --> 00:00:04,980 to reiterate on what I've said in the hands-on.
3 00:00:04,980 --> 00:00:06,750 So first, we can use Lambda Triggers
4 00:00:06,750 --> 00:00:08,130 so that the Cognito User Pools
5 00:00:08,130 --> 00:00:11,040 can invoke any Lambda function synchronously
6 00:00:11,040 --> 00:00:12,600 on some of these triggers,
7 00:00:12,600 --> 00:00:13,950 and we've seen most of them,
8 00:00:13,950 --> 00:00:16,470 but so, the important ones are going to be
9 00:00:16,470 --> 00:00:18,600 around the authentication events,
10 00:00:18,600 --> 00:00:21,180 so pre-authentication, post-authentication
11 00:00:21,180 --> 00:00:22,740 and pre-token generation,
12 00:00:22,740 --> 00:00:24,720 we can have a Lambda trigger, for example,
13 00:00:24,720 --> 00:00:28,140 to accept or deny your sign-in request, to log events
14 00:00:28,140 --> 00:00:31,590 after a successful authentication for custom analytics
15 00:00:31,590 --> 00:00:34,290 or to augment and suppress token claims.
16 00:00:34,290 --> 00:00:37,230 Then for the sign-up, we can do a pre sign-up,
17 00:00:37,230 --> 00:00:40,350 post confirmation and migrate user Lambda trigger.
18 00:00:40,350 --> 00:00:42,330 This will be helpful, for example, in this one,
19 00:00:42,330 --> 00:00:45,360 to give a custom welcome message or event logging
20 00:00:45,360 --> 00:00:48,720 for custom analytics after a user has signed up.
21 00:00:48,720 --> 00:00:50,670 Finally, we can customize the messages
22 00:00:50,670 --> 00:00:52,920 that we send to the user thanks to a Lambda function,
23 00:00:52,920 --> 00:00:55,590 and finally, we can modify the token creation
24 00:00:55,590 --> 00:00:58,620 by adding or removing attributes in ID tokens.
25 00:00:58,620 --> 00:01:01,770 Another very nice thing about the Cognito User Pools
26 00:01:01,770 --> 00:01:04,950 is that we had a hosted authentication UI
27 00:01:04,950 --> 00:01:07,470 and that was allowing us not to program
28 00:01:07,470 --> 00:01:08,760 that UI in our application,
29 00:01:08,760 --> 00:01:11,370 we can just reuse the one Cognito has created for us,
30 00:01:11,370 --> 00:01:15,300 and with it we can handle the sign-up and sign-in workflows.
31 00:01:15,300 --> 00:01:17,940 In using this hosted UI, we have a foundation
32 00:01:17,940 --> 00:01:21,510 with all the integration for social logins, OIDC or SAML,
33 00:01:21,510 --> 00:01:23,580 so we don't have to reprogram everything,
34 00:01:23,580 --> 00:01:25,920 and if we wanted to include this UI
35 00:01:25,920 --> 00:01:27,540 into our own application,
36 00:01:27,540 --> 00:01:30,150 then we can customize the logo, as we've seen,
37 00:01:30,150 --> 00:01:32,010 and we can customize the CSS
38 00:01:32,010 --> 00:01:34,410 to make it look like it belongs to our websites.
39 00:01:34,410 --> 00:01:36,780 So this will be a login screen
40 00:01:36,780 --> 00:01:39,990 with your own custom logo in big.
41 00:01:39,990 --> 00:01:42,930 Now for the hosted UI, you may want to host it
42 00:01:42,930 --> 00:01:46,080 on your own domain and therefore a custom domain.
43 00:01:46,080 --> 00:01:47,640 So the trick you need to know
44 00:01:47,640 --> 00:01:49,920 is that if you're using custom domains
45 00:01:49,920 --> 00:01:54,090 with Cognito User Pools, regardless of where it is created,
46 00:01:54,090 --> 00:01:58,020 you must create a certificate for using HTTPS.
47 00:01:58,020 --> 00:02:01,650 That certificate must be in ACM, okay?
48 00:02:01,650 --> 00:02:05,730 And the region it needs to be in must be us-east-1.
49 00:02:05,730 --> 00:02:07,740 You have no other option.
50 00:02:07,740 --> 00:02:09,210 So, this is a trick because,
51 00:02:09,210 --> 00:02:12,510 well, even if you have a Cognito User Pool in,
52 00:02:12,510 --> 00:02:14,370 say eu-west-1, you must create it
53 00:02:14,370 --> 00:02:16,500 in us-east-1, your certificates.
54 00:02:16,500 --> 00:02:19,350 Now the custom domain, you must define it
55 00:02:19,350 --> 00:02:23,670 in the app integration section of Cognito User Pools
56 00:02:23,670 --> 00:02:25,830 because this is going to be a configuration
57 00:02:25,830 --> 00:02:27,480 for all app claims.
58 00:02:27,480 --> 00:02:29,493 This is a general configuration.
59 00:02:30,390 --> 00:02:33,180 Another very nice feature of Cognito User Pools
60 00:02:33,180 --> 00:02:35,430 is adaptive authentication.
61 00:02:35,430 --> 00:02:37,170 So the idea is that you allow your users
62 00:02:37,170 --> 00:02:40,200 to sign in as normal using their username and password,
63 00:02:40,200 --> 00:02:42,510 but then with adaptive authentication,
64 00:02:42,510 --> 00:02:45,300 in case there is a suspicious login,
65 00:02:45,300 --> 00:02:46,980 then the sign-in can be blocked
66 00:02:46,980 --> 00:02:50,310 or we can require multi-factor authentication.
67 00:02:50,310 --> 00:02:51,360 How does it work?
68 00:02:51,360 --> 00:02:52,650 Well, each sign-in attempt
69 00:02:52,650 --> 00:02:55,350 is going to be examined by Cognito,
70 00:02:55,350 --> 00:02:57,270 and then there is going to be a risk score,
71 00:02:57,270 --> 00:03:00,480 low, medium or high for how likely the sign-in request
72 00:03:00,480 --> 00:03:03,120 is going to be from a malicious attacker
73 00:03:03,120 --> 00:03:04,830 or an unknown login,
74 00:03:04,830 --> 00:03:07,860 and so, if that's the case, then users may be prompted
75 00:03:07,860 --> 00:03:10,890 for a second multifactor authentication
76 00:03:10,890 --> 00:03:12,330 only when there are risks.
77 00:03:12,330 --> 00:03:15,720 So you as a normal user, that Cognito is used to,
78 00:03:15,720 --> 00:03:18,510 maybe you log in from your own computer in your workplace,
79 00:03:18,510 --> 00:03:20,760 so you're good, you can sign in using a password,
80 00:03:20,760 --> 00:03:23,670 but then if somehow you or someone else
81 00:03:23,670 --> 00:03:25,740 tries to log in from a new location
82 00:03:25,740 --> 00:03:27,990 using your password again, Cognito may say, "Hm,
83 00:03:27,990 --> 00:03:29,760 that looks like a suspicious login.
84 00:03:29,760 --> 00:03:33,180 Please use MFA to verify your identity."
85 00:03:33,180 --> 00:03:36,240 So the risk score is based on many different factors,
86 00:03:36,240 --> 00:03:39,690 such as if the user is using the same device as usual,
87 00:03:39,690 --> 00:03:42,630 the location, the IP address, and so on.
88 00:03:42,630 --> 00:03:45,300 And in case of compromised credentials,
89 00:03:45,300 --> 00:03:47,610 there is account takeover protection
90 00:03:47,610 --> 00:03:50,880 and there will be phone and email verification as well.
91 00:03:50,880 --> 00:03:53,790 On top of it, any kind of work done
92 00:03:53,790 --> 00:03:56,310 by the adaptive authentication mechanism
93 00:03:56,310 --> 00:03:58,500 is going to be seen in CloudWatch logs,
94 00:03:58,500 --> 00:03:59,970 such as the sign-in attempts,
95 00:03:59,970 --> 00:04:03,243 the risk score, the failed challenges, and so on.
96 00:04:04,140 --> 00:04:06,930 Now, when you log in with a Cognito User Pool,
97 00:04:06,930 --> 00:04:08,610 what you get back from the pool
98 00:04:08,610 --> 00:04:12,960 is a JWT Token or a JSON Web Token.
99 00:04:12,960 --> 00:04:15,540 And so these are Base64 encoded.
100 00:04:15,540 --> 00:04:17,040 You'll have what's called the header,
101 00:04:17,040 --> 00:04:19,380 the payload and the signature,
102 00:04:19,380 --> 00:04:22,050 and so Base64 is allowing you to transmit
103 00:04:22,050 --> 00:04:23,640 that over the network easily,
104 00:04:23,640 --> 00:04:26,370 and then it's going to be decoded and it looks like this.
105 00:04:26,370 --> 00:04:29,430 So this is a JWT Token payload.
106 00:04:29,430 --> 00:04:31,170 The header is not represented,
107 00:04:31,170 --> 00:04:32,460 that's the first line
108 00:04:32,460 --> 00:04:34,950 and the token signature is not represented,
109 00:04:34,950 --> 00:04:36,120 that's the last line.
110 00:04:36,120 --> 00:04:38,520 What I've shown you is the payload,
111 00:04:38,520 --> 00:04:40,020 and the payload indicates a lot
112 00:04:40,020 --> 00:04:41,310 of information about the user.
113 00:04:41,310 --> 00:04:43,920 We'll go over it in a second, but first,
114 00:04:43,920 --> 00:04:48,920 when you receive a JWT, to trust what's in the payload,
115 00:04:49,320 --> 00:04:52,050 you need to verify the signature.
116 00:04:52,050 --> 00:04:54,270 So, the signature is the thing at the very bottom,
117 00:04:54,270 --> 00:04:56,077 and there is an algorithm that allows you to say,
118 00:04:56,077 --> 00:04:58,020 "Okay, if the signature is correct
119 00:04:58,020 --> 00:05:01,140 then I can trust whatever information is in the payload,"
120 00:05:01,140 --> 00:05:03,150 because otherwise, if that wasn't the case,
121 00:05:03,150 --> 00:05:05,430 you could declare here whatever user,
122 00:05:05,430 --> 00:05:08,520 and so there are libraries to verify a JWT Token,
123 00:05:08,520 --> 00:05:11,400 and once it's done, you can use the payload,
124 00:05:11,400 --> 00:05:14,100 and so the payload contains user information.
125 00:05:14,100 --> 00:05:17,250 So here for example, we have the sub UUID,
126 00:05:17,250 --> 00:05:19,080 which represents the user ID
127 00:05:19,080 --> 00:05:21,660 in the Cognito User Pool database.
128 00:05:21,660 --> 00:05:25,800 So using that sub UUID, you could, for example,
129 00:05:25,800 --> 00:05:28,050 recover any kind of information you want
130 00:05:28,050 --> 00:05:31,260 about your user that you've stored in the Cognito database.
131 00:05:31,260 --> 00:05:33,420 So, from the Cognito database, you could recover,
132 00:05:33,420 --> 00:05:36,270 for example, the user email, the given name,
133 00:05:36,270 --> 00:05:38,550 the phone number, any attributes you've defined
134 00:05:38,550 --> 00:05:40,980 as part of your Cognito User Pool.
135 00:05:40,980 --> 00:05:42,720 Then there are some other fields we can look at.
136 00:05:42,720 --> 00:05:46,320 For example, you'll have the username, the Cognito groups.
137 00:05:46,320 --> 00:05:49,920 You may have also the expiry of this JSON Web Token,
138 00:05:49,920 --> 00:05:52,140 all of this, as part of the payload,
139 00:05:52,140 --> 00:05:54,420 but again, if you need extra information,
140 00:05:54,420 --> 00:05:57,420 please look up the user in the Cognito user portal database
141 00:05:57,420 --> 00:06:00,000 using the user ID with the sub UUID.
142 00:06:01,050 --> 00:06:02,700 Okay, so that's it.
143 00:06:02,700 --> 00:06:06,180 We've seen all we need to know about Cognito User Pools.
144 00:06:06,180 --> 00:06:09,723 I hope you liked it, and I will see you in the next lecture.