Welcome back to BackSpace Academy. In this lab on authentication and synchronization of JavaScript apps with AWS Cognito we're first off going to be creating an AWS Cognito user pool, which will store information on users of our application. We're then going to build a trust relationship between this user pool that contains our users and the AWS Cognito Identity service. Once we've done that we can then write an application that can authenticate a user in that Cognito user pool and then provide them with temporary credentials to access our AWS resources safely. We're then going to use those credentials to write and sync to the AWS Cognito Sync service. Now, that is a key store and database service that operates on Cognito, and it allows that data to be synchronized across all of the devices that your end user will be logged into, whether it be a mobile application or a desktop computer or whatever. And then we'll also look at using it outside of Cognito and use it with the AWS S3 service to upload an object to Amazon S3, just to show that we don't need to be confined to AWS Cognito; we can use these credentials with any of these AWS services, provided that the role that we create for that Cognito user allows that to happen.

Of all of the requests that I get through BackSpace Academy, Cognito would be the number one of those requests. A lot of developers want to know about Cognito, how to use it, how to work their way through the minefield that is the AWS documentation on Cognito, and what I would say is that I have a lot of experience on Cognito. Back in late 2014 I was part of the beta testers of Cognito when it came out, and at that stage it wasn't very good. The documentation was atrocious and it was very difficult, especially with Node.js and JavaScript; it really wasn't a very good service at all. You had to actually juggle between your Facebook tokens, get them through to the STS service, bring them back into here and bring them back there, and you ended up having all of these multiple security tokens all over the place just to be able to log in and do something that really wasn't doing much, because back then we didn't have user pools. So all the Cognito service could really do is it could use Facebook or Google or whatever to log in and give you a Cognito ID, and then you could use a sync store database to store some key values. You could also use those credentials as well to access S3 and other AWS services, but it wasn't really doing that much.

So the good thing was that I did complain to AWS about this and they listened. At that stage we did have a support account with AWS, and so that certainly was a handy thing to have, to be able to go through those channels and then escalate it up to get it all fixed. And so what AWS came out with was a really good JavaScript SDK that included an object that allowed it to get those credentials for Cognito really within one object, and so it was a really streamlined process and it was really great. But at that stage the documentation hadn't caught up and it was going to take some time for that to catch up, so what I did was, back in early 2015, I developed a number of Cognito tutorials on Node.js and PhoneGap, Cordova, browser, a whole heap of stuff, and it was extremely popular. Cognito was very, very popular and I received thousands upon thousands upon thousands of hits and literally hundreds of emails over the last few years on Cognito, helping people out, and that was great.

Now, one thing I would say about Cognito is that parts of it are great and parts of it are not so great, and over the last few years it kind of has progressed at a rate of knots, and they're introducing a lot of what appears to be cool stuff, but not stuff that you really need and not stuff that really works out well. If you have a look at the user forums for AWS and have a look at the Cognito issues that are out there that are unresolved, there's a lot of them, and a lot of them are around these additional SDKs that they've created. We don't just have the AWS JavaScript SDK; we also have the AWS Cognito JavaScript SDK, the AWS Cognito Identity JavaScript SDK, the AWS Cognito Sync Manager SDK, we have the AWS Amplify SDK, we have the Android one, oh my god, we've got them everywhere! Unfortunately you don't really need them, and if you want to avoid all those difficulties just use the JavaScript SDK.

This is a course on development for certification, and you know you need to know how to use the AWS JavaScript SDK. It is what I use; I do not use AWS Amplify, I do not use any of this other stuff, because I want to know what works and what works reliably. And so what I'm going to do is lead you through this landmine, because if you have a look here at the documentation, a lot of this stuff just doesn't work. The JavaScript code that is in this documentation does not work, and when you look at AWS Amplify there's a whole heap of issues around AWS Amplify, but the good thing is that they've kept a JavaScript SDK in there, and for the most part that does work. So if you're looking for documentation on Cognito for JavaScript, go to the AWS Amplify GitHub page, and I'll just get that up here, and then navigate to packages and then go to amazon-cognito-identity-js, and that will give you the JavaScript SDK that is current and is being used by AWS Amplify, and that's the one that you should be using if you're going to be using a Cognito JavaScript SDK. But that said, a lot of times you will find that the standard AWS JavaScript SDK, which has all of these services for AWS in it, does perform better, so I use a combination of both. AWS said to just use the Cognito Identity JavaScript SDK, and then they're saying now that, well, you should use AWS Amplify, despite the fact that AWS Amplify has a whole heap of issues. What I'll do is I'll show you how to use this Cognito Identity SDK, and then for the rest of it we're going to use the standard AWS JavaScript SDK, and we're also going to use that for the Cognito Sync service as well, which has its own SDK as well, which you don't need.

OK, so here we are in the Amazon Cognito console. We've got two options here: manage user pools, or manage your federated identities. So if we scroll down here we can see the options available for us. With user pools we can add sign-up and sign-in capability for our applications, and that information will be managed and authenticated with Amazon Cognito on AWS. We also have federated user identities, and what they can do is provide temporary credentials to enable our federated users to access our AWS resources. That could be not only from a Cognito user pool, but it also could be from Facebook or Twitter through an OAuth process as well. We also have the Cognito Sync datastore, which enables us to store key-value data across our devices, and that will be managed again by AWS. So the first thing we need to do is to create a user pool, and we won't be doing any federated identities with Facebook or anything like that; we'll just use Cognito to sign our users in. So the first thing we need to do is manage our user pools, we'll create a user pool, and then we click on create a user pool and we'll give it a name.

So once we give it a name we can step through our settings. We can just use defaults; we might do that, but we want to learn here, plus we do want to make some changes to the defaults, so we'll just step through these settings. The first thing we've got here is how do we want our end users to sign in. We can get them to sign in with just a username and password, or we can also get them to use a verified email address as well, so instead of just typing in their username (they can still do that), if they forget their username they can always put in their email address, so that's probably a good one. We might not worry about using a verified phone number or a preferred username; we can actually have them signing in with the preferred username if we would like, but we'll just leave it like that so they can use their username and their email address. Next we have standard attributes that we can attach, so when they sign up we can get information from them. The first thing that we are going to get is going to be an email; we're also going to grab a preferred username, so instead of just giving them a username we'll give them the opportunity to choose a username and to type that in, that's always a good thing. We'll select birthdate, probably a good thing to grab, family name, gender, given name, what else can we put on them, we'll put the website on them, and I think that'll do us for now.

So now we'll scroll down to custom attributes. If what we're collecting there is not enough for us for a profile of this user, we can add a custom attribute there, so just say for example it might be a professional site and we want to get their LinkedIn page as well, so we can do add custom attribute here and we're going to put in linkedin, OK, all lowercase. We'll click on next step. Next we'll have a look at what password strength do you require, so we can see here we require numbers, special characters, uppercase; I'll leave that as it is, minimum 8 for length, that sounds OK. Do you want to allow users to sign themselves up? So we can have the opportunity for them to sign themselves up, which you would probably use, or if you just want to have, you know, private access and you only want administrators to sign people up, then you can have that as well, but we're going to allow anyone to sign themselves up. And if administrators sign people up, do you want those to expire, and how long? We're just going to leave that at 7 days, so if they sign themselves up they don't expire, but if you sign someone up and they don't take up that sign-in then it expires, so we can delete those old accounts quite quickly, all those old users in our user pool. Click on next step. Do you want to enable multi-factor authentication? Great, we can do that if we want; we won't for this, it's just a simple website, but that capability is available for us.

Do you want to require verification of emails or phone numbers? So yes, we're going to be using an email to log in, and you know, if we're going to sign people up we might as well get their email address. And we need to provide a role to allow Amazon Cognito to send SMS messages; no, we don't need to worry about that, because we haven't got multi-factor authentication turned on, so we don't need access to an SMS service, so we don't need to worry about that, just leave it as it is and we'll just click on next step. Now, when someone signs up they're going to receive an email verification, because we've told Cognito that we want all these emails to be verified, so they can send a verification code. So when someone signs up a message will pop up saying enter your verification code, and then they go back to their email address and they get that verification code and type it in. I think that's a little bit of work, so we're just going to use a link, so when they sign up they will receive an email with a link that will verify the email for them. So we can customize this, your verification link message; we can customize our SMS messages, but we're not using SMS here so we're not going to worry about that; we can customize our email invitation messages if we want.

Do you want to customize your email address? So normally it would just come with, not a random but a generic email address, no-reply at whatever, so you can actually put your own from address or reply-to address in there. We won't worry about that for this and we'll click on next step. Do you want to add tags to this user pool? We can add tags if we want to keep track of things; we're not going to worry about that here. Do you want to remember your users' devices? We won't worry about that either. And which app clients will have access to this user pool? So what we're going to do, we are going to have an app that we're going to be using that will be accessing this user pool, so we need to actually grant access and build a relationship, or trust, between that application and this client in this user pool. So we add an app client and we're going to give that a name. Now, we don't do generate client secret; we keep that off, we don't need that, it'll just stop our application from working, so we just leave it at that, give it a name and create that app client. Now we also have the option of having customized workflows with triggers, so we can actually implement a trigger that can invoke a Lambda function to go ahead and do something. So before we sign up we can have a Lambda function that has to do something, you know, ask them to enter the word Kalamazoo or whatever it does, so we can make that happen, and when we have pre-authentication we have a whole heap of triggers that we can introduce into that workflow, which provides a lot more for our authentication service. We're just going to leave everything as it is and we'll click on next step, so we can just review it now, which looks fine, and create pool. So the user pool was created successfully; it was quite easy to do.

Now the next thing we need to do is to modify some of this stuff here, so we need to go into app client settings and click on that, and we need to enable Cognito user pool. We can do sign-in and sign-out URLs, so the callback URLs we'll just leave as they are and save the changes for that. What we can do now is choose a domain name as well for our application, so I'm just going to call this one backspace-slip and check the availability. So it needs to be something that's unique; this domain is available, so if you try and use backspace-slip it's not going to work for you, it's just like an S3 bucket, it needs to be unique, so, you know, use backspace-yoursurname or something like that. So just save changes, now that we know that's in, and they say the domain has been successfully created. So now that that's all done we now need to go in and do our federated identities, which we will do in the next part.
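The "trust relationship" between the user pool and Cognito Identity, and the "role that we create for that Cognito user" that decides which AWS services the temporary credentials may reach, are in practice one IAM role with a trust policy and a permissions policy. The following CloudFormation snippet is an added example and is not part of the video or of any AWS sample; the identity pool ID, the bucket name and the `private/<identity id>/` key layout are assumptions for illustration.

```yaml
# Added example (not from the video): the IAM role that Cognito Identity
# hands to *authenticated* identities of one identity pool.  Every name
# and ID here is a placeholder; supply your own as stack parameters.
Parameters:
  IdentityPoolId:
    Type: String
    Description: Assumed placeholder, e.g. us-east-1:11111111-2222-3333-4444-555555555555
  UserDataBucket:
    Type: String
    Description: Assumed placeholder bucket that holds per-user objects

Resources:
  CognitoAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: this is the "trust relationship" from the video.
      # Only the Cognito Identity service may assume the role, only for
      # THIS identity pool (aud), and only for logged-in identities (amr).
      # Without the aud condition any identity pool in any account could
      # hand out this role; without amr, unauthenticated guests could.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPoolId
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: per-identity-least-privilege
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # S3 upload from the video, but scoped so each identity can
              # only see and touch keys under its own Cognito identity ID.
              # ${!...} inside !Sub emits a literal ${...} IAM policy variable.
              - Sid: ListOwnPrefixOnly
                Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${UserDataBucket}"
                Condition:
                  StringLike:
                    "s3:prefix":
                      - "private/${cognito-identity.amazonaws.com:sub}/"
                      - "private/${cognito-identity.amazonaws.com:sub}/*"
              - Sid: ReadWriteOwnObjects
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub "arn:aws:s3:::${UserDataBucket}/private/${!cognito-identity.amazonaws.com:sub}/*"
              # Cognito Sync datasets, again limited to the caller's own
              # identity rather than the console default of Resource "*".
              - Sid: SyncOwnDatasetsOnly
                Effect: Allow
                Action: cognito-sync:*
                Resource: !Sub "arn:aws:cognito-sync:${AWS::Region}:${AWS::AccountId}:identitypool/${IdentityPoolId}/identity/${!cognito-identity.amazonaws.com:sub}/*"

Outputs:
  AuthenticatedRoleArn:
    Description: Attach this ARN as the identity pool's authenticated role
    Value: !GetAtt CognitoAuthenticatedRole.Arn
```

Two checks worth making once the role is attached to the identity pool: fetch credentials for two different test users and confirm that each one gets AccessDenied when it lists or reads the other user's `private/` prefix, and confirm that credentials obtained as an unauthenticated (guest) identity cannot assume this role at all. Keeping "generate client secret" off for the browser app client, as the video does, is consistent with this design: a secret embedded in JavaScript served to users is not a secret, so the real boundary is the role above, not the app client.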