A Cognito Federated Identity (identity pool) authentication flow for obtaining AWS credentials has two forms: the classic flow and the enhanced flow. Both begin the same way and differ in who calls STS and who chooses the IAM role.
Classic flow can be summarized as follows:
- The user logs in with an external IdP such as Amazon, Google, or Facebook
- The IdP returns an OAuth 2.0 or OpenID Connect token
- The client calls Cognito's GetId with that token to obtain an identity ID, then calls GetOpenIdToken with the identity ID and the same IdP token
- Cognito validates the IdP token with the IdP and, if it is valid, returns an OpenID Connect token issued by Cognito
- The client calls STS AssumeRoleWithWebIdentity, passing the Cognito token and the ARN of the role it wants to assume; because the client picks the role, the role's trust policy must restrict the cognito-identity.amazonaws.com:aud claim to this identity pool, or any pool could assume it
- STS validates the token against the role's trust policy and returns temporary credentials (access key ID, secret access key, and session token)
- The client can now use the temporary credentials to access AWS services
Enhanced flow can be summarized as follows:
- The user logs in with an external IdP such as Amazon, Google, or Facebook
- The IdP returns an OAuth 2.0 or OpenID Connect token
- The client calls Cognito's GetId with that token to obtain an identity ID
- The client calls Cognito's GetCredentialsForIdentity with the identity ID and the IdP token
- Cognito validates the IdP token with the IdP, selects the role configured on the identity pool (the authenticated or unauthenticated role, or one chosen by rule-based role mapping), calls STS on the client's behalf, and returns temporary credentials (access key ID, secret key, and session token)
- The client can now use the temporary credentials to access AWS services
We followed the enhanced flow in this recipe. AWS recommends it, and the classic flow is only available on an identity pool where it has been explicitly enabled (the AllowClassicFlow setting).
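To make the two call sequences concrete, here is an added example that is not part of the recipe. The classic_flow and enhanced_flow functions use the boto3 method names, keyword arguments and response keys of the cognito-identity and sts clients, so they can be given real boto3 clients; the FakeCognito and FakeSts classes are constructed stand-ins so the example runs offline, and the identity pool ID, role ARN, Google token and credential values are made up.

```python
# Added illustration of the two identity-pool flows (not the recipe's code).
# Flow functions use boto3's method names, keyword arguments and response keys
# for the 'cognito-identity' and 'sts' clients; the Fake* classes are stand-ins.
from datetime import datetime, timedelta, timezone

# Constructed sample values (assumptions, not from the recipe).
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
ROLE_ARN = "arn:aws:iam::123456789012:role/Cognito_ExampleAuth_Role"
GOOGLE_PROVIDER = "accounts.google.com"  # the Logins key Cognito uses for Google
GOOGLE_ID_TOKEN = "eyJhbGciOi.example.google-id-token"


def _normalise(access_key, secret, session_token, expiration):
    """Both flows end with the same triple; the session token is not optional."""
    if not session_token:
        raise ValueError("temporary credentials without a session token are unusable")
    return {"aws_access_key_id": access_key, "aws_secret_access_key": secret,
            "aws_session_token": session_token, "expiration": expiration}


def classic_flow(cognito, sts, identity_pool_id, logins, role_arn):
    """GetId -> GetOpenIdToken -> STS AssumeRoleWithWebIdentity (client picks the role)."""
    identity_id = cognito.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    # Cognito validates the IdP token and mints its own OpenID Connect token.
    oidc_token = cognito.get_open_id_token(IdentityId=identity_id, Logins=logins)["Token"]
    creds = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="cognito-classic-flow", WebIdentityToken=oidc_token,
    )["Credentials"]
    return _normalise(creds["AccessKeyId"], creds["SecretAccessKey"],
                      creds["SessionToken"], creds["Expiration"])


def enhanced_flow(cognito, identity_pool_id, logins):
    """GetId -> GetCredentialsForIdentity; Cognito picks the role and calls STS itself."""
    identity_id = cognito.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = cognito.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    # Cognito spells the secret "SecretKey" here, unlike STS's "SecretAccessKey".
    return _normalise(creds["AccessKeyId"], creds["SecretKey"],
                      creds["SessionToken"], creds["Expiration"])


class FakeCognito:
    """Constructed stand-in for boto3.client('cognito-identity'); records calls."""
    def __init__(self, accepted_logins):
        self.accepted_logins = accepted_logins  # {provider: token} the IdP would confirm
        self.calls = []

    def _validate(self, logins):  # the real service does this by asking the IdP
        for provider, token in logins.items():
            if self.accepted_logins.get(provider) != token:
                raise PermissionError(f"NotAuthorizedException: invalid token for {provider}")

    def get_id(self, IdentityPoolId, Logins):
        self.calls.append("GetId")
        self._validate(Logins)
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":11111111-2222-3333-4444-555555555555"}

    def get_open_id_token(self, IdentityId, Logins):
        self.calls.append("GetOpenIdToken")
        self._validate(Logins)
        return {"IdentityId": IdentityId, "Token": "cognito-oidc:" + IdentityId}

    def get_credentials_for_identity(self, IdentityId, Logins):
        self.calls.append("GetCredentialsForIdentity")
        self._validate(Logins)
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIAENHANCEDEXAMPLE", "SecretKey": "enhanced-secret",
            "SessionToken": "enhanced-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)}}


class FakeSts:
    """Constructed stand-in for boto3.client('sts'); accepts only Cognito-minted tokens."""
    def __init__(self):
        self.calls = []

    def assume_role_with_web_identity(self, RoleArn, RoleSessionName, WebIdentityToken):
        self.calls.append("AssumeRoleWithWebIdentity")
        if not WebIdentityToken.startswith("cognito-oidc:"):
            raise PermissionError("InvalidIdentityToken")
        return {"AssumedRoleUser": {"Arn": RoleArn}, "Credentials": {
            "AccessKeyId": "ASIACLASSICEXAMPLE", "SecretAccessKey": "classic-secret",
            "SessionToken": "classic-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)}}


def demo():
    """Run both flows against the fakes and report which API calls each one made."""
    logins = {GOOGLE_PROVIDER: GOOGLE_ID_TOKEN}
    cognito, sts = FakeCognito(logins), FakeSts()
    classic = classic_flow(cognito, sts, IDENTITY_POOL_ID, logins, ROLE_ARN)
    classic_calls = cognito.calls + sts.calls
    cognito, sts = FakeCognito(logins), FakeSts()
    enhanced = enhanced_flow(cognito, IDENTITY_POOL_ID, logins)
    enhanced_calls = cognito.calls + sts.calls
    try:  # a forged IdP token must be refused at the first Cognito call
        enhanced_flow(FakeCognito(logins), IDENTITY_POOL_ID, {GOOGLE_PROVIDER: "forged"})
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return {"classic": classic, "classic_calls": classic_calls,
            "enhanced": enhanced, "enhanced_calls": enhanced_calls,
            "forged_rejected": forged_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the classic flow issuing three calls (GetId, GetOpenIdToken, AssumeRoleWithWebIdentity) and the enhanced flow two (GetId, GetCredentialsForIdentity), with no STS call from the client. Two details worth keeping in mind when swapping in real clients: the Logins key must be the provider name Cognito expects (accounts.google.com, graph.facebook.com, www.amazon.com, or cognito-idp.<region>.amazonaws.com/<user pool ID> for a user pool), and every credential set must carry the session token, since an access key and secret from STS are rejected without it.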