Cognito is AWS's service for managing user authentication and access control. Although it was originally associated with AWS's mobile backend-as-a-service (MBaaS) offering, it has recently gained the attention of the serverless crowd, who are looking for ways to offload user management to a service provider. Cognito solves this problem by providing a fully-managed, scalable and cost-effective sign-up/sign-in service, but at the cost of a steep learning curve. One reason for this is that Cognito is actually two services, User Pools and Identity Pools (a.k.a. Federated Identities), that look similar on the surface but are quite different under the hood. Both sit between your application and its users, but they address different halves of the problem: a User Pool is an identity provider that signs users up and in and issues tokens proving who they are, while an Identity Pool exchanges a proof of identity (from a User Pool or another provider) for temporary AWS credentials scoped by an IAM role. They can be used separately or together, which provides flexibility but is also a source of confusion.
In this article, we'll provide a gentle introduction to User Pools and Identity Pools, including the nuanced relationship between them. Before we dive in, however, we first need to cover two core security concepts: authentication vs. authorization, and identity providers.