AWS Cognito for Secure User Authentication in Django
AWS Cognito for Secure User Authentication in Django
Introduction to AWS Cognito Integration with Python
Amazon Web Services (AWS) Cognito is a robust user management service that plays a pivotal role in modern software architecture. Building a user authentication system from the ground up, ensuring scalability, and fortifying Single Sign-On (SSO) security can be challenging and resource-intensive. AWS Cognito steps in to streamline these processes and offers seamless accessibility across various platforms.
In this comprehensive guide, we will explore the essential features and steps to integrate AWS Cognito with a Django web application and frontend. This integration not only simplifies user management but also enhances the security and scalability of your application. Let’s delve into the key points of what AWS Cognito has to offer:
Key Features of AWS Cognito
- Cognito User Pools:
- Enable user sign-in functionality for your application.
- Seamlessly integrate with API Gateway and Application Load Balancer.
 
- Cognito Identity Pools (Federated Identity):
- Provide AWS credentials directly to users, granting access to AWS resources.
- Integrate with Cognito User Pools as an identity provider for authentication.
 
Cognito User Pools (CUP) – User Features
- Create a serverless user database for your web and mobile apps.
- Simplify user login with options for username/email and password combinations.
- Offer password reset functionality.
- Verify user identities through email and phone number verification.
- Implement Multi-Factor Authentication (MFA) for added security.
- Federated Identities: Support users from external identity providers like Facebook, Google, and SAML.
- Feature: Detect and block users with compromised credentials.
- User logins generate JSON Web Tokens (JWTs) for secure authentication.

Let’s Connect AWS Cognito with Your Django App and Frontend
Prerequisites
Before you embark on this integration journey, ensure you have the following in place:
- An AWS account.
- A Django web application up and running.
- The “python-jose” library installed.
- The AWS Command Line Interface (CLI) set up.
Setting Up AWS Cognito User Pool
There are two types of users in Cognito: user pools and identity pools. To maintain custom users, we will focus on user pools. Here’s how to set up an Amazon Cognito User Pool:
- Sign in to the AWS Management Console.
- Open the Amazon Cognito service.
- Create a new user pool.
- Configure the user pool settings, such as password policies and MFA options, to align with your project’s requirements.
- Define custom user attributes, such as profile pictures and user roles, according to your project’s needs.
- Create app clients for both your web and mobile apps to authenticate and authorize users across different platforms.
- Configure authentication flows for your user pool, including username/password, social identity providers (e.g., Google, Facebook), or identity federation with other systems.
Integrating AWS Cognito into Your Web App
To seamlessly integrate Amazon Cognito into your web app, you can use either the AWS Amplify library or the Cognito SDK. This integration empowers users to sign up, sign in, and manage their profiles securely.
Connect AWS cognito with your django app
- Install the necessary libraries:
- pip install boto3
- pip install python-jose
 
- Create a custom Django middleware that intercepts incoming API requests and validates Cognito tokens included in the request headers.
- In the middleware, validate Cognito tokens by decoding and verifying their signatures using libraries like python-jose.
- Implement user mapping.
- User mapping is optional, we can sync users details in our DB using Lamda also on cognito triggers. But sync user becomes handy when we want use django user model utils internally. It totally depends on our requirement.
- After successful token validation, map the Cognito user to a user in your Django database. You can use the Cognito user’s unique identifier (sub) to identify the corresponding Django user.
- cognito_auth.py
- 
		1234567891011121314151617181920212223242526272829303132333435363738394041from django.contrib.auth.backends import BaseBackendfrom django.contrib.auth import get_user_modelfrom jose.backends.cryptography_backend import CryptographyBackendfrom jose.constants import ALGORITHMSimport jose.jwtUser = get_user_model()class CognitoAuthenticationBackend(BaseBackend):def authenticate(self, request, id_token=None):if not id_token:return None # No ID token provided# Verify and decode the ID token using jose.jwt librarytry:claims = jose.jwt.decode(id_token,'YOUR_COGNITO_APP_CLIENT_SECRET',algorithms=ALGORITHMS.RS256,audience='YOUR_COGNITO_APP_CLIENT_ID')# Get the sub (subject) claim from the ID tokensub = claims.get('sub')# Find or create a Django user that corresponds to the Cognito useruser, created = User.objects.get_or_create(username=sub)# You can associate additional user data here if needed# Example: user.profile = ...return userexcept (jose.exceptions.JWTError, User.DoesNotExist):return None # Authentication faileddef get_user(self, user_id):try:return User.objects.get(pk=user_id)except User.DoesNotExist:return None
- settings.py
- 
		1234AUTHENTICATION_BACKENDS = [# ...'your_app.cognito_auth.CognitoAuthenticationBackend',]
- your_view.py
- 
		123456789101112from django.contrib.auth import authenticate, logindef cognito_login_view(request):id_token = request.POST.get('id_token') # Get the ID token from the frontenduser = authenticate(request, id_token=id_token)if user:login(request, user)# Redirect or respond accordingly upon successful authenticationreturn HttpResponse('Authenticated')else:# Handle authentication failurereturn HttpResponse('Authentication failed')
 
- Django Authentication:
- Authenticate the user in Django using your preferred authentication method (e.g., Django’s built-in authentication system, custom authentication backends, or OAuth).
- Create a Django user session or issue a JWT token for authenticated users to maintain their session.
 
- API Access Control:
- Implement access control in your Django views or viewsets based on the user’s authentication status and permissions.
 
Connect AWS cognito with your frontend app
Cognito exposes apis directly from aws, We can use our server as an intermediate also.
- User Sign-In (Log In):
- POST: https://your-user-pool-domain.auth.your-region.amazoncognito.com/login
- This endpoint is used for user login (sign-in). Users provide their username/email and password. After successful authentication, the user receives Cognito tokens (ID Token, Access Token, Refresh Token).
 
- POST: 
- User Sign-Up (Registration):
- POST: https://your-user-pool-domain.auth.your-region.amazoncognito.com/signup
- This endpoint is used for user registration (sign-up). Users provide their registration details, including username/email and password. After successful registration, the user can log in.
 
- POST: 
- Password Reset (Forgot Password):
- POST:https://your-user-pool-domain.auth.your-region.amazoncognito.com/forgotPassword
- This endpoint allows users to initiate a password reset by providing their username or email address. Cognito will send a password reset code to the user’s email address, allowing them to create a new password.
 
- Token Refresh (Refresh Token):
- After the initial login, users can use the Refresh Token to obtain a new Access Token without requiring them to re-enter their credentials. This process is typically handled by the Amazon Cognito SDK used in your frontend application.
 
- Decoding a ID Token: JWT – JSON Web Token:
- CUP issues JWT tokens (Base64 encoded): Header, Payload, Signature
- The signature must be verified to ensure the JWT can be trusted
- Libraries can help you verify the validity of JWT tokens issued by Cognito User Pools
- The payload will contain the user information(sub UUID, given_name, email, phone_number, attributes…)
 
 
Do you really need AWS Cognito for your project?
Well, with extra features and convenience there is an extra cost. Cognito makes our lives easier but it’s not needed everywhere. Let’s discuss where we need to integrate it and where we should avoid it.
Consider Using AWS Cognito When:
- Cross-Platform Compatibility: If your project involves multiple platforms (e.g., web, mobile) and you want a unified authentication system across all of them, Cognito can provide a consistent authentication experience.
- Scalability: If your application is expected to grow rapidly or has variable user loads, Cognito’s managed scalability can be beneficial, as it automatically scales to handle increased authentication requests.
- Third-Party Identity Providers: If you want to allow users to sign in using social identity providers like Google, Facebook, or Amazon, Cognito simplifies the integration of these external authentication systems.
- User Federation: When you need to federate user identities with other identity providers or systems (e.g., SAML-based Single Sign-On), Cognito supports this functionality.
- Multi-Factor Authentication (MFA): Cognito provides built-in support for MFA, making it easier to implement an extra layer of security for your users.
- Global Reach: If your application serves a global audience and you need to handle internationalization and localization of authentication, Cognito provides tools for this purpose.
- Cognito User Pools for User Management: If your project requires user registration, authentication, and profile management features, Cognito’s User Pools offer these functionalities out of the box.
Consider Using Only Django User Management When:
- Simplicity and Control: If your project is relatively small and you prefer to have fine-grained control over the user management process without relying on external services, Django’s built-in user management system may be sufficient.
- Backend-Focused: If your project primarily serves as a backend API without the need for user authentication on multiple platforms, you might choose to rely solely on Django’s authentication system.
- Custom Authentication Requirements: When your application has very specific authentication requirements or uses a different authentication method not supported by Cognito, Django’s flexibility allows you to implement custom authentication logic.
- Minimized Complexity: If you want to keep your project as simple as possible and avoid introducing additional AWS services and dependencies, you might opt for Django’s user management.
Conclusion
In the world of modern web development, ensuring robust user authentication and identity management is paramount. For Django developers seeking a scalable, secure, and cross-platform solution, Amazon Cognito emerges as a valuable ally.
Amazon Cognito seamlessly integrates with Django applications, offering a plethora of advantages. It simplifies user registration, login, and profile management, streamlines multi-factor authentication, and enables third-party identity provider integration. With Cognito, developers can focus on building application features while relying on a managed authentication service backed by Amazon Web Services.
However, the choice to use Amazon Cognito isn’t one-size-fits-all. Smaller, backend-focused projects may find Django’s native user management sufficient, while larger, multi-platform applications will benefit from Cognito’s scalability and cross-platform compatibility.
Ultimately, the decision should align with your project’s specific needs and scalability requirements. Amazon Cognito stands as a robust solution in the realm of user authentication, offering a bridge between Django’s powerful framework and the world of modern, secure identity management.
References
Related content
Auriga: Leveling Up for Enterprise Growth!
Auriga’s journey began in 2010 crafting products for India’s

