AWS Cognito for Secure User Authentication in Django

Introduction to AWS Cognito Integration with Python

Amazon Web Services (AWS) Cognito is a robust user management service that plays a pivotal role in modern software architecture. Building a user authentication system from the ground up, ensuring scalability, and fortifying Single Sign-On (SSO) security can be challenging and resource-intensive. AWS Cognito steps in to streamline these processes and offers seamless accessibility across various platforms.

In this comprehensive guide, we will explore the essential features and steps to integrate AWS Cognito with a Django web application and frontend. This integration not only simplifies user management but also enhances the security and scalability of your application. Let’s delve into the key points of what AWS Cognito has to offer:

Key Features of AWS Cognito

• Cognito User Pools:
  • Enable user sign-in functionality for your application.
  • Seamlessly integrate with API Gateway and Application Load Balancer.
• Cognito Identity Pools (Federated Identity):
  • Provide AWS credentials directly to users, granting access to AWS resources.
  • Integrate with Cognito User Pools as an identity provider for authentication.

Cognito User Pools (CUP) – User Features

• Create a serverless user database for your web and mobile apps.
• Simplify user login with options for username/email and password combinations.
• Offer password reset functionality.
• Verify user identities through email and phone number verification.
• Implement Multi-Factor Authentication (MFA) for added security.
• Federated Identities: Support users from external identity providers like Facebook, Google, and SAML.
• Feature: Detect and block users with compromised credentials.
• User logins generate JSON Web Tokens (JWTs) for secure authentication.

Let’s Connect AWS Cognito with Your Django App and Frontend

Prerequisites

Before you embark on this integration journey, ensure you have the following in place:

• An AWS account.
• A Django web application up and running.
• The “python-jose” library installed.
• The AWS Command Line Interface (CLI) set up.

Setting Up AWS Cognito User Pool

There are two types of users in Cognito: user pools and identity pools. To maintain custom users, we will focus on user pools. Here’s how to set up an Amazon Cognito User Pool:

1. Sign in to the AWS Management Console.
2. Open the Amazon Cognito service.
3. Create a new user pool.
4. Configure the user pool settings, such as password policies and MFA options, to align with your project’s requirements.
5. Define custom user attributes, such as profile pictures and user roles, according to your project’s needs.
6. Create app clients for both your web and mobile apps to authenticate and authorize users across different platforms.
7. Configure authentication flows for your user pool, including username/password, social identity providers (e.g., Google, Facebook), or identity federation with other systems.

Integrating AWS Cognito into Your Web App

To seamlessly integrate Amazon Cognito into your web app, you can use either the AWS Amplify library or the Cognito SDK. This integration empowers users to sign up, sign in, and manage their profiles securely.

Connect AWS cognito with your django app

1. Install the necessary libraries:
   • pip install boto3
   • pip install python-jose
2. Create a custom Django middleware that intercepts incoming API requests and validates Cognito tokens included in the request headers.
3. In the middleware, validate Cognito tokens by decoding and verifying their signatures using libraries like python-jose.
4. Implement user mapping.
   • User mapping is optional, we can sync users details in our DB using Lamda also on cognito triggers. But sync user becomes handy when we want use django user model utils internally. It totally depends on our requirement.
   • After successful token validation, map the Cognito user to a user in your Django database. You can use the Cognito user’s unique identifier (sub) to identify the corresponding Django user.
   • cognito_auth.py
   • cognito_config.py

     Python

     from django.contrib.auth.backends import BaseBackend from django.contrib.auth import get_user_model from jose.backends.cryptography_backend import CryptographyBackend from jose.constants import ALGORITHMS import jose.jwt User = get_user_model() class CognitoAuthenticationBackend(BaseBackend): def authenticate(self, request, id_token=None): if not id_token: return None # No ID token provided # Verify and decode the ID token using jose.jwt library try: claims = jose.jwt.decode( id_token, 'YOUR_COGNITO_APP_CLIENT_SECRET', algorithms=ALGORITHMS.RS256, audience='YOUR_COGNITO_APP_CLIENT_ID' ) # Get the sub (subject) claim from the ID token sub = claims.get('sub') # Find or create a Django user that corresponds to the Cognito user user, created = User.objects.get_or_create(username=sub) # You can associate additional user data here if needed # Example: user.profile = ... return user except (jose.exceptions.JWTError, User.DoesNotExist): return None # Authentication failed def get_user(self, user_id): try: return User.objects.get(pk=user_id) except User.DoesNotExist: return None

     1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41

     from django.contrib.auth.backends import BaseBackend from django.contrib.auth import get_user_model from jose.backends.cryptography_backend import CryptographyBackend from jose.constants import ALGORITHMS import jose.jwt   User = get_user_model()   class CognitoAuthenticationBackend(BaseBackend):     def authenticate(self, request, id_token=None):         if not id_token:             return None  # No ID token provided           # Verify and decode the ID token using jose.jwt library         try:             claims = jose.jwt.decode(                 id_token,                 'YOUR_COGNITO_APP_CLIENT_SECRET',                 algorithms=ALGORITHMS.RS256,                 audience='YOUR_COGNITO_APP_CLIENT_ID'             )               # Get the sub (subject) claim from the ID token             sub = claims.get('sub')               # Find or create a Django user that corresponds to the Cognito user             user, created = User.objects.get_or_create(username=sub)               # You can associate additional user data here if needed             # Example: user.profile = ...               return user           except (jose.exceptions.JWTError, User.DoesNotExist):             return None  # Authentication failed       def get_user(self, user_id):         try:             return User.objects.get(pk=user_id)         except User.DoesNotExist:             return None

   • settings.py
   • settings.py

     Python

     AUTHENTICATION_BACKENDS = [ # ... 'your_app.cognito_auth.CognitoAuthenticationBackend', ]

     1 2 3 4

     AUTHENTICATION_BACKENDS = [     # ...     'your_app.cognito_auth.CognitoAuthenticationBackend', ]

   • your_view.py
   • views.py

     Python

     from django.contrib.auth import authenticate, login def cognito_login_view(request): id_token = request.POST.get('id_token') # Get the ID token from the frontend user = authenticate(request, id_token=id_token) if user: login(request, user) # Redirect or respond accordingly upon successful authentication return HttpResponse('Authenticated') else: # Handle authentication failure return HttpResponse('Authentication failed')

     1 2 3 4 5 6 7 8 9 10 11 12

     from django.contrib.auth import authenticate, login   def cognito_login_view(request):     id_token = request.POST.get('id_token')  # Get the ID token from the frontend     user = authenticate(request, id_token=id_token)     if user:         login(request, user)         # Redirect or respond accordingly upon successful authentication         return HttpResponse('Authenticated')     else:         # Handle authentication failure         return HttpResponse('Authentication failed')

5. Django Authentication:
   • Authenticate the user in Django using your preferred authentication method (e.g., Django’s built-in authentication system, custom authentication backends, or OAuth).
   • Create a Django user session or issue a JWT token for authenticated users to maintain their session.
6. API Access Control:
   • Implement access control in your Django views or viewsets based on the user’s authentication status and permissions.

Connect AWS cognito with your frontend app

Cognito exposes apis directly from aws, We can use our server as an intermediate also.

1. User Sign-In (Log In):
   • POST: https://your-user-pool-domain.auth.your-region.amazoncognito.com/login
   • This endpoint is used for user login (sign-in). Users provide their username/email and password. After successful authentication, the user receives Cognito tokens (ID Token, Access Token, Refresh Token).
2. User Sign-Up (Registration):
   • POST: https://your-user-pool-domain.auth.your-region.amazoncognito.com/signup
   • This endpoint is used for user registration (sign-up). Users provide their registration details, including username/email and password. After successful registration, the user can log in.
3. Password Reset (Forgot Password):
   • POST:https://your-user-pool-domain.auth.your-region.amazoncognito.com/forgotPassword
   • This endpoint allows users to initiate a password reset by providing their username or email address. Cognito will send a password reset code to the user’s email address, allowing them to create a new password.
4. Token Refresh (Refresh Token):
   • After the initial login, users can use the Refresh Token to obtain a new Access Token without requiring them to re-enter their credentials. This process is typically handled by the Amazon Cognito SDK used in your frontend application.
5. Decoding a ID Token: JWT – JSON Web Token:
   • CUP issues JWT tokens (Base64 encoded): Header, Payload, Signature 
   • The signature must be verified to ensure the JWT can be trusted 
   • Libraries can help you verify the validity of JWT tokens issued by Cognito User Pools
   • The payload will contain the user information(sub UUID, given_name, email, phone_number, attributes…)
   • 

Do you really need AWS Cognito for your project?

Well, with extra features and convenience there is an extra cost. Cognito makes our lives easier but it’s not needed everywhere. Let’s discuss where we need to integrate it and where we should avoid it.

Consider Using AWS Cognito When:

1. Cross-Platform Compatibility: If your project involves multiple platforms (e.g., web, mobile) and you want a unified authentication system across all of them, Cognito can provide a consistent authentication experience.
2. Scalability: If your application is expected to grow rapidly or has variable user loads, Cognito’s managed scalability can be beneficial, as it automatically scales to handle increased authentication requests.
3. Third-Party Identity Providers: If you want to allow users to sign in using social identity providers like Google, Facebook, or Amazon, Cognito simplifies the integration of these external authentication systems.
4. User Federation: When you need to federate user identities with other identity providers or systems (e.g., SAML-based Single Sign-On), Cognito supports this functionality.
5. Multi-Factor Authentication (MFA): Cognito provides built-in support for MFA, making it easier to implement an extra layer of security for your users.
6. Global Reach: If your application serves a global audience and you need to handle internationalization and localization of authentication, Cognito provides tools for this purpose.
7. Cognito User Pools for User Management: If your project requires user registration, authentication, and profile management features, Cognito’s User Pools offer these functionalities out of the box.

Consider Using Only Django User Management When:

1. Simplicity and Control: If your project is relatively small and you prefer to have fine-grained control over the user management process without relying on external services, Django’s built-in user management system may be sufficient.
2. Backend-Focused: If your project primarily serves as a backend API without the need for user authentication on multiple platforms, you might choose to rely solely on Django’s authentication system.
3. Custom Authentication Requirements: When your application has very specific authentication requirements or uses a different authentication method not supported by Cognito, Django’s flexibility allows you to implement custom authentication logic.
4. Minimized Complexity: If you want to keep your project as simple as possible and avoid introducing additional AWS services and dependencies, you might opt for Django’s user management.

Conclusion

In the world of modern web development, ensuring robust user authentication and identity management is paramount. For Django developers seeking a scalable, secure, and cross-platform solution, Amazon Cognito emerges as a valuable ally.

Amazon Cognito seamlessly integrates with Django applications, offering a plethora of advantages. It simplifies user registration, login, and profile management, streamlines multi-factor authentication, and enables third-party identity provider integration. With Cognito, developers can focus on building application features while relying on a managed authentication service backed by Amazon Web Services.

However, the choice to use Amazon Cognito isn’t one-size-fits-all. Smaller, backend-focused projects may find Django’s native user management sufficient, while larger, multi-platform applications will benefit from Cognito’s scalability and cross-platform compatibility.

Ultimately, the decision should align with your project’s specific needs and scalability requirements. Amazon Cognito stands as a robust solution in the realm of user authentication, offering a bridge between Django’s powerful framework and the world of modern, secure identity management.

References

Documentation

API Reference