
Amazon Cognito

What it is

Amazon Cognito is AWS's managed identity service — user directory + OIDC/OAuth-compatible authentication for web / mobile / machine-to-machine clients. Issues JWTs (ID + access + refresh tokens); supports federation (SAML, OIDC, enterprise IdPs like Okta); supports the OAuth client-credentials flow for service-to-service.

Core constructs

  • User pool — a directory of end-user identities. Supports email/password, SMS MFA, social IdP federation, SAML/OIDC federation.
  • Machine-to-machine user pool — user-pool variant that issues tokens via OAuth client-credentials to services (not end-users).
  • Identity pool — separate construct for issuing temporary AWS credentials to authenticated users (not used in the Convera article).
  • Pre-token-generation Lambda trigger — a hook Cognito invokes between authentication and token issuance, allowing custom attributes to be added/modified in the access token and/or ID token. See patterns/pre-token-generation-hook.

Token shape

Of the tokens Cognito issues on authentication, two carry claims that downstream services evaluate:

  • ID token — OIDC identity assertion. Carries claims about who the user is (sub, email, custom identity attributes).
  • Access token — OAuth authorization grant. Carries claims about what the user is allowed to do (cognito:groups, custom authorization attributes).

The pre-token-generation hook typically customizes the access token with authorization-relevant attributes fetched from an application database, so downstream authorizers can evaluate without a second round-trip.

Why it appears with Verified Permissions

Convera's architecture uses Cognito as the identity + token issuer and Amazon Verified Permissions (AVP) as the authorization engine. AVP's IsAuthorizedWithToken API natively understands Cognito JWTs — it maps token claims to Cedar principal attributes. The pairing is explicitly called out in the AWS Architecture Blog as one of the reasons Convera chose AVP: "Direct integration with AWS services like Amazon Cognito and Amazon API Gateway." (Source: sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization)

Flows used in Convera

  • Customer-facing: Cognito user pool, users log in directly, pre-token hook reads roles from RDS and enriches the JWT.
  • Internal users: Cognito user pool federates from Okta, pre-token hook reads attributes from DynamoDB and customizes the access token.
  • Machine-to-machine: separate m2m user pool, OAuth client-credentials grant, access tokens carry service identifier, tier, allowed operations, rate limits.
  • Multi-tenant: per-tenant Cognito pool with a custom tenant_id attribute; pre-token hook looks up user_id → tenant_id in DynamoDB and injects tenant_id as a JWT claim.
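The enrichment step shared by the internal-user and multi-tenant flows above, as an added example that is not Convera's or AWS's code: a pre-token-generation Lambda handler that looks the user up by `sub` and injects `tenant_id` and roles into the access token. It assumes the V2_0 trigger event shape (`version` "2", `response.claimsAndScopeOverrideDetails.accessTokenGeneration.claimsToAddOrOverride`); `AUTHZ_TABLE` and `lookup_authz` are constructed stand-ins for the DynamoDB/RDS query.

```python
# Constructed stand-in for the DynamoDB/RDS authorization table, keyed by the
# immutable Cognito `sub` rather than a user-editable attribute such as email.
AUTHZ_TABLE = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {
        "tenant_id": "tenant-acme",
        "roles": ["payments:approver", "reports:viewer"],
    },
}


def lookup_authz(sub):
    """Return the authorization record for a user, or None if unknown.

    Hypothetical helper standing in for the real DynamoDB/RDS lookup.
    """
    return AUTHZ_TABLE.get(sub)


def handler(event, context=None):
    """Pre-token-generation hook: add tenant_id and roles to the access token.

    Raising from the trigger makes Cognito fail the authentication, which is the
    fail-closed behaviour wanted here: no authorization record, no token.
    """
    if event.get("version") != "2":
        # Only the V2_0 trigger can customize the access token. Refuse rather than
        # silently issue an unenriched token that authorizers would treat as unprivileged.
        raise ValueError("pre-token trigger must be configured as V2_0")

    # clientMetadata is caller-supplied and is deliberately ignored: claims are
    # derived only from the server-side record keyed by the verified `sub`.
    sub = event["request"]["userAttributes"]["sub"]
    record = lookup_authz(sub)
    if record is None:
        raise PermissionError(f"no authorization record for sub {sub}")

    # Claim values are kept to scalars (string here); the trigger also fires on
    # TokenGeneration_RefreshTokens, so a refresh re-runs the lookup and picks up
    # attribute changes made mid-session.
    event["response"]["claimsAndScopeOverrideDetails"] = {
        "accessTokenGeneration": {
            "claimsToAddOrOverride": {
                "tenant_id": record["tenant_id"],
                "roles": " ".join(record["roles"]),
            },
        },
    }
    return event
```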

Caveats

  • Cognito vs IAM: Cognito is application identity; IAM is AWS-resource identity. They interoperate but serve different purposes.
  • Pre-token hook is invoked per authentication, not per request — attributes fetched there are pinned for the life of the access token (typically minutes to hours). Attribute changes mid-session require token refresh.
  • Cognito has regional boundaries and per-pool user limits that are not discussed in the Convera source.
