
To me, it looks like 'AWS Cognito' is the 'IdentityServer of AWS'. I did a POC - created users through sign-up API calls. The users are created in the AWS Cognito User Pool and access tokens are returned. However, in order to relate things, I want to create the users in a user table in DynamoDB rather than in the User Pool.

Expected scenario:

1) New user --> Sign up --> AWS Cognito --> A new user record is added in DynamoDB --> Access token is returned by AWS Cognito

2) Existing active user --> Sign in --> AWS Cognito --> user details are retrieved from DynamoDB --> Access token is returned by AWS Cognito

Qn 1: Something similar to creating IdentityServer users in SQL Server DB tables. Can this be done in AWS Cognito? Can the User Pool be bypassed and the user data obtained from a DB? Even if not bypassed, can the user pool map its users from a DB table?

Qn 2: Where are the user pool users stored? Somewhere in a DB ultimately?

Note: The following question looks similar to mine but it is not answered yet:

User sessions and storing aws cognito users in local DB

MAK

1 Answer


The user pool cannot be bypassed in your scenario. You can however map your user to DynamoDB and can even restrict access using a custom policy. To use this policy, you must structure your DynamoDB table so the Cognito user ID is the partition key.

Simply add a Lambda trigger post sign-up and sign-in to add the user to DynamoDB. Add whatever you want except the password, as you can use Cognito to authenticate and then restrict row access by Cognito ID.

As for the second part of your question, Cognito has its own internal table. AWS has not specified what exactly they use, but I'd hazard a guess that it is NoSQL due to the flexibility of custom attributes.

Ninad Gaikwad
  • Thank you, let me try that. May I know where AWS stores the users in user pool ultimately? In a DB? Can we store additional custom user info viz., pin code in the user pool itself (not in DB)? – MAK Apr 03 '19 at 05:37
  • Cognito stores users in an internal table. AWS hasn't specified much more about this, but it is probably a NoSQL table. And yes, you can add custom attributes in the user pool. You can find this setting under attributes in the AWS console when you open the user pool settings. – Ninad Gaikwad Apr 03 '19 at 05:44
  • Yes! And we can add custom attributes even. So, I guess, leaving user storage to AWS Cognito is better. – MAK Apr 03 '19 at 05:47
  • //Simply add a lambda trigger post sign up and sign in to add the user to dynamoDB// Is there any chance of it failing? Do we have something like a transaction here? – MAK Apr 03 '19 at 05:48
  • If you need to retrieve this data often or want to perform some analytics as an admin, it would be better to use DynamoDB. If you just want to store and retrieve when the user logs in, then you can just use Cognito pool storage. – Ninad Gaikwad Apr 03 '19 at 05:49
  • The Lambda tries thrice if it runs into a failure. But it will be a simple add and retrieve operation on DynamoDB, so it shouldn't fail. Just test it out a bit. – Ninad Gaikwad Apr 03 '19 at 05:50
  • Sure, let me try. Thank you so much :) – MAK Apr 03 '19 at 05:51
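An added example (not code from the answer or from AWS) of the Post Confirmation trigger the answer describes: it copies the confirmed user's attributes into a DynamoDB row keyed by the Cognito `sub`, never sees the password, and, because Cognito retries a failing trigger as discussed in the comments, makes the write idempotent with a conditional put. The table name `Users`, the `userId` key attribute, the `custom:pincode` attribute and the sample event are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of the event Cognito passes to a Post Confirmation
# trigger, trimmed to the fields this handler reads.
SAMPLE_EVENT = {
    "triggerSource": "PostConfirmation_ConfirmSignUp",
    "userName": "jane",
    "request": {
        "userAttributes": {
            "sub": "11111111-2222-3333-4444-555555555555",  # constructed
            "email": "jane@example.com",
            "custom:pincode": "560001",
        }
    },
    "response": {},
}

TABLE_NAME = "Users"  # assumed table; its partition key attribute is "userId"

def build_item(event):
    """Map Cognito attributes to a DynamoDB item keyed by the immutable sub."""
    attrs = event["request"]["userAttributes"]
    return {
        "userId": attrs["sub"],  # partition key = Cognito user id
        "username": event["userName"],
        "email": attrs.get("email", ""),
        "pincode": attrs.get("custom:pincode", ""),
        # the password never reaches the trigger; Cognito keeps it
        "createdAt": datetime.now(timezone.utc).isoformat(),
    }

def is_conditional_check_failure(err):
    """botocore's ClientError carries the DynamoDB error code in .response."""
    code = getattr(err, "response", {}).get("Error", {}).get("Code")
    return code == "ConditionalCheckFailedException"

def lambda_handler(event, context, put_item=None):
    """Post Confirmation trigger; put_item is injectable for offline tests."""
    if put_item is None:
        import boto3  # present in the Lambda Python runtime
        put_item = boto3.resource("dynamodb").Table(TABLE_NAME).put_item
    # Cognito retries a failing trigger, so the write must be idempotent: the
    # condition refuses to overwrite a row that an earlier attempt created.
    try:
        put_item(Item=build_item(event), ConditionExpression="attribute_not_exists(userId)")
    except Exception as err:
        if not is_conditional_check_failure(err):
            raise  # any other error fails the sign-up so the client can retry
    return event  # Cognito requires the (unmodified) event back
```

The row-level IAM policy the answer refers to compares `dynamodb:LeadingKeys` against `${cognito-identity.amazonaws.com:sub}`, which is the identity pool's identity id rather than the user pool `sub`; choose the partition key that matches whichever id your policy checks.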