AWS cognito documentation change
Summary
Restructured documentation with expanded explanations of managed login, SDK integration, API operations, and configuration requirements. Added details about token exchange flows and Lambda trigger configuration limitations.
Security assessment
Changes focus on improving documentation structure and clarifying implementation details rather than addressing security vulnerabilities. While mentions of authentication flows and Lambda triggers have security implications, there's no evidence of addressing specific vulnerabilities or introducing new security features.
Diff
diff --git a/cognito/latest/developerguide/cognito-integrate-apps.md b/cognito/latest/developerguide/cognito-integrate-apps.md index bd83b4776..accee185a 100644 --- a//cognito/latest/developerguide/cognito-integrate-apps.md +++ b//cognito/latest/developerguide/cognito-integrate-apps.md @@ -9 +9,3 @@ Authentication with AWS AmplifyAuthentication with AWS SDKs -The lowest-effort integration you can create with Amazon Cognito user pools is with [managed login](./cognito-terms.html#terms-managedlogin). User pool authentication with managed login requires OpenID Connect (OIDC) libraries that direct users to hosted sign-in pages. In this series of user-interactive and redirect web endpoints, Amazon Cognito handles the flow of authentication, including third-party sign-in, multi-factor authentication (MFA), and choosing an authentication flow. Your application only has to process the authentication outcome that Amazon Cognito returns in the response. +Implementation of Amazon Cognito is a mix of AWS Management Console or AWS SDK administrative tools, and SDK libraries in applications. The Amazon Cognito console is the visual interface for setup and management of your Amazon Cognito user pools and identity pools. + +The lowest-effort integration you can create with Amazon Cognito user pools is with [managed login](./cognito-terms.html#terms-managedlogin). Managed login is a ready-to-use web-based sign-in application for quick testing and deployment of Amazon Cognito user pools. User pool authentication with managed login requires OpenID Connect (OIDC) libraries that direct users to hosted sign-in pages. In this series of user-interactive and redirect web endpoints, Amazon Cognito handles the flow of authentication, including third-party sign-in, multi-factor authentication (MFA), and choosing an authentication flow. Your application only has to process the authentication outcome that Amazon Cognito returns in the response. @@ -13 +15 @@ You can also add an AWS SDK to your application, custom-build authentication int -###### Topics +For example, your app might invoke managed login for user sign-in, then call the token endpoint from your app code to exchange your user's authorization code for tokens. Then your app must interpret and store your user's tokens, and present them in the appropriate context for authentication and authorization. Amplify adds guided integration tools with built-in functions for these processes. @@ -15,3 +17 @@ You can also add an AWS SDK to your application, custom-build authentication int - * Authentication with AWS Amplify - - * Authentication with AWS SDKs +You can also build your Amazon Cognito resources entirely in code. Identity pools don't have the same managed authentication options as user pools—for access to AWS credentials in your applications, implement identity pools operations in imported SDK modules. To get started with your own custom-built application code, visit the Amazon Cognito [code examples](https://docs.aws.amazon.com/cognito/latest/developerguide/service_code_examples.html) for [AWS SDKs](https://aws.amazon.com/developer/tools/). For integration with the Amazon Cognito as an OpenID Connect identity provider, use [OpenID Connect developer tools](https://openid.net/certified-open-id-developer-tools/). @@ -19 +19 @@ You can also add an AWS SDK to your application, custom-build authentication int - * [How authentication works with Amazon Cognito](./cognito-how-to-authenticate.html) +Before you use Amazon Cognito authentication and authorization, choose an app platform and prepare your code to integrate with the service. For available platforms for AWS SDKs, see Authentication with AWS SDKs. The AWS CLI is a command-line SDK for Amazon Cognito and other AWS services, and is a valuable place to begin to familiarize yourself with Amazon Cognito API operations and their syntax. @@ -21 +21 @@ You can also add an AWS SDK to your application, custom-build authentication int - * [Using this service with an AWS SDK](./sdk-general-information-section.html) +###### Note @@ -23 +23 @@ You can also add an AWS SDK to your application, custom-build authentication int - * [Authorization with Amazon Verified Permissions](./amazon-cognito-authorization-with-avp.html) +Some components of Amazon Cognito can be configured only with the API. For example, you can only set a user pool [custom SMS or email sender](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html) Lambda trigger with a request that updates the `LambdaConfig` property of the [UserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolType.html) class in a [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) API request. @@ -24,0 +25 @@ You can also add an AWS SDK to your application, custom-build authentication int +The Amazon Cognito user pools API shares its namespace with several classes of API operations. One class configures user pools and their processes, identity providers and users. Another includes unauthenticated operations for your users in a public client to sign in, sign out, and manage their profiles. The final class of API operations performs user operations that you authorize with your own AWS credentials in a confidential server-side client. You must know your intended app architecture before you begin to implement app code. For more information, see [Understanding API, OIDC, and managed login pages authentication](./authentication-flows-public-server-side.html#user-pools-API-operations). @@ -25,0 +27 @@ You can also add an AWS SDK to your application, custom-build authentication int +###### Topics @@ -26,0 +29 @@ You can also add an AWS SDK to your application, custom-build authentication int + * Authentication with AWS Amplify @@ -28 +31 @@ You can also add an AWS SDK to your application, custom-build authentication int -Implementation of Amazon Cognito is a mix of AWS Management Console or AWS SDK administrative tools, and SDK libraries in applications. The Amazon Cognito console is the visual interface for setup and management of your Amazon Cognito user pools and identity pools. + * Authentication with AWS SDKs @@ -30 +33 @@ Implementation of Amazon Cognito is a mix of AWS Management Console or AWS SDK a -Managed login is a ready-to-use web-based sign-in application for quick testing and deployment of Amazon Cognito user pools. It requires configuration of OIDC libraries in your apps to interact with your user pools. For example, your app might invoke managed login for user sign-in, then call the token endpoint from your app code to exchange your user's authorization code for tokens. Then your app must interpret and store your user's tokens, and present them in the appropriate context for authentication and authorization. Amplify adds guided integration tools with built-in functions for these processes. + * [How authentication works with Amazon Cognito](./cognito-how-to-authenticate.html) @@ -32 +35 @@ Managed login is a ready-to-use web-based sign-in application for quick testing -You can also build your Amazon Cognito resources entirely in code. Identity pools don't have the same managed authentication options as user pools—for access to AWS credentials in your applications, implement identity pools operations in imported SDK modules. To get started with your own custom-built application code, visit the Amazon Cognito [code examples](https://docs.aws.amazon.com/cognito/latest/developerguide/service_code_examples.html) for [AWS SDKs](https://aws.amazon.com/developer/tools/). For integration with the Amazon Cognito as an OpenID Connect identity provider, use [OpenID Connect developer tools](https://openid.net/certified-open-id-developer-tools/). + * [Using this service with an AWS SDK](./sdk-general-information-section.html) @@ -34 +37 @@ You can also build your Amazon Cognito resources entirely in code. Identity pool -Before you use Amazon Cognito authentication and authorization, choose an app platform and prepare your code to integrate with the service. For available platforms for AWS SDKs, see Authentication with AWS SDKs. The AWS CLI is a command-line SDK for Amazon Cognito and other AWS services, and is a valuable place to begin to familiarize yourself with Amazon Cognito API operations and their syntax. + * [Authorization with Amazon Verified Permissions](./amazon-cognito-authorization-with-avp.html) @@ -36 +38,0 @@ Before you use Amazon Cognito authentication and authorization, choose an app pl -###### Note @@ -38 +39,0 @@ Before you use Amazon Cognito authentication and authorization, choose an app pl -Some components of Amazon Cognito can be configured only with the API. For example, you can only set a user pool [custom SMS or email sender](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sender-triggers.html) Lambda trigger with a request that updates the `LambdaConfig` property of the [UserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolType.html) class in a [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) API request. @@ -40 +40,0 @@ Some components of Amazon Cognito can be configured only with the API. For examp -The Amazon Cognito user pools API shares its namespace with several classes of API operations. One class configures user pools and their processes, identity providers and users. Another includes unauthenticated operations for your users in a public client to sign in, sign out, and manage their profiles. The final class of API operations performs user operations that you authorize with your own AWS credentials in a confidential server-side client. You must know your intended app architecture before you begin to implement app code. For more information, see [Understanding API, OIDC, and managed login pages authentication](./authentication-flows-public-server-side.html#user-pools-API-operations).