Reputation: 215
Is it possible to provide access control for resources other than AWS resources using Amazon Cognito? Assume that I have a REST API endpoint which has to be access controlled. How can I provide authorization for these endpoints using Amazon Cognito?
Upvotes: 1
Views: 663
Reputation: 11
Cognito Federated Identity service can create unique identities for your users and federate them with identity providers. With an identity, you can obtain temporary, limited-privilege AWS credentials to synchronize data with Amazon Cognito Sync, or directly access other AWS services. For more info, please refer here: http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
Therefore, Cognito Federated Identity service does not provide access control for non-AWS resources.
Upvotes: -1
Reputation: 19738
There are two types of Cognito services available, namely AWS Cognito UserPools and AWS Cognito Federated Identities.
AWS Cognito UserPools is an identity provider that supports Authentication for any application, internal or external to AWS.
Assume that I have a REST API endpoint which has to be access controlled. How can I provide authorization for these endpoints using Amazon Cognito?
You can configure AWS Cognito UserPools to issue a JWT token called id_token (if the openid scope is specified) that can be verified at an internal or external service. For more details on verifying the JWT token, refer to Using ID Tokens and Access Tokens in your Web APIs.
However, AWS Cognito Federated Identities are there to federate AWS resource access to external applications. This might not fit your use case.
Upvotes: 2