This pattern discusses how you can configure Amazon Cognito user pools and identity pools, and then enable an ASP.NET Core app to access AWS resources after successful authentication.
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. The two main components of Amazon Cognito are user pools and identity pools.
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers such as Google, Facebook, Amazon, or Apple, and through SAML identity providers.
Amazon Cognito identity pools (federated identities) enable you to create unique identities for your users and federate them with identity providers. With an identity pool, you can obtain temporary, limited-privilege AWS credentials to access other AWS services. Before you can begin using your new Amazon Cognito identity pool, you must assign one or more AWS Identity and Access Management (IAM) roles to determine the level of access you want your application users to have to your AWS resources. Identity pools define two types of identities: authenticated and unauthenticated. Each identity type can be assigned its own role in IAM. Authenticated identities belong to users who are authenticated by a public login provider (Amazon Cognito user pools, Facebook, Google, SAML, or any OpenID Connect providers) or a developer provider (your own backend authentication process), whereas unauthenticated identities typically belong to guest users. When Amazon Cognito receives a user request, the service determines whether the request is authenticated or unauthenticated, determines which role is associated with that authentication type, and then uses the policy attached to that role to respond to the request.
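The request flow just described, written out as an added C# example (it is not code from the AWS pattern or from the SDK documentation): a user-pool ID token is presented to the identity pool, which resolves an identity, chooses the authenticated or unauthenticated role, and returns temporary credentials that are then used to call Amazon S3. The region, pool IDs and the `COGNITO_ID_TOKEN` environment variable are placeholders; the package names (`AWSSDK.CognitoIdentity`, `AWSSDK.S3`) are real, but the method and variable names in the example are the author's own.

```csharp
// Added example, not part of the AWS pattern. Exchanges a Cognito user-pool ID token
// (or no token, for a guest) for temporary AWS credentials through an identity pool.
// Assumes NuGet packages AWSSDK.CognitoIdentity and AWSSDK.S3.
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.CognitoIdentity.Model;
using Amazon.Runtime;
using Amazon.S3;

public static class CognitoFederation
{
    // Returns temporary credentials for an authenticated identity (idToken != null)
    // or a guest/unauthenticated identity (idToken == null).
    public static async Task<SessionAWSCredentials> GetTemporaryCredentialsAsync(
        RegionEndpoint region, string userPoolId, string identityPoolId, string? idToken)
    {
        // The identity pool API is called unsigned: the caller has no AWS credentials yet.
        using var identityClient = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials(), region);

        // The Logins map names the provider that vouches for this user. For a user pool the
        // key is cognito-idp.<region>.amazonaws.com/<userPoolId>. No Logins means "guest",
        // which only succeeds if the identity pool allows unauthenticated identities.
        var logins = new Dictionary<string, string>();
        if (idToken is not null)
        {
            logins[$"cognito-idp.{region.SystemName}.amazonaws.com/{userPoolId}"] = idToken;
        }

        // Step 1: resolve (or create) the identity ID for this user or guest.
        var idResponse = await identityClient.GetIdAsync(new GetIdRequest
        {
            IdentityPoolId = identityPoolId,
            Logins = logins.Count > 0 ? logins : null,
        });

        // Step 2: Cognito picks the authenticated or unauthenticated role configured on the
        // pool and returns STS credentials limited by that role's policy.
        var credsResponse = await identityClient.GetCredentialsForIdentityAsync(new GetCredentialsForIdentityRequest
        {
            IdentityId = idResponse.IdentityId,
            Logins = logins.Count > 0 ? logins : null,
        });

        var c = credsResponse.Credentials;
        Console.WriteLine($"Identity {idResponse.IdentityId}: credentials expire at {c.Expiration}");
        return new SessionAWSCredentials(c.AccessKeyId, c.SecretKey, c.SessionToken);
    }

    public static async Task Main()
    {
        var region = RegionEndpoint.USEast1;                // placeholder
        const string userPoolId = "<USER_POOL_ID>";         // placeholder
        const string identityPoolId = "<IDENTITY_POOL_ID>"; // placeholder
        // An ID token obtained from the user pool after sign-in; absent => guest identity.
        string? idToken = Environment.GetEnvironmentVariable("COGNITO_ID_TOKEN");

        var creds = await GetTemporaryCredentialsAsync(region, userPoolId, identityPoolId, idToken);

        // Every call made with these credentials is allowed or denied by the role's IAM policy,
        // so a guest and a signed-in user can get different answers from the same code path.
        using var s3 = new AmazonS3Client(creds, region);
        try
        {
            var buckets = await s3.ListBucketsAsync();
            Console.WriteLine($"ListBuckets succeeded: {buckets.Buckets.Count} bucket(s)");
        }
        catch (AmazonS3Exception ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            Console.WriteLine("ListBuckets denied by the role policy for this identity type.");
        }
    }
}
```

Run it once with `COGNITO_ID_TOKEN` unset and once with a token from a signed-in user; the identity ID and the S3 outcome differ because the identity pool maps the two cases to the unauthenticated and authenticated roles. Keeping the unauthenticated role's policy to the minimum a guest needs, or leaving unauthenticated access disabled on the pool, is what prevents the guest path from reaching resources meant for signed-in users.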