Cognito User Pool vs Identity Pool

From @jayair on Mon Apr 10 2017 00:58:51 GMT+0000 (UTC)

Link to chapter - http://serverless-stack.com/chapters/cognito-user-pool-vs-identity-pool.html

Copied from original issue: https://github.com/AnomalyInnovations/serverless-stack-com/issues/20

From @Pwntus on Sun Apr 30 2017 03:50:36 GMT+0000 (UTC)

Hi. Great guide!
I see that in the guide you’re using a User Pool resource as authorizer.
This is good and all, but I was wondering what happens when you start federating multiple identities?
The use case would be to identify a single user “logging in” with multiple identity providers.

The sub claim used in the guide is only unique to the AWS User Pool, I suppose.

From @jayair on Mon May 01 2017 00:06:46 GMT+0000 (UTC)

@Pwntus you are right, the current guide is just for the User Pool. If there is enough interest, we might do one in the future for Federated Identities.

From @geovanisouza92 on Fri Jun 09 2017 22:07:16 GMT+0000 (UTC)

Am I right to think that User Pool stands for Authentication, as Identity Pool stands for Authorization?

From @jayair on Sun Jun 11 2017 19:38:30 GMT+0000 (UTC)

@geovanisouza92 Hmm, not quite. The User Pool is basically allowing AWS to store and manage all your users (they store them in their database and you access them through their SDK). An Identity Pool (or Federated Identities) is where you can bring your own identity providers (like FB or Google) and AWS creates a unified user system for you.
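
The two points above (the `sub` claim being unique only within one User Pool, and the Identity Pool acting as the unified layer in front of several providers) can be made concrete in code. The following is an added example, not code from the guide or from anyone in this thread. It decodes a User Pool ID token, checks the claims a relying party must check, keys the user on the (iss, sub) pair rather than on `sub` alone, and derives the Identity Pool `Logins` key from the token's issuer. The token, pool id, app client id and `sub` are constructed so the block runs offline; the signature is a placeholder, and verifying the RS256 signature against the pool's JWKS is still required in a real deployment.

```javascript
'use strict';

// Added example, not code from the serverless-stack guide. All identifiers
// (pool id, client id, sub, token) are constructed; the signature is a
// placeholder and is NOT verified here. Production code must verify the
// RS256 signature against https://cognito-idp.<region>.amazonaws.com/<poolId>/.well-known/jwks.json

function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Build header.payload.signature with a placeholder signature (constructed sample only).
function makeUnsignedJwt(payload) {
  const header = { alg: 'RS256', kid: 'constructed-kid' };
  return `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}.constructed-signature`;
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
}

// Claim checks for a Cognito User Pool ID token: iss must be this pool's URL,
// aud the app client id, token_use 'id' (an access token carries 'access'),
// exp in the future. Returns the list of failures; empty means acceptable.
function validateIdTokenClaims(payload, { region, userPoolId, appClientId, now }) {
  const expectedIss = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  const problems = [];
  if (payload.iss !== expectedIss) problems.push(`iss is ${payload.iss}, expected ${expectedIss}`);
  if (payload.aud !== appClientId) problems.push(`aud is ${payload.aud}, expected ${appClientId}`);
  if (payload.token_use !== 'id') problems.push(`token_use is ${payload.token_use}, expected id`);
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token expired');
  return problems;
}

// `sub` is only unique within one issuer (one User Pool or one social provider),
// so a user record should be keyed on the pair, never on sub alone.
function principalKey(payload) {
  return `${payload.iss}#${payload.sub}`;
}

// The Identity Pool `Logins` key for a User Pool is the issuer URL without its
// scheme, e.g. cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1; the same
// rule yields accounts.google.com for a Google ID token.
function loginsKeyFromIssuer(iss) {
  return iss.replace(/^https:\/\//, '');
}

// Constructed sample data with a fixed clock so the output is reproducible.
const POOL = { region: 'us-east-1', userPoolId: 'us-east-1_EXAMPLE1', appClientId: '1example23456789abcdefghij' };
const NOW = 1700000000;
const SAMPLE_PAYLOAD = {
  iss: `https://cognito-idp.${POOL.region}.amazonaws.com/${POOL.userPoolId}`,
  sub: '11111111-2222-3333-4444-555555555555',
  aud: POOL.appClientId,
  token_use: 'id',
  iat: NOW - 60,
  exp: NOW + 3600,
  email: 'user@example.com',
};
const SAMPLE_ID_TOKEN = makeUnsignedJwt(SAMPLE_PAYLOAD);

// Same sub from a different issuer: a different principal and a different Logins key.
const GOOGLE_PAYLOAD = { iss: 'https://accounts.google.com', sub: SAMPLE_PAYLOAD.sub, aud: 'constructed-google-client-id' };

function demo() {
  const { payload } = decodeJwt(SAMPLE_ID_TOKEN);
  return {
    problems: validateIdTokenClaims(payload, { ...POOL, now: NOW }),
    principal: principalKey(payload),
    logins: { [loginsKeyFromIssuer(payload.iss)]: SAMPLE_ID_TOKEN },
    googlePrincipal: principalKey(GOOGLE_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `logins` object produced here has the shape `AWS.CognitoIdentityCredentials` expects in its `Logins` parameter (provider key to token), so the User Pool entry and a Google `accounts.google.com` entry are handled by the same code path on the Identity Pool side; that is the "unified user system" in practice, with the Identity Pool's `identityId` being the identifier that stays stable across providers.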

From @iwilsonq on Thu Jun 22 2017 07:11:15 GMT+0000 (UTC)

I’m building a project that started with this tutorial and we’ve been loving the features of the serverless stack. That said, I’m having a very hard time integrating Google and Facebook with Cognito. Does your team have any examples of this, where, we could have users signup/login with those providers or simply use Email/Password?

Ideally, after authenticating with Google/Facebook, we’d get back a userToken to authenticate against all requests to Lambda. Any help would be greatly appreciated, the AWS docs have not been kind :sweat:

From @jayair on Thu Jun 22 2017 23:19:03 GMT+0000 (UTC)

@iwilsonq Yeah I mentioned this elsewhere. It is a bit tricky to do and the docs aren’t great. I think we might look into writing about this next. But you are creating a Cognito Identity Pool with Google and Facebook as the Identity Providers and assigning those users an IAM role. You then use that IAM role in the serverless.yml as the authorizer. Serverless Framework recently added support for this and it wasn’t possible to do when we had first put this tutorial together.

From @dbeja on Fri Oct 20 2017 16:39:14 GMT+0000 (UTC)

I was able to add Google/Facebook login using the federated user pool, but I’m finding it hard to work out how to clear the session or how to check whether the user is logged in when using the Identity Pool.
Has anyone found out how to do it?

Thanks!


From @jayair on Fri Oct 20 2017 17:37:15 GMT+0000 (UTC)

@dbeja There isn’t really a concept of logging in to the Identity Pool. We use the AWS JS SDK on the frontend to generate temporary credentials for a user pool authenticated user. And using these temporary credentials we are able to make calls to our AWS services.

When a user logs out we clear these credentials here - https://serverless-stack.com/chapters/clear-aws-credentials-cache.html

From @dbeja on Fri Oct 20 2017 17:43:33 GMT+0000 (UTC)

Yes, but when I use an Identity Pool, instead of a Cognito User Pool, so that I can login with Facebook, I get my credentials in a different way (AWS.CognitoIdentityCredentials), so I don’t have the object CognitoUserPool (because it’s for a User Pool) and so I don’t have the signout method.

What I need is to log in to my application with social login, and the Identity Pool lets me do that, but I can’t find anywhere how I could do the same as you do for clearing the session or getting the current user using this instead.

Hi anomalyinnovations,

I am in the same situation and struggling to get Google/FB authentication working. I am able to authenticate into the application using Google, but I am not able to invoke the API.

Can you share some sample code for the points below:

  • How did you initialize aws-amplify? (I have some config for aws-amplify in index.js which has userPoolId, identityPoolId, region and mandatorySignIn from when I configured it to use an AWS User Pool.) Should I remove anything here?
  • Once I get the Google response, I used the AWS SDK to get the identity pool id, but nothing progressed after that.

Can you please help with some sample code if you have any?

Here is what I have:
In index.js:

Amplify.configure({
  Auth: {
    mandatorySignIn: true,
    region: config.cognito.REGION,
    userPoolId: config.cognito.USER_POOL_ID,
    identityPoolId: config.cognito.IDENTITY_POOL_ID,
    userPoolWebClientId: config.cognito.APP_CLIENT_ID
  }
});

In Home.js:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'ap-south-1:xxxxxxxxxxxxxxxxxxxxxx',
  Logins: {
    // ID token from the Google Sign-In response. `Zi` is a minified internal
    // field of the gapi response object and changes between releases; the
    // stable accessor is googleUser.getAuthResponse().id_token
    'accounts.google.com': response.Zi.id_token
  }
});

AWS.config.credentials.get(function(err) {
  if (!err) {
    console.log('Cognito Identity Id: ' + AWS.config.credentials.identityId); // I am getting the identityId as expected

    API.get("liststores", "/liststores") // This fails
      .then(function(result) { console.log(result); })
      .catch(function(apiErr) { console.log('API error: ' + apiErr); });
  } else {
    console.log('Cognito Identity Id: ' + err);
  }
});

API is the aws-amplify API module.
AWS is the AWS SDK.

There shouldn’t be a change to the way you invoke the API. Can you check that an identity was created in your Cognito Identity Pool after your authentication?
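
With an Identity Pool the authorizer on the API is the IAM role the pool hands to authenticated users (as described earlier in the thread), so once an identity exists in the pool, the next thing to check is that this role's policy actually allows `execute-api:Invoke` on the method ARN API Gateway builds for the request, `arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/<METHOD>/<path>`. The following is an added example, not code from the guide or from anyone in this thread: a small offline evaluator that runs a candidate authenticated-role policy against the invocations the app will make, so a stage or method mismatch shows up before deployment. Account id, API id, stage and paths are constructed placeholders; the evaluator handles Effect, Action and Resource with IAM wildcards and explicit-deny precedence, and deliberately ignores Condition, NotAction and NotResource.

```javascript
'use strict';

// Added example, not the guide's code. Offline preflight for an Identity Pool
// authenticated-role policy: does it allow the API Gateway invocations the
// client needs? Constructed placeholders throughout; Condition, NotAction and
// NotResource are not modelled.

// IAM patterns use '*' (any run) and '?' (one character). Actions match
// case-insensitively; resource ARNs are case-sensitive.
function iamMatch(pattern, value, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value);
}

function asList(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Explicit Deny wins over any Allow; nothing matching is an implicit deny.
function policyAllows(policy, action, resourceArn) {
  let allowed = false;
  for (const st of asList(policy.Statement)) {
    const actionHit = asList(st.Action).some(a => iamMatch(a, action, true));
    const resourceHit = asList(st.Resource).some(r => iamMatch(r, resourceArn, false));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// The ARN API Gateway authorizes against for an IAM-protected method.
function methodArn(api, method, path) {
  return `arn:aws:execute-api:${api.region}:${api.accountId}:${api.apiId}/${api.stage}/${method}/${path.replace(/^\//, '')}`;
}

// Returns the [method, path] pairs the role could NOT invoke; empty means the policy is sufficient.
function deniedInvocations(policy, api, requests) {
  return requests.filter(([method, path]) =>
    !policyAllows(policy, 'execute-api:Invoke', methodArn(api, method, path)));
}

// Constructed sample: one API deployed to the 'prod' stage.
const API = { region: 'ap-south-1', accountId: '123456789012', apiId: 'a1b2c3d4e5', stage: 'prod' };

// A typical authenticated-role policy: invoke on this one API only, with every
// DELETE explicitly denied regardless of the Allow above it.
const AUTH_ROLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['mobileanalytics:PutEvents', 'cognito-sync:*', 'cognito-identity:*'], Resource: '*' },
    { Effect: 'Allow', Action: 'execute-api:Invoke', Resource: `arn:aws:execute-api:${API.region}:*:${API.apiId}/*` },
    { Effect: 'Deny', Action: 'execute-api:Invoke', Resource: `arn:aws:execute-api:${API.region}:*:${API.apiId}/*/DELETE/*` },
  ],
};

// A policy written against the 'dev' stage and never updated: every prod call is denied.
const STALE_STAGE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'execute-api:Invoke', Resource: `arn:aws:execute-api:${API.region}:*:${API.apiId}/dev/*` },
  ],
};

const APP_REQUESTS = [['GET', '/liststores'], ['POST', '/liststores'], ['DELETE', '/liststores/42']];

console.log('denied with AUTH_ROLE_POLICY :', deniedInvocations(AUTH_ROLE_POLICY, API, APP_REQUESTS));
console.log('denied with STALE_STAGE_POLICY:', deniedInvocations(STALE_STAGE_POLICY, API, APP_REQUESTS));
```

When a call signed with Identity Pool credentials comes back 403 from an `aws_iam`-protected method, compare the method ARN for the failing request (stage, HTTP method and path as deployed) against the `Resource` patterns of the role that the pool maps as its authenticated role; the role on the pool, not the one in serverless.yml, is what the caller actually carries.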

Hi @jayair ,

Yes, I see that identity is created in Identity pool.

When I am initializing Amplify, Should I remove the userpool details?

Amplify.configure({
  Auth: {
    mandatorySignIn: true,
    region: config.cognito.REGION,
    userPoolId: config.cognito.USER_POOL_ID,
    identityPoolId: config.cognito.IDENTITY_POOL_ID,
    userPoolWebClientId: config.cognito.APP_CLIENT_ID
  }
});

Note: I am not using Userpool. I have configured Cognito Identity pool with google.

Yeah you should be able to.