Developers and organizations alike are looking for a way to have more agility with mobile solutions. There is a desire to decrease the time from idea to test. As a developer, I often run up against one hurdle that can slow down the initial build of a mobile hypothesis: user management. Over the years, I have built at least three user management systems from scratch. Much of the approach can be based on a boilerplate, but there are always a few key items that need to be customized for a particular client. This is enough of a concern that an entire category of user management, authentication and authorization services has sprung up to meet this need.

Services like Auth0 have entire solutions based on user and identity management that developers can integrate with. One service that provides this functionality is Amazon Web Services' (AWS') Cognito. Cognito is a tool for enabling users to sign up for and sign in to web and mobile applications that you create. In addition to this functionality, it also allows for storage of user data offline, and it provides synchronization of this data.

[Figure: Cognito custom user pool diagram]

As Amazon states, "With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and sync across devices."

In this article, we will spend a majority of our time walking through the process of configuring a user pool for our needs. Then, we will integrate this user pool with an iOS application and allow a user to log in and fetch the attributes associated with their user account. By the end, we'll have a limited demo application, but one that handles the core of user management. In addition, after this is in place, there will be a follow-up article that takes this quite a bit deeper.

If you have a mobile or web app, what exactly do you need in terms of user management? While user log-in is probably the first thing you would think of, we cannot stop there. If we want a flexible user management system that would work for most web and mobile app use cases, it would need to have the following functionality:

- user attributes (first name, last name, etc.)
- required configuration and optional attributes per user
- API access to endpoints based on permissions
- secure storage of access token(s) on mobile devices
- offline storage of user attributes for mobile devices
- synchronization of user attributes for online and offline states
- user lifecycle triggers (welcome email, goodbye email, etc.)

While user management might at first seem like a log-in system, the functionality must go far beyond that in order for the system to be truly flexible enough to handle most use cases. This clearly goes far beyond just a username and password. One additional item needs to be called out here: security.

One of the requirements of any user management system is that it needs to be continually evaluated for the security of the system as a whole. Many custom user management systems have vulnerabilities that simply haven't been corrected. Within the last year, there have been security breaches of user management systems at companies such as Dropbox, Dailymotion, Twitter and Yahoo.