This article is part 2 of 2 for adding Login with Amazon (LWA) to an iOS Swift app and continues the authentication track for iOS developers, where we covered Basic Auth, Facebook Login and Google Sign-In. In part 1 of this two-part Login with Amazon series, we configured an Amazon developer project, cloned a starter iOS app, updated the app with our Amazon API key and modified the URL scheme so that your mobile users can authenticate using their Amazon credentials. I highly suggest working through the part 1 article to get set up for Login with Amazon and integrated with the LWA library before continuing.

In this article, we’ll build on the solution from part 1 by cloud-enabling our iOS app with the Amplify CLI to integrate with Amazon Cognito and federate the Login with Amazon identity. We’ll use an Amazon Cognito Identity Pool (federated identities) to assign each of your LWA-authenticated users a unique Id and to grant those users temporary AWS credentials (access key and secret) for calling your backend AWS resources from your iOS app. We don’t need an Amazon Cognito User Pool for this, but it wouldn’t hurt to add one now to use later if needed.

Every AWS request must be signed

If you use an AWS backend, every request your app makes to your AWS resources must be signed with AWS credentials. A Cognito Identity Pool does the heavy lifting: it manages a unique Id per user and issues the temporary credentials that grant access to your resources, so you never have to embed your own developer AWS credentials inside the app.

Why do we use Amazon Cognito?

Security and fine-grained access at scale are why we use Amazon Cognito Identity Pools (federated identities) together with Login with Amazon to provide temporary AWS credentials for each of your authenticated users. Identity Pools handle two types of users: unauthenticated and authenticated. Unauthenticated users are those who have not authenticated with basic auth (username and password), Login with Amazon, or any other social login provider; they assume the unauthenticated IAM role. Authenticated users (those who have authenticated with Login with Amazon or another OpenID provider) also receive a unique Id and temporary AWS credentials from the identity pool, but they assume the authenticated IAM role. You, as the developer, decide what permissions each of those two roles is granted.

In my previous Google Sign-In, Facebook Login, and Login with Amazon integration articles, the user simply tapped the Sign in with Google, Continue with Facebook, or Login with Amazon button and authenticated using their Google, Facebook, or Amazon credentials, respectively, all while staying within your app’s flow. Login with Amazon is the same interaction from the user’s perspective. Once the user is authenticated, you, as a developer, receive a small piece of information back in the form of a token, and we’ll pass that token over to Amazon Cognito for verification.
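The exchange just described (LWA token in, Cognito identity Id and temporary credentials out) and the unauthenticated path from the previous section, as an added example that is not part of this article. It is written against the two Cognito Identity API calls involved, `GetId` and `GetCredentialsForIdentity`, using the boto3 method names and response shape; the `FakeCognitoIdentity` class, the pool Id and the token value are constructed so the flow runs offline. In production you would pass `boto3.client("cognito-identity", region_name=...)` in place of the fake.

```python
import datetime

# Added example, not code from the article. Exchanges a Login with Amazon access
# token for a Cognito Identity Pool identity Id and temporary AWS credentials.
# "www.amazon.com" is the Logins key Cognito uses for Login with Amazon.

LWA_PROVIDER = "www.amazon.com"


def federate_lwa_user(cognito_identity, identity_pool_id, lwa_access_token=None):
    """Return the identity Id and temporary credentials for this app user.

    cognito_identity: a boto3 "cognito-identity" client, or any object exposing
    get_id(**kwargs) and get_credentials_for_identity(**kwargs) with the same
    response shape. Omitting the token is the unauthenticated path: Cognito still
    issues an Id and credentials, but they are scoped to the unauthenticated role.
    """
    logins = {LWA_PROVIDER: lwa_access_token} if lwa_access_token else {}

    get_id_kwargs = {"IdentityPoolId": identity_pool_id}
    if logins:
        get_id_kwargs["Logins"] = logins
    identity_id = cognito_identity.get_id(**get_id_kwargs)["IdentityId"]

    # The same Logins map must accompany the credentials call, otherwise Cognito
    # treats the request as unauthenticated even for a known identity Id.
    creds_kwargs = {"IdentityId": identity_id}
    if logins:
        creds_kwargs["Logins"] = logins
    creds = cognito_identity.get_credentials_for_identity(**creds_kwargs)["Credentials"]

    return {
        "identity_id": identity_id,
        "authenticated": bool(logins),
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretKey"],          # cognito-identity names it SecretKey
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class FakeCognitoIdentity:
    """Constructed stand-in for boto3.client("cognito-identity"); records calls."""

    def __init__(self):
        self.calls = []

    def get_id(self, **kwargs):
        self.calls.append(("get_id", kwargs))
        return {"IdentityId": "us-east-1:00000000-0000-4000-8000-000000000000"}

    def get_credentials_for_identity(self, **kwargs):
        self.calls.append(("get_credentials_for_identity", kwargs))
        return {
            "IdentityId": kwargs["IdentityId"],
            "Credentials": {  # constructed placeholder values
                "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
                "SecretKey": "EXAMPLEsecretKEYdoNotUse",
                "SessionToken": "EXAMPLEsessionTOKEN",
                "Expiration": datetime.datetime(2020, 1, 15, 13, 0, 0),
            },
        }


if __name__ == "__main__":
    client = FakeCognitoIdentity()
    # "Atza|..." is the shape of an LWA access token; this one is a constructed dummy.
    print(federate_lwa_user(client, "us-east-1:EXAMPLE-POOL-ID", "Atza|EXAMPLE"))
    print(federate_lwa_user(client, "us-east-1:EXAMPLE-POOL-ID"))
```

Cognito verifies the LWA token with Amazon before answering `GetId`, which is why the app never needs to validate the token itself; the two returned credential sets differ only in which IAM role (authenticated or unauthenticated) they are scoped to.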