AWS Cognito: What's the difference between Access and Identity tokens?
Amazon Cognito is an AWS service that handles user authentication, authorization, and user management for web and mobile applications. When a user signs in to a Cognito user pool, the service issues JSON Web Tokens (JWTs): an Access Token, an Identity Token (usually called the ID token) and a Refresh Token. The first two look alike but serve different purposes, and mixing them up is a common source of authorization bugs.
Understanding JWT in AWS Cognito
Before diving into Access Tokens and Identity Tokens, it's important to understand JWT. JWT (RFC 7519) is an open standard for transmitting claims between parties as a JSON object that is digitally signed, so the recipient can verify that it was issued by the expected party and has not been altered. A standard JWT is signed, not encrypted: anyone who holds the token can read its payload.
Key Components of a JWT:
- Header: Contains metadata about the token: its type, the signing algorithm (`alg`) and, for Cognito, the key id (`kid`) that identifies which user-pool key signed it.
- Payload: Contains claims. These are statements about an entity (typically, the user) and additional data.
- Signature: Ensures that the header and payload haven't been altered. It is computed over the base64url-encoded header and payload, with a shared secret for HMAC algorithms or a private key for asymmetric ones. Cognito signs with RS256 using a per-user-pool private key; verifiers fetch the matching public keys from `https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json` and select the key by `kid`.
Access Tokens vs. Identity Tokens
Access Tokens
The Access Token is used for authorization. It tells a resource server what the bearer is allowed to do on the user's behalf.
- Purpose: Presented to APIs that trust the user pool (for example an Amazon API Gateway Cognito authorizer or your own resource server) and to Cognito's own user-pool APIs such as `GetUser`. It is not an AWS credential: calling AWS services requires exchanging a token for temporary credentials through a Cognito identity pool.
- Audience: A resource server. Note that a Cognito access token carries no `aud` claim; the app client it was issued to is recorded in `client_id`.
- Claims:
- `token_use`: Always `"access"`. Verifiers should check it so that an ID token cannot be presented in place of an access token.
- `client_id`: The app client the token was issued to.
- `scope`: Space-separated OAuth 2.0 scopes, for example `openid email` or custom resource-server scopes.
- `sub` and `username`: The user's unique identifier in the pool and their username.
- `iss`, `exp`, `iat`, `jti`: Issuer (the user pool URL), expiration time, issued-at time and token id.
- `cognito:groups`: The user-pool groups the user belongs to, if any.
- Expiration: Defaults to 1 hour and is configurable per app client between 5 minutes and 24 hours. It is not shorter than the ID token by default; both share the same default.
- Usage: Passed as a bearer token in HTTP requests: `Authorization: Bearer <access_token>`.
Identity Tokens
The Identity Token (ID token) is the result of authentication: it asserts who the user is, for consumption by the client application.
- Purpose: Carries the user's identity attributes so the client can display or use them without a further lookup.
- Audience: The client application; the `aud` claim is the app client id.
- Claims:
- `token_use`: Always `"id"`.
- `aud`: The app client id.
- `sub`: Subject, the user identifier unique to the Cognito user pool (the same value as in the access token).
- `cognito:username`: The username (note the prefix; the access token uses plain `username`).
- `email`, `email_verified`, `name` and other standard attributes, present when they are set for the user.
- `auth_time`, `iat`, `exp`, `iss`: When the user authenticated, when the token was issued, when it expires, and the issuing user pool.
- Custom attributes, prefixed `custom:`, as configured in the user pool.
- Expiration: The same default of 1 hour and the same configurable range of 5 minutes to 24 hours as the access token; the two are set independently per app client, so neither is inherently longer-lived.
- Usage: Read by the client application after sign-in. Because it is not scoped and carries personal data, a resource server should not accept it as a bearer token where an access token is expected; checking `token_use` enforces this.
Example Usage in Authentication Flow
Imagine a user logging into a mobile application:
- User Authentication: The user signs in with their credentials, for example through the hosted UI or an `InitiateAuth` call using the SRP or `USER_PASSWORD_AUTH` flow.
- Token Issuance: AWS Cognito returns an Access Token, an Identity Token, and a Refresh Token.
- Access API Resources: When calling API resources, the client sends the Access Token as a bearer token. The resource server verifies the signature against the pool's JWKS and checks `iss`, `exp`, `token_use` and `client_id` before authorizing the request.
- Identify the User: The client verifies the Identity Token the same way (matching `aud` instead of `client_id`) and reads its claims for personalization or other purposes.
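To make the claim differences concrete, here is an added example that is not code from the original page or from AWS. It mints an access token and an ID token with the claim sets described above and verifies them the way a resource server or client app should. It uses only the Python standard library, so RS256 is implemented by hand and the check runs offline; the RSA key pair, the JWKS document, the user pool id `us-east-1_EXAMPLE`, the app client id `1example23456789abcdefghij`, the key id and the user's claims are all constructed stand-ins. In production you would use a maintained library such as PyJWT or aws-jwt-verify against the pool's real `jwks.json`.

```python
# Added illustration (not code from the page or from AWS): Cognito-shaped RS256 JWTs issued
# and verified with the Python standard library only. The RSA key, JWKS document, user pool
# id and app client id are constructed stand-ins; use PyJWT or aws-jwt-verify in production.
import base64, hashlib, json, random, time

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # constructed pool id
CLIENT_ID = "1example23456789abcdefghij"  # constructed app client id
KID = "example-kid-1"  # constructed key id
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 9.2

def _b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n, rng):  # Miller-Rabin, 16 rounds: fine for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(16):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def make_rsa_key(bits=1024, seed=1234):
    """Deterministic throwaway (n, e, d); never generate a real key this way."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # odd, full bit length
            if _probable_prime(c, rng): return c
    while True:
        p, q, e = prime(), prime(), 65537
        if p != q and (p - 1) * (q - 1) % e:  # e must be coprime to phi(n)
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def issue_token(claims, key, kid=KID):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    head = _b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = pow(_emsa(f"{head}.{body}".encode(), k), d, n).to_bytes(k, "big")  # RSASSA-PKCS1-v1_5
    return f"{head}.{body}.{_b64url(sig)}"

def jwks_for(key, kid=KID):  # same shape as an entry in a Cognito jwks.json
    n, e, _ = key
    enc = lambda x: _b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(n), "e": enc(e)}]}

class TokenError(Exception):
    pass

def verify_cognito_jwt(token, jwks, issuer, client_id, expected_use, now=None):
    """Signature, iss, exp, token_use and audience checks; expected_use is "access" or "id"."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head, body, sig = parts
    header = json.loads(_unb64url(head))
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if header.get("alg") != "RS256" or jwk is None:  # pin the algorithm; never trust the token's alg
        raise TokenError("unexpected alg or unknown kid")
    n, e = (int.from_bytes(_unb64url(jwk[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, _unb64url(sig)
    if len(s) != k or pow(int.from_bytes(s, "big"), e, n) != _emsa(f"{head}.{body}".encode(), k):
        raise TokenError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("expired")
    if claims.get("token_use") != expected_use:  # an ID token is not an access token, nor vice versa
        raise TokenError(f"token_use {claims.get('token_use')!r}, expected {expected_use!r}")
    audience = claims.get("client_id") if expected_use == "access" else claims.get("aud")
    if audience != client_id:  # access tokens carry client_id, ID tokens carry aud
        raise TokenError("issued for a different app client")
    return claims

KEY = make_rsa_key()  # stands in for the user pool's private signing key
JWKS = jwks_for(KEY)  # stands in for the pool's .well-known/jwks.json

def demo_tokens(now):
    """The access token and ID token Cognito would return for one login, with the claims that differ."""
    common = {"iss": ISSUER, "sub": "c0ffee00-0000-4000-8000-000000000001", "iat": now, "exp": now + 3600}
    access = issue_token({**common, "token_use": "access", "client_id": CLIENT_ID,
                          "scope": "openid email", "username": "alice"}, KEY)
    id_tok = issue_token({**common, "token_use": "id", "aud": CLIENT_ID, "cognito:username": "alice",
                          "email": "alice@example.com", "email_verified": True}, KEY)
    return access, id_tok

def accepted(token, expected_use, now):
    """True if the token passes verify_cognito_jwt as expected_use at Unix time now."""
    try: return bool(verify_cognito_jwt(token, JWKS, ISSUER, CLIENT_ID, expected_use, now))
    except TokenError: return False
```

With `access, id_tok = demo_tokens(now)`, `accepted(access, "access", now)` is True and `accepted(id_tok, "access", now)` is False even though both tokens carry a valid signature from the same pool key and the same `sub`. That is the point of the `token_use` and audience checks in `verify_cognito_jwt`: a resource server that only verifies the signature would happily accept an ID token as an access token. Note also that the access token is matched on `client_id` and the ID token on `aud`, and that a token signed with any key other than the pool's, even one carrying the right `kid`, fails the signature check.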
Summary Table: Access Token vs. Identity Token
| Feature | Access Token | Identity Token |
|---|---|---|
| Purpose | Authorization: what the bearer may do | Authentication: who the user is |
| Audience | Resource server (API); app client recorded in `client_id` | Client application; app client recorded in `aud` |
| `token_use` | `access` | `id` |
| Typical claims | `client_id`, `scope`, `sub`, `username`, `cognito:groups`, `iss`, `exp`, `iat`, `jti` | `aud`, `sub`, `cognito:username`, `email`, `name`, `custom:*`, `auth_time`, `iss`, `exp`, `iat` |
| Expiration | Default 1 hour; 5 minutes to 24 hours per app client | Same default and range, configured separately |
| Usage | Bearer token on protected API requests | Read by the client to retrieve user information |
Additional Considerations
- Verification: Every consumer must verify the token, not merely decode it: check the RS256 signature against the user pool's JWKS, then check `iss`, `exp`, `token_use` and the audience claim (`client_id` for access tokens, `aud` for ID tokens). Always transmit tokens over HTTPS.
- Token Storage: Store tokens securely on the client. In browsers prefer memory or HttpOnly cookies over `localStorage`, which any injected script can read; treat the ID token as personal data and the refresh token as a long-lived credential.
- Refresh Tokens: Use the Refresh Token to obtain new Access and Identity Tokens without prompting the user to sign in again. It defaults to 30 days, is configurable per app client from 60 minutes to 10 years, and can be invalidated with `RevokeToken` (when token revocation is enabled on the app client) or `GlobalSignOut`.
- Custom Claims: A Pre Token Generation Lambda trigger can add, override or suppress claims in the ID token before it is issued, and the version 2 trigger event extends this to the access token.
Conclusion
AWS Cognito's Access Tokens and Identity Tokens serve different roles in the security and functionality of web and mobile applications. Understanding their purposes and differences is critical for developers aiming to implement robust authentication and authorization systems. By leveraging these tokens correctly, applications can maintain secure and efficient access controls while providing a seamless user experience.

