Tags: amazon-web-services, facebook-login, amazon-cognito, amazon-cognito-facebook

AWS Cognito: sign in with username/password OR Facebook


I want to integrate a pretty standard piece of functionality: give the user (mobile and web) the option to either log in with email/password or with a Facebook (Google) account, with RBAC (different users may have different roles, like users, moderators, admins, creators, etc.). Here is basically what I want from sign-in:


I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.

Here is my current understanding (please correct me where I'm wrong).

1) For the email/password sign-up/sign-in I use a User Pool. When the user signs in I call authenticateUser (I'm using the JS SDK):

cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) { /* result.getIdToken().getJwtToken() is the user pool ID token */ },
    onFailure: function (err) { /* sign-in failed: wrong password, unconfirmed user, etc. */ }
})

where onSuccess

2) For the Facebook sign-in I use Federated Identities

Questions:

Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?

Q2. How should I store Facebook users? Can I do it in User Pools? I have the impression that it's not possible, but that means I have 2 different user directories: one in the User Pool and another one somewhere else (let's say in DynamoDB).

Q3. If I have to store users in different places (User Pool and DynamoDB), that means I have 2 users for essentially one user, who first registered with email/password and then decided to use Facebook. This is an inconvenience both for me as the app admin and for the user. How do I deal with this situation?

Q4. How do I manage groups for users who signed in with a Facebook token (like users, moderators, admins, creators, etc.)?

Q5. How should I restrict access to resources other than AWS for Facebook-signed-in users?

Q6. Any working example for this?

Thanks!


Solution

    1. I'm human and may have missed something, but that sounds pretty good to me.

    2. You can't store a federated identities login in user pools. Think of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.

    3. If a user logged in with both, linking those logins, you might want to consider avoiding user pool attributes entirely and only using Dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools require their own login token to see/update attributes. The user would have to log in with the user pool to touch those attributes; it'd get messy.

    4. I don't know that this is supported out of the box, like it is with user pools. You might have to do this using your hypothetical user database described above.

    5. You can also link your user pool to Cognito as a provider, much like you do for Facebook. That's how you exchange an ID token for credentials.

    6. No official example from the service, though I can't speak for others.
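An added example to go with points 4 and 5 of the answer (this is not code from the question or the answer, and not an official AWS sample). It builds the Logins map that Cognito Federated Identities expects when you exchange either a user pool ID token or a Facebook access token for AWS credentials, and reads the user pool "cognito:groups" claim from an ID token for a client-side role hint. The region, the user pool ID, the identity pool ID and the sample token are hypothetical values constructed for the example; the signature on the sample token is a dummy, and a real backend must verify the token's RS256 signature against the pool's JWKS before trusting any claim.

```javascript
// Added example, not code from the original question or answer.
// Region, pool IDs and the sample token below are constructed, hypothetical values.
const REGION = "us-east-1";                // assumption
const USER_POOL_ID = "us-east-1_EXAMPLE";  // assumption: hypothetical user pool ID
const IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"; // assumption

// Logins-map key for a user pool: "cognito-idp.<region>.amazonaws.com/<user pool id>".
function userPoolProviderName(region, userPoolId) {
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// Logins-map key for Facebook is the fixed provider name "graph.facebook.com".
const FACEBOOK_PROVIDER_NAME = "graph.facebook.com";

// Build the Logins map passed to AWS.CognitoIdentityCredentials (or GetId /
// GetCredentialsForIdentity). One provider token is enough for the exchange; if the
// user pool login and the Facebook login are linked to one identity, either works.
function buildLogins({ userPoolIdToken, facebookAccessToken } = {}) {
  const logins = {};
  if (userPoolIdToken) {
    logins[userPoolProviderName(REGION, USER_POOL_ID)] = userPoolIdToken;
  }
  if (facebookAccessToken) {
    logins[FACEBOOK_PROVIDER_NAME] = facebookAccessToken;
  }
  if (Object.keys(logins).length === 0) {
    throw new Error("at least one provider token is required");
  }
  return logins;
}

// Usage in the browser once a token is in hand (needs the AWS SDK, so not run here):
//   AWS.config.credentials = new AWS.CognitoIdentityCredentials({
//     IdentityPoolId: IDENTITY_POOL_ID,
//     Logins: buildLogins({ userPoolIdToken: result.getIdToken().getJwtToken() }),
//   });

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Decode a JWT payload WITHOUT checking the signature. Acceptable for a UI hint in the
// client only; a backend must verify the RS256 signature against the pool's JWKS
// (https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json) first.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64urlDecode(parts[1]));
}

// Return the user pool groups named in an ID token after the cheap checks a client can
// do: expected issuer, token_use is "id" (not an access token), and not expired.
// A Facebook token carries no such claim; groups for Facebook users must come from
// your own user database, as the answer's point 4 says.
function groupsFromIdToken(idToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(idToken);
  const expectedIssuer = `https://${userPoolProviderName(REGION, USER_POOL_ID)}`;
  if (claims.iss !== expectedIssuer) throw new Error("unexpected issuer");
  if (claims.token_use !== "id") throw new Error("expected an ID token");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    throw new Error("token expired");
  }
  return claims["cognito:groups"] || [];
}

// Constructed sample ID token (header.payload.signature with a dummy signature) so the
// example runs offline. A real token is signed by the pool and must be verified.
function makeSampleIdToken(extraClaims = {}) {
  const header = { alg: "RS256", kid: "example-kid" };
  const payload = {
    sub: "00000000-0000-0000-0000-000000000000",
    iss: `https://${userPoolProviderName(REGION, USER_POOL_ID)}`,
    aud: "exampleclientid",
    token_use: "id",
    "cognito:groups": ["moderators"],
    exp: Math.floor(Date.now() / 1000) + 3600,
    ...extraClaims,
  };
  return [base64urlEncode(header), base64urlEncode(payload), "dummysignature"].join(".");
}

const SAMPLE_ID_TOKEN = makeSampleIdToken();
```

The groups check is deliberately client-side only: it decides what UI to show, never what the user may do. Access to your own (non-AWS) resources, the subject of Q5, has to be decided by your backend after it verifies the ID token's signature and issuer itself, or, for Facebook users, after it validates the access token with Facebook and looks the user up in your own user table.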