Identity-as-a-Service (IDaaS) :  AWS Cognito and Okta

The security aspects, in particular, of identity management, is an important challenge when we develop web or mobile applications. It is difficult and can always be a risk to develop it ourselves. The good news is that there are several identity management providers — Identity-as-a-Service — that resolve these aspects for us. Most are based on two industry standards highly adopted by many digital companies — OAuth 2.0 and OpenID Connect.

Many services are part of broader cloud solutions like Amazon Web Services Cognito and Microsoft Azure Active Directory B2C. There are also solutions provided by companies that are dedicated only to these types of services, such as Auth0 and Okta. Likewise, Google and Facebook use these standards to offer access to their platforms and other applications.

Before looking at the examples and how to use them, compare one of each group. Although AWS Cognito and Okta offer the same basic services related to identity management, other aspects are very different offers. Prices and characteristics differ significantly.

Price

Let’s start with one of the most important variables, the cost of using each of these services.

Both AWS Cognito and Okta offer a free version of their service to evaluate and/or use in applications with a “reduced” amount of monthly active users.

And when we speak of a “reduced” amount, we are really talking about less than 50,000 monthly active users in the case of AWS Cognito and 7,000 monthly active users in the case of Okta.

Clearly, Amazon’s service is more economical if the key aspect is to manage a large number of active users. If you have 100,000 monthly active users, the AWS Cognito price is $ 0.00550 per user per month — $275 per month for the 50,000 extra users to the Free Tier.

In the case of Okta, the free version only allows 7,000 active monthly users. If more users are needed, you have to subscribe to the Developer version. Although this version offers more features such as email personalization and Multi-Factor Authentication, it is necessary to pay for all users, starting with $20 for 1,000 active users. This price increases in relation to the number of users up to $1000 per month per 50,000 monthly users.

Features

But not only the price is important. Each provider offers different features and functionalities that can influence which is the best option for each application.

In addition to the price, one of the biggest advantages of AWS Cognito is the native integration with other Amazon Web Services services such as the DynamoDB NoSQL database service. This integration allows for the use of federated web identities to control access to data stored in DynamoDB. Users can only access data that corresponds to them. Although this mechanism can be implemented using other identity providers such as Google, Facebook, or even Okta, it implies that the application has to use one of these services in addition to AWS Cognito Federated Identities.

Another benefit of AWS Cognito is the ability to extend the logic through triggers. When particular events occur related to user accounts, such as authentication or confirmation, AWS Cognito allows you to trigger the execution of an AWS Lambda function. This provides greater flexibility to the service. A very common example is the creation of a record in AWS DynamoDB after the user confirms the account. Although Lambda and DynamoDB are included in the free tier, these executions and data may generate associated costs but not directly related to AWS Cognito. Something similar happens with the use of Amazon Simple Notification Service (SNS) for sending notifications and SMS messages mainly for Multi-Factor Authentication.

By comparison, although Okta only offers the identity management service and is not a full-service platform, it is one of the leaders in Gartner’s Magic Quadrant for Access Management 2017. Its offer goes beyond what AWS offers with Cognito. Likewise, there are two aspects that stand out when comparing the free versions. Okta offers a dashboard with more details about the events such as the number of bad accesses as well as access to a more detailed log included as part of the service. And in the case that the application is multi-language, Okta allows you to customize the contents of the emails and SMS sent by the platform. Okta supports 25 different languages by default, including English, Portuguese, and Spanish. To achieve the same in AWS Cognito, it is necessary to use other AWS services that may generate additional costs.

Source: Okta Developer Site

Documentation

Clear documentation and examples for use of the service are very important, especially for integration into our applications. The AWS Cognito documentation is very extensive and is available in English, but also in Spanish. Obviously, it not only includes the documentation specific to the service but also includes documentation on how to integrate AWS Cognito with other Amazon Web Services.

As a reference, in StackOverflow, AWS Cognito has more than 2,000 tagged questions.

AWS Cognito on StackOverflow

Okta’s documentation is less extensive than the AWS Cognito but not less complete. For example, in addition to Okta’s own details, the documentation includes details and flows of both OAuth 2.0 and OpenID Connect. Something very interesting in the Okta documentation is the Authentication Quickstart Guides where they explain in an easy and simple way how to integrate Okta in the stack of an application, both in the client and in the server.

But the adoption of Okta is less significant than AWS Cognito. Again taking StackOverflow as a reference, in the case of Okta, the number of tagged questions is much smaller, around 700.

Okta on StackOverflow

Final Comments