AWS Cognito Federated Identities, User Registration and DynamoDB

I wonder if anyone can help. I'm trying to plan the AWS services that I'll need, and how they hang together, for a web application I'm planning.

Specifically I'm thinking about the user registration and login process using Cognito and DynamoDB.

Users will need to be registered and logged in in order to perform some actions. I'm thinking serverless, so these actions will be Lambda functions fronted by API Gateway. As with many websites, I'd like to use Facebook as the user authentication model. I'm thinking I need:

  • To create a Facebook application
  • To configure Cognito Federated Identities with the Facebook app id
  • To have a DynamoDB table to contain user information
  • To provide a facility to allow a user to register using their Facebook identity
    • On registration, create a record in the DynamoDB user info table with the user's name, email, etc. as taken from their Facebook profile
  • To provide a facility for registered users to login with their Facebook identity
  • To somehow pass the user token (JWT token?) on subsequent client requests to API Gateway endpoints

So far I've created the Facebook app and have an application ID. I've created the Cognito Federated Identity for the app and configured it with my Facebook app id. And I have set the Authorisation field for the Method Request for the API Gateway to "AWS_IAM".

Using the Facebook JavaScript SDK and the AWS JavaScript SDK, I've put together a very basic page that allows login via Facebook, then creates a new AWS.CognitoIdentityCredentials object with the Facebook authResponse accessToken. Lastly, it calls AWS.config.credentials.get to get the Cognito credentials. But these aren't really the steps above - it just proves that a user can login with their Facebook id and I can pass it to Cognito.

My specific questions therefore are:

  1. What I'm trying to work out is how to do registration. Once the user has logged in via Facebook, how can I create a user record in DynamoDB?
  2. And likewise, when a user goes to login (rather than register), once the user has logged in via Facebook, how can I ensure they have a user record in DynamoDB? (because if they don't have a record, then presumably they've not registered)
  3. Lastly, how can I pass the user id / token from the client to an API Gateway endpoint?

I'm not looking for code samples etc - just pointers as to whether I'm thinking along the right lines or barking up the wrong tree. A high-level view of how the various components need to hang together would be great, as would any links or references to similar ideas or concepts.
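Added example, not part of the question: the shape of the Lambda handlers behind the API Gateway endpoints for questions 1 and 2. With the method authorisation set to AWS_IAM, the browser signs requests with the Cognito credentials it obtained (question 3), and API Gateway passes the caller's identity id to Lambda in `event.requestContext.identity.cognitoIdentityId`, so the handler keys the user record on that server-verified value rather than anything in the request body. The table name `Users`, its hash key `userId`, the promise-returning `ddb` client and the in-memory `fakeDynamo` stand-in are assumptions made so the example runs offline.

```javascript
const TABLE = 'Users'; // assumed table name, hash key userId (assumption)
// Identity id API Gateway attaches to an AWS_IAM-authorised request, or null.
// It is derived from the SigV4-signed request, so the handler trusts it and
// never a user id supplied in the request body.
function callerIdentity(event) {
  const id = event && event.requestContext && event.requestContext.identity;
  return id && id.cognitoIdentityId ? id.cognitoIdentityId : null;
}
// Question 1, registration: write the profile only if no record exists yet.
// `ddb` is a DocumentClient-like object whose put()/get() return promises
// (assumption; with the v2 SDK you would append .promise()).
async function registerUser(event, ddb) {
  const userId = callerIdentity(event);
  if (!userId) return { statusCode: 401, body: 'not authorised' };
  const profile = JSON.parse(event.body || '{}');
  try {
    await ddb.put({
      TableName: TABLE,
      Item: { userId, name: profile.name, email: profile.email },
      ConditionExpression: 'attribute_not_exists(userId)', // no silent overwrite
    });
    return { statusCode: 201, body: 'registered' };
  } catch (err) {
    if (err.code === 'ConditionalCheckFailedException') return { statusCode: 409, body: 'already registered' };
    throw err;
  }
}
// Question 2, login: "registered" means a record exists for the caller's identity id.
async function loginUser(event, ddb) {
  const userId = callerIdentity(event);
  if (!userId) return { statusCode: 401, body: 'not authorised' };
  const res = await ddb.get({ TableName: TABLE, Key: { userId } });
  if (!res.Item) return { statusCode: 404, body: 'not registered' };
  return { statusCode: 200, body: JSON.stringify(res.Item) };
}
// Constructed in-memory stand-in for DynamoDB so the example runs offline.
function fakeDynamo() {
  const rows = new Map();
  return {
    async put(p) {
      if (p.ConditionExpression === 'attribute_not_exists(userId)' && rows.has(p.Item.userId)) {
        throw Object.assign(new Error('conditional check failed'), { code: 'ConditionalCheckFailedException' });
      }
      rows.set(p.Item.userId, p.Item);
    },
    async get(p) { return { Item: rows.get(p.Key.userId) }; },
  };
}
```

The same handler can be exercised locally with `fakeDynamo()` and a constructed event carrying `requestContext.identity.cognitoIdentityId`; in Lambda you would pass a real DocumentClient instead.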