User Management
Fundamental features of the decent.ec stack are a community portal and an energy management system – both of which require user management.
Under the hood, the controlled assets authenticate with blockchain-based machine identifiers (DIDs), and community members can optionally use similar DIDs. This is not enabled by default because of the relative inconvenience of today's web3 tooling. As an administrator, however, we insist that you go through this learning curve: install the web3 plugin, connect to the blockchain and use a decentralised credential to access the administration site. For more detail, read the article "Machine Identifiers" [here].
Entering Stage 2 (Online Recruitment), the administrator needs to create user accounts in a user directory. For that we offer two cloud-based user authentication and management systems, both of them secure, scalable and cost-efficient:
- Keycloak is an open-source identity and access management solution originally developed by Red Hat and now a CNCF project. It offers customizable authentication, authorization and single sign-on (SSO), with users, clients and settings grouped into so-called 'realms'.
- Amazon Cognito is a managed AWS service providing secure user authentication, authorization and management, with users grouped into 'user pools'.
Regardless of which option is selected, the administrator can export or migrate the realm/user pool into a self-hosted environment if that becomes necessary. Note that the two are not symmetrical here: a Keycloak realm export includes users together with their password hashes, whereas Cognito never exports credentials, so users migrated out of (or into) Cognito must set a new password. The advantages and key benefits of both solutions are summarised in the feature matrix at the end of this article.
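What actually transfers in a Keycloak-to-Cognito migration is best seen in code. The following is an added example, not code from the decent.ec project: it converts the users of a Keycloak realm export into the CSV consumed by a Cognito user-import job. It assumes a pool without custom attributes (the default import header), a Keycloak custom attribute named "phoneNumber" holding an E.164 number, and a constructed two-user export; the `credentials` array is dropped on purpose because Cognito cannot import password hashes.

```python
"""
Keycloak realm export -> Amazon Cognito user-import CSV.

Added example, not code from the decent.ec project. It assumes the pool has no
custom attributes (the default import header below); for a real pool fetch the
exact header with `aws cognito-idp get-csv-header --user-pool-id <id>`, because
custom attributes extend it. Keycloak's export carries password hashes and
Cognito cannot import hashes, so `credentials` is dropped on purpose: imported
users start in RESET_REQUIRED state and set a new password on first sign-in.
"""
import csv
import io
import json

# Default Cognito import header (assumption: pool without custom attributes).
COGNITO_HEADER = [
    "cognito:username", "name", "given_name", "family_name", "middle_name",
    "nickname", "preferred_username", "profile", "picture", "website",
    "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
    "cognito:mfa_enabled",
]

# Constructed sample of a Keycloak realm export (`kc.sh export --users realm_file`).
# "phoneNumber" as a custom user attribute is an assumption for this example.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "community",
    "users": [
        {"username": "alice", "email": "alice@example.org", "emailVerified": True,
         "firstName": "Alice", "lastName": "Ember", "enabled": True,
         "credentials": [{"type": "password", "secretData": "{\"value\":\"hash\"}",
                          "credentialData": "{\"algorithm\":\"pbkdf2-sha256\"}"}],
         "attributes": {"phoneNumber": ["+4915112345678"], "locale": ["de"]}},
        {"username": "bob", "email": "bob@example.org", "emailVerified": False,
         "firstName": "Bob", "lastName": "Kelvin", "enabled": False,
         "credentials": []},
    ],
})


def _first_attr(user, key):
    """Keycloak stores custom attributes as lists of strings; take the first."""
    values = user.get("attributes", {}).get(key, [])
    return values[0] if values else ""


def keycloak_user_to_cognito_row(user):
    """Translate one exported Keycloak user into a Cognito import row (dict)."""
    if not user.get("email") and not _first_attr(user, "phoneNumber"):
        # Cognito import rejects rows with neither e-mail nor phone number.
        raise ValueError(f"user {user['username']!r} has no e-mail or phone number")
    row = dict.fromkeys(COGNITO_HEADER, "")
    row["cognito:username"] = user["username"]
    row["given_name"] = user.get("firstName", "")
    row["family_name"] = user.get("lastName", "")
    row["name"] = " ".join(p for p in (row["given_name"], row["family_name"]) if p)
    row["email"] = user.get("email", "")
    # Carry the verification flag over verbatim: marking unverified mail as
    # verified would let a mistyped or squatted address into the community.
    row["email_verified"] = "TRUE" if user.get("emailVerified") else "FALSE"
    phone = _first_attr(user, "phoneNumber")  # must already be E.164
    row["phone_number"] = phone
    row["phone_number_verified"] = "FALSE" if phone else ""
    row["locale"] = _first_attr(user, "locale")
    row["cognito:mfa_enabled"] = "FALSE"  # MFA enrolment does not transfer
    return row


def build_cognito_import(export_json):
    """Return (csv_text, usernames_to_disable) for a Keycloak realm export.

    The import format has no 'enabled' column, so disabled users are imported
    like everyone else and listed for a follow-up `admin-disable-user` call.
    """
    realm = json.loads(export_json)
    rows, to_disable = [], []
    for user in realm.get("users", []):
        rows.append(keycloak_user_to_cognito_row(user))
        if not user.get("enabled", True):
            to_disable.append(user["username"])
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COGNITO_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue(), to_disable


def rows_from_csv(csv_text):
    """Parse an import CSV back into dicts (handy for checking the output)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    text, disable_after_import = build_cognito_import(SAMPLE_REALM_EXPORT)
    print(text)
    print("disable after import:", disable_after_import)
```

The returned list of disabled usernames matters: without the follow-up disable step, a user locked out of the old realm would regain access in the new pool as soon as they complete the forced password reset.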
Features overview
1. Scalability and Flexibility
- Scalable Architecture: Both Keycloak and Amazon Cognito are built to scale, handling thousands or even millions of users without performance degradation. This is crucial for an online community where the user base may grow rapidly.
- Flexible User Management: You can manage users centrally with features like registration, account recovery, and profile updates, providing a seamless experience for both administrators and users.
2. Secure Authentication and Authorization
- Built-in Security Features: Keycloak and Cognito both offer multi-factor authentication (MFA) and TLS for data in transit. Encryption at rest and compliance with industry standards (e.g., HIPAA, GDPR) come with the managed Cognito service; with Keycloak they depend on how and where you host it (database encryption, backups, access control). Either way, these are the controls that keep sensitive user information protected.
- OAuth and OpenID Connect Support: Both Keycloak and Cognito support secure authentication standards like OAuth 2.0, OpenID Connect and SAML, making it easy to integrate with third-party identity providers and social logins (e.g., Google, Facebook and Apple).
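On the portal side, supporting both products with one OpenID Connect integration is where subtle mistakes happen, because their access tokens name the client differently. The following is an added example, not decent.ec project code: it shows the claim checks a relying party applies after a JOSE library has verified the RS256 signature against the issuer's JWKS. The issuer URLs, client id "portal" and all sample claims are constructed; the signature verification itself is assumed to have happened already.

```python
"""
Relying-party claim checks for access tokens issued by Keycloak or Cognito.

Added example, not from the decent.ec project. It assumes the token's RS256
signature has already been verified against the issuer's JWKS (published under
<issuer>/.well-known/openid-configuration) by a JOSE library; what follows is
the part such libraries leave to you, and where the two products differ: a
Cognito access token names its client in `client_id` and carries `token_use`,
a Keycloak access token names it in `azp` (and `aud` only if a mapper adds it)
and carries `typ: "Bearer"`.
"""
import time


class TokenRejected(Exception):
    """Raised with a short reason; log it, but do not echo it to the caller."""


def cognito_issuer(region, user_pool_id):
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def keycloak_issuer(base_url, realm):
    # Keycloak 17+ (Quarkus distribution) dropped the old /auth prefix.
    return f"{base_url.rstrip('/')}/realms/{realm}"


def validate_access_token(claims, issuer, client_id, now=None, leeway=60):
    """Return the claims if they describe a live access token for `client_id`
    from `issuer`; raise TokenRejected otherwise."""
    now = time.time() if now is None else now

    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")  # other pool/realm, or spoofed

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise TokenRejected("token not yet valid")

    if "token_use" in claims:
        # Cognito: an ID token (token_use=id, aud=client_id) is not an access
        # token; accepting it lets a token meant for the browser reach the API.
        if claims["token_use"] != "access":
            raise TokenRejected("not an access token")
        if claims.get("client_id") != client_id:
            raise TokenRejected("client_id mismatch")
    else:
        # Keycloak: ID tokens carry typ="ID", access tokens typ="Bearer".
        if claims.get("typ") != "Bearer":
            raise TokenRejected("not a bearer access token")
        aud = claims.get("aud", [])
        if isinstance(aud, str):
            aud = [aud]
        # Stricter: add an audience mapper in Keycloak and require `aud` only.
        if client_id not in aud and claims.get("azp") != client_id:
            raise TokenRejected("audience mismatch")

    if not claims.get("sub"):
        raise TokenRejected("missing subject")
    return claims


# Constructed sample claims (signature assumed already verified).
NOW = 1_700_000_000
COGNITO_ISS = cognito_issuer("eu-central-1", "eu-central-1_EXAMPLE")
KEYCLOAK_ISS = keycloak_issuer("https://id.example.org", "community")

COGNITO_ACCESS = {"iss": COGNITO_ISS, "sub": "cognito-sub-1", "token_use": "access",
                  "client_id": "portal", "exp": NOW + 3600, "iat": NOW}
COGNITO_ID = {"iss": COGNITO_ISS, "sub": "cognito-sub-1", "token_use": "id",
              "aud": "portal", "exp": NOW + 3600, "iat": NOW}
KEYCLOAK_ACCESS = {"iss": KEYCLOAK_ISS, "sub": "keycloak-sub-1", "typ": "Bearer",
                   "azp": "portal", "aud": ["account"], "exp": NOW + 300, "iat": NOW}
KEYCLOAK_ID = {"iss": KEYCLOAK_ISS, "sub": "keycloak-sub-1", "typ": "ID",
               "azp": "portal", "aud": "portal", "exp": NOW + 300, "iat": NOW}

if __name__ == "__main__":
    for name, token, iss in (("cognito", COGNITO_ACCESS, COGNITO_ISS),
                             ("cognito-id", COGNITO_ID, COGNITO_ISS),
                             ("keycloak", KEYCLOAK_ACCESS, KEYCLOAK_ISS),
                             ("keycloak-id", KEYCLOAK_ID, KEYCLOAK_ISS)):
        try:
            validate_access_token(token, iss, "portal", now=NOW)
            print(name, "accepted")
        except TokenRejected as why:
            print(name, "rejected:", why)
```

The two ID-token samples are the case worth remembering: both would pass a naive "is `portal` somewhere in the token" check, and both are rejected here because the token type is checked before the audience.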
3. Customizable User Experience
- Custom Sign-Up and Sign-In Flows: You can customize the authentication flow and the UI for sign-up, sign-in, and password recovery processes to align with your community’s branding.
- Lambda Triggers for Automation: Cognito allows you to attach AWS Lambda functions to points in the user lifecycle (pre sign-up, post confirmation, pre token generation, user migration and others) to customize and automate workflows, such as sending custom welcome emails, rejecting sign-ups that fail validation, or migrating users from a legacy directory on their first login.
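As a concrete instance of the validation case, here is an added example (not the decent.ec project's code) of a Cognito PreSignUp trigger that restricts registration to an allowlist of community e-mail domains. The domains in ALLOWED_DOMAINS are placeholders, and the sample events are constructed; the event fields used (`triggerSource`, `request.userAttributes`, `response.autoConfirmUser`, `response.autoVerifyEmail`) are the documented PreSignUp contract.

```python
"""
Cognito PreSignUp Lambda trigger enforcing a community e-mail domain allowlist.

Added example, not the decent.ec project's code; ALLOWED_DOMAINS is a
placeholder. Returning the event lets the sign-up proceed; raising an exception
makes Cognito reject it and show the exception message to the user.
"""

ALLOWED_DOMAINS = frozenset({"example.org", "members.example.org"})  # assumption


def email_domain(email):
    """Extract a normalised domain, or None if the address is malformed.

    The comparison is done on the lower-cased domain with any trailing dot
    removed, so "Alice@EXAMPLE.ORG." does not slip past the allowlist.
    """
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain


def lambda_handler(event, context):
    source = event.get("triggerSource", "")
    attrs = event.get("request", {}).get("userAttributes", {})
    domain = email_domain(attrs.get("email"))
    if domain is None:
        raise Exception("A valid e-mail address is required to join")
    if domain not in ALLOWED_DOMAINS:
        # Cognito shows this message to the end user; keep it free of internals.
        raise Exception("Sign-up is limited to community addresses")

    response = event.setdefault("response", {})
    if source == "PreSignUp_ExternalProvider":
        # Federated sign-up: the e-mail is whatever the external IdP asserted.
        # Let it in, but never auto-verify an address we did not check ourselves.
        response["autoVerifyEmail"] = False
    response["autoConfirmUser"] = False  # keep Cognito's confirmation-code step
    return event


def sample_event(email, source="PreSignUp_SignUp"):
    """Constructed event in the PreSignUp shape, for local runs and tests."""
    return {
        "version": "1",
        "triggerSource": source,
        "region": "eu-central-1",
        "userPoolId": "eu-central-1_EXAMPLE",
        "userName": email,
        "request": {"userAttributes": {"email": email}, "validationData": {}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False,
                     "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    print(lambda_handler(sample_event("alice@example.org"), None)["response"])
```

Note what the handler deliberately does not do: it never sets `autoConfirmUser` or `autoVerifyEmail` to true. Those flags skip the confirmation code, and setting them on the strength of an allowlisted domain alone would let anyone register an address they do not control.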
4. Integration with other online Services
- Identity Federation: Both Keycloak and Cognito can integrate with other identity providers (e.g., corporate directories via SAML, or social logins like Facebook or Twitter/X) for a unified login experience, allowing users to sign up using accounts they already have.
- Seamless Integration with Other AWS Services: Cognito integrates with AWS services like API Gateway, Lambda, and Amazon RDS, which helps in building a complete, serverless architecture for the recruitment platform.
5. Cost-Effective Solution
- Free Tier: For smaller communities or during the initial stages of recruitment, Amazon Cognito provides a free tier (50,000 monthly active users who sign in directly to the user pool under the pricing in effect when this was written; users federated through SAML or OIDC are counted and priced separately). The free tier does not expire after 12 months, but the allowance depends on the feature tier you choose, so check the current AWS pricing page.
- Pay-as-You-Go Pricing: Amazon Cognito also offers a pay-as-you-go model, making it a cost-effective solution for both small and large-scale recruitment platforms. You only pay for active users, keeping costs manageable as your community grows.
6. Compliance and Data Residency
- Compliance with Industry Standards: Cognito, as an AWS service, is covered by AWS's compliance programmes (GDPR, SOC 2, HIPAA eligibility, among others). Keycloak can be operated in compliance with the same frameworks, but the controls (logging, retention, encryption, access reviews) are the operator's responsibility. Either way, personal and sensitive information must be handled responsibly.
- Data Residency Controls: When deploying Keycloak on AWS or using the Cognito service, you can choose the region where your user data is stored, which is important for communities needing compliance with data residency requirements.
7. Analytics and User Behavior Tracking
- Integration with Amazon Pinpoint: Cognito can be integrated with Amazon Pinpoint for tracking user behavior, sending targeted notifications and analyzing user engagement, which is valuable for optimizing the community's recruitment and engagement strategies. AWS has announced the end of support for Pinpoint, so check its current status before building on it.
- Event Logging: Cognito records its API calls in AWS CloudTrail and, with the advanced security (threat protection) features enabled, keeps per-user sign-in history and risk events; Keycloak has its own login and admin event log, off by default and enabled per realm. Both are used for security monitoring, tracking user activity trends and diagnosing problems in the authentication flow.
Feature matrix
Aspect | Amazon Cognito User Pool | Keycloak Realm
---|---|---
Scalability and Flexibility | Highly scalable with flexible user management features, handling millions of users. | Scalable, but large user bases need more deliberate setup (database sizing, clustering, caching).
Secure Authentication and Authorization | Built-in MFA, encryption at rest and in transit, covered by AWS compliance programmes (GDPR, HIPAA). | MFA and TLS built in; encryption at rest and compliance controls depend on the hosting setup.
Customizable User Experience | Customizable hosted sign-in and sign-up UI, with Lambda triggers for further customization. | Highly customizable UI and authentication flows via themes, custom flows and SPI extensions.
Integration with AWS Services | Native integration with API Gateway, Lambda, RDS and other AWS services. | Can integrate with other services, but requires manual configuration; not natively integrated with AWS.
Identity Federation | OAuth 2.0, OpenID Connect and SAML for identity federation and social logins. | SAML, OAuth 2.0 and OpenID Connect identity brokering; social login support available.
Cost-Effective Solution | Pay-as-you-go model, only paying for active users. | Open-source, free to use, but self-hosted deployment incurs infrastructure and operations costs.
Free Tier | Free tier of monthly active users; the allowance depends on the feature tier, so check current AWS pricing. | No free tier as such; the software is free but hosting costs apply.
Compliance with Industry Standards | Covered by AWS compliance programmes (GDPR, HIPAA and others). | Can be run in compliance with GDPR and other frameworks, but the controls are the operator's responsibility.
Data Residency Controls | Data stored in the chosen AWS region, supporting data residency requirements. | Depends on the hosting environment; fully under your control, but needs configuration.
Analytics and User Behavior Tracking | Integration with Amazon Pinpoint (end of support announced by AWS) for behavior tracking and engagement analysis. | Integrates with analytics tools through plugins or custom setups; no built-in solution.
Event Logging | API calls logged in CloudTrail; per-user sign-in history with threat protection enabled. | Built-in login and admin event log (off by default, enabled per realm); forwarding to a SIEM needs an event listener or log shipping.
OAuth and OpenID Connect Support | Supports OAuth 2.0, OpenID Connect and SAML. | Supports OAuth 2.0, OpenID Connect and SAML with flexible configuration options.
Integration with Third-Party Identity Providers | Easily integrates with social identity providers like Google, Facebook and Apple. | Integrates with social providers through configuration; further providers via plugins.
Custom Workflows and Automation | Lambda triggers for custom workflows and automation. | Custom workflows via custom authenticators, event listeners and scripts; more work than Cognito's triggers.