Understanding Amazon Cognito Authentication

December 16, 2022, by Nick

What is Amazon Cognito?
Amazon Cognito lets you securely manage and sync app data across a user's devices. It assigns each user a unique identifier, whether they sign in through a public login provider (Amazon, Facebook, Twitter, Digits, Google) or through your own user identification system. It also supports unauthenticated (guest) users, such as someone opening the app for the first time, and can securely store and sync data to the cloud for them before they have ever logged in.
Amazon Cognito Authentication
To access AWS resources, a caller must present valid AWS credentials (an access key and a secret key). Shipping long-lived credentials inside a mobile or web app is a security problem: anything delivered to the client can be extracted from it. Amazon Cognito avoids this by identifying end users with unique identifiers across devices and platforms and by handing the app temporary, limited-privilege credentials for accessing AWS resources, issued through the AWS Security Token Service (STS) and tied to IAM roles you control.
There are three authentication flows.
Basic (Classic Flow)
Three API calls are needed to obtain credentials with Cognito in this flow:
GetId: the first call. It creates a new Amazon Cognito identity (or returns the existing one for the supplied logins) and gives you its identity ID.
GetOpenIdToken: called once you have an identity ID. It returns an OpenID Connect token for that identity.
AssumeRoleWithWebIdentity: once you have the OpenID Connect token, you exchange it for temporary AWS credentials by calling AssumeRoleWithWebIdentity in AWS STS, naming the IAM role to assume. Because the app chooses the role ARN in this call, the role's trust policy is what stops a token from being used to assume a role it should not have.

Basic Flow

Amazon Cognito provides two roles for your application: one for unauthenticated users and one for authenticated users. These are explained at the end of this post.
Enhanced (Simplified Flow)
The enhanced flow combines GetOpenIdToken and AssumeRoleWithWebIdentity into a single new call, GetCredentialsForIdentity, reducing the flow from three calls to two:
GetId
GetCredentialsForIdentity

Enhanced(Simplified) Flow

GetCredentialsForIdentity is equivalent to calling GetOpenIdToken followed by AssumeRoleWithWebIdentity, so it too must be called only after an identity ID has been established with GetId.
For Amazon Cognito to call AssumeRoleWithWebIdentity on your behalf, your identity pool must have IAM roles associated with it; Cognito selects the authenticated or the unauthenticated role depending on whether the identity logged in through a provider.
Developer Authentication Flow
Besides the public login providers (Facebook, Google, Amazon.com and Twitter), Amazon Cognito supports developer-authenticated identities. You keep your existing registration and login process and use it to authenticate users; the flow involves the end-user device, your back-end (which authenticates the user) and Amazon Cognito.
It introduces the GetOpenIdTokenForDeveloperIdentity API, which your back-end calls with its own AWS credentials. The call takes the ID of the identity pool you are connecting to and one or more identifiers for the user (the Logins map, keyed by your developer provider name), and returns a Cognito identity ID together with an OpenID Connect token for that end user.
By default the token is valid for 15 minutes. You can set the expiration explicitly with the TokenDuration parameter, up to a maximum of 24 hours.
The app logs in via your developer provider and your back-end validates the user's login.
Your back-end calls GetOpenIdTokenForDeveloperIdentity and returns the identity ID and OpenID Connect token to the app.
The app calls AssumeRoleWithWebIdentity (or GetCredentialsForIdentity in the enhanced flow) to obtain temporary AWS credentials.

Developer Authentication Flow

IAM Roles for authenticated and unauthenticated users
Amazon Cognito generates AWS credentials when users log in to your app. These credentials are tied to specific IAM roles, whose policies define which AWS resources may be accessed.
When you create an identity pool, Amazon Cognito can automatically create these roles with limited permissions; by default end users get access to Cognito Sync and Amazon Mobile Analytics. You can
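To make the role selection concrete, here is an added example, not code from the original post or from AWS. It builds a token with the claim layout Cognito returns from GetOpenIdToken, decodes it, and evaluates the two role trust policies against its claims: the pool ID is checked on the aud claim and the amr claim decides whether the token can assume the authenticated or the unauthenticated role. The pool ID, identity ID, role names, provider label and signing key are constructed for the example; a real token is RSA-signed by Cognito and verified by STS, which this code does not attempt.

```python
"""Inspect a Cognito Identity OpenID Connect token and work out which of the
identity pool's IAM roles its claims satisfy. Stdlib only; every identifier
below is constructed so the example runs offline."""
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed (hypothetical) identifiers.
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
IDENTITY_ID = "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ISSUER = "https://cognito-identity.amazonaws.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(amr, aud=POOL_ID, lifetime=900, now=None):
    """Build a JWT with the claim layout of a GetOpenIdToken response.
    Real tokens are RSA-signed by Cognito; this one is HMAC-signed with a
    throwaway key purely so the example is self-contained."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256", "kid": "constructed"}
    claims = {"sub": IDENTITY_ID, "aud": aud, "amr": amr, "iss": ISSUER,
              "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(b"constructed-key", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(token):
    """Return a JWT's claims WITHOUT verifying its signature: fine for
    inspecting a token you hold, never for trusting one you received."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def role_trust_policy(pool_id, amr_pattern):
    """Trust policy of the shape attached to an identity pool's roles: aud must
    equal the pool ID and some amr value must match the pattern."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr_pattern},
        }}]}


ROLES = {  # hypothetical role names
    "Cognito_DemoPoolAuth_Role": role_trust_policy(POOL_ID, "authenticated"),
    "Cognito_DemoPoolUnauth_Role": role_trust_policy(POOL_ID, "unauthenticated"),
}


def _iam_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def trust_policy_allows(policy, claims, now=None):
    """Evaluate the condition operators used above against the token claims,
    after rejecting tokens from the wrong issuer or past their expiry."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        ok = all(claims.get(key.split(":")[-1]) == want
                 for key, want in cond.get("StringEquals", {}).items())
        for key, pattern in cond.get("ForAnyValue:StringLike", {}).items():
            values = claims.get(key.split(":")[-1], [])
            values = values if isinstance(values, list) else [values]
            ok = ok and any(_iam_like(pattern, v) for v in values)
        if ok:
            return True
    return False


def assumable_roles(token, now=None):
    """Names of the pool's roles whose trust policy the token's claims satisfy."""
    claims = decode_claims(token)
    return sorted(name for name, pol in ROLES.items() if trust_policy_allows(pol, claims, now))


if __name__ == "__main__":
    # GetId + GetOpenIdToken with no Logins yields an unauthenticated identity.
    # Anyone who knows the pool ID can obtain such a token, so treat the
    # unauthenticated role's permissions as public.
    guest = make_sample_token(["unauthenticated"])
    # With a provider login, amr carries "authenticated" plus the provider name.
    member = make_sample_token(["authenticated", "graph.facebook.com"])
    print(decode_claims(guest)["amr"], assumable_roles(guest))
    print(decode_claims(member)["amr"], assumable_roles(member))
```

The practical takeaway is visible in the output: the guest token satisfies only the unauthenticated role, the provider-backed token only the authenticated one, and a token minted for another pool or past its expiry satisfies neither. Since the identity pool ID is embedded in the client, the unauthenticated role's permissions are reachable by anyone, so keep them minimal.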