I have this SAM template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Passwordless SMS authentication backend using Amazon Cognito User Pools CUSTOM AUTH challenge flow w/ AWS Lambda triggers and Amazon SNS for sending SMS TOTP
Metadata:
  AWS::ServerlessRepo::Application:
    Name: passwordless-sms-email-auth
    Description: >
      Passwordless SMS authentication backend using Amazon Cognito User Pools CUSTOM AUTH challenge flow w/ AWS Lambda triggers and Amazon SNS for sending SMS TOTP
    SpdxLicenseId: MIT
    LicenseUrl: LICENSE
    Labels: ['passwordless', 'authentication', 'cognito', 'auth', 'sms', 'iOS', 'mobile', 'pinpoint', 'serverless', 'amplify']
    SemanticVersion: 1.14.20
Globals:
  Function:
    Timeout: 3
Parameters:
  UserPoolName:
    Type: String
    Description: The name you want the User Pool to be created with
    Default: rafaelTest
Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Ref UserPoolName
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: phone_number
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: email
          AttributeDataType: String
          Mutable: true
          Required: false
      Policies:
        PasswordPolicy:
          MinimumLength: 6
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
      UsernameAttributes:
        - phone_number
        - email
      MfaConfiguration: "OFF"
      LambdaConfig:
        CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn
        DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn
        PreSignUp: !GetAtt PreSignUp.Arn
        VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallengeResponse.Arn
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: sms-auth-client
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      ExplicitAuthFlows:
        - CUSTOM_AUTH_FLOW_ONLY
Outputs:
  UserPoolId:
    Description: ID of the User Pool
    Value: !Ref UserPool
  UserPoolClientId:
    Description: ID of the User Pool Client
    Value: !Ref UserPoolClient
When creating the user pool, I wanted users to be able to use either just their email or just their phone number as their username.
The way it is done now, I always need to send both the email and the phone number.
Does anyone know how I solve this?
I want users to be able to log in by providing one of the following:
email + name
phone number + name
Can anyone help me?
Users can log in with their email or phone number using this SAM template, and a random UUID is used as the username at sign-up.
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Ref UserPoolName
    Schema:
      - Name: phone_number
        AttributeDataType: String
        Mutable: true
      - Name: email
        AttributeDataType: String
        Mutable: true
    Policies:
      PasswordPolicy:
        MinimumLength: 6
        RequireLowercase: false
        RequireNumbers: false
        RequireSymbols: false
        RequireUppercase: false
    AliasAttributes:
      - email
      - phone_number
    MfaConfiguration: "OFF"
But now I need to know which alias users use on sign-in; does anyone know how?
I'm doing a passwordless flow with Cognito and the event in the create-auth Lambda trigger is always the same.
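The SAM template at the top of this thread wires up CreateAuthChallenge, DefineAuthChallenge and VerifyAuthChallengeResponse but does not show them. As an added example (not code from the question, the answer or the template's author), here are those three CUSTOM_AUTH trigger handlers in Python. They address the follow-up comment directly: the trigger payload carries the pool username (`userName`, the UUID when aliases are in use) and the stored `userAttributes`, not the alias the client typed, so the delivery channel is decided from the attributes. The `send` callable, the `constructed_event` builder and the placeholder UUID are assumptions for running offline; in production `send` would publish through SNS or SES. The code is generated with `secrets`, reused on retries so the user is not re-texted, compared in constant time, and the session is failed after three wrong answers.

```python
"""Cognito CUSTOM_AUTH trigger handlers for a passwordless one-time-code flow.

Handlers follow the Cognito trigger event shape (event["userName"],
event["request"], event["response"]). The sender is injected so this runs
offline; in production it would publish through SNS or SES.
"""
import hmac
import secrets

OTP_DIGITS = 6     # length of the one-time code
MAX_ATTEMPTS = 3   # wrong answers tolerated before the session is failed


def constructed_event(user_attributes, session=None, challenge_answer=None,
                      private_params=None, user_not_found=False):
    """Build a minimal trigger event for local runs (constructed, not captured)."""
    return {
        # Cognito passes the pool username (the UUID when aliases are in use),
        # not the email or phone number the client typed at sign-in.
        "userName": "00000000-0000-4000-8000-000000000000",
        "request": {
            "userAttributes": dict(user_attributes),
            "session": list(session or []),
            "challengeAnswer": challenge_answer,
            "privateChallengeParameters": dict(private_params or {}),
            "userNotFound": user_not_found,
        },
        "response": {},
    }


def pick_channel(attrs):
    """Choose delivery from stored attributes: SMS if a phone number exists,
    otherwise email. The event does not say which alias was used to log in."""
    if attrs.get("phone_number"):
        return "sms", attrs["phone_number"]
    if attrs.get("email"):
        return "email", attrs["email"]
    raise ValueError("user has neither phone_number nor email")


def new_code():
    """Cryptographically random numeric code (the random module is not suitable)."""
    return "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))


def _print_send(channel, destination, code):
    print(f"[{channel}] to {destination}: your code is {code}")  # stand-in sender


def define_auth_challenge(event, context=None):
    """State machine: tokens after one correct answer, failure after
    MAX_ATTEMPTS wrong answers, otherwise ask for another CUSTOM_CHALLENGE."""
    req, resp = event["request"], event["response"]
    session = req.get("session") or []
    if session and session[-1].get("challengeResult") is True:
        resp.update(issueTokens=True, failAuthentication=False)
    elif len(session) >= MAX_ATTEMPTS:
        resp.update(issueTokens=False, failAuthentication=True)
    else:
        resp.update(issueTokens=False, failAuthentication=False,
                    challengeName="CUSTOM_CHALLENGE")
    return event


def create_auth_challenge(event, context=None, send=None):
    """Generate (or on retry reuse) the code, deliver it, and pass it to the
    verify trigger via privateChallengeParameters, which never reach the client."""
    req, resp = event["request"], event["response"]
    session = req.get("session") or []
    previous = session[-1].get("challengeMetadata", "") if session else ""
    if previous.startswith("CODE-"):
        code = previous[len("CODE-"):]       # retry: do not re-send the code
    else:
        code = new_code()
        # userNotFound is set when PreventUserExistenceErrors is ENABLED; still
        # issue a challenge (sending nothing) so callers cannot enumerate users.
        if not req.get("userNotFound"):
            channel, destination = pick_channel(req["userAttributes"])
            (send or _print_send)(channel, destination, code)
    resp["publicChallengeParameters"] = {"prompt": "Enter the code you received"}
    resp["privateChallengeParameters"] = {"code": code}
    resp["challengeMetadata"] = f"CODE-{code}"
    return event


def verify_auth_challenge_response(event, context=None):
    """Compare the submitted answer with the expected code in constant time."""
    req = event["request"]
    expected = req.get("privateChallengeParameters", {}).get("code", "")
    answer = req.get("challengeAnswer") or ""
    event["response"]["answerCorrect"] = bool(expected) and hmac.compare_digest(
        expected.encode(), answer.encode())
    return event
```

Each function maps to one entry of the template's LambdaConfig. Note that `publicChallengeParameters` is returned to the client, so the destination address is deliberately kept out of it; only `privateChallengeParameters` and `challengeMetadata` carry the code, and those stay server-side.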
I am trying to understand AWS Cognito settings in CloudFormation (in fact SAM).
I have used the following settings:
Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${Project}-${Env}-CognitoUserPool
      Policies:
        PasswordPolicy:
          MinimumLength: 8
      UsernameAttributes:
        - email
      Schema:
        - AttributeDataType: String
          Name: email
          Required: false
  CognitoUserPoolClient:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      ClientName: !Sub ${Project}-${Env}-CognitoUserPoolClient
      GenerateSecret: false
      UserPoolId: !Ref CognitoUserPool
      ExplicitAuthFlows:
        - ALLOW_USER_PASSWORD_AUTH
I understand this should allow users to use their email as their username. And indeed, I could create a user through the AWS Cognito console using an email as my username.
However, AWS Cognito still creates a UUID for the username, as shown here below:
and I can't sign in using my email, as I receive an error:
{"__type":"UserNotFoundException","message":"User does not exist."}
If I use the UUID, then I have no error and can log in. Any idea what I should change to make the email work as a sign-in option?
I did this some time ago using AliasAttributes instead of UsernameAttributes; this allows the use of regular usernames (or a UUID in my case) and email.
AliasAttributes:
  - 'email'
I'm trying to set up a simple authorizer based on this doc. I'm also using the serverless plugin serverless-pseudo-parameters.
My serverless configuration for the authorizer:
provider:
  ...
  logs:
    httpApi: true
  httpApi:
    cors: true
    authorizers:
      simpleAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl:
          - Fn::Join:
              - '/'
              - - https://cognito-idp.#{AWS::Region}.amazonaws.com
                - "#{CognitoUserPool}"
        audience:
          # serverless-pseudo-parameters syntax is #{Name}; the braces were missing here
          - "#{CognitoUserPoolClient}"
My configuration for simple lambda:
functions:
  ping:
    name: ${self:provider.stage}-ping
    handler: test.handler
    events:
      - httpApi:
          method: GET
          path: /test
          authorizer:
            name: simpleAuthorizer
My configuration of user pool and user pool client:
resources:
  Resources:
    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-${self:provider.stage}-user
        UsernameAttributes:
          - email
        Policies:
          PasswordPolicy:
            MinimumLength: 6
            RequireLowercase: False
            RequireNumbers: True
            RequireSymbols: False
            RequireUppercase: True
        Schema:
          - Name: email
            Required: false
            DeveloperOnlyAttribute: false
            Mutable: true
            AttributeDataType: String
    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: cognito-example-client
        GenerateSecret: False
        UserPoolId: "#{CognitoUserPool}"
The user pool, user pool client, HTTP API and Lambda are created successfully, but I can't see an authorizer in the API Gateway section of the AWS console.
So, the problem has a simple solution: just update your serverless (I used 1.63.0, which gave me this problem).
I created a user like:
SuperAdminUser:
  Type: AWS::Cognito::UserPoolUser
  Properties:
    DesiredDeliveryMediums:
      - EMAIL
    Username: !Ref SuperAdminEmail
    UserAttributes:
      - Name: email
        Value: !Ref SuperAdminEmail
    UserPoolId:
      Fn::ImportValue:
        !Sub ${BaseStack}-Cognito
And the user pool is defined:
CognitoUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    AdminCreateUserConfig:
      AllowAdminCreateUserOnly: false
      UnusedAccountValidityDays: 3
    LambdaConfig:
      PreSignUp: !GetAtt CognitoPreSignUpHook.Arn
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireNumbers: true
    UsernameAttributes:
      - email
I noticed that it fails to find the user because the username looks like 9f8aecc2-530d-411d-8d73-c3b775da1893, while !Ref gives the email of the user in this case. I noticed this started failing when I added
UsernameAttributes:
  - email
How can I resolve this? I noticed the User resource does not allow me to get the Sub of the user ...
I think I tried all properties here:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html
couldn't get this box checked:
My config currently:
CognitoUserPoolGeneral:
  Type: AWS::Cognito::UserPool
  Properties:
    UserPoolName: general
    Policies:
      PasswordPolicy:
        MinimumLength: 6
        RequireLowercase: false
        RequireNumbers: false
        RequireSymbols: false
        RequireUppercase: false
    Schema:
      - AttributeDataType: String
        Name: preferredLocale
        DeveloperOnlyAttribute: false
        Mutable: true
        Required: false
    EmailVerificationMessage: "Here's your verification code: {####}. Please provide it inside the application."
    EmailVerificationSubject: "subject"
You can add
AutoVerifiedAttributes:
  - email
to your Properties key, like so:
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Sub ${AuthName}-user-pool
    AutoVerifiedAttributes:
      - email
    Policies: .....
For an excellent example of a CloudFormation template that creates Cognito resources, see:
https://gist.github.com/singledigit/2c4d7232fa96d9e98a3de89cf6ebe7a5
I am attempting to create a UserPool using CloudFormation syntax, but I am unable to find which property I need to set in order to create the pool with email-address sign-up. How do I specify this?
As you can see in the screenshot, by default the pool is created with usernames.
Here's my current pool config:
MyPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    Schema:
      - Name: sub
        StringAttributeConstraints:
          MinLength: '1'
          MaxLength: '2048'
        DeveloperOnlyAttribute: false
        Required: true
        AttributeDataType: String
        Mutable: false
      - Name: name
        StringAttributeConstraints:
          MinLength: '0'
          MaxLength: '2048'
        DeveloperOnlyAttribute: false
        Required: false
        AttributeDataType: String
        Mutable: true
      - Name: updated_at
        NumberAttributeConstraints:
          MinValue: '0'
        DeveloperOnlyAttribute: false
        Required: false
        AttributeDataType: Number
        Mutable: true
    UserPoolName: ${self:provider.environment.PARTNER_POOL}
    EmailVerificationMessage: 'Please click the link below to verify your email address.
      {####} '
    EmailVerificationSubject: Your verification link
    SmsAuthenticationMessage: 'Your authentication code is {####}. '
    DeviceConfiguration:
      ChallengeRequiredOnNewDevice: false
      DeviceOnlyRememberedOnUserPrompt: false
    AdminCreateUserConfig:
      InviteMessageTemplate:
        EmailMessage: 'Your username is {username} and temporary password is {####}. '
        EmailSubject: Your temporary password
        SMSMessage: 'Your username is {username} and temporary password is {####}. '
      UnusedAccountValidityDays: 7
      AllowAdminCreateUserOnly: false
    EmailConfiguration: {}
    AutoVerifiedAttributes:
      - email
    Policies:
      PasswordPolicy:
        RequireLowercase: false
        RequireSymbols: false
        RequireNumbers: true
        MinimumLength: 8
        RequireUppercase: false
    AliasAttributes:
      - email
The ability to configure user pool with the new SignUp flow options is not yet supported through CloudFormation. The parameter that is used to specify the email or phone number only options is UsernameAttributes.
We will add this as a +1 to the feature request to support this with CloudFormation.
You need to set the AliasAttributes.
AWS::Cognito::UserPool -> AliasAttributes
Here is a sample CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      AliasAttributes:
        - email
      UserPoolName:
        Ref: AWS::StackName
The ability to configure user pool with the new SignUp flow options is now supported through CloudFormation.
AWS::Cognito::UserPool -> UsernameAttributes like so,
UserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    UsernameAttributes:
      - email