I am trying to understand AWS Cognito settings in CloudFormation (in fact SAM).
I have used the following settings:
Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${Project}-${Env}-CognitoUserPool
      Policies:
        PasswordPolicy:
          MinimumLength: 8
      UsernameAttributes:
        - email
      Schema:
        - AttributeDataType: String
          Name: email
          Required: false
  CognitoUserPoolClient:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      ClientName: !Sub ${Project}-${Env}-CognitoUserPoolClient
      GenerateSecret: false
      UserPoolId: !Ref CognitoUserPool
      ExplicitAuthFlows:
        - ALLOW_USER_PASSWORD_AUTH
I understand this should allow users to use their email as their username. And indeed, I could create a user through the AWS Cognito console using an email as my username.
However, AWS Cognito still creates a UUID for the username, as shown here below:
and I can't sign in using my email, as I receive an error:
{"__type":"UserNotFoundException","message":"User does not exist."}
If I use the UUID, then I have no error and can log in. Any idea what I should change to make the email work as a sign-in option?
I did this some time ago using AliasAttributes instead of UsernameAttributes; this allows the use of regular usernames (or a UUID in my case) and email.
AliasAttributes:
  - 'email'
I have this SAM template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Passwordless SMS authentication backend using Amazon Cognito User Pools CUSTOM AUTH challenge flow w/ AWS Lambda triggers and Amazon SNS for sending SMS TOTP
Metadata:
  AWS::ServerlessRepo::Application:
    Name: passwordless-sms-email-auth
    Description: >
      Passwordless SMS authentication backend using Amazon Cognito User Pools CUSTOM AUTH challenge flow w/ AWS Lambda triggers and Amazon SNS for sending SMS TOTP
    SpdxLicenseId: MIT
    LicenseUrl: LICENSE
    Labels: ['passwordless', 'authentication', 'cognito', 'auth', 'sms', 'iOS', 'mobile', 'pinpoint', 'serverless', 'amplify']
    SemanticVersion: 1.14.20
Globals:
  Function:
    Timeout: 3
Parameters:
  UserPoolName:
    Type: String
    Description: The name you want the User Pool to be created with
    Default: rafaelTest
Resources:
  UserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: !Ref UserPoolName
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: phone_number
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: email
          AttributeDataType: String
          Mutable: true
          Required: false
      Policies:
        PasswordPolicy:
          MinimumLength: 6
          RequireLowercase: false
          RequireNumbers: false
          RequireSymbols: false
          RequireUppercase: false
      UsernameAttributes:
        - phone_number
        - email
      MfaConfiguration: "OFF"
      LambdaConfig:
        CreateAuthChallenge: !GetAtt CreateAuthChallenge.Arn
        DefineAuthChallenge: !GetAtt DefineAuthChallenge.Arn
        PreSignUp: !GetAtt PreSignUp.Arn
        VerifyAuthChallengeResponse: !GetAtt VerifyAuthChallengeResponse.Arn
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: sms-auth-client
      GenerateSecret: false
      UserPoolId: !Ref UserPool
      ExplicitAuthFlows:
        - CUSTOM_AUTH_FLOW_ONLY
Outputs:
  UserPoolId:
    Description: ID of the User Pool
    Value: !Ref UserPool
  UserPoolClientId:
    Description: ID of the User Pool Client
    Value: !Ref UserPoolClient
When creating the user pool, I wanted users to be able to use either just their email or just their phone as their username.
The way it is done now, I always need to send both email and phone number.
Does anyone know how I solve this?
I want users to be able to log in by providing one of the following:
email + name
phone number + name
Can anyone help me?
Users can log in with their email or phone number using this SAM template, and use a random UUID as the username at sign-up.
UserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    UserPoolName: !Ref UserPoolName
    Schema:
      - Name: phone_number
        AttributeDataType: String
        Mutable: true
      - Name: email
        AttributeDataType: String
        Mutable: true
    Policies:
      PasswordPolicy:
        MinimumLength: 6
        RequireLowercase: false
        RequireNumbers: false
        RequireSymbols: false
        RequireUppercase: false
    AliasAttributes:
      - email
      - phone_number
    MfaConfiguration: "OFF"
But now I need to know which alias users use on sign-in; does anyone know how?
I'm doing a passwordless flow with Cognito and the event on the create-auth Lambda trigger is always the same.
I configured Cognito user pool and client with Serverless framework as follows:
CognitoUserPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    MfaConfiguration: OFF
    UserPoolName: user-pool
    UsernameAttributes:
      - email
    AutoVerifiedAttributes:
      - email
    VerificationMessageTemplate:
      DefaultEmailOption: CONFIRM_WITH_LINK
    Policies:
      PasswordPolicy:
        MinimumLength: 8
        RequireLowercase: True
        RequireNumbers: True
        RequireSymbols: False
        RequireUppercase: True
CognitoUserPoolClient:
  Type: "AWS::Cognito::UserPoolClient"
  Properties:
    ClientName: user-pool-client
    GenerateSecret: False
    UserPoolId:
      Ref: CognitoUserPool
I am able to sign a user up with aws-amplify in a Next.js app; however, the user is not yet confirmed. I want to get a confirmation email with a link to click on, so that the user is confirmed and can log in (so far I had to confirm the user in Cognito in the AWS console). However, that does not happen with this configuration.
What am I doing wrong?
Your cloudformation template is automatically verifying the email attribute.
Try removing this block:
AutoVerifiedAttributes:
  - email
I have a SAM template that was working fine until I added a trigger to my Cognito user pool.
I searched for the error it throws, "Circular dependency between resources". I can understand that the trigger creates a reference to the user pool and then the circular dependency arises, but I cannot find how to solve the problem. I only need to set the trigger of my Cognito user pool to get custom messages/emails when a user is created.
This is my SAM code:
AdminCognitoUserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    AutoVerifiedAttributes:
      - email
    VerificationMessageTemplate:
      DefaultEmailOption: CONFIRM_WITH_LINK
    Policies:
      PasswordPolicy:
        MinimumLength: 8
    UsernameAttributes:
      - email
    Schema:
      - AttributeDataType: String
        Name: email
        Required: true
        Mutable: true
      - AttributeDataType: String
        Name: id
        # Required: false
        Mutable: true
AdminCognitoChangePassword:
  Type: AWS::Serverless::Function
  Properties:
    Handler: src/handlers/config.customCognitoEvents
    Role: !GetAtt lambdaRole.Arn
    Events:
      CognitoEvent:
        Type: Cognito
        Properties:
          UserPool: !Ref AdminCognitoUserPool
          Trigger: CustomMessage
The problem was in the Globals function environment variables. I was calling AdminCognitoUserPool there, and that's why the circular dependency was arising.
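Added example, not code from any of the posts above: a small Python checker that builds the resource dependency graph of a parsed SAM template and reports a reference cycle, so the cause described in the answer can be seen before deploying. It models the two SAM rules at play here: a Cognito event source is written into the pool's LambdaConfig, so the pool depends on the function, and Globals.Function properties (including Environment variables) apply to every AWS::Serverless::Function. The template is a plain dict with Ref in long form so it runs offline; the USER_POOL_ID variable name is an assumption.

```python
def refs(node):
    """Logical ids referenced via Ref / Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        own = {node["Ref"]} if isinstance(node.get("Ref"), str) else set()
        if isinstance(node.get("Fn::GetAtt"), list):
            own.add(node["Fn::GetAtt"][0])
        return own.union(*map(refs, node.values()))
    return set().union(*map(refs, node)) if isinstance(node, list) else set()

def dependency_graph(template):
    """{logical id: set of logical ids it depends on}, with SAM semantics."""
    res, graph = template["Resources"], {}
    global_fn = template.get("Globals", {}).get("Function", {})
    for name, r in res.items():
        props = dict(r.get("Properties", {}))
        if r.get("Type") == "AWS::Serverless::Function":
            props["Globals"] = global_fn  # Globals.Function applies to every function
            for ev in props.pop("Events", {}).values():
                # a Cognito event source lands in the pool's LambdaConfig: pool depends on us
                if ev.get("Type") == "Cognito":
                    for pool in refs(ev.get("Properties", {}).get("UserPool")) & res.keys():
                        graph.setdefault(pool, set()).add(name)
        graph.setdefault(name, set()).update(refs(props) & res.keys())
    return graph

def find_cycle(graph):
    """Depth-first search; returns one cycle as a list of ids, or [] if acyclic."""
    done, path = set(), []
    def visit(n):
        path.append(n)
        for m in graph.get(n, ()):
            if m in path:
                return path[path.index(m):] + [m]
            if m not in done and (c := visit(m)):
                return c
        done.add(path.pop())
        return []
    for n in graph:
        if n not in done and (c := visit(n)):
            return c
    return []

TEMPLATE = {  # constructed: the question's layout, plus the Globals env var
    "Globals": {"Function": {"Environment": {"Variables": {
        "USER_POOL_ID": {"Ref": "AdminCognitoUserPool"}}}}},
    "Resources": {
        "AdminCognitoUserPool": {"Type": "AWS::Cognito::UserPool"},
        "AdminCognitoChangePassword": {"Type": "AWS::Serverless::Function",
            "Properties": {"Events": {"CognitoEvent": {"Type": "Cognito",
                "Properties": {"UserPool": {"Ref": "AdminCognitoUserPool"}}}}}}}}
```

With the Globals block present, find_cycle reports AdminCognitoUserPool -> AdminCognitoChangePassword -> AdminCognitoUserPool; dropping it (or moving the variable onto functions that are not triggers of this pool) makes the graph acyclic.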
When testing my TOKEN endpoint in Postman, I'm getting the error HTTP 400 - "invalid_grant".
In Postman, I've configured the Authorization header (with Basic clientId:secret) and the Content-Type header. In the URL-encoded form, I've set grant_type = client_credentials. All of these settings are confirmed in the instructions here:
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
After manual inspection, my CloudFormation template deploys all the settings correctly.
If I go into the Cognito settings, select App Clients from the navigation and then "Save app client changes" without making any changes, I no longer get the same error in Postman and I can retrieve a valid access code from there on. It's almost as if the changes aren't 'active' in AWS unless I re-save in the AWS Console, for whatever reason.
Is something not fully committed on the AWS backend side unless I manually hit save in the console?
Again, this template, settings and Postman test do work, BUT only after I go into Cognito and make an edit, save, undo my edit and save again.
Here's my CF template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Integration for webSvc1 and webSvc2
Parameters:
  StageName:
  ...
Globals:
  Function:
    Timeout: 20
  Api:
    OpenApiVersion: 3.0.1
Resources:
  UserPool:
    Type: 'AWS::Cognito::UserPool'
    Properties:
      UserPoolName: !Sub ${CognitoUserPoolName}-${EnvironmentName}
  UserPoolResourceServer:
    Type: 'AWS::Cognito::UserPoolResourceServer'
    DependsOn:
      - UserPool
    Properties:
      Identifier: !Sub ${CognitoUserPoolName}-${EnvironmentName}
      Name: api-resource-server
      Scopes:
        - ScopeName: "api.read"
          ScopeDescription: "Read access"
      UserPoolId: !Ref UserPool
  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    DependsOn:
      - UserPool
      - UserPoolResourceServer
    Properties:
      UserPoolId: !Ref UserPool
      Domain: !Sub id-${EnvironmentName}
  # Creates a User Pool Client to be used by the identity pool
  UserPoolClient:
    Type: 'AWS::Cognito::UserPoolClient'
    DependsOn:
      - UserPool
      - UserPoolResourceServer
    Properties:
      ClientName: !Sub ${CognitoUserPoolName}-client-${EnvironmentName}
      GenerateSecret: true
      UserPoolId: !Ref UserPool
      SupportedIdentityProviders:
        - COGNITO
      AllowedOAuthFlows:
        - client_credentials
      AllowedOAuthScopes:
        - !Sub ${CognitoUserPoolName}-${EnvironmentName}/api.read
I am attempting to create a UserPool using CloudFormation syntax, but I am unable to find which property I need to set in order to create the pool with email address sign-up. How do I specify this?
As you can see in the screenshot, by default the pool is created with usernames.
Here's my current pool config:
MyPool:
  Type: "AWS::Cognito::UserPool"
  Properties:
    Schema:
      - Name: sub
        StringAttributeConstraints:
          MinLength: '1'
          MaxLength: '2048'
        DeveloperOnlyAttribute: false
        Required: true
        AttributeDataType: String
        Mutable: false
      - Name: name
        StringAttributeConstraints:
          MinLength: '0'
          MaxLength: '2048'
        DeveloperOnlyAttribute: false
        Required: false
        AttributeDataType: String
        Mutable: true
      - Name: updated_at
        NumberAttributeConstraints:
          MinValue: '0'
        DeveloperOnlyAttribute: false
        Required: false
        AttributeDataType: Number
        Mutable: true
    UserPoolName: ${self:provider.environment.PARTNER_POOL}
    EmailVerificationMessage: 'Please click the link below to verify your email address.
      {####} '
    EmailVerificationSubject: Your verification link
    SmsAuthenticationMessage: 'Your authentication code is {####}. '
    DeviceConfiguration:
      ChallengeRequiredOnNewDevice: false
      DeviceOnlyRememberedOnUserPrompt: false
    AdminCreateUserConfig:
      InviteMessageTemplate:
        EmailMessage: 'Your username is {username} and temporary password is {####}. '
        EmailSubject: Your temporary password
        SMSMessage: 'Your username is {username} and temporary password is {####}. '
      UnusedAccountValidityDays: 7
      AllowAdminCreateUserOnly: false
    EmailConfiguration: {}
    AutoVerifiedAttributes:
      - email
    Policies:
      PasswordPolicy:
        RequireLowercase: false
        RequireSymbols: false
        RequireNumbers: true
        MinimumLength: 8
        RequireUppercase: false
    AliasAttributes:
      - email
The ability to configure user pool with the new SignUp flow options is not yet supported through CloudFormation. The parameter that is used to specify the email or phone number only options is UsernameAttributes.
We will add this as a +1 to the feature request to support this with CloudFormation.
You need to set the AliasAttributes.
AWS::Cognito::UserPool -> AliasAttributes
Here is a sample CloudFormation template:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      AliasAttributes:
        - email
      UserPoolName:
        Ref: AWS::StackName
The ability to configure user pool with the new SignUp flow options is now supported through CloudFormation.
AWS::Cognito::UserPool -> UsernameAttributes, like so:
UserPool:
  Type: AWS::Cognito::UserPool
  Properties:
    UsernameAttributes:
      - email