Cognito Custom Auth resulting in Hosted UI New Password Screen


I'm trying to create a "Magic Link" experience for new users that are added by an admin.

Desired Flow:

  1. An Admin adds a new user to the user pool
  2. An email is sent to the new user with a "magic link"
  3. The user clicks on the magic link in their e-mail and they're shown a view to either set a new password or authenticate with Google
  4. After setting the new password or logging in with Google, they're confirmed and logged in

So far, I've been able to create the magic link and use it to start a custom auth flow. My questions are:

  1. Can I transition from my custom auth flow to the hosted ui "set new password" view?
  2. Or, is there a way to complete the custom auth flow with a JWT token and then redirect the browser straight to the hosted ui new password flow?
  3. Or, is there a way to achieve the desired functionality using another mechanism besides a custom auth flow?
  4. Or, can I complete the custom auth flow, present a custom change password screen, and then use the SDK to change the password and create a session?

Thank you for the help!

Scott

asked 5 months ago, 192 views
1 Answer

Regarding your effort to create an implementation of a "Magic Link" experience for new users in AWS Cognito, here are some insights based on the information I've found as it relates to your requirements:

  1. Transitioning from a custom auth flow to the hosted UI "set new password" view is not directly supported. The hosted UI supports a FORCE_CHANGE_PASSWORD auth flow state where users must change their password upon successful login through the hosted UI. Users created by an admin start in this state, and this flow can be triggered for new users: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#:~:text=Force%20Change%20Password%20The%20user,Disabled

  2. The hosted UI does not support custom authentication flows or CORS policies, which means that it does not directly support transitioning from a custom auth flow to a hosted UI flow. Therefore, completing a custom auth flow with a JWT token and then redirecting to the hosted UI new password flow may not be feasible through the hosted UI's current capabilities. https://github.com/awsdocs/amazon-cognito-developer-guide/blob/main/doc_source/cognito-user-pools-app-integration.md#:~:text=,prevent%20users%20from%20passing

  3. Custom authentication flows in Cognito are possible and can be orchestrated using AWS Lambda triggers. These custom flows allow you to create a challenge/response-based model, which can include generating and verifying magic links. However, you cannot use advanced security features with custom authentication flows: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

  4. An app can initiate a custom authentication flow by calling InitiateAuth with CUSTOM_AUTH as the AuthFlow. Three Lambda triggers (DefineAuthChallenge, CreateAuthChallenge, and VerifyAuthChallengeResponse) control the challenges and verify the responses. The DefineAuthChallenge trigger acts as a state machine controlling the user’s path through the challenges.

  5. It is worth noting that the Amazon Cognito hosted sign-in webpage cannot activate custom authentication challenge Lambda triggers. This suggests that for a custom "Magic Link" implementation, you might need to rely on a fully custom solution rather than integrating with the hosted UI for the new password setup.

To achieve the desired functionality, you could consider the following alternative mechanisms:

  • Utilize Cognito triggers to create a custom authentication flow, where the magic link sent to the user could authenticate them and trigger a password change as a challenge.
  • Present a custom change password screen as part of your application flow after the user is authenticated through the custom auth flow.
  • Use the SDK to change the user’s password and create a session after they have set their new password through your custom interface.

Each of these solutions would require custom development and could not leverage the hosted UI's built-in password reset flow due to the limitations mentioned above. You would need to manage the user's first-time login experience and password reset functionality within your application's front-end and back-end logic, using Cognito's APIs to interact with the user pool.

AWS
Drew D
answered 5 months ago
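The three triggers named in point 4 of the answer (DefineAuthChallenge, CreateAuthChallenge, VerifyAuthChallengeResponse), wired together for the magic-link challenge from the first alternative bullet. This is an added example, not code from the answer, the asker, or AWS; it assumes a placeholder front-end URL, a signing secret read from an environment variable (`MAGIC_LINK_SECRET`), a 15-minute link lifetime, a limit of three attempts, and a `send_email` callback standing in for whatever mail service the deployment uses. The event and response field names are the ones Cognito passes to these triggers; `run_flow` is a local simulation of how Cognito sequences them, so the whole thing runs offline.

```python
"""Cognito custom-auth Lambda handlers for a magic-link challenge (added example)."""
import hashlib
import hmac
import os
import time

# Signing key for the link token. Constructed for this offline example; a real
# deployment would load it from a secrets store (assumption), never hard-code it.
SECRET = os.environ.get("MAGIC_LINK_SECRET", "example-only-secret").encode()
LINK_TTL_SECONDS = 15 * 60                        # assumed link lifetime
MAX_ATTEMPTS = 3                                  # wrong answers before the flow fails
BASE_URL = "https://app.example.invalid/magic"    # placeholder front-end URL


def make_token(username, now=None):
    """Stateless token '<expiry>.<hmac>' bound to the user name and an expiry time."""
    exp = int(now if now is not None else time.time()) + LINK_TTL_SECONDS
    sig = hmac.new(SECRET, f"{username}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{sig}"


def verify_token(username, token, now=None):
    """Recompute the MAC for this user, compare in constant time, reject expired links."""
    try:
        exp_text, sig = token.split(".", 1)
        exp = int(exp_text)
    except (AttributeError, ValueError):
        return False
    if exp < int(now if now is not None else time.time()):
        return False
    expected = hmac.new(SECRET, f"{username}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def define_auth_challenge(event, context=None):
    """State machine: issue CUSTOM_CHALLENGE, succeed once answered, fail after MAX_ATTEMPTS."""
    session = event["request"].get("session", [])
    resp = event["response"]
    if event["request"].get("userNotFound"):
        # Fail the same way as a wrong answer so the link cannot be used to enumerate users.
        resp.update(issueTokens=False, failAuthentication=True)
    elif session and session[-1]["challengeName"] == "CUSTOM_CHALLENGE" and session[-1]["challengeResult"]:
        resp.update(issueTokens=True, failAuthentication=False)
    elif len(session) >= MAX_ATTEMPTS:
        resp.update(issueTokens=False, failAuthentication=True)
    else:
        resp.update(challengeName="CUSTOM_CHALLENGE", issueTokens=False, failAuthentication=False)
    return event


def create_auth_challenge(event, context=None, send_email=None, now=None):
    """Mint the link and hand it to a delivery callback; nothing secret goes back to the client."""
    username = event["userName"]
    email = event["request"]["userAttributes"].get("email", "")
    link = f"{BASE_URL}?user={username}&token={make_token(username, now)}"
    if send_email is not None:      # e.g. a mail service in production (assumption); a stub in tests
        send_email(email, link)
    event["response"]["publicChallengeParameters"] = {"email": email}
    event["response"]["privateChallengeParameters"] = {"challenge": "MAGIC_LINK"}
    event["response"]["challengeMetadata"] = "MAGIC_LINK"
    return event


def verify_auth_challenge_response(event, context=None, now=None):
    """The client answers with the token from the link; accept only a valid, unexpired MAC."""
    answer = event["request"].get("challengeAnswer") or ""
    event["response"]["answerCorrect"] = verify_token(event["userName"], answer, now)
    return event


def run_flow(username, email, click_link, now=0):
    """Local simulation of Cognito driving the three triggers; returns the final DefineAuthChallenge response."""
    session, delivered = [], []
    while True:
        ev = {"userName": username,
              "request": {"userAttributes": {"email": email}, "session": list(session)},
              "response": {}}
        define_auth_challenge(ev)
        if ev["response"]["issueTokens"] or ev["response"]["failAuthentication"]:
            return ev["response"]
        create_auth_challenge(ev, send_email=lambda _to, link: delivered.append(link), now=now)
        answer = click_link(delivered[-1])        # what the browser submits after the click
        vev = {"userName": username,
               "request": {"challengeAnswer": answer,
                           "privateChallengeParameters": ev["response"]["privateChallengeParameters"]},
               "response": {}}
        verify_auth_challenge_response(vev, now=now)
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": vev["response"]["answerCorrect"],
                        "challengeMetadata": "MAGIC_LINK"})
```

The token is stateless on purpose: the click usually arrives in a fresh browser tab, so the verifier recomputes the MAC from the user name and expiry in the link instead of relying on challenge state held elsewhere. The trade-off is that a stateless token is accepted any number of times until it expires; if one-time use matters, record each issued token server-side and mark it consumed on the first successful verification. The front end still has to keep the `Session` string returned by InitiateAuth and pass it to RespondToAuthChallenge, and the DefineAuthChallenge branch for `userNotFound` fails in the same way as a wrong answer so the endpoint does not reveal which addresses exist.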
