Questions tagged with Amazon Cognito

We have an existing userpool with standard Cognito users. At some point we enable a external SAML identity provider for a group of users. When the existing users go to login a new user is created by Cognito and linking the external identity provider. We want to keep using the same Cognito user so we update the external provider on the original Cognito user record. But since there is a matching one on this new Cognito user we still get the new user rather than the original. I have tried using the AdminDisableProviderForUser api call with both ProviderAttributeName=Cognito_Subject and ProviderAttributeName=Cognito. But they both indicate that the Account is not linked to anyone. Is the ProviderAttributeName different for the linking that Cognito automatically creates for users? I think I can just disable that new user to solve this but I would rather not introduce code that would allow disabling of users.

This is just a repost from stackowerflow. **Cognito team seems to be unwilling to fix this serious bug.** https://stackoverflow.com/questions/47815161/cognito-auth-flow-fails-with-already-found-an-entry-for-username-facebook-10155 The goal is to implement a social provider auth flow as described in User Pools App Integration and Federation. One important thing that I want to satisfy, is to merge user pool accounts that have the same email address. I am accomplishing that by calling adminLinkProviderForUser within the PreSignUp_ExternalProvider cognito lambda trigger. So with this, everything works. The new social provided user is being registered and linked with the already existing Cognito (user+pass) user. However, the authentication flow, from user's perspective doesn't complete. It fails at the last step where the callback uri (defined in cognito user pool) is being called: ``` error: invalid_request error_description: Already found an entry for username Facebook_10155611263152353 ``` But then, if the user retries the social auth flow, everything works, and would get session tokens that represent the original Cognito User Pool user (the one that already had that email). Note that I'm testing the auth flow on an empty User Pool, zero user accounts.

Hi, I am working on creating an Platform application which is mainly for employees of that organization. Internal in organization, they are using Microsoft AD for authentication purpose. So till now we decided to use AWS Cognito with federated identity. But they are using AWS SSO also. From some of blogs it seems like we can also utilize that AWS SSO for authentication purpose in our application. Is it the write understanding Please confirm, if so here are some more confusion : - 1. If we go on AWS SSO approach, do in that we need Cognito pool or not ?? 2. If we go on AWS SSO approach, do that aws sso return some JWT token that we can utilize on API Gateway layer for authenticating all APIs ?? Looking for quick response. If possible please share some relevant blogs/article ? Regards, Abhishek

I am trying to provide multitenancy checks in a VTL that runs as part of a custom subscription. I am using the `@function` and `@aws_subscribe` annotations; the `@function` references an amplify function I added using `amplify add function`, naming it `perfectQueuePortalReceiveOrder` . Here are excerpts from my `schema.graphql`: ``` type ReceiveOrderResponse { brandSlug: String! @aws_iam @aws_cognito_user_pools(cognito_groups: ["perfectCoAdmin", "tablet"]) storeNumber: String! @aws_iam @aws_cognito_user_pools(cognito_groups: ["perfectCoAdmin", "tablet"]) orderDetails: String! @aws_iam @aws_cognito_user_pools(cognito_groups: ["perfectCoAdmin", "tablet"]) } type Mutation { receiveOrder(brandSlug: String!, storeNumber: String!, orderDetails: String!): ReceiveOrderResponse @function(name: "perfectQueuePortalReceiveOrder-${env}") @aws_iam @aws_cognito_user_pools(cognito_groups: ["perfectCoAdmin"]) } type Subscription { onReceiveOrder(brandSlug: String!, storeNumber: String!): ReceiveOrderResponse @aws_subscribe(mutations: ["receiveOrder"]) @aws_cognito_user_pools(cognito_groups: ["perfectCoAdmin", "tablet"]) } ``` The issue is that it does not appear that any VTL templates are generated for the Subscription. After issuing `amplify api gql-compile`, I see in the `build/resolvers` directory that VTL resolvers were generated both for the mutation, `Mutation.receiveOrder.res.vtl` as well as the lambda request/response templates: `InvokePerfectQueuePortalReceiveOrderLambdaDataSource.req.vtl` `InvokePerfectQueuePortalReceiveOrderLambdaDataSource.res.vtl`. However, _no_ `Subscription.onReceiveOrder.*` VTL template gets generated at all. My goal is simply to override the VTL template _only for the subscription_, in order to compare custom cognito user attributes against the arguments provided to the subscription, and give an unauthorized error if the arguments do not match the identity claims. But no VTL templates seem to get generated for the subscription; only for the mutation. How can I compare the arguments to a custom Subscription that is `@aws_subscribe`d to a custom Mutation, itself using `@function`, against the cognito-based identity claims provided in the $ctx during VTL processing for _the initiation of the subscription_? What is particularly confusing is that everywhere else I have used the `@aws_cognito_user_pools` and `@aws_iam` tags, the results have appeared in the build/resolvers VTL templates. _But not for subscriptions_. Why not? Strangely, these annotations _do_ seem to be honored, however, I cannot find any VTL code that implements that honoring, as I can with Queries and Mutations. Help?

I have a client reported issue with cognito, which I cannot reproduce. (SAMLRequests generated by cognito include line feed characters \x0a - the example they posted was from 2 weeks ago ). I could not reproduce this, and figured it is possible this is something the cognito team may have fixed, and wanted to check the release notes to see if this is the case, but I can't find any. Do these exist?

We have many downstream client requests to prevent the reuse of passwords when a user changes their passwords in our applications. We are using Cognito User Pools to manage all users and store no credentials at all in our system databases. Is there any way to configure parameters on a user account to disallow them from using the same password that has previously been used? We don't want to make the push to Federated auth (to allow the clients to manage this on their side) because a lot of smaller customers don't necessarily have the means to set up an identity provider or an IT team to manage it or push to MFA for the same reason. Any help with this functionality or if there is a known open issue that we can track, that would be appreciated!

We are using aws-sdk to get temporary credential information from the Cognito ID pool in order to send requests from our front-end web application to the API Gateway that has been configured for authorization by the IAM authorizer. The credential information expiration time is 1 hour by default, is there any way to change the expiration time? ``` const client = new CognitoIdentityClient({ region: process.env.VUE_APP_AWS_REGION }); const getIdCommandInput = { AccountId: process.env.VUE_APP_AWS_ACCOUNT_ID, IdentityPoolId: process.env.VUE_APP_COGNITO_AUTH_IDENTITY_POOL_ID, Logins: {} }; const userPool = `cognito-idp.${process.env.VUE_APP_AWS_REGION}.amazonaws.com/${process.env.VUE_APP_COGNITO_AUTH_USER_POOL_ID}`; getIdCommandInput.Logins[userPool] = store.state.authenticateResult.idToken; const getIdCommand = new GetIdCommand(getIdCommandInput); const identityIdResponse = await client.send(getIdCommand); const getCredentialsForIdentityCommandInput = { IdentityId: identityIdResponse.IdentityId, Logins: {} }; getCredentialsForIdentityCommandInput.Logins[userPool] = store.state.authenticateResult.idToken; const getCredentialsForIdentityCommand = new GetCredentialsForIdentityCommand(getCredentialsForIdentityCommandInput); const credentialsResponse = await client.send(getCredentialsForIdentityCommand); ``` When the credential information is retrieved with the above code, the Expiration property contains the date and time one hour later. I tried the following, but there was no change in the 1-hour expiration. (1) Change the "maximum session time" of IAM roles set to "authenticated roles" in the Cognito identity pool to 2 hours. (2) Change the "Maximum session time" of IAM roles set to groups in the Cognito user pool to 2 hours.

Hi, I am having issues getting my spring security OAuth Client test project to logout a user from Cognito. Background Information: I have a Java Spring test project set up to get familiar with Authentication using OAuth / OIDC with Cognito. It is based on this tutorial: https://spring.io/guides/tutorials/spring-boot-oauth2/ I have a Cognito User Pool set up with appropriate API Client settings for "Authorization code grant" flow. This works very well except I wanted to logout from Cognito as well as Spring session, as I want to be able to login as another user. So I then added a LogoutSuccessHandler to my spring config to cause a redirect to the Cognito logout end point. It was done as shown here: https://rieckpil.de/oidc-logout-with-aws-cognito-and-spring-security/ Apparently this has worked for some people. The problem: It largely works. My Spring session is invalidated, and logout returns a redirect to the browser to Cognito Logout endpoint along with what I believe to be the correct parameters. However the browser (same for Firefox and Chrome) then makes a preflight Cors call to the Cognito logout end point and this will result in a 404 as "OPTIONS" is not supported on the end point. Example: 1. Request to my application to logout: URL GET to http://localhost:8080/logout With session cookie etc 2. My test service response Redirect to: Location: https://cortexo.auth.eu-west-2.amazoncognito.com/logout?client_id=<ClientId>&logout_uri=http://localhost:8080 Relevant response headers (yes they are very stupidly open for testing): Access-Control-Allow-Headers: Content-type,responseType Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS Access-Control-Allow-Origin: * Access-Control-Max-Age: 3600 If I manually browse to this redirected URL (copy and paste into browser bar) then Cognito will logout and redirect back to my project as expected. However the browser when following the redirect, first attempts to do a Cors preflight check to the URL by calling with an OPTIONS call. This results in a browser reported error: "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource." I believe the reason for this is that if you do an OPTIONS call to the Logout end point it will result in a 404 (not found) error and the end point documentation confirms that only GET is supported. The questions are: 1. I'm curious as to why the tutorial for Spring OAuth logout has worked for some others 2. Is this approach the right one? Am I missing something? 3. Any suggestions on how I can I work around this (still using Spring Security OAuth Client, as Spring Security is what we are using in our real projects)? Thanks

How can I give Granular access to different users of a single s3 bucket? For the use case, let's assume that multiple users use a common S3 bucket to store files. Users can access & download files from the bucket. But how can I ensure that a user is not able to access another user's files? Also if the user base increases to a million how can I dynamically allow users to store & download files with full privacy(each file created is associated with a particular user only)?

I have developed a containerized web server in ECS behind a Cognito authenticated Application Load Balancer. I am in the final stages of development and working on implementing a log off button. The documentation below states to log off a user, the application should modify the authentication session cookies and set the expiry to -1. On the client side, I can see the session cookies, but they are marked as HTTPOnly and can not be modified. I do not see the cookies on the server side and based on the documentation, it does not sound like the cookies are sent to the server. How do I modify the cookies to log out a user or is there another way to log out a user? https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

I have a Login With Amazon (LWA) button on a web page of mine, [Configurations](https://developer.amazon.com/loginwithamazon/console/site/lwa/overview.html) shows "Client ID:amzn1.application-oa2-client.87d..." [LWA SDK for Javascript](https://developer.amazon.com/docs/login-with-amazon/install-sdk-javascript.html) is configured as specified in the link. I can click the button and click to allow on the popup, and I am redirected back to the landing page with a URL `https://[my/site]?success=null&access_token=Atza...&token_type=bearer&expires_in=3600&scope=profile` So far so good. On that page, I import the AWS SDK, decode the access token URI component, and attempt to get credentials from the Amazon Cognito provider ``` // Initialize the Amazon Cognito credentials provider AWS.config.region = 'us-east-1'; // Region AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'us-east-1:09...REDACTED...30', Logins: {'www.amazon.com': accesstoken } }); AWS.config.credentials.get((e) => console.log(e,AWS.config.credentials)); ``` which simply returns `NotAuthorizedException: Token is not from a supported provider of this identity pool.` from what developer tools shows is a POST to `https://cognito-identity.us-east-1.amazonaws.com/` with payload `{"IdentityPoolId":"us-east-1:09...REDACTED...30","Logins":{"www.amazon.com":"Atza|Iw..."}}` The Cognito/federated identities identity pool dashboard at `https://us-east-1.console.aws.amazon.com/cognito/pool/edit/?region=us-east-1&id=us-east-1:09...REDACTED...30` shows under "Authentication providers" Amazon App ID `amzn1.application-oa2-client.87d...` and under "Authenticated role selection" is "Choose role with rules" where the only rule has claim "email" "Contains" "@redacted.my.domain" is then applied the authenticated role with a default "Role resolution" of DENY. Edit: I have also tried setting "Role resolution" to "Use default Authenticated role" and the same error persists. Edit 2: I have tried changing the Logins portion of the payload to `Logins: {'www.amazon.com': 'amzn1.application-oa2-client.87d...' }` which results in `NotAuthorizedException: Invalid login token.` I'm pretty sure that's wrong since using the app ID for the token wouldn't be specific to a user but I tried it anyway since some github code did. Most github code seems to use the access token. What is going wrong here? Why won't Cognito accept the Login With Amazon access token?

The `/login` endpoint could be used to produce a UI sign-in webpage with custom error messages. To do this you should simply add the `loginErrorMessage` variable in your GET request: ``` &loginErrorMessage=Account%20Blocked%0APlease%20send%20your%20Email%20and%20Password%20to%20xyz@abc.com%20to%20unblock%20your%20account. ``` (Note that this variable is not even reported in your official [documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/login-endpoint.html) ) Thisbehaviour could be exploited by an attacker to create URLs for phishing purposes. Is there a way to set a static message? Or to disable the login error message?

I am currently in the process of validating the migration of a set of users to a cognito user pool via the migration trigger, the essence of the lambda function for the trigger can be boiled down to: ``` def lambda_handler(event, context): response = requests.post(external_auth_api_url, json_with_user_and_pass) if response.status_code = 200: event["response"] = { "userAttributes": { "username": event["userName"], "email": event["userName"], "email_verified": "true" }, "finalUserStatus": "CONFIRMED", "messageAction": "SUPPRESS" } return event ``` This is doing an external rest call to the old system the user was signing in through as per the documentation and returning a success response. The issue I noticed is that if the lambda function time is too long, for example, the average execution time of this lambda for me right now via ngrok is about 5 seconds total, cognito is failing when I call initiateAuth with USERNAME_PASSWORD flow and returning the following: ``` botocore.errorfactory.UserNotFoundException: An error occurred (UserNotFoundException) when calling the InitiateAuth operation: Exception migrating user in app client xxxxxxxxxxxx ``` I managed to validate that this issue was occurring by simply returning a success response without doing an external REST call and essentially bringing the lambda function runtime down to milliseconds, in which case I got the tokens as expected and the user was successfully migrated. I also tested this by simply having a lambda function like: ``` def lambda_handler(event, context): time.sleep(5) event["response"] = { "userAttributes": { "username": event["userName"], "email": event["userName"], "email_verified": "true" }, "finalUserStatus": "CONFIRMED", "messageAction": "SUPPRESS" } return event ``` This fails with the same error response as above. If anyone can advise, I am not sure if there is a maximum time the migration trigger will wait that is not documented, I wouldn't expected the trigger to have such a thing if the migration trigger's intention is to do external REST calls which may or may not be slow. Thanks in advance!

I'm trying to connect to AWS Cognito from a .net Framework project. I can sign up succesfully but when I need to sign in, throws me an error: "User pool {userPool} client does not exist". This is my code: ``` private async Task<bool> CheckPasswordAsync(string userName, string password) { try { var authReq = new AdminInitiateAuthRequest { UserPoolId = ConfigurationManager.AppSettings["USERPOOL_ID"], ClientId = ConfigurationManager.AppSettings["CLIENT_ID"], AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH, }; authReq.AuthParameters.Add("USERNAME", userName); authReq.AuthParameters.Add("PASSWORD", password); AdminInitiateAuthResponse authResp = await _client.AdminInitiateAuthAsync(authReq); var auts = authResp; return true; } catch(Exception ex) { var exc = ex.Message; return false; } } ``` I don't know if I need to add more information to the method. The user pool exists and is the same that I have in appSettings. Any idea about what's wrong? Thanks in advance.

I was looking the documentation trying to figure out how to use Authorization code flow with custom UI and Cognito, but looks like this still not possible, am I right? I have tried somethings as wrap all the call in my api, but doesn't seem this would solve my problem. The main objective is because the HostedUI, doesn't fulfill the requirements that I have to use the Cognito server. Does anyone know how to do this?

I'm using the Cognito hosted login page to authenticate into my application. The response_type is code and I'm generating a login url that includes the following query parameters: client_id, redirect_uri, response_type, scope and state. Under a specific set of circumstances, when clicking Sign In on the log in page, it will 302 Redirect to `[my-app].[my-region].amazoncognito.com/error` (note there's no query string) with a 400 Response Code. Typically clicking Sign In will navigate to my callback page where the authentication is completed, but in this instance it never hits anything in my application, it redirects from Amazon to Amazon. This is the specific sequence in order to reproduce: - Navigate to the application and sign in, then sign out. You should be redirected to a screen with a button that says "Sign In as [email address]" (Not the screen with fields for username and password. This does not seem to occur when that screen is used to log in). - Before clicking the Sign in button, copy the URL, and navigate to the same URL in a new tab or window. - In that window, click the Sign In button. - Go back to the original window - Click the Sign In button - You will get a 302 Redirect to the `[my-app].[my-region].amazoncognito.com/error` page I've tried logging locally in my application, but like I said it never hits anything on my side. If there is logging on the AWS side, I don't know where to look. Please let me know if this is a known issue, if there is a solution, or if any more information is needed. Thanks in advance

Hi All, I am trying to build a solution for a customer and the requirement is to authenticate the user using their LoginService (Legacy SOAP Call) from Cognito. The flow looks like this UI-->Cognito-->SOAP Call-->Cognito--UI. Any suggestions on this implementation?

Upgraded AWS Elastic search to Amazon OpenSearch 1.2. After the upgrade not able to login dashboard. Configured AWS cognito for authentication. Before upgrade it worked, not sure why its failing after upgrade, given permissions by changing policies. Getting below error java.net.ConnectException: Connection refused (Connection refused). Please suggest for any solution.

I want to understand how the multi-tenant application are built ? Assume a product called "company.com" exist. The client want to use this company.com and create a sub domain i.e client1.company.com. In AWS how this can be achieved ? Does Route 53 provides any way to create the sub-domain using runtime APIs. After the creation of sub domain is successful, how to identify the client1 i.e tenant from url in AWS ? Does Route 53 provides some way to identify the tenant ? Also How does cognito works in multiple tenant application? For every tenant do we need to create cognito identity pool ? What is the recommendation for this ? Can some one explain this ?

I've developed several native Android and IOS apps as well as a Wordpress LMS that employ a Cognito authentication environment that's working very well authenticating tens of thousands of users with accounts in a single user pool. Now I have an external customer that wants to provide access to my organization's LMS courses to their users. Their users are authenticated in their portal, and they do not want their users to have to login to my environment or maintain credentials in my environment. They just want to provide a link to my courses in their portal and then allow their users to seamlessly access these courses. I know there's got to be a way to do that (to have my Cognito environment trust their environment to authenticate their users) using something like Cognito Federated Identities and SAML configuration (or some similar combination) but I'm getting lost understanding first the high-level design of such a solution and then of course the particular implementation. Thank you in advance for any guidance you may give!

I have a Cognito User Pool working with MFA enabled (optional), and I am currently working on setting up Device Tracking so that users can bypass MFA for trusted devices ("Allow users to bypass MFA for trusted devices" set to "Yes"). I am using the AWS SDK for **Ruby**, and can successfully step through the `admin_initiate_auth` and `admin_respond_to_auth_challenge` steps. When I run `confirm_device` I am getting an exception: ``` Invalid device credentials given, no credentials given ``` Searching on Google for the exception message, I've so far been unable to find any examples of error message for Cognito. The code I'm using: ```ruby class Cognito attr_reader :client, :user_pool_id, :app_client_id, :app_client_secret def initialize @client = Aws::CognitoIdentityProvider::Client.new( region: ENV['AWS_REGION'], access_key_id: ENV['AWS_ACCESS_KEY_ID'], secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'] ) @user_pool_id = ENV['AWS_USER_POOL_ID'] @app_client_id = ENV["AWS_APP_CLIENT_ID"] @app_client_secret = ENV["AWS_APP_CLIENT_SECRET_KEY"] end class << self def secret_hash(username) cognito = self.new Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', cognito.app_client_secret, username + cognito.app_client_id)) end def authenticate(username:, password:) cognito = self.new user_object = { USERNAME: username, PASSWORD: password, SECRET_HASH: Cognito.secret_hash(username), } auth_object = { user_pool_id: cognito.user_pool_id, client_id: cognito.app_client_id, auth_flow: "ADMIN_NO_SRP_AUTH", auth_parameters: user_object, } cognito.client.admin_initiate_auth(auth_object) end def admin_respond_to_auth_challenge(session:, mfa_code:, username:) cognito = self.new cognito.client.admin_respond_to_auth_challenge({ user_pool_id: cognito.user_pool_id, client_id: cognito.app_client_id, challenge_name: "SMS_MFA", # required, accepts SMS_MFA, SOFTWARE_TOKEN_MFA, SELECT_MFA_TYPE, MFA_SETUP, PASSWORD_VERIFIER, CUSTOM_CHALLENGE, DEVICE_SRP_AUTH, DEVICE_PASSWORD_VERIFIER, ADMIN_NO_SRP_AUTH, NEW_PASSWORD_REQUIRED challenge_responses: { "SMS_MFA_CODE" => mfa_code, "USERNAME" => username, "SECRET_HASH" => Cognito.secret_hash(username), }, session: session, context_data: { # TODO get these from request. ip_address: "127.0.0.1", # required server_name: "localhost", # required server_path: "https://127.0.0.1/", # required http_headers: [ # required { header_name: "StringType", header_value: "StringType", }, ], }, }) end def confirm_device(device_key:, access_token:, device_name: nil) cognito = self.new cognito.client.confirm_device({ device_key: device_key, access_token: access_token, device_name: device_name, }) end end end ``` And called with: ``` r = Cognito.authenticate(username: 'user.email@gmail.com', password: "Password1") challenge = Cognito.admin_respond_to_auth_challenge(session: r.session, mfa_code: "123456", username: 'user.email@gmail.com') confirm = Cognito.confirm_device(device_key: challenge.authentication_result.new_device_metadata.device_key, access_token: challenge.authentication_result.access_token, device_name: "John's Machine") ``` With the full error being: ``` /Users/myname/.rbenv/versions/3.1.2/lib/ruby/gems/3.1.0/gems/aws-sdk-core-3.126.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': Invalid device credentials given, no credentials given (Aws::CognitoIdentityProvider::Errors::InvalidParameterException) ``` I'm not sure what credentials I'm missing. Any help would be appreciated! Thank you.

Everything I have read shows sms is supported by SNS in us-west-1. I can’t seem to figure out how to add, or request, toll-free origination numbers for sns. We have a Cognito user pool in us-west-1 and would like to use its phone verification (ultimately through sns) but this is not sending the verification codes. The root cause looks to be a lack of an origination number in SNS (in us-west-1). I successfully have SNS toll-free origination numbers in us-east-1, but there also doesn’t seem to be a way to tell Cognito to use SNS in us-east-1 and migrating users to a new pool in east would be horrible. Side note: SNS is in production mode, not sandbox. Thanks I’m advance! I’ve spent wayyy too much time battling this.

Hello, I am new to AWS, and I am using Amplify to build my application (React + Node). I am trying to make a very simple storage interface for user documents, and I don't want these documents to be accessible by those who do not sign in through the Cognito user pool. However, I do want these documents to be accessible to all users who have signed in through my application. I followed all of the directions specified in [the official documentation page regarding setup](https://docs.amplify.aws/lib/storage/getting-started/q/platform/js/#storage-with-amplify), and didn't configure any special options. I then went into the web interface for my S3 bucket, found the newly created storage bucket, and added a folder called "templates" with a couple sub folders, and then some user document templates. The problems started to occur upon calling the `Storage.list(...)` function within my application. The promise would resolve successfully, but the list would be empty. I understand now that's because my application was attempting to index the S3 bucket through a `public` scope prefix. When I create a folder named public, and add the files in there, everything works nicely. I was under the opinion though that using this public folder would allow my privileged content to be indexed to users who were not credentialed (i.e. guests from outside my application who didn't pass through the Cognito login portal). Is that the case? There are no groups configured from within my Cognito user pool. Right now, calling Amplify storage API functions work, but only in the `public` scope. I had thought what I wanted to do was only allow such functionality within the `private` scope; but I'm beginning to think based on the docs pages regarding user access that what I would be fine using the `public` scope, as it doesn't allow access to internal files by guests, who would not be signed in. This hunch is furthered by information regarding `protected` and `private` scopes being user-specific. Should I delve deeper into the permissions associated with these bucket objects, and configure some sort of user group system and then configure ACLs based on the groups, or would using files within the public scope be fine for my use case? I just don't want users who aren't signed in through Cognito to be able to access files. Thank you for your time, and I hope this question finds you well.

I have an API with three different access modes: IAM, Cognito Users, and Cognito applications (using a secret). I am able to configure everything fine, for example, here's a field: ``` type SomeMutation @aws_iam @aws_cognito_user_pools { update(input: MutationInput!): Boolean! @aws_cognito_user_pools(cognito_groups: ["EDITORS"]) } ``` However, I'd also like to allow a specific server side application client to access this API. This is a client that has a client_id and client_secret, and can get a token using those values. If I don't limit based on groups, the calls from this client work fine, but as soon as I create a group restriction, the app client is no longer authorized. Ideally, I'd like to be able to configure the authorization as follows (by including an authorized client_id): ``` type SomeMutation @aws_iam @aws_cognito_user_pools { update(input: MutationInput!): Boolean! @aws_cognito_user_pools(cognito_groups: ["EDITORS"], cognito_clients: ["abcdefg"]) } ``` But I don't see any indication that this kind of control is possible. Will I have to write some custom authentication?

We are using a set of custom lambdas to implement OTP login to a Cognito instance. To send the text messages with the password (eg, sms), we are using the pinpoint api with a configured 10DLC campaign/phone number. We also have another phone number (and relevant campaign) setup for promotional messages. Since 13:30 today (30/05/2022), we cannot send the OTP messages to UK based phone number (most of our devs are UK based). The messages work as expected for US, RO and (!!!)PK number (we are deploying code atm to block PK). The SMS sent to UK numbers are logged as SPAM, see example: `{"event_type": "_SMS.FAILURE", "event_timestamp": 1653917224341, "arrival_timestamp": 1653917224468, "event_version": "3.1", "attributes": {"sender_request_id": "...", "origination_phone_number": "...", "destination_phone_number": "+44myphonenumber", "record_status": "SPAM", "iso_country_code": "GB", "number_of_message_parts": "1", "message_id": "...", "message_type": "Transactional"}, "metrics": {"price_in_millicents_usd": 3888}}` This is incredible frustrating since none of my devs can log in to the app (we are developing).

I try to log in to Cognito by doing this: `Amplify.Auth.signIn( "prueba", "prueba1234aB", result -> Log.i("AuthQuickstart", result.isSignInComplete() ? "Sign in succeeded" : "Sign in not complete"), error -> Log.e("AuthQuickstart", error.toString()) );` and get this error: **AuthException{message=Sign in failed, cause=com.amazonaws.services.cognitoidentityprovider.model.InvalidLambdaResponseException: Unrecognizable lambda output (Service: AmazonCognitoIdentityProvider; Status Code: 400; Error Code: InvalidLambdaResponseException; Request ID: \[...\]** My goal is to get the user credentials, so I can work with them when it comes to using other AWS services. I tried logging in from the web interface Amazon provides to test users and it did work, so it should not be the user fields' fault. What am I doing wrong exactly? Is it something about the code? Or maybe something about the pre-authentication triggered Lambda? If so, how should I deal with the response I'm returning from that Lambda? Thanks in advance!

Hi, I use amplify auth, Cognito authentication. For signup, I have confirmed SMS code and for signing I have MFA. I got 10 messages in the beginning and everything worked well. I later stopped receiving messages and I sent a request to increase the limit. Limit is increased and was implemented in Europe (Frankfurt) region. Also, account are moved out of the Amazon SNS sandbox. I use Europe (Frankfurt) region. but my Cognito auth still uses SNS sandbox. When I try to move to production redirect me to Ireland region and support center. How to connect my project, Cognito auth with Amazon SNS mode in production?

Hi, We are planning a migration to Cognito for our authentication infrastructure, just wanted to find out the best way to send localised notifications (forgot password, email verification etc.) to users in different countries. I know we can send custom lambda triggers, but I couldn't find a documentation related to localisation which I believe is an important topic, thanks in advance

I was looking at ways in which we can ingest data using Kinesis data streams without creating an IAM user & generating access & security tokens. Possible alternatives I have found include: 1. Let api gateway assume a role with correct permissions & use it to send data. I think this might be prohibitively expensive. Any insights? 2. Generate temporary credentials using STS & send it to end user. Drawback would be needing to replace credentials every now and then. 3. Maybe use anonymous users functionality in Cognito identity pool & allow access to Kinesis that way. Not sure if this is even viable. Any insight would be very valuable. Thanks in advance!

I am running Kibana via AWS OpenSearch Service with user management via Cognito. Is it possible to create a user that only has read only access to Kibana dashboards? And additionally, to only specific dashboards?

How do I customize/limit what a web user (customer - not administrator!) sees on my static S3 site? I have searched high and low for which approach to take. I've successfully limited access with CloudFront & Lambda but that approach only allows one user/password for all restricted content. I would like my customers to log on individually (lowest level) and have content filtered for each customer. I do not want my customers to see other customers or other customer's content. I have tried following "Signed cookie-based authentication with Amazon CloudFront and AWS Lambda@Edge: Part 1 & 2" but boy did that leave a gaping hole between the two documents (i.e. where do you point the login form???)! I think I am looking for: Individual customer sign on / password (cognito?) Filtering/limiting content (by prefix?) determined by cookie or token or ??? Please just point me in a direction?

I'm in a cognito user pool configuration, and I tried to change the MFA requirement on the pool to allow TOTP. It gave me this error: > [AccessDeniedException] Failed to update MFA configuration for us-east-1_FLnPt9UKE > requestId: 0660fb15-2cc4-4f63-9c8f-657b71b320d9 > time: Sat May 21 2022 16:16:18 GMT-0400 (Eastern Daylight Time) > code: AccessDeniedException > message: User: arn:aws:iam::384426254369:root is not authorized to perform: iam:PassRole on resource: > arn:aws:iam::745623467555:role/cognito_sms_role because no resource-based policy allows the iam:PassRole > action I'm confused because I am logged into the console as the root user, which should have permission to EVERYTHING. I do not, however, really have a role named "cognito_sms_role." Is that the problem? If so, how do I fix it?

I wrote a really simple post-auth lambda for cognito like this: ```go func HandleRequest(ctx context.Context, e events.CognitoEventUserPoolsPostAuthentication ) error { eventJson, _ := json.MarshalIndent(e, "", " ") eventString := strings.ReplaceAll(string(eventJson), "\n", "\r") log.Printf("EVENT: %s", eventString) return nil } func main() { lambda.Start(HandleRequest) } ``` It's only there - for now - to log activity. But when I actually attach it to the user pool as a post-authentication trigger it makes OAuth2 not work. The error message is "contact administrator." I'm thinking that I need to actually do something besides return error = nil. I'm not having much luck finding any examples of this in go, though. The javascript example ends with: ``` // Return to Amazon Cognito callback(null, event); ``` Is that what the expectation is in 'go' as well - that I return `(events.CognitoEventUserPoolsPostAuthentication, error)` and just send it back the original event?

I'm trying to use Lambdas to cater for some required processing in Cognito. I don't seem to be able to find examples of any POCOs to cater for the requests data sent by Cognito to the lambdas. Are there any NuGets with these classes in, or a suggestion of how to deal with this another way? Thanks

I have configured the Application Load Balancer to sit in front my application hosted in ECS. The load balancer has a rule to Authenticate using Cognito User Pool and then forward the request to a target group. I get the prompt to enter my Google credentials the login appears to be successful, with the url in the format https://{domain}/oauth2/authorize?client_id={id}&redirect_uri=https%3A%2F%2{domain}.%2Foauth2%2Fidpresponse&response_type=code&scope=openid&state={state here} The problem here is I get "414 Request-URI Too Large". I have no indication that this is from my application and this is a response from the load balancer. The length of the State in the url is 20,514 characters My question is this a bug or what am I doing wrong?

Suppose I have a Cognito Identity Pool. I want to grab info about the user itself rather than their Cognito Identity ID. Is there any way to read off the principal tags from the assumed Cognito Identity or the underlying IAM Role? Alternatively I could parse the "sub" attribute from the oidc provider (via the cognito identity's amr block) and work backwards with the identity provider to get more info... but this is resource intensive and I see no reason why I can't access the principal tags passed into the cognito identity...

hello. I'd like to get a secret key and access key ID as a cognito license. ``` cognitoUser.authenticateUser(authenticationDetails, { onSuccess: function (result) { const idToken = result.getIdToken().getJwtToken(); AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:7fc9xxxx-xxxx-xxxx-xxxxx-xxxxx', Logins: { 'cognito-idp.ap-northeast-2.amazonaws.com/userPoolid': idToken, }, }) } ``` On the Cognito aws Identity Pool page, it is confirmed that the identity browser has become a credential. However, in getCredentials, "Could not load credentials from CognitoIdentityCredentials" is generated. ``` AWS.config.getCredentials(function (err) { if (err) return console.error(err.stack); else console.log('Access key:', AWS.config.credentials.accessKeyId); }) ``` If you look at the AWS.config.credentials console log, there are no values other than the parameters you put in. Problem not found. Is it right to get the secret key issued through Cognito Identity Credentials?

Hi, according to the [List Identities documentation](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_ListIdentities.html#API_ListIdentities_RequestSyntax), the field `HideDisabled` hints that we can disable identities within an identity pool but I couldn't find further information how to accomplish this. Is my understanding correct, can we disable an identity within an identity pool and if so what are the steps?

I use Cognito Sync "updateRecords" function in JavaScript SDK v3 (https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoSync.html#updateRecords-property) and set "Op" in "RecordPatches" to "remove", but specified record(s) not deleted and "SyncCount" increased by 1. I also get the same result with same operation in AWS CLI. What is the right way to delete a record key (not just record value) in dataset ?

Access an identity in cognito identity browser always redirect to cognito homepage. My account have AWSCognitoPowerUser role. Steps to reproduce: 1. go to Cognito service https://console.aws.amazon.com/cognito/home 2. select "Manage Identity Pools" 3. select an identity pool 4. select "identity browser" in the left side 5. select an identity id in the right side 6. EXPECTED: show records in this identity. ACTUAL: being redirected to Cognito service homepage (step 1) tested in multi web browsers and multi AWS account, this issue happens for months

Hi, the first call to the two methods below is very slow and after the same calls become fast. do you know why ? Method 1: var user = new CognitoUser(...) AuthFlowResponse resp = await user.StartWithCustomAuthAsync(new InitiateCustomAuthRequest()....) Method 2: RespondToAuthChalengeResponse verresponse = await provider.ResponseToAuthChallengeAsync(new RespondToAuthChalenge(){...}) thank you in advance best regards

As my understanding, there are two required steps. I think only 1) is ok. **Is this redundancy? ** 1) From AWS IoT core policies, grant access to cognito_identity_id ```shell aws iot attach-policy --policy-name 'myIoTPolicy' --target '<YOUR_COGNITO_IDENTITY_ID>' ``` 2) From Cognito side, attach AWSIoTDataAccess and AWSIoTConfigAccess to Cognito Authenticated Role

We are working for FHIR(Fast Healthcare Interoperability Resources). We have followed “FHIR works on AWS” and deployed the CloudFormation template given by AWS in our AWS environment.Following is the template that we have deployed https://docs.aws.amazon.com/solutions/latest/fhir-works-on-aws/aws-cloudformation-template.html Requirement : we want to maintain client specific/customized ids as primary key in the server. Problem : server not allowing us to override or mainain client specific (customized ) ids as primary key .Infact , in the runtime, it is generating its own ids and ignoring the id given by us.

I'd like to request to S3 as a cognito certification qualification. S3 is using sdk Cognito is using amplify. Use an angular typescript. I would like to replace the secret key with the cognito authentication information when creating S3. I want to access s3 with the user I received from Auth.signIn, but the credentials are missing. I need your help. ``` public signIn(user: IUser): Promise<any> { return Auth.signIn(user.email, user.password).then((user) => { AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', }); const userSession = Auth.userSession(user); const idToken = userSession['__zone_symbol__value']['idToken']['jwtToken']; AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', RoleArn: 'arn:aws:iam::111111111111:role/Cognito_role', Logins: { CognitoIdentityPool: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', idToken: idToken, }, })); const s3 = new AWS.S3({ apiVersion: '2012-10-17', region: 'ap-northeast-2', params: { Bucket: 'Bucketname', }, }); s3.config.credentials.sessionToken = user.signInUserSession['accessToken']['jwtToken']; s3.listObjects(function (err, data) { if (err) { return alert( 'There was an error: ' + err.message ); } else { console.log('***********s3List***********', data); } }); } ``` bucket policy ``` { "Version": "2012-10-17", "Id": "Policy", "Statement": [ { "Sid": "AllowIPmix", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::s3name/*", } ] } ``` cognito Role Policies - AmazonS3FullAccess ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", ], "Resource": "*" } ] } ```

I am using the "adminCreateUser" function to create a user and get a temporary password over email. After submitting the password and generating a new password "Post confirmation" lambda should have triggered but it's not getting triggered. I have read this [StackOverflow](https://stackoverflow.com/questions/60232079/aws-cognito-postsignup-trigger-not-working) thread and it says in the case of "adminCreateUser" it will not trigger the lambda. Can you please guide the correct solution?

Hi, I was trying to write a React code for enabling TOTP based MFA for an user in cognito userpool. but i am not able to enable it. as i tried different code these is the error i am getting . **Reason: { message: "Code mismatch", code: "EnableSoftwareTokenMFAException", time: "2022-05-04T12:53:02.136Z",… } error: "EnableSoftwareTokenMFAException: Code mismatch" success: false ** i tried google authenticator and microsoft authenticator but still the same error message. sometimes code works but most of the time i am getting this error. how to resolve this ? what may be the reason for this error ? here's the link to my codebase i been refering : [https://github.com/AlexzanderFlores/Worn-Off-Keys-Cognito-Tutorials/blob/master/10-TOTP-MFA/lambda/get-qr-code/index.js]()

Suppose I have a generic OIDC provider that mints ID Tokens and I pass one to AWS (through an AWS OIDC Provider and connecting something like a Cognito Identity Pool) to receive STS credentials in return. When those credentials expire, I do it again and get new credentials. Suppose I'm dumb, have an insecure app, or have dumb users falling for phishing scams and leaking out their OIDC ID Token. Are there any measures in place/possible to implement that prevents someone else from getting STS credentials using that same token? (i.e. MTLS, DPoP)

I'm quite new at AWS and use mostly the console to build my project. I have placed a containerized Streamlit web app in an AWS EC2/ECS instance beyond an ALB (https listener with session timeout 3960 secs.) and let users access it through Cognito authentication with Authorization code grant. Everything works fine, users are allowed to the app. Now, I would like users to be authomatically logged out after 60 minutes and redirected to the signout URL. I've set the refresh token expiration at 60 min., the access token and ID token expiration at 5 min. However, the backend continues delivering data to logged in users even after 60 minutes, so my idea doesn't work. Then, I've implemented a Lambda function with admin_user_global_sign_out but it doesn't work either: users do still get data from the backend. I'm wondering what I shall do and looking for a solution that I can implement using the AWS console so that the procedure is clear to me. Thank you for any help.

When changing the default message and adding new lines from console, all the text appears in a single line. Tried adding /n and <br> tags with no luck. Building a Lambda trigger seems overkill. Any options?

It is possible to replace the texts presented on the AWS Cognito hosted UI login screen? I am involved in a project, where we need the strings in Spanish.

How is AWS GameKit integrating Facebook login, does it use inbuilt browser for opening an Amazon Cognito link or using Facebook's C++ SDK? How does this work on Android?

I need I have two cognito pools One is for uber rider One is for uber driver now when I query from my rider side I need rider authentication from his pool on rides table and when I need to query from drivers side I need driver credentials for authentication from his pool to get data from rides table. like this one https://aws.amazon.com/blogs/mobile/graphql-security-appsync-amplify/ but with code gen amplify it self generate the VTL. but my problem is to write it by myself as I am not using amplify.

I'm trying to implement an custom challenge using Amplify -> Cognito, the issue is that when I call: ```Auth.signIn({... , validationData: {foo: 'bar'}, {foo: 'bar'}})```, the `validationData` or `clientMetadata` are present in Define Auth Challenge or Create Auth Challenge triggers as described in the documentation https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html It's extremely important to be able to send context to Define and Create Auth Challenge from the client so we could define what challenge was chosen on the client-side, e.g Email, or Sms, or even sending the users language so during sending the challenge the language could be defined to send messages through SNS, and it seems people are managing that in a hacky way by answering a "dummy" challenge just be able to send context to the lambda, [here's](https://github.com/aws-amplify/amplify-js/issues/6731) the discussion in Amplify repo. I'd like to know if someone else went through this issue and figured out another solution and if Cognito team has plan to fix it? Thanks.

I am implementing a custom email sending Lambda for Cognito. When attempting to decrypt the "code" I am receiving the "Aws::KMS::Errors::InvalidCiphertextException" exception. I have a symmetric KMS key assigned to the Lambda via the Cognito User Pool, and can successfully trigger the Lambda. I have attempted to use both "Base64.decode64" and Base64.strict_decode64" before passing the ciphertext to the decode method. The CloudTrail logs are showing that Cognito is using the KMS GenerateKeyPair method, and providing an encryption context: ``` { "userpool-id": "my-user-pool", "aws-crypto-public-key": "AULXovx/...==" } ``` I have therefore attempted to pass this "encryption_context" to the decrypt method, however the "aws-crypto-public-key" is unique to each request. The KMS documentation explains (as best I can understand) that public keys are not applicable for symmetric keys. Questions: - Have I correctly understood the requirements to decode the ciphertext input? - If so, how can I retrieve the public-key value for the given ciphertext input? --- Language: Ruby SDK Version: 3

I am developing a react native mobile app. I want my user to login in one device with once account. If a user tries to login to another mobile device with same account, he should be logout from the first mobile device. but official docs of AWS cognito provide two options either logout or global logout. In global logout it logs user out from device 1 and 2 both. what is expected If a user logs in second mobile device it should automatically be logout from the other one.

Question: Can i use Id token, access token, refresh token in User pool to identity pool? i making code login to Developer authenticated identities but official document, i read Using Token on Amazon User pool no have Token in Amazon Identity pool if login Developer authenticated identities and expire access token, then Automatically provide access Token without making the user restart it?

Problem: I created cognito user pools for staging and production under the same root AWS account. I need to move them to separate accounts for security purposes. I know that AWS doesn't have great support for transferring resources between accounts, but I think a case can be made for Cognito user pools. I would happily create a new pool in the new account and write a script to create the user accounts in the new pool using the emails from the old pool, but there are two problems 1. AWS doesn't allow exporting password hashes 2. AWS doesn't export 2FA tokens So there's no way for existing users to log in to the new pool. If you google for people who faced this problem, they come up with hacky solutions like signing in users to the old pool, then triggering a signup on the new pool, and forcing a password reset. Obviously this solution is not acceptable since I don't want to force my users to reset their passwords + users with 2FA enabled now have to re-enable it! Another problem: this "solution" depends on the user to come back to your site and log in. I don't want to have to wait months/years for this transition to happen. I want to be able to move my pools freely. Please AWS give us a solution.

We are using Cognito as an IdP. Therefore, users are managed in user pools. For login, we are not using the Hosted UI but instead have build our own custom UI because of customisation requirements. For doing the actual login, we are using the Cognito IdP Actions like AdminInitiateAuth, etc. We need to integrate this setup with Keycloak. Keycloak is initiating an OAuth2 Flow in which we are showing our login form, perform the login and provide the tokens. The problem is that Keycloak is sending an "nonce" token when calling the AUTHORIZATION endpoint and expects this "nonce" token to be present in the "id_token" which it receives after successful authentication. With the Cognito Hosted UI this works like expected. However, when using the Cognito IdP API we have not found any way to provide this information as a parameter to have the "nonce" token included in the "id_token". Are we missing something? What's the right way to do this? Any help is highly appreciated. Thanks in advance

For a user pool under device tracking I have it set to user opt-in and allow users to bypass MFA for trusted devices set to yes. However I'm never presented with the option to remember my browser when I'm prompted to login. Also I notice that the cookies issued have no expiration and are per session. I want the option to remember browsers and cookies to remain persistent, what am I missing?

We are trying to setup AWS Polly to use inside a Unity project. Currently we are getting this error: "Invalid identity pool configuration. Check assigned IAM roles for this pool" We have added Polly permissions to the IAM (find screenshots below): https://ibb.co/ThL6mcc https://ibb.co/kqcSTP3 And set up an identity, with unauthorised access, pointing to the IAM containing Polly permissions (find screenshot below). https://ibb.co/TthT7xs Before we linked Identity to the IAM, the error we were getting was pointing towards a lack of permissions for Polly, so it appears that code on the Unity side is working as expected. What are the steps we need to take in order to set up the identity pool configuration to work with unauthorised access? The project we are working on is a site based VR experience, and we are managing all of the machines ourselves, so we have no need for user authentication.

I would like to customize invitation email body with emoji but i got an error : ``` Member must satisfy regular expression pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{####\}[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]* ``` I was able to solve this for email header using base64 encoding following this documentationhttps://docs.aws.amazon.com/ses/latest/dg/send-email-raw.html#send-email-mime-encoding-headers, but how am i supposed to do with the body? Thank you in advance. Clément

I’ve set up a identity pool and configured a google IdP to be able to federate logging using google credentials. One of the goals of the software I’m building is to integrate with google apis to perform integrated functions on behalf of the user with google services. However, everything I’ve read and all my testing has lead me to believe that after google redirects back to cognito, it’s takes the google token and authors its own and the federated token is discarded and not retrievable. Ideally, I’d like to store the federated google token inside a claim of the cognito token itself. Is there something I am missing, perhaps another path I’ve overlooked, or do need to look at another product because cognito doesn’t support my use-case

Hi guys, I've working with Amazon Cognito and I've a doubt, for example: if I've working with a server side applications (Authorization Code Grant Flow) and a user logged in the app, then Cognito send him an id token and access token. With these tokens the app can access to some resources, but here is my question: I know that we should verify the tokens in the server side received from a user application (id token and access token), but my question is if the user application (for example in the front-end) should verify also the tokens returned from Cognito ? or only it is mandatory or recommended to check the tokens in the server side application ? One mounth ago I 've asked a question about the same topic, and a user answered me saying that it's highly recommended checking the tokens sended by the front-end app in any request to server side application. And I understand the answer, but now is on the contrary my doubt. Thanks in advance !! Greetings.

I've set up a CUSTOM_AUTH flow within Cognito that generates and sends OTP via sms/text and email. Works quite well, very reliable. However, this has got me wondering how to approach abuse / spamming. Each time the InitiateAuth action on Cognito is triggered, an OTP is generated and sent via email or text. This could result in abusers spamming the system, causing a lot of message to be sent and driving up costs. Is there any way in which Cognito can be configured to prevent spamming of a CUSTOM_AUTH flow? Alternatively I suppose rate limiting could be achieved by using some kind of persistent storage like dynamoDB. A throttling mechanism could be introduced as part of the define-auth or create-auth Lambda.

I have cognito user pool with users. I need to implement forgot password logic with email also like with username. It's means that you can enter email or username and it will start forgot password procedure. Do you know any ways to do it?

I'm trying to configure the AWS S3 service to download the included files in a bucket using Unity for mobile. I downloaded the SDK package and I got it installed. From AWS console I set up a IAM policy and roles for unauth users I created a Cognito IdentityPool and got the relative id I set up the S3 bucket and its policy using the generator, including the **arn:aws:iam::{id}:role/{cognito unauth role}** and the resource **arn:aws:s3:::{bucket name}/***. In code I set credentials and region and create CognitoAWSCredentials (C# used) ```C# _credentials = new CognitoAWSCredentials(IdentityPoolId, _CognitoIdentityRegion); ``` then I create the client: ```C# _s3Client = new AmazonS3Client(_credentials, RegionEndpoint.EUCentral1); // the region is the same in _CognitoIdentityRegion ``` I then try to use the s3Client to get my files (in bucketname subfolders) ``` private void GetAWSObject(string S3BucketName, string folder, string sampleFileName, IAmazonS3 s3Client) { string message = string.Format("fetching {0} from bucket {1}", sampleFileName, S3BucketName); Debug.LogWarning(message); s3Client.GetObjectAsync(S3BucketName, folder + "/" + sampleFileName, (responseObj) => { var response = responseObj.Response; if (response.ResponseStream != null) { string path = Application.persistentDataPath + "/" + folder + "/" + sampleFileName; Debug.LogWarning("\nDownload path AWS: " + path); using (var fs = System.IO.File.Create(path)) { byte[] buffer = new byte[81920]; int count; while ((count = response.ResponseStream.Read(buffer, 0, buffer.Length)) != 0) fs.Write(buffer, 0, count); fs.Flush(); } } else { Debug.LogWarning("-----> response.ResponseStream is null"); } }); } ``` At this point I cannot debug into the Async method, I don't get any kind of error, I don't get any file downloaded and I even cannot check is connection to AWS S3 has worked in some part of the script. What am I doing wrong? Thanks for help a lot!

I'm using Cognito user pool created with Amplify. It requires e-mail sign-in and sign-up. Username parameter is automatically filled with sub value. I'm using this username value as a unique id for Dynamo DB user table. I've selected username value as a unique id since sub values were assigned by Cognito system, we could not provide them. It's also explained in Cognito docs: *"If your application doesn't require a user name, you don't need to ask users to provide one. Your app can create a unique username for users in the background. This can be useful if you want users to register and sign in with an email address and password."* [https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html]() While importing users to new Cognito pool (same configuration with Amplify), I was hoping to copy the username values to cognito:username attributes of newly created users. But it didn't work like that, import job failed with "Username should be an email". Even when I provide email for username attribute, it's set as a random UUID. I do not understand, how these users were created with usernames keeping sub (UUID) values, if it's not allowed? If they could be created with these values, why they can't be imported to a new user pool having exactly the same config, any idea?

Hello I'm trying to get user information by userid but it does not return all list of UserAttributes Trying to get using this method ``` const user = await this.cognito .adminGetUser({ ...this.defaultParams, Username: userId, }) .promise(); ``` ***Actual Response*** ``` { "Username": "XXXXXXXXXXXXXXXXXXXX", "UserAttributes": [ { "Name": "sub", "Value": "Any" }, { "Name": "email_verified", "Value": "true" }, { "Name": "email", "Value": "abc@gmail.com" } ] } ``` ***Expected Response*** ``` { "Username": "XXXXXXXXXXXXXXXXXXXX", "UserAttributes": [ { "Name": "sub", "Value": "Any" }, { "Name": "email_verified", "Value": "true" }, { "Name": "email", "Value": "abc@gmail.com" }, { "Name": "name", "Value": "first name" } , { "Name": "family_name", "Value": "last name" } ] } ``` **Could someone please let me know why AdminGetUser does not return name and family_name in the list of UserAttributes?**

I try to authenticate end-users of my application at ELB level by using Cognito provided feature. I first deployed all my resources in eu-west-1 and works perfectly. When trying to do the same in eu-west-1, CloudFormation sent me an error: ``` Resource handler returned message: "Invalid request provided: AWS::ElasticLoadBalancingV2::ListenerRule Validation exception" ``` Also see a trace in Cloud Trail (partial copy) ``` "eventTime": "2022-04-11T13:47:08Z", "eventSource": "elasticloadbalancing.amazonaws.com", "eventName": "CreateRule", "awsRegion": "eu-west-3", "sourceIPAddress": "cloudformation.amazonaws.com", "userAgent": "cloudformation.amazonaws.com", "errorCode": "ValidationException", "errorMessage": "Action type 'authenticate-cognito' must be one of 'redirect,fixed-response,forward,authenticate-oidc'" ``` I suspect that this feature is not yet available in eu-west-3, but can't find an official answer (which region supports this feature). Thanks for your help

Good day Cognito can enforce MFA across the whole pool, which enforces the MFA setup auth flow, even for users that hasn't set up TOTP yet. However, when making the pool MFA optional then setting TOTP MFA required on a user fails with the error: *User does not have delivery config set to turn on SOFTWARE_TOKEN_MFA* However, as mentioned, when enforcing MFA globally this is not an issue. How then can one force MFA auth flow when using TOTP only on a per-user basis? What we've discovered thus far, when explicitly calling associateSoftwareToken after a login (without MFA), one can set a user to REQUIRED with SOFTWARE_TOKEN_MFA, however the auth flow is still not enforced and there is no way with the API to discover whether the MFA is functional. We have the requirement to have per-user MFA requirements. We believe this is in fact a bug. Currently we are forced to either manually implement MFA in our app itself, or force MFA globally for all users.

I am hoping to use Cognito and User Pools to support a multitenant environment. So far it checks most of the boxes. It is my understanding that there is no current way to enrich the access token using Lamda triggers. I would really like to pass something to identify which user pool the user authenticated with in the access token to my APIs. Am I missing something or is there a workaround for this? One option that came to mind is to create a group in each to which all members of the pool are members off that is either the name or combination of the name and tenant id. Is this a reasonable approach or a horrible idea? Thanks.

I have `Cognito user pool` with one Allowed custom scopes for my app client i.e. ` admin-only`. I have two kinds of users `1. Users in Admin Group 2. Non-Admins users.` For my one of the AWS API Gateway Routes, I need to deny the access if user from non admin group is hitting the API Url, basically its allowed only for users which are part of Admin User group. I can achieve it through adding an `Authorization scope` on `API gateway` route with this custom scope and then adding a scope manually when I request an Authorization token in Hosted UI popup. But in my app, I don't want to add this scope manually, rather want to add this scope when the token is generated. I explored `Pre-Token Generation Trigger` but not able to see the way to override or add scope attribute in it. Also tried below code in Pre-Token Generation Trigger lambda. ``` exports.handler = async (event, context, callback) => { event.response = { "claimsOverrideDetails": { "claimsToSuppress": ["admin-only"] } }; callback(null, event); }; ``` Question is, is there a way to add/override custom scope in pre-token generation trigger ? If yes then how ? But if there is no way, then how to solve my use case ?

I have encountered a bug in the api gateway / cognito authorizer testing framework in the AWS api gateway console. By Default, cognito generates JWT tokens for use as client OAuth authentication workflow tokens. Two types of tokens are generated per user in a cognito user pool on login, the access_token and the id_token. Throughout the cognito documentation these terms are used interchangeably and without distinction, HOWEVER they have VERY different use cases. In the API Gateway console, the cognito authorizer TEST METHOD accepts an ID_TOKEN and provides a valid response, but fails using ACCESS_TOKEN. HOWEVER, if you access the api from HTTP / HTTPS, the cognito authorizer accepts an ACCESS_TOKEN and provides a valid response, but fails using ID_TOKEN. The documentation for api gateway cognito authorizer fails to make this distinction and I lost many hours of personal development time to this issue. If support staff can access this issue and provide feedback that would be greatly appreciated (both by me, and any other client using cognito).

when requesting ForgotPassword, using the Cognito's API I am getting this. No explanation, nothing. The same question was deleted from... everywhere! Any idea?

Greetings. I'm using AWS Cognito with Federeted Identities. I have a local users table which contains email address and user privileges to my application. I'm trying to have a functionality in the admin panel to signup a user to AWS Cognito user pool. I'm using AWS PHP SDK and here's my code: ``` $post = $this->request->post('entity'); $client = new CognitoIdentityProviderClient([ 'version' => 'latest', 'region' => 'eu-central-1', 'credentials' => [ 'key' => '[KEY]', 'secret' => '[SECRET]' ]]); try { $result = $client->signUp([ 'ClientId' => '[CLIENT_ID]', 'Username' => $post['username'], 'Password' => $post['password'], 'UserAttributes' => [ [ 'Name' => 'name', 'Value' => $post['username'] ], [ 'Name' => 'email', 'Value' => $user->email ]], ]); print_r($result); } catch (Exception $e) {} ``` This generates following error message: ```Error executing "SignUp" on "https://cognito-idp.eu-central-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.eu-central-1.amazonaws.com` resulted in a `400 Bad Request` response: {"__type":"NotAuthorizedException","message":"Client 1qljhu6osuq9qhelblds40hhqe is configured for secret but secret was (truncated...)``` Please help.

can we customise the "SIGNIN" logo displayed on the top of the browser tab to application name for cognito login page UI

I wanted to change the colour of "Forgot your password?" link and possibly edit the link text as "Forgot password ?" . Is it possible in user pool UI customisation option or is there any other alternative ways to do it. Please let me know!

Hi guys, I am researching topics about Cognito. I know how works the Authorization Code Grant Flow with Cognito. But I'm interested on how works the PKCE extension, more specifically how can I develop this extension with a Java example, or it's integrated with the Cognito SDK for Java ?, I would also appreciate other examples in Javascript and/or Android/IOS examples about PKCE. Thanks in advance ! Greetings.

Hello there, I've Cognito configured to authorize my users. The sign in and sign up is working fine. Now I want my users to be able to create data via an AppSync API. I've configured to use Cognito User Pool. But somehow if I want to create data via a mutation I get the error that I'm not authorized. The schema is described like this: type Advert @model @auth(rules: [{ allow: owner }, { allow: public, operations: [read] }]) { ... } But somehow this is not working. I just get following error: errorType: "Unauthorized", message: "Not Authorized to access createAdvert on type Advert" However, if I try it via the AppSync Webconsole it is working. Must I configure something in the Amplify API Client? Best regards Alex

Can i use AWS Cognito to authenticate to AWS Appstream and setup entitlements? My goal is to have one "Golden Image" with all the software installed and authenticate the users to see only the apps they need in catalogue mode.... Thanks for any help in advance!

I want to make a website on S3+CloudFront+Lambda, where Lambdas check whether a user bought a game in Steam. For that, I need him to authorize through Steam. Steam supports OAuth 2.0 protocol, but not OpenID Connect. Is it possible to make users authenticate using Steam before my Lambda returns some result?

Hello, I am not clear if it's possible to implement a PKCE authentication flow by using cognito SDK @aws-sdk/client-cognito-identity-provider. I am currently authenticating the user by providing a form on my application and sending username and password to my node.js backed which is using the InitiateAuthCommand with the AuthFlow "USER_PASSWORD_AUTH". I can't find the documentation to implement a PKCE flow using aws sdk? Is that even possible? And if so, what action should I implement? Thank you

The warning was `you don't have sufficient permission for this operation. Please contact the administrator.` but it was rendered as `you don&apos;t have sufficient permission for this operation. Please contact the administrator.` I think the Quotation mark for that warning and it should be `&rsquo;` instead of `&apos`. I am in Mumbai server if it helps!

Hello 1. I was facing ES EBS space issue (Prod Env) since last few days. Further i have increased ES EBS volume 10 to 128 GB using "Configure cluster", keep all configration same as, only increased EBS size up, and submitted. now 24 hours has been gone, still i can see Domain Status "Processing" . Could please help me how to fix it? or why is it taking too much time. 2. I tried to reset the settings and now I have next message *UpdateDomainConfig: {"message":"Update has failed. Reason(s): The Cognito User Pool does not have the domain name set. Please set it and try again.The Cognito User Pool configured with this domain is unavailable. Please update the User Pool ID and try again. If the issue persists, please contact AWS Support."}* 3. I reset the ES security configuration and I still have the same message. so I do not have any Cognito configuration in my ES, but it still asks me about the domain name

Hi guys, I've working with Amazon Cognito and I've a doubt, for example: if I've working with a server side applications (Authorization Code Grant Flow) and a user logged in the app, then Cognito send him an id token and access token. With these tokens the app can access to some resources, but here is my question: Can we check the tokens in my server side app, that is, can we check if the token if correctly formed, signed an have the correct claims before the server side app answer the request ?, and have we to do all of this for each request ?, thanks in advance ! Greetings.

Hi, I would like to implement a functionality where I can update the Registration i.e. Sign up link of Cognito to any custom URL. Currently when we click on sign up, it takes the user to Registration page of Cognito but I want the user to redirect to some other URL. Is there any way to do that? If not, then other option is to add a Custom Text on Sign in page and say CLICK HERE and this text can be a hyperlink to redirect the user to custom URL. Is there any way to do this? Regards, Shraddha

Hi guys, I'm a new user in this forum, I've been working with Cognito last months. I've found some examples in Java, but I like to explore others. Can you give me some example that working with Cognito in Java ?, thanks in advance ! Greetings.

The Authentication section in https://docs.amplify.aws gives examples that end up creating a React app that hosts its own authentication form. Instead of doing that, I want to create an SPA using React that: - Authenticates against Cognito using OIDC - Authenticates using the Cognito hosted UI - Uses the Implicit grant type (preferably with PKCE) Is the above achievable with Amplify? If so, is there a guide or any other documentation?

I'm trying to make the Cognito SSO. I'm already implemented it with Apache Server and it works ! Now I'm trying to do it without Apache, but with Load Balancer which redirect me to the Cognito Authentification. The authentification works, but next I need to do the similar thing to > RequestHeader set CAS-User something Is it possible to do it with Load Balancer or maybe with Lambda Function or another method ?... This header is required by my application. I was searching for CloudFront and LambdaEdge solution, but still can not understand how to get OIDC_Claim from Cognito after a authentification and then set with it my header...

Official Cognito documentation says a lot about how to federate other OIDC providers in a user User Pool, but I cannot find proper documentation explaining how to use the User Pool as an OIDC provider by itself. This is for scenarios where Clients will authenticate against the Cognito User Pool with the OIDC protocol without involving any other Identity Providers. It seems to be compatible, for the following endpoint exists: `https://cognito-idp.<region>.amazonaws.com/<user pool id>/.well-known/openid-configuration` Where's the documentation for that? I can only find third-party articles about this, but no proper documentation from AWS.