Questions tagged with Amazon Cognito
Content language: English
Sort by most recent
I have a RestApi declared with Cloudformation using AWS::Serverless::Api and created a default cognito authorizer there and declaring a UserPoolArn pointing to my UserPool1's.
Then, I created a custom resource, with RestApiId and a UserPool2ARN properties, so it could find (the APIG's authorizers) and add the second pool into the CognitoAuthorizer.
It seems to work, AWS Console API Gateway Authorizers page shows the CognitoAuthorizer with TWO different pools.
But the problem is when I "initiateAuth" different users from each pool to get an "idtoken", only the idtoken from the first-listed pool is going through. The idtoken from the other pool gets an unauthorized.
Hi,
I need to how ho to customize the email that Cognito sends when the user clicks on the "forgot password"
Thanks
This breaks Federation as they are expection the state parameter to be returned. the [Doc](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html) says to use logout_uri which signs my user out but doesn't return the state parameter. This is a problem as the dotnet OIDC Federation expectes this to be reuturned. I'm sure other libs do as well. I was told in another post to use redirect_uri but the probelm is this redriects to your hosted UI which is not what we are using for Auth so this is not an option. can someone fix this issue?
Hi
I followed the Node.js example explained [here](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) and I alway get the following exception on Cognito login.
`{"__type":"InvalidLambdaResponseException","message":"Unrecognizable lambda output"}`
The only time it works is, if I call callback immediately without altering the event response
```
exports.handler = (event, context, callback) => {
callback(null, event);
};
```
This example here (copy pasted from the guide) does not work and throws the mentioned exception "Unrecognizable lambda output". Even if I simplify it to this, it throws the same exception:
```
exports.handler = (event, context, callback) => {
event.response = {
"claimsOverrideDetails": {
"claimsToAddOrOverride": {
"attribute_key2": "attribute_value2",
"attribute_key": "attribute_value"
},
}
};
// Return to Amazon Cognito
callback(null, event);
};
```
I also tried to stringily the event, not calling the callback but instead return the event, etc. Always the same result.
An idea anyone?
```
Underlying error message: Could not cast incoming configuration to JSONValue, recoverySuggestion: Remove amplify plugins from your pubspec.yaml that you are not using in your app.,
```
What does this error suggest? My guess so far was the custom auth configs that I set up using amplify add auth > manual config, but nothing seems to solve this issue.
I'm currently building a Web application that stores data on DynamoDB.
I need to perform some GraphQL queries that need auth users on the Cognito user pool. My application login users with the IAM auth but when I query some information, every response is null.
I'm looking for a way to query information after login retrieving the Cognito user (already retrieved in my app) and passing it to the query function. Is this possible?
All the GraphQL works correctly in the AppSync view tested with Cognito user pool auth and VTL resolvers.
I would like to achieve the same result on the front end but it seems like I'm missing something
I'm using Cognito for User Management and I would like to build user journey where admin can edit user's email and then the user can verify the changes by clicking on an verification link received in email.
So far, I can only manage to send an email with a verification code, not a link, no matter if I have 'Verification type' 'Code' or 'Link' selected, a verification code is sent either way.
I am using my own domain, which has a an AWS managed certificate in US East (N.Virginia). I have also added the alias target in Route 53.
Can anyone spot what I am missing?
When I create my user pool, in Multi-factor authentication , MFA enforcement I can choose:
- Require MFA - Recommended
- Optional MFA
- No MFA
The **Require MFA** works fine in its way.
**Optional MFA** does not work at all, either during authentication or Update MFA configuration.
Could someone tell me if this is fixable or it is just impossible to use **Optional MFA** ?
To set the scenario, I have applications that uses AWS SDKs like Boto3 (Python) and aws-sdk (NodeJS) that are residing within a VPC with private subnets that strictly should have no internet access, while trying to sign up and auto confirm new users in the cognito user pool.
I notice that when these application attempt to call Cognito Identity Provider services using said SDKs, the SDK client would not receive any response.
Could someone please explain why this is the case, is it only happening for Cognito Identity Providers? And given that it is a requirement that the applications should still remain within the private subnet, is there possibly a way for these applications to make use of the SDKs?
In using cognito as service provider in sso implementation. If the username-domain is invalid, by default AWS Cognito will show a screen with a list of Corporate IDs. How to remove that default message from the UI.
Is there any plan we will have multi attributes filter for Cognito ListUsers API? If yes, how sooner we will get this functionality?
If I decided to share the user data from the Cognito user pool with pinpoint (email), will I have to gain GDPR consent from the user to do so?