cognito
npx machina-cli add skill itsmostafa/aws-agent-skills/cognito --openclaw
AWS Cognito
Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.
Core Concepts
User Pools
User directory for sign-up and sign-in. Provides:
- User registration and authentication
- OAuth 2.0 / OpenID Connect tokens
- MFA and password policies
- Customizable UI and flows
Identity Pools (Federated Identities)
Provide temporary AWS credentials to access AWS services. Users can be:
- Cognito User Pool users
- Social identity (Google, Facebook, Apple)
- SAML/OIDC enterprise identity
- Anonymous guests
Tokens
| Token | Purpose | Lifetime |
|---|---|---|
| ID Token | User identity claims (aud = app client ID, cognito:username, email, groups); consumed by the application itself | 1 hour by default; configurable from 5 minutes to 24 hours per app client |
| Access Token | API authorization (client_id, scope, token_use = access; it carries no aud claim) | 1 hour by default; configurable from 5 minutes to 24 hours per app client |
| Refresh Token | Obtain new ID/Access tokens without re-authenticating; revoke with revoke-token or admin-user-global-sign-out on logout or compromise | 30 days by default; configurable from 60 minutes to 10 years |
Common Patterns
Create User Pool
AWS CLI:
```bash
# MFA OPTIONAL/ON only takes effect once at least one MFA method is enabled;
# enable TOTP afterwards with `aws cognito-idp set-user-pool-mfa-config
# --software-token-mfa-configuration Enabled=true` (SMS MFA additionally needs
# an SMS configuration). Requiring verification before an email update stops a
# hijacked session from silently swapping the recovery address.
aws cognito-idp create-user-pool \
  --pool-name my-app-users \
  --policies '{
    "PasswordPolicy": {
      "MinimumLength": 12,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true
    }
  }' \
  --auto-verified-attributes email \
  --username-attributes email \
  --mfa-configuration OPTIONAL \
  --user-attribute-update-settings '{
    "AttributesRequireVerificationBeforeUpdate": ["email"]
  }'
```
Create App Client
```bash
# --generate-secret is for confidential (server-side) clients only. Browser
# and mobile apps cannot keep a secret: omit it for them and use the
# authorization code flow with PKCE. Consider adding
# --prevent-user-existence-errors ENABLED so failed sign-ins do not reveal
# whether a username exists.
aws cognito-idp create-user-pool-client \
  --user-pool-id us-east-1_abc123 \
  --client-name my-web-app \
  --generate-secret \
  --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
  --supported-identity-providers COGNITO \
  --callback-urls https://myapp.com/callback \
  --logout-urls https://myapp.com/logout \
  --allowed-o-auth-flows code \
  --allowed-o-auth-scopes openid email profile \
  --allowed-o-auth-flows-user-pool-client \
  --access-token-validity 60 \
  --id-token-validity 60 \
  --refresh-token-validity 30 \
  --token-validity-units '{
    "AccessToken": "minutes",
    "IdToken": "minutes",
    "RefreshToken": "days"
  }'
```
Sign Up User
```python
import base64
import hashlib
import hmac

import boto3

cognito = boto3.client('cognito-idp')


def get_secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Required on every call only when the app client has a secret; omit the
    SecretHash / SECRET_HASH parameter entirely for public clients."""
    message = username + client_id
    dig = hmac.new(
        client_secret.encode('utf-8'),
        message.encode('utf-8'),
        digestmod=hashlib.sha256
    ).digest()
    return base64.b64encode(dig).decode()


# 'client-id' / 'client-secret' are placeholders; load the real secret from a
# secrets manager or environment, never from source control
response = cognito.sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    Password='SecurePassword123!',
    UserAttributes=[
        {'Name': 'email', 'Value': 'user@example.com'},
        {'Name': 'name', 'Value': 'John Doe'}
    ]
)
# response['UserSub'] is the user's immutable ID; response['UserConfirmed']
# stays False until the verification code has been confirmed
```
Confirm Sign Up
```python
cognito.confirm_sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    ConfirmationCode='123456'
)
```
Authenticate User
```python
# SRP (USER_SRP_AUTH): the password never leaves the client. initiate_auth
# returns a PASSWORD_VERIFIER challenge; the client proves knowledge of the
# password in respond_to_auth_challenge. Libraries such as pycognito implement
# the SRP math and both round trips.
response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='USER_SRP_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret'),
        'SRP_A': srp_a  # client's public ephemeral value, from an SRP library
    }
)
# response['ChallengeName'] is 'PASSWORD_VERIFIER' here; answer it with
# cognito.respond_to_auth_challenge(...) to obtain AuthenticationResult

# Server-side password auth: needs IAM permission for cognito-idp:AdminInitiateAuth
# and an app client that allows ALLOW_ADMIN_USER_PASSWORD_AUTH (the client
# created above allows only SRP and refresh, so this call would be rejected).
# Never send plain passwords to Cognito from a browser or mobile app.
response = cognito.admin_initiate_auth(
    UserPoolId='us-east-1_abc123',
    ClientId='client-id',
    AuthFlow='ADMIN_USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'PASSWORD': 'password',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret')
    }
)

# Either flow may return a challenge (SMS_MFA, SOFTWARE_TOKEN_MFA,
# NEW_PASSWORD_REQUIRED) instead of tokens; reading AuthenticationResult
# blindly raises KeyError in that case
if response.get('ChallengeName'):
    raise RuntimeError(f"answer {response['ChallengeName']} via respond_to_auth_challenge")
tokens = response['AuthenticationResult']
id_token = tokens['IdToken']
access_token = tokens['AccessToken']
refresh_token = tokens['RefreshToken']
```
Refresh Tokens
```python
# With a client secret, the SECRET_HASH for REFRESH_TOKEN_AUTH is computed over
# the pool's stored username (the 'username' claim of the access token; a UUID
# when the pool uses email as username attribute), not over the e-mail address,
# otherwise Cognito answers NotAuthorizedException "Unable to verify secret hash for client".
pool_username = '...'  # placeholder: take the 'username' claim from the access token issued at sign-in
response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='REFRESH_TOKEN_AUTH',
    AuthParameters={
        'REFRESH_TOKEN': refresh_token,
        'SECRET_HASH': get_secret_hash(pool_username, 'client-id', 'client-secret')
    }
)
# The result carries fresh IdToken and AccessToken; keep using the existing
# refresh token unless the response includes a new one
new_tokens = response['AuthenticationResult']
```
Create Identity Pool
```bash
# --allow-unauthenticated-identities hands temporary AWS credentials to anyone
# who knows the pool ID; omit it unless guests genuinely need AWS access, and
# keep the unauthenticated role's permissions minimal. ServerSideTokenCheck=true
# makes Cognito re-check the user pool token server-side, so disabled, deleted
# or globally signed-out users are refused. The pool is unusable until roles are
# attached with `aws cognito-identity set-identity-pool-roles --identity-pool-id <id>
# --roles authenticated=<role-arn>,unauthenticated=<role-arn>`.
aws cognito-identity create-identity-pool \
  --identity-pool-name my-app-identities \
  --allow-unauthenticated-identities \
  --cognito-identity-providers \
ProviderName=cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123,\
ClientId=client-id,\
ServerSideTokenCheck=true
```
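The roles that set-identity-pool-roles attaches are only as safe as their trust policies: without an aud condition, identities from any Cognito identity pool in any AWS account can assume the role, and without an amr condition the guest identities created through --allow-unauthenticated-identities share the authenticated users' role. The following is an added example, not code from the page or from the aws-agent-skills project: it builds the trust policy Cognito expects for each role and checks an existing policy for those two gaps. The identity pool ID is the page's placeholder and the findings logic is this example's own.

```python
"""Trust policies for the IAM roles an identity pool hands out.
Added example, not the skill's own code. IDENTITY_POOL_ID is the page's
placeholder; the weakness checks are this example's own heuristics."""

IDENTITY_POOL_ID = "us-east-1:12345678-1234-1234-1234-123456789012"  # page placeholder

AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"
FEDERATED_PRINCIPAL = "cognito-identity.amazonaws.com"


def identity_pool_trust_policy(identity_pool_id: str, authenticated: bool) -> dict:
    """Role trust policy that only identities of THIS pool, in the expected
    authentication state, can assume via sts:AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": FEDERATED_PRINCIPAL},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud = identity pool ID: identities of other pools cannot use this role
                "StringEquals": {AUD_KEY: identity_pool_id},
                # amr separates signed-in users from guests created via
                # --allow-unauthenticated-identities
                "ForAnyValue:StringLike": {
                    AMR_KEY: "authenticated" if authenticated else "unauthenticated"
                },
            },
        }],
    }


def trust_policy_findings(policy: dict, identity_pool_id: str) -> list:
    """Return the weaknesses found in a Cognito role trust policy (empty is good)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("Federated") != FEDERATED_PRINCIPAL:
            continue  # not a Cognito identity statement; out of scope here
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(AUD_KEY)
        if aud != identity_pool_id:
            findings.append(f"{AUD_KEY} missing or wrong: identities from any pool "
                            "in any account can assume this role")
        amr = cond.get("ForAnyValue:StringLike", {}).get(AMR_KEY)
        if amr is None:
            findings.append(f"{AMR_KEY} missing: guests and signed-in users "
                            "receive the same role")
    return findings
```

Feed the returned dict to `aws iam create-role --assume-role-policy-document` (JSON-encoded) for each of the two roles, then attach them with set-identity-pool-roles; run trust_policy_findings over roles that already exist before enabling unauthenticated identities on a pool.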
Get AWS Credentials
```python
import boto3

cognito_identity = boto3.client('cognito-identity')
PROVIDER = 'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123'

# Exchange the user pool ID token (not the access token) for an identity ID
response = cognito_identity.get_id(
    IdentityPoolId='us-east-1:12345678-1234-1234-1234-123456789012',
    Logins={PROVIDER: id_token}
)
identity_id = response['IdentityId']

# Enhanced (simplified) flow: Cognito assumes the pool's authenticated role
# and returns short-lived STS credentials (about one hour)
response = cognito_identity.get_credentials_for_identity(
    IdentityId=identity_id,
    Logins={PROVIDER: id_token}
)
credentials = response['Credentials']

# Note the field names: SecretKey, not SecretAccessKey
session = boto3.Session(
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretKey'],
    aws_session_token=credentials['SessionToken']
)
s3 = session.client('s3')  # calls now run under the identity pool's authenticated role
```
CLI Reference
User Pool
| Command | Description |
|---|---|
| aws cognito-idp create-user-pool | Create user pool |
| aws cognito-idp describe-user-pool | Get pool details |
| aws cognito-idp update-user-pool | Update pool settings |
| aws cognito-idp set-user-pool-mfa-config | Enable TOTP/SMS MFA and set the pool MFA mode |
| aws cognito-idp delete-user-pool | Delete pool |
| aws cognito-idp list-user-pools | List pools |
Users
| Command | Description |
|---|---|
| aws cognito-idp admin-create-user | Create user (admin); user lands in FORCE_CHANGE_PASSWORD |
| aws cognito-idp admin-delete-user | Delete user |
| aws cognito-idp admin-get-user | Get user details, status, MFA settings |
| aws cognito-idp list-users | List users |
| aws cognito-idp admin-set-user-password | Set password (add --permanent to skip the forced change) |
| aws cognito-idp admin-disable-user | Disable user |
| aws cognito-idp admin-user-global-sign-out | Invalidate all of a user's refresh tokens |
Authentication
| Command | Description |
|---|---|
| aws cognito-idp initiate-auth | Start authentication (client side) |
| aws cognito-idp respond-to-auth-challenge | Answer a challenge (MFA, NEW_PASSWORD_REQUIRED, SRP PASSWORD_VERIFIER) |
| aws cognito-idp admin-initiate-auth | Server-side authentication with IAM credentials |
| aws cognito-idp revoke-token | Revoke a refresh token and the access tokens derived from it |
Best Practices
Security
- Enable MFA (OPTIONAL at minimum, REQUIRED for privileged users) and prefer TOTP over SMS, which is exposed to SIM-swap attacks
- Use strong password policies (the 12-character policy above exceeds Cognito's 8-character default)
- Enable threat protection (formerly advanced security features): adaptive authentication and compromised-credentials checks
- Verify email/phone before allowing sign-in, and require verification before attribute updates so a hijacked session cannot silently change the recovery address
- Use short token lifetimes for sensitive apps, and revoke refresh tokens on logout or compromise (revoke-token, admin-user-global-sign-out)
- Never expose client secrets in frontend code; give browser and mobile apps an app client without a secret and use the authorization code flow with PKCE
- Set PreventUserExistenceErrors to ENABLED on app clients so sign-in errors do not enumerate valid usernames
User Experience
- Use hosted UI for quick implementation
- Customize UI with CSS
- Implement proper error handling
- Provide clear password requirements
Architecture
- Use identity pools, not embedded long-lived IAM keys, when the client must call AWS services directly
- Send access tokens to your APIs; API Gateway's Cognito authorizer validates the ID token unless OAuth scopes are configured on the method, in which case it expects an access token
- Store refresh tokens out of reach of injected scripts (server side, an httpOnly cookie set by your backend, or platform secure storage on mobile), not in localStorage
- Refresh before expiry, and treat NotAuthorizedException on refresh as a signal to force a fresh sign-in
Troubleshooting
User Cannot Sign In
Causes:
- User not confirmed (UserStatus UNCONFIRMED), or still in FORCE_CHANGE_PASSWORD after admin-create-user
- Password incorrect; with PreventUserExistenceErrors enabled, unknown users get the same NotAuthorizedException
- User disabled (Enabled: false)
- Temporary lockout after repeated failed attempts (Cognito inserts increasing delays; there is no permanent lock flag to clear)
- Auth flow not enabled on the app client (e.g. USER_PASSWORD_AUTH without ALLOW_USER_PASSWORD_AUTH)
- Wrong or missing SECRET_HASH for a client that has a secret
Debug:
```bash
aws cognito-idp admin-get-user \
  --user-pool-id us-east-1_abc123 \
  --username user@example.com \
  --query '{Status: UserStatus, Enabled: Enabled, MFA: UserMFASettingList}'
```
Token Validation Failed
Causes:
- Token expired (exp is in the past)
- Wrong user pool or region (iss mismatch) or wrong client ID (aud on ID tokens, client_id on access tokens)
- Token signature invalid (wrong JWKS, or the token was tampered with)
- Wrong token type (an access token checked with audience=client-id fails, because access tokens carry no aud claim)
Validate JWT:
```python
import requests
from jose import jwt  # python-jose; PyJWT with PyJWKClient works the same way

REGION = 'us-east-1'
USER_POOL_ID = 'us-east-1_abc123'
CLIENT_ID = 'client-id'
ISSUER = f'https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}'

# Fetch the pool's signing keys once and cache them; they rotate rarely
jwks = requests.get(f'{ISSUER}/.well-known/jwks.json', timeout=5).json()

# Select the key named by the token header's kid
kid = jwt.get_unverified_header(token)['kid']
key = next(k for k in jwks['keys'] if k['kid'] == kid)

# ID token: aud holds the app client ID
claims = jwt.decode(token, key, algorithms=['RS256'], audience=CLIENT_ID, issuer=ISSUER)
assert claims['token_use'] == 'id'

# Access token: no aud claim, so check client_id and token_use yourself
claims = jwt.decode(access_token, key, algorithms=['RS256'], issuer=ISSUER,
                    options={'verify_aud': False})
assert claims['client_id'] == CLIENT_ID and claims['token_use'] == 'access'
```
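The claim rules behind the Tokens table and the snippet above, as an added example that is not part of the original page or the aws-agent-skills project: the checks AWS requires for user pool tokens (issuer, token_use, aud versus client_id, expiry) written with the standard library so they run offline, plus the unverified header/payload split that picks the JWKS key by kid. Signature verification is deliberately left to a JWKS-aware library such as PyJWT's PyJWKClient; validate_cognito_claims takes the payload after that step. The region, pool ID, client ID and every claim below are constructed placeholders, and the demo token carries a placeholder instead of an RS256 signature.

```python
"""Cognito User Pool JWT claim checks with the standard library only.
Added example, not code from the page or the aws-agent-skills project.
Region, pool ID, client ID and all sample claims are constructed."""
import base64
import json
import time
from typing import Optional

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_abc123"   # assumed: the page's placeholder pool
CLIENT_ID = "client-id"             # assumed: the page's placeholder app client
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_jwt(token: str) -> tuple:
    """Return (header, payload) WITHOUT checking the signature.
    The header's 'kid' selects the JWKS key; the payload stays untrusted
    until the RS256 signature has been verified against that key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_cognito_claims(claims: dict, expected_use: str,
                            now: Optional[float] = None) -> dict:
    """Checks AWS documents for user pool tokens, applied after signature
    verification. expected_use is 'id' or 'access'. Raises ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch: token is from another pool or region")
    if claims.get("token_use") != expected_use:
        raise ValueError(f"token_use {claims.get('token_use')!r}, expected {expected_use!r}")
    # ID tokens name the app client in 'aud'; access tokens carry no 'aud'
    # and name it in 'client_id' instead
    client_claim = "aud" if expected_use == "id" else "client_id"
    if claims.get(client_claim) != CLIENT_ID:
        raise ValueError(f"{client_claim} mismatch: token issued to another app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or exp missing")
    return claims


def make_unsigned_demo_token(header: dict, claims: dict) -> str:
    """Constructed token for local tests only: real Cognito tokens carry an
    RS256 signature in the third segment; this one carries a placeholder."""
    segments = [_b64url_encode(json.dumps(header).encode()),
                _b64url_encode(json.dumps(claims).encode()),
                _b64url_encode(b"signature-placeholder")]
    return ".".join(segments)
```

In production, split_jwt supplies the kid, the matching JWK verifies the signature, and only then does validate_cognito_claims run; the ordering matters because every claim is attacker-controlled until the signature check has passed.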
Hosted UI Not Working
Check:
- Callback URLs configured correctly
- Domain configured for user pool
- OAuth settings enabled
```bash
# Check the Cognito-prefixed domain; custom domains appear under CustomDomain
aws cognito-idp describe-user-pool \
  --user-pool-id us-east-1_abc123 \
  --query 'UserPool.[Domain, CustomDomain]'
```
Rate Limiting
Symptom: TooManyRequestsException (LimitExceededException for account-level quotas)
Solutions:
- Retry with exponential backoff and jitter; boto3 can do this for you with botocore.config.Config(retries={'max_attempts': 10, 'mode': 'adaptive'}) passed as config= when creating the client
- Request a quota increase for the throttled operation category through Service Quotas
- Cache tokens and the JWKS; validate JWTs locally instead of calling GetUser on every request, and re-fetch keys only on an unknown kid
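The backoff described above, as an added example that is not code from the page or the aws-agent-skills project: retry a throttled Cognito call with exponential backoff and full jitter, give up after a bounded number of attempts, and let non-retryable errors (wrong password, unconfirmed user) propagate immediately. FakeClientError and throttled_initiate_auth are constructed stand-ins: the error mirrors the .response layout of botocore's ClientError so is_retryable works unchanged on the real exception, and no AWS call is made.

```python
"""Retry a throttled Cognito call with exponential backoff and full jitter.
Added example, not the skill's own code. FakeClientError mimics the .response
layout of botocore.exceptions.ClientError; no AWS call is made here."""
import random
import time
from typing import Callable

RETRYABLE_CODES = {"TooManyRequestsException", "LimitExceededException", "ThrottlingException"}


class FakeClientError(Exception):
    """Constructed stand-in for botocore's ClientError (same .response shape)."""
    def __init__(self, code: str, message: str = "") -> None:
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def is_retryable(exc: Exception) -> bool:
    """Throttling is worth retrying; NotAuthorizedException and friends are not."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code")
    return code in RETRYABLE_CODES


def call_with_backoff(fn: Callable[[], dict], max_attempts: int = 5, base: float = 0.2,
                      cap: float = 5.0, sleep=time.sleep, rand=random.random) -> dict:
    """Call fn(); on a retryable error wait rand() * min(cap, base * 2**attempt)
    (full jitter) and try again, up to max_attempts. sleep and rand are
    injectable so the behaviour can be tested without real delays."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except Exception as exc:
            if not is_retryable(exc) or attempt == max_attempts - 1:
                raise  # non-retryable, or out of attempts: surface the original error
            sleep(rand() * min(cap, base * (2 ** attempt)))
    raise RuntimeError("unreachable: the loop always returns or raises")


def throttled_initiate_auth(throttle_first: int):
    """Constructed stand-in for cognito.initiate_auth: raises
    TooManyRequestsException for the first `throttle_first` calls, then returns
    a token-shaped dict. Returns (callable, call counter) for inspection."""
    counter = {"calls": 0}

    def initiate_auth() -> dict:
        counter["calls"] += 1
        if counter["calls"] <= throttle_first:
            raise FakeClientError("TooManyRequestsException", "Rate exceeded")
        return {"AuthenticationResult": {"AccessToken": "constructed-access-token"}}

    return initiate_auth, counter
```

Wrap only idempotent calls this way (initiate_auth, get_user, the JWKS fetch); retrying sign_up or admin_create_user after a timeout can produce duplicate-user errors that need their own handling.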
Source: https://github.com/itsmostafa/aws-agent-skills/blob/main/skills/cognito/SKILL.md
Overview
AWS Cognito provides authentication, authorization, and user management for web and mobile apps. It supports direct sign-in as well as federated identities from Google, Facebook, Apple, SAML/OIDC, and other providers, using User Pools and Identity Pools to manage users and credentials.
How This Skill Works
Cognito uses User Pools to handle sign-up, sign-in, MFA, and token issuance (ID, Access, Refresh). Identity Pools provide temporary AWS credentials to access AWS services for both authenticated users and guests, bridging external identities to AWS resources. OAuth 2.0 / OpenID Connect flows and social providers are supported via app clients and identity providers.
When to Use It
- You need a managed sign-up and sign-in flow for your app
- You want users to sign in via social or enterprise providers (Google, Facebook, SAML/OIDC, etc.)
- You require temporary AWS credentials to access AWS services on behalf of users
- You need MFA, password policies, and user attribute management
- You are building OAuth 2.0 / OIDC based APIs with token-based authentication
Quick Start
- Step 1: Create a User Pool with required attributes (email) and MFA options
- Step 2: Create a User Pool Client configured for OAuth flows and redirect URLs
- Step 3: Use the AWS SDK/CLI (e.g., boto3) to sign up, confirm, and sign in to obtain tokens
Best Practices
- Define a strong password policy and enable MFA to protect accounts
- Configure token lifetimes carefully (short-lived ID/Access tokens; sensible Refresh token period)
- Keep client secrets on the server side only; whenever an app client has a secret, every sign-up, sign-in, confirmation and refresh call must carry the matching SECRET_HASH, and public (browser/mobile) clients should be created without a secret
- Set explicit callback/logout URLs and choose appropriate supported identity providers
- Prefer OAuth 2.0 / OpenID Connect compliant flows and verify user attributes during updates
Example Use Cases
- Create a Cognito User Pool to manage user registration, sign-in, and MFA
- Create a User Pool Client with OAuth flows and scopes (openid, email, profile) and redirect URLs
- Sign up a user with an email attribute and confirm via a verification code
- Authenticate a user and obtain ID/Access tokens to authorize API calls
- Attach social identity providers (Google, Facebook) to a federated identity setup for sign-in