aws-cognito

Aws Cognito

AWS Cognito user authentication and authorization service. Use when setting up user pools, configuring identity pools, implementing OAuth flows, managing user attributes, or integrating with social identity providers.

Details

Property	Value
Skill Directory	`.github/skills/aws-cognito/`
Phase	General
User Invocable	✅ Yes
Usage	`/aws-cognito Auth flow, token type, or feature to look up (e.g. 'user pool app client', 'OAuth authorization code flow', 'JWKS token validation', 'identity pool AWS credentials')`

Documentation

AWS Cognito

Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.

Core Concepts
Common Patterns
CLI Reference
Best Practices
Troubleshooting
References

Core Concepts

User Pools

User directory for sign-up and sign-in. Provides:

User registration and authentication
OAuth 2.0 / OpenID Connect tokens
MFA and password policies
Customizable UI and flows

Identity Pools (Federated Identities)

Provide temporary AWS credentials to access AWS services. Users can be:

Cognito User Pool users
Social identity (Google, Facebook, Apple)
SAML/OIDC enterprise identity
Anonymous guests

Tokens

Token	Purpose	Lifetime
ID Token	User identity claims	1 hour
Access Token	API authorization	1 hour
Refresh Token	Get new ID/Access tokens	30 days (configurable)

Common Patterns

Create User Pool

AWS CLI:

aws cognito-idp create-user-pool \
  --pool-name my-app-users \
  --policies '{
    "PasswordPolicy": {
      "MinimumLength": 12,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true
    }
  }' \
  --auto-verified-attributes email \
  --username-attributes email \
  --mfa-configuration OPTIONAL

Create App Client

aws cognito-idp create-user-pool-client \
  --user-pool-id us-east-1_abc123 \
  --client-name my-web-app \
  --generate-secret \
  --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
  --supported-identity-providers COGNITO \
  --callback-urls https://myapp.com/callback \
  --logout-urls https://myapp.com/logout \
  --allowed-o-auth-flows code \
  --allowed-o-auth-scopes openid email profile \
  --allowed-o-auth-flows-user-pool-client \
  --access-token-validity 60 \
  --id-token-validity 60 \
  --refresh-token-validity 30 \
  --token-validity-units '{"AccessToken":"minutes","IdToken":"minutes","RefreshToken":"days"}'

import boto3
import hmac
import hashlib
import base64

cognito = boto3.client('cognito-idp')

def get_secret_hash(username, client_id, client_secret):
    message = username + client_id
    dig = hmac.new(
        client_secret.encode('utf-8'),
        message.encode('utf-8'),
        digestmod=hashlib.sha256
    ).digest()
    return base64.b64encode(dig).decode()

response = cognito.sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    Password='SecurePassword123!',
    UserAttributes=[
        {'Name': 'email', 'Value': 'user@example.com'},
        {'Name': 'name', 'Value': 'John Doe'}
    ]
)

Authenticate User

response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='USER_SRP_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret'),
        'SRP_A': srp_a  # From SRP library
    }
)

tokens = response['AuthenticationResult']
id_token = tokens['IdToken']
access_token = tokens['AccessToken']
refresh_token = tokens['RefreshToken']

Refresh Tokens

response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='REFRESH_TOKEN_AUTH',
    AuthParameters={
        'REFRESH_TOKEN': refresh_token,
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret')
    }
)

Get AWS Credentials via Identity Pool

import boto3

cognito_identity = boto3.client('cognito-identity')

# Get identity ID
response = cognito_identity.get_id(
    IdentityPoolId='us-east-1:12345678-1234-1234-1234-123456789012',
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
    }
)
identity_id = response['IdentityId']

# Get credentials
response = cognito_identity.get_credentials_for_identity(
    IdentityId=identity_id,
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
    }
)

credentials = response['Credentials']
# Use credentials['AccessKeyId'], credentials['SecretKey'], credentials['SessionToken']

Validate JWT Token

import requests
from jose import jwt

# Get JWKS
jwks_url = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123/.well-known/jwks.json'
jwks = requests.get(jwks_url).json()

# Decode and verify
claims = jwt.decode(
    token,
    jwks,
    algorithms=['RS256'],
    audience='client-id',
    issuer='https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123'
)

CLI Reference

User Pool

Command	Description
`aws cognito-idp create-user-pool`	Create user pool
`aws cognito-idp describe-user-pool`	Get pool details
`aws cognito-idp update-user-pool`	Update pool settings
`aws cognito-idp delete-user-pool`	Delete pool
`aws cognito-idp list-user-pools`	List pools

Users

Command	Description
`aws cognito-idp admin-create-user`	Create user (admin)
`aws cognito-idp admin-delete-user`	Delete user
`aws cognito-idp admin-get-user`	Get user details
`aws cognito-idp list-users`	List users
`aws cognito-idp admin-set-user-password`	Set password
`aws cognito-idp admin-disable-user`	Disable user

Authentication

Command	Description
`aws cognito-idp initiate-auth`	Start authentication
`aws cognito-idp respond-to-auth-challenge`	Respond to MFA
`aws cognito-idp admin-initiate-auth`	Admin authentication

Best Practices

Security

Enable MFA for all users (at least optional)
Use strong password policies
Enable advanced security features (adaptive auth)
Verify email/phone before allowing sign-in
Use short token lifetimes for sensitive apps
Never expose client secrets in frontend code

Architecture

Use identity pools for AWS resource access
Use access tokens for API Gateway
Store refresh tokens securely
Implement token refresh before expiry

Troubleshooting

Causes:

User not confirmed
Password incorrect
User disabled
Account locked (too many attempts)

Debug:

aws cognito-idp admin-get-user \
  --user-pool-id us-east-1_abc123 \
  --username user@example.com

Token Validation Failed

Causes:

Token expired
Wrong user pool/client ID
Token signature invalid

Rate Limiting

Symptom: TooManyRequestsException

Solutions:

Implement exponential backoff
Request quota increase
Cache tokens appropriately

title: "Aws Cognito" sidebar_label: "Aws Cognito" description: "AWS Cognito user authentication and authorization service. Use when setting up user pools, configuring identity pools, implementing OAuth flows, managing user attributes, or integrating with social identity providers."​

Aws Cognito

Details​

Documentation​

AWS Cognito

Table of Contents​

Core Concepts​

User Pools​

Identity Pools (Federated Identities)​

Tokens​

Common Patterns​

Create User Pool​

Create App Client​

Sign Up User​

Authenticate User​

Refresh Tokens​

Get AWS Credentials via Identity Pool​

Validate JWT Token​

CLI Reference​

User Pool​

Users​

Authentication​

Best Practices​

Security​

Architecture​

Troubleshooting​

User Cannot Sign In​

Token Validation Failed​

Rate Limiting​

References​

title: "Aws Cognito" sidebar_label: "Aws Cognito" description: "AWS Cognito user authentication and authorization service. Use when setting up user pools, configuring identity pools, implementing OAuth flows, managing user attributes, or integrating with social identity providers."