
How can I issue an access token immediately after account confirmation in AWS Cognito without requiring the user to log in again?

0

I'm using AWS Cognito with a passwordless login setup like described here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-verify-auth-challenge-response.html

Before a user can sign in using the passwordless approach, they first have to sign up. When a user signs up, they also receive a confirmation code via email to verify their account using Cognito's built in verification functionality. After confirming their account, I want to issue an access token directly, rather than asking them to go through the login process again (which would involve another email to verify their login).

Since the users are on a mobile app, having them check their inbox twice—once for account confirmation and then again for login—creates a poor user experience. Is there a way to issue the access token immediately after the account confirmation step, or is a separate login required to obtain the token?

1 Answer
0

Hi there,

You should be able to achieve this using the post confirmation lambda trigger as discussed here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html

Then looking at available API, you can ask Lambda to generate the token for you using AdminInitiateAuth API as per this doc: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html

For the Auth Flow: The type of authentication. Use USER_PASSWORD_AUTH for this scenario. This will require parameters like USERNAME and PASSWORD. For the passwordless flow, you can generate a temporary value for the PASSWORD field, then authenticate the user with the username.

AWS EXPERT, answered a year ago
Reviewed by two experts a year ago
  • Thanks AmerO for your fast response!

    I appreciate the suggestion of using the AdminInitiateAuth API along with the post-confirmation Lambda trigger. However, I'm having trouble understanding how to apply this approach within my current passwordless flow, specifically since I don't have a password to authenticate with (as the flow skips password entry entirely).

    Could you clarify how I could generate a temporary password or bypass the password requirement in this scenario? Maybe with a short (pseudo) code snippet? My users only receive a one-time code via email during sign-up and login, and the random password used by the mobile app client for sign-up is not stored anywhere after sending the sign-up request.

    Should I be generating some kind of temporary password behind the scenes in the Lambda, or is there a different flow you recommend for passwordless use cases?

    Any further guidance would be much appreciated!

    Thank you in advance!
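The mechanics the answer names (AdminInitiateAuth with USER_PASSWORD_AUTH and a backend-generated password), as an added example that is not code from the question, the answer, or AWS. One caveat drives its shape: a PostConfirmation trigger's return value is not delivered to the app (ConfirmSignUp returns an empty response), so tokens minted inside that trigger have no channel back to the client. The example therefore moves confirmation to a hypothetical backend endpoint of your own: the app posts the username and the emailed code there, the backend calls ConfirmSignUp (which validates the code), and only then sets a random permanent password the user never learns and runs USER_PASSWORD_AUTH through AdminInitiateAuth. The code is the only proof that the caller controls the mailbox, so it is what gates token issuance; an endpoint that handed out tokens for any username would be an account-takeover primitive. Assumed: an app client with no client secret and ALLOW_USER_PASSWORD_AUTH enabled; `USER_POOL_ID`, `APP_CLIENT_ID`, and `FakeCognito` are placeholders and a constructed stand-in so it runs offline.

```python
"""Confirm a Cognito sign-up code and hand back tokens in one round trip.

Hypothetical backend handler (added example, not the question's or the
answer's code): the app posts username and emailed code here instead of
calling ConfirmSignUp itself. Assumes a user pool app client with no client
secret and ALLOW_USER_PASSWORD_AUTH enabled; pool and client ids are
placeholders. With boto3 the real client is boto3.client("cognito-idp").
"""
import secrets
import string

USER_POOL_ID = "<user-pool-id>"    # placeholder, read from configuration
APP_CLIENT_ID = "<app-client-id>"  # placeholder, read from configuration
PASSWORD_LENGTH = 40


def random_password(length: int = PASSWORD_LENGTH) -> str:
    """Random password meeting the default pool policy (upper, lower, digit, symbol)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]  # guarantee one of each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def confirm_and_issue_tokens(client, username: str, code: str) -> dict:
    """Confirm the code, set a random password only this backend sees, mint tokens.

    The emailed code is the only proof that the caller controls the mailbox,
    so nothing is issued until ConfirmSignUp accepts it; an endpoint that
    minted tokens for any supplied username would be an account-takeover
    primitive. Bad or expired codes raise the client's own exceptions.
    """
    client.confirm_sign_up(ClientId=APP_CLIENT_ID, Username=username, ConfirmationCode=code)
    # The app discarded its sign-up password, so replace it with a random
    # permanent one. Nobody learns it, so USER_PASSWORD_AUTH stays unusable
    # for this account once this function returns.
    password = random_password()
    client.admin_set_user_password(
        UserPoolId=USER_POOL_ID, Username=username, Password=password, Permanent=True
    )
    result = client.admin_initiate_auth(
        UserPoolId=USER_POOL_ID,
        ClientId=APP_CLIENT_ID,
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    return result["AuthenticationResult"]


def handle_request(client, body: dict) -> tuple:
    """HTTP-style wrapper: (status, payload); one generic error for any bad code."""
    try:
        tokens = confirm_and_issue_tokens(client, body["username"], body["code"])
    except (client.exceptions.CodeMismatchException, client.exceptions.ExpiredCodeException):
        return 400, {"error": "invalid or expired confirmation code"}
    return 200, tokens


class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client, for offline runs."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class CodeMismatchException(Exception): ...
        class ExpiredCodeException(Exception): ...

    def __init__(self, pending: dict):
        # username -> {"code": emailed code, "confirmed": bool, "password": str|None}
        self.users = {u: {"code": c, "confirmed": False, "password": None} for u, c in pending.items()}

    def confirm_sign_up(self, ClientId, Username, ConfirmationCode):
        user = self.users[Username]
        if ConfirmationCode != user["code"]:
            raise self.exceptions.CodeMismatchException("code mismatch")
        user["confirmed"] = True

    def admin_set_user_password(self, UserPoolId, Username, Password, Permanent):
        self.users[Username]["password"] = Password

    def admin_initiate_auth(self, UserPoolId, ClientId, AuthFlow, AuthParameters):
        user = self.users[AuthParameters["USERNAME"]]
        if AuthFlow != "USER_PASSWORD_AUTH" or not user["confirmed"]:
            raise RuntimeError("NotAuthorizedException")
        if AuthParameters["PASSWORD"] != user["password"]:
            raise RuntimeError("NotAuthorizedException")
        name = AuthParameters["USERNAME"]
        return {"AuthenticationResult": {"AccessToken": "access." + name, "IdToken": "id." + name,
                                         "RefreshToken": "refresh." + name,
                                         "TokenType": "Bearer", "ExpiresIn": 3600}}


if __name__ == "__main__":
    fake = FakeCognito({"alice": "123456"})  # constructed pending sign-up
    print(handle_request(fake, {"username": "alice", "code": "000000"}))  # 400, no tokens
    print(handle_request(fake, {"username": "alice", "code": "123456"}))  # 200 with tokens
```

Two design points worth keeping if you adapt this: the endpoint should be rate-limited per username like any code-entry endpoint, since the emailed code is the whole secret, and the same two admin calls would work unchanged inside a PostConfirmation trigger, except that the trigger has nowhere to return the tokens to.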
