
Cognito Intermittent Error on Custom Lambda Trigger that redirects to login page solution at ConfirmSignUp.

1

This error has been extremely difficult to pin down as it seems to happen intermittently, however I can't have it happening in production as it completely ruins the user experience.

Essentially I have made this set up - since Cognito doesn't offer a way to redirect the user to the login page upon confirming sign up. Understandably this doesn't provide for the most user friendly experience and to this end I have had to implement this solution. https://stackoverflow.com/questions/47159568/how-to-redirect-after-confirm-amazon-cognito-using-confirmation-url#:~:text=I%20got%20this%20to%20work%20with%20the%20help%20of%20above%20answer%20from%20%40agent420%20and%20examining%20the%20github%20issue%20https%3A//github.com/aws%2Damplify/amplify%2Djs/issues/612

Which is essentially as follows:

  1. Change the user email verification method to code from link.
  2. Set up the 'Custom Message' lambda trigger that gets fired before a verification email is sent.
  3. This lambda trigger will send a custom email to the user after grabbing all the parameters from Cognito like codeParameter, userName, region, ClientId and email, and create a link to an api-gateway endpoint with these parameters.
  4. Finally we now have a custom lambda behind this api-gateway endpoint that our custom link will take the user to. This lambda will make an API call to Cognito to confirm the user's email, and then redirect the user to the login page of our application. This prevents the user being sent to the grey Cognito page that just displays a 'your account has been verified' message and ends the user flow there.

Unfortunately, however, this error shows up very randomly in <5% of sign-ups. But I can't seem to figure out the root of the error in order to eliminate it completely; please see image below.
Enter image description here

The result is that the user's email still ends up being confirmed and they can sign-in to Cognito but the re-direct fails and a status 500 'Internal Server Error' is displayed by the api-gateway as a result of the error in the logs above.

The Lambda is written in Golang and has the following General configuration settings: Memory: 128 MB, Ephemeral storage: 512 MB, Timeout: 30 sec, SnapStart: None.

Another detail worth mentioning is that there is also a post-confirmation lambda that we run as part of the user sign-up flow, that calls a third-party application to create a 'dummy user'.

I will be extremely grateful for any thoughts or recommendations - please let me know if you require any further information.

Thank you for taking the time to read.

1 Answer
1

The intermittent error you're experiencing with your custom Lambda trigger for Cognito sign-up confirmation is likely related to a race condition or timing issue in your implementation. Here are some potential causes and recommendations to address the problem:

  1. Lambda Execution Time: The error suggests that the Lambda function is sometimes timing out or failing to complete its execution within the allocated time. Consider increasing the Lambda function's timeout setting from 30 seconds to a higher value, such as 1 minute, to ensure it has enough time to complete all operations.

  2. Memory Allocation: The current memory allocation of 128 MB might be insufficient for some executions. Try increasing the memory to 256 MB or 512 MB, which can also improve CPU performance and potentially reduce execution time.

  3. Error Handling: Implement more robust error handling in your Lambda function. Catch and log specific errors to help identify the root cause of the intermittent failures.

  4. API Rate Limits: Ensure you're not hitting any API rate limits when making calls to Cognito or other services. Implement exponential backoff and retry logic for API calls.

  5. Concurrent Executions: If you have a high volume of sign-ups, you might be hitting Lambda concurrency limits. Check your account's Lambda concurrency settings and consider increasing them if necessary.

  6. Post-Confirmation Lambda Interference: The post-confirmation Lambda that creates a "dummy user" in a third-party application might be interfering with the confirmation process. Ensure this Lambda is not causing any delays or errors that could affect the redirect.

  7. API Gateway Configuration: Review your API Gateway settings, especially the integration timeout, to ensure it aligns with your Lambda function's timeout.

  8. Cognito Service Issues: Intermittent issues could be related to Cognito service availability. Implement proper error handling to gracefully manage potential Cognito service disruptions.

  9. Logging and Monitoring: Implement comprehensive logging in your Lambda function to capture more details about the execution flow, API calls, and any potential issues. Use AWS CloudWatch Logs Insights to analyze patterns in your logs.

  10. Consider Asynchronous Processing: If the confirmation and redirect process is time-consuming, consider implementing an asynchronous approach. You could use AWS Step Functions or a queue-based system to manage the workflow more reliably.

By addressing these potential issues and implementing more robust error handling and logging, you should be able to identify and resolve the root cause of the intermittent errors, improving the reliability of your custom confirmation process.
Sources
Custom message Lambda trigger - Amazon Cognito
Signing up and confirming user accounts - Amazon Cognito
Managed login and federation error responses - Amazon Cognito
Custom authentication challenge Lambda triggers - Amazon Cognito

answered 11 days ago
EXPERT
reviewed 11 days ago
    1. I already increased the lambda execution time for both lambdas, I can try increasing the memory also. I'm just unable to find any documentation or examples of such an intermittent error.

    2. I can implement this today and run more tests but unlikely that this is the cause in my opinion.

    3. The error that comes back from Cognito seems to be this 400 operation error - I'm not sure how to apply better error handling?

    4. API rate limits aren't hit, I have run 200 tests today and the error hasn't shown up in any of these.

    5. The lambdas get executed one by one, so I don't think it's a concurrency issue.

    6. I have also increased the timeout on the post-confirmation lambda.

    7. API Gateway integration timeout is also set to the maximum time of 30 seconds.

    8. Already covered this

    9. I can try adding api gateway logs also if that helps.

    10. The redirect process happens instantly, I don't think this is the issue either.
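
The error-handling and retry points from the answer above, as an added Go example (not the poster's Lambda and not AWS code): the link handler's decision logic always answers with a redirect to a fixed, server-side login URL instead of a 500, and retries only throttling and internal errors with exponential backoff. The `confirm` wrapper, the `apiError` type, the query parameter names and the URL are assumptions; the error names are those of Cognito's ConfirmSignUp API.

```go
package main

import (
	"errors"
	"log"
	"net/url"
)
import "time"

// Fixed redirect target (hypothetical URL); it is never built from link parameters.
const loginURL = "https://app.example.com/login"

// apiError stands in for the SDK's typed error (assumption); its value is the error name.
type apiError string
func (e apiError) Error() string { return string(e) }

func codeOf(err error) string {
	var ae apiError
	errors.As(err, &ae) // ae stays empty when err is not an apiError
	return string(ae)
}

// confirmAndRedirect returns the status and Location header the link handler sends.
// confirm is a hypothetical wrapper around the ConfirmSignUp call.
func confirmAndRedirect(q url.Values, confirm func(client, user, code string) error, base time.Duration) (int, string) {
	user, code, client := q.Get("userName"), q.Get("code"), q.Get("clientId")
	if user == "" || code == "" || client == "" {
		return 302, loginURL + "?confirm=invalid_link"
	}
	var err error
	for attempt := 0; ; attempt++ {
		if err = confirm(client, user, code); err == nil {
			return 302, loginURL + "?confirm=ok"
		}
		if c := codeOf(err); attempt == 3 || (c != "TooManyRequestsException" && c != "InternalErrorException") {
			break // out of attempts, or not transient so a retry will not help
		}
		time.Sleep(base << uint(attempt)) // exponential backoff: base, 2*base, 4*base
	}
	log.Printf("confirm failed user=%q err=%v", user, err) // log the error, never the confirmation code
	if c := codeOf(err); c == "CodeMismatchException" || c == "ExpiredCodeException" {
		return 302, loginURL + "?confirm=code_invalid"
	}
	return 302, loginURL + "?confirm=failed"
}

func main() {
	ok := func(_, _, _ string) error { return nil } // constructed stand-in for a successful call
	q := url.Values{"userName": {"alice"}, "code": {"123456"}, "clientId": {"example-client"}}
	log.Println(confirmAndRedirect(q, ok, time.Millisecond))
}
```

The login page can read the `confirm` query value to show a "request a new code" prompt, while the logged error name shows which class of failure the intermittent cases fall into.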
