
Reacting to a user verifying their email in a Cognito User Pool


So quick question, is there a straightforward programmatic way to trigger some code whenever a user verifies their new email address? I know the custom email sender lambda has a trigger source for the initial part (UpdateUserAttributes), but I'd want to hook into the verification part as well. From my research, the only way to do it is to enable management events in a CloudTrail trail and then add an EventBridge rule with a lambda target, which seems overkill since there's no way to filter for specific events, and I feel like all in all costs would end up being disproportionate.

For a bit more context, I'm trying to update the database email of a user whenever their identity provider one changes, which seems like a pretty normal use case which is why it seems surprising that there isn't an apparent solution for this.

1 Answer

Hey, @josphr. Excellent question.

If you are wanting to trigger some code when a user verifies their email address, there are a few different ways you could go to achieve this.

Cognito Events (quickest, but perhaps not feasible)

Post-Confirmation Trigger

  • This is triggered after a user confirms their account. I'm not familiar with your architecture, but you may be able to use this event to update the user's email in the database. Though this may be the quickest approach, I'm not confident the identity provider changing will trigger this. You'll know that better than me.

Post-Authentication Trigger

  • This is triggered after a user is authenticated, but before the tokens are given. A bit gross, but you could do a manual check here with the user's email address in the database and with what exists in the token. If they are different, update the database. I would prefer the post-confirmation trigger or EventBridge over this, though - just giving you another option to think about.

EventBridge Rule (most involved, but the most feasible)

  • If listening to the post-confirmation isn't a solution for you, this is my recommended solution. My team has many production workloads listening to EventBridge events and responding with Lambda Function invocations. And, you can filter EventBridge events to only those you care about. Otherwise, it would be pretty expensive to trigger a Lambda Function each time, and discard the events you don't care about. Let's let AWS do the work + filtering for us ;)
  • Information on filtering down those events can be found here.
  • Also, be warned: idempotency is a bigger need when using EventBridge to trigger Lambda Functions than one may think. Your Lambda may be invoked more than once when being paired with EventBridge. Thankfully, AWS provides idempotency tools to help with this. If you don't care if your Lambda could be invoked more than once, that's okay, but if you do, more info on that here. They offer support for idempotency in different runtimes.
answered 8 months ago
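
The Post-Authentication comparison described in the answer, sketched as an added example (not code from the answer or from AWS). It assumes the standard trigger event fields `request.userAttributes.sub`, `email` and `email_verified`; the `users` table, the in-memory SQLite database standing in for the application database, and the function names are hypothetical. The sync only runs for an address Cognito reports as verified, and a repeat invocation changes nothing.

```python
import sqlite3

def sync_verified_email(conn, event):
    """Copy the pool's email into the app database only if Cognito marks it verified."""
    attrs = event["request"]["userAttributes"]
    # Cognito passes attribute values as strings, so "true" is the verified marker.
    if attrs.get("email_verified") != "true" or not attrs.get("email"):
        return "skipped-unverified"
    # Key on the immutable sub, never on the email that is changing.
    # The WHERE clause makes a second delivery of the same event a no-op.
    cur = conn.execute(
        "UPDATE users SET email = ? WHERE sub = ? AND email <> ?",
        (attrs["email"], attrs["sub"], attrs["email"]),
    )
    conn.commit()
    return "updated" if cur.rowcount == 1 else "unchanged"

def make_handler(conn):
    """Build a Lambda-style handler bound to a database connection (hypothetical wiring)."""
    def handler(event, context):
        if event.get("triggerSource") == "PostAuthentication_Authentication":
            sync_verified_email(conn, event)
        return event  # Cognito triggers must hand the event object back
    return handler

def demo():
    # Constructed sample data: one user row and three constructed trigger events.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (sub TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('sub-1234', 'old@example.com')")

    def event(email, verified):
        return {
            "triggerSource": "PostAuthentication_Authentication",
            "request": {"userAttributes": {
                "sub": "sub-1234", "email": email, "email_verified": verified}},
        }

    results = [
        sync_verified_email(conn, event("new@example.com", "false")),  # pending change
        sync_verified_email(conn, event("new@example.com", "true")),   # verified
        sync_verified_email(conn, event("new@example.com", "true")),   # repeat sign-in
    ]
    stored = conn.execute("SELECT email FROM users WHERE sub = 'sub-1234'").fetchone()[0]
    return results, stored
```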
