Questions tagged with Amazon Cognito
Remember device to suppress MFA challenge using Cognito Hosted UI
We are currently using the Cognito Hosted UI for the authentication of our web application. For extra security we've enabled MFA with a TOTP code. For convenience we'd like to ask our users if they want to remember their device (device tracking). However, it seems it is not possible to set up device tracking when users sign in using the Hosted UI. Is this true, and how can we make device tracking work? Do we need to create a custom UI?
How to collect OS-level logs from mobile devices attempting to access an application behind an Application Load Balancer
Need help identifying how to collect OS-level data on mobile applications attempting to log into a web server hosted on an EC2 Windows machine. We are using Cognito as well as an ALB to route traffic. Would like to collect OS-level information (iPhone SE, Samsung Galaxy, etc.). Is there a way to configure this natively in AWS via CloudWatch or CloudTrail? Was not able to see it in the documentation. Thank you.
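Added example, not part of the question above: the closest thing the ALB records natively is the quoted `user_agent` field of its access log (access logging to S3 has to be switched on; that is assumed here). The script below parses a few constructed ALB access log lines and classifies the OS family and device hint from the User-Agent. Caveats a practitioner should keep in mind: the User-Agent is client-supplied and trivially spoofed, iOS user agents never expose the hardware model (an iPhone SE reports itself only as "iPhone"), and recent Chrome on Android replaces the model with "K", so this is coarse telemetry rather than OS-level logging. Field names, sample lines and the pattern table are mine, not from the post.

```python
import re
import shlex
from collections import Counter
from dataclasses import dataclass

# Field order of an ALB access log entry; quoted fields are unquoted by shlex.
FIELD_NAMES = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]

# Order matters: Android user agents also contain "Linux".
OS_PATTERNS = [
    (re.compile(r"iPhone|iPad|iPod"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Macintosh"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]
ANDROID_MODEL = re.compile(r"Android [\d.]+; ([^;)]+)")  # e.g. "SM-S911B", or "K" on reduced UAs
IOS_DEVICE = re.compile(r"\((iPhone|iPad|iPod)")         # iOS never reveals the exact model

# Constructed sample entries (IPs, ARNs and trace ids are made up).
SAMPLE_LOG_LINES = [
    'https 2024-05-01T10:00:00.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.10:51234 10.0.1.20:443 0.001 0.020 0.000 200 200 512 2048 "GET https://app.example.com:443/login HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-663219a0-1d84f3d73c47ec4e58577259" "app.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2024-05-01T09:59:59.990000Z "authenticate,forward" "-" "-" "10.0.1.20:443" "200" "-" "-"',
    'https 2024-05-01T10:00:01.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.11:51235 10.0.1.21:443 0.001 0.030 0.000 200 200 640 4096 "GET https://app.example.com:443/home HTTP/1.1" "Mozilla/5.0 (Linux; Android 14; SM-S911B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-663219a1-2e94f3d73c47ec4e58577260" "app.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2024-05-01T10:00:00.990000Z "authenticate,forward" "-" "-" "10.0.1.21:443" "200" "-" "-"',
    'https 2024-05-01T10:00:02.000000Z app/my-alb/50dc6c495c0c9188 198.51.100.7:40123 - 0.000 -1 -1 302 - 321 512 "GET https://app.example.com:443/ HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-663219a2-3a1f3d73c47ec4e58577261" "app.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2024-05-01T10:00:01.990000Z "authenticate" "-" "-" "-" "-" "-" "-"',
]


@dataclass
class AlbEntry:
    client_ip: str
    request: str
    user_agent: str
    actions: list
    os_family: str
    device_hint: str


def parse_alb_line(line):
    """Split one access log entry into a dict keyed by FIELD_NAMES."""
    fields = shlex.split(line)
    if len(fields) < len(FIELD_NAMES):
        raise ValueError(f"expected at least {len(FIELD_NAMES)} fields, got {len(fields)}")
    return dict(zip(FIELD_NAMES, fields))


def classify_user_agent(ua):
    """Return (os_family, device_hint) derived from a User-Agent string."""
    family = "unknown"
    for pattern, name in OS_PATTERNS:
        if pattern.search(ua):
            family = name
            break
    hint = "-"
    if family == "Android":
        m = ANDROID_MODEL.search(ua)
        hint = m.group(1).strip() if m else hint
    elif family == "iOS":
        m = IOS_DEVICE.search(ua)
        hint = m.group(1) if m else hint
    return family, hint


def device_report(lines):
    """Parse and classify every non-empty log line."""
    entries = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_alb_line(raw)
        family, hint = classify_user_agent(f["user_agent"])
        entries.append(AlbEntry(
            client_ip=f["client_port"].rsplit(":", 1)[0],
            request=f["request"],
            user_agent=f["user_agent"],
            actions=f["actions_executed"].split(","),
            os_family=family,
            device_hint=hint,
        ))
    return entries


def os_counts(entries):
    """Requests per OS family, e.g. for a CloudWatch metric or a quick audit."""
    return Counter(e.os_family for e in entries)


if __name__ == "__main__":
    for e in device_report(SAMPLE_LOG_LINES):
        print(e.client_ip, e.os_family, e.device_hint, e.actions)
```

The `actions_executed` field ("authenticate,forward" versus a bare "authenticate" with a 302) also tells you whether the request passed the Cognito authenticate action or was bounced to the hosted UI, which is useful when correlating devices with login attempts.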
Amazon Cognito: how to change the Endpoint in AWS SDK .NET?
What IAM policies does my backend application written in Java need to work with Cognito?
Hi guys, I have a doubt about Cognito. Imagine I have a backend in Java (with the Java AWS SDK) that uses the Authorization Code Grant flow. This backend needs to communicate with Cognito to exchange the authorization code, obtain tokens, etc. But at this point I have a question (or questions): what kind of IAM policy does my backend need to communicate with Cognito? Is an IAM user with an attached policy that allows my backend to interact with Cognito needed? Can you give me some example or recommendation about this topic? I think I'm a little confused. On the other hand, is it as simple as creating an IAM user with programmatic access (this option appears when we are creating a new IAM user), so that my backend has access to all SDK functions and APIs, CLI, etc. (Cognito included)? Thanks in advance! Best regards.
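Added example, not from the question: the two kinds of call the backend makes are authenticated differently. The authorization-code exchange is a plain HTTPS POST to the user pool domain's `/oauth2/token` endpoint, authenticated with the app client id and secret (HTTP Basic) and needing no AWS credentials or IAM policy at all. Only SigV4 calls to the `cognito-idp` API (AdminGetUser, ListUsers and so on) need IAM permissions, and those belong on the role the backend runs under rather than on long-lived IAM user access keys, scoped to the one user pool. The Python below builds both pieces; the domain, client id, secret, code and ARN are placeholders, and the returned tokens still have to be validated (signature against the pool's JWKS, `iss`, `aud`, `token_use`, `exp`) before use.

```python
import base64
import json
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """Token endpoint authentication: the app client's own id:secret, HTTP Basic."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(cognito_domain, client_id, client_secret, code, redirect_uri):
    """Build the POST that swaps an authorization code for tokens at
    https://<domain>/oauth2/token. No SigV4 signing is involved, and the secret
    travels only in the Authorization header, never in the URL or a log line."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the redirect_uri from the authorize request
    }).encode()
    return urllib.request.Request(
        f"https://{cognito_domain}/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def exchange_code(req):
    """Send the request; the JSON body carries id_token, access_token, refresh_token."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def admin_api_policy(user_pool_arn, actions):
    """Least-privilege policy for the cognito-idp (SigV4) calls the backend really
    makes, limited to one user pool. Attach it to the backend's IAM role."""
    bad = [a for a in actions if not a.startswith("cognito-idp:")]
    if bad:
        raise ValueError(f"not cognito-idp actions: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            "Resource": user_pool_arn,
        }],
    }


if __name__ == "__main__":
    # Placeholder values; the request is built but not sent here.
    req = build_token_request("auth.example.com", "abc123", "s3cr3t",
                              "code-xyz", "https://app.example.com/callback")
    print(req.full_url, req.get_header("Authorization"))
    print(json.dumps(admin_api_policy(
        "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_ABC123",
        ["cognito-idp:AdminGetUser"]), indent=2))
```

If the backend never calls the `cognito-idp` API (only the OAuth2 endpoints), `admin_api_policy` is not needed and the backend needs no Cognito IAM permissions at all; the app client secret is the credential that must be protected.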
AWS GameLift Server: Best Solution for Generating and Rotating API Keys for AWS Server Authentication?
We are currently setting up some authentication systems for our UE4 game servers so that we are sure they are the only devices/users capable of accessing our internal API / Lambda functions. With that in mind, there is a desire not to hard-code any Cognito user IDs or tokens into the actual server code itself. Instead, we would like to pursue having these tokens generated and cycled on AWS's side, to keep it decoupled. We are undecided whether these tokens should be for the life of the GameLift server or for a set period of time, whichever is most feasible. This way, if we need to adjust access to certain features down the road, it will not require an update to the deployed Unreal Engine server build. Does the AWS API or Lambda have any features out of the box to check if an API request is coming from within AWS, ideally from one of the active GameLift instances? While we may still need to create a Cognito identity for the servers, or just check the local IP of the running GameLift servers, the ideal flow would look like:
1. UE4 game server on AWS asks for a token on startup.
2. Lambda authorization script checks to make sure it is valid and coming from within AWS/GameLift.
3. Once validated, the Lambda function provides a token for the server to use in backend Lambda functions.
4. Before GameLift server shutdown, revoke access or add it to a "black-listed" token database to prevent a second use before token expiration.
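Added example, not from the question: steps 1, 3 and 4 of the flow above (mint a short-lived token, check it in a Lambda authorizer, revoke it before expiry) can be built with nothing but the standard library. The code below issues HMAC-SHA256-signed bearer tokens that carry a unique `jti`, verifies them with a constant-time comparison, consults a revocation set, and returns the IAM policy document an API Gateway REST API Lambda authorizer expects. Step 2 (proving the caller is a live GameLift instance) is deliberately left out; the example assumes the issuing endpoint is only reachable from inside the VPC. The signing key is assumed to arrive through the `SERVER_TOKEN_KEY` environment variable from Secrets Manager or SSM, and the in-memory `REVOKED_JTIS` set stands in for the persistent "black-list" table (DynamoDB with a TTL equal to the token `exp` fits well). Names are mine.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

REVOKED_JTIS = set()  # stand-in for a persistent revocation store


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(signing_key, subject, ttl_seconds, now=None):
    """Mint '<payload>.<mac>' where the MAC is HMAC-SHA256 over the payload segment.
    The random jti lets one token be revoked without rotating the key."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "jti": secrets.token_hex(16), "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(mac)


def verify_token(signing_key, token, revoked_jtis, now=None):
    """Return the payload if the token is authentic, unexpired and not revoked, else None.
    The MAC is checked before the payload is parsed, so untrusted JSON is never decoded."""
    body, _, sig = token.partition(".")
    if not sig:
        return None
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    try:
        presented = _unb64url(sig)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    payload = json.loads(_unb64url(body))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    if payload.get("jti") in revoked_jtis:
        return None
    return payload


def revoke(token):
    """Step 4: called by the server before shutdown; the jti stays listed until exp."""
    body, _, _ = token.partition(".")
    REVOKED_JTIS.add(json.loads(_unb64url(body))["jti"])


def authorizer_response(principal_id, effect, method_arn, context=None):
    """Response shape for a REST API Lambda authorizer (payload with methodArn)."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def lambda_handler(event, context):
    """REQUEST-type authorizer: reads 'Authorization: Bearer <token>' and allows or denies."""
    signing_key = os.environ["SERVER_TOKEN_KEY"].encode()
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    payload = verify_token(signing_key, token, REVOKED_JTIS)
    if payload is None:
        return authorizer_response("anonymous", "Deny", event["methodArn"])
    return authorizer_response(payload["sub"], "Allow", event["methodArn"], {"jti": payload["jti"]})
```

Rotating the signing key every few hours (keeping the previous key for verification until the longest outstanding token has expired) gives the "cycled on AWS's side" behaviour without shipping anything in the server build.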
Unconfirmed email in Cognito user pool
I'm filtering emails in a pre-signup Lambda function so that emails already in the Cognito user pool can't be used again for sign-up, but there is a situation: if a user leaves an email unconfirmed and later the user uses that mail for sign-up, then the pre-signup function will not allow it. Tell me, should I filter emails in the Lambda, or remove the Lambda and allow duplicate entries?
![Enter image description here](https://repost.aws/media/postImages/original/IMrVjzDIuxQImDzLVVQpbG-w)
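Added example, not from the question: one pattern for a Pre sign-up trigger that keeps the uniqueness check but does not strand abandoned sign-ups. It looks the email up with `ListUsers` (which accepts a filter on the standard `email` attribute), rejects the sign-up if a confirmed user owns it, tells the user to resend the code if an unconfirmed sign-up is still fresh, and deletes the unconfirmed record with `AdminDeleteUser` once it is older than a cut-off so the address can be registered again. Raising an exception from the trigger is what rejects the sign-up. The 24-hour cut-off and the `InMemoryIdp` stand-in for the boto3 `cognito-idp` client (used so the code runs offline) are my assumptions; in the Lambda, pass `boto3.client("cognito-idp")` instead.

```python
import time

STALE_UNCONFIRMED_SECONDS = 24 * 3600  # assumption: a confirmation code left a day is abandoned


class SignUpRejected(Exception):
    """Any exception raised from a Pre sign-up trigger makes Cognito reject the sign-up
    and return the message to the client."""


def _epoch(value):
    # boto3 returns UserLastModifiedDate as a datetime; accept epoch numbers too.
    return value.timestamp() if hasattr(value, "timestamp") else float(value)


def users_with_email(idp, user_pool_id, email):
    """ListUsers filter on the standard email attribute; reject quote characters so the
    caller-controlled value cannot alter the filter expression."""
    if not email or '"' in email or "\\" in email:
        raise SignUpRejected("Invalid email address.")
    resp = idp.list_users(UserPoolId=user_pool_id, Filter=f'email = "{email}"')
    return resp.get("Users", [])


def pre_sign_up(event, idp, now=None, stale_after=STALE_UNCONFIRMED_SECONDS):
    """Pre sign-up handler body. Returns the event unchanged when the sign-up may proceed."""
    if event.get("triggerSource") != "PreSignUp_SignUp":
        return event  # admin-created and federated users are not handled here
    now = time.time() if now is None else now
    email = event["request"]["userAttributes"].get("email", "").strip()
    pool = event["userPoolId"]
    for user in users_with_email(idp, pool, email):
        if user["UserStatus"] != "UNCONFIRMED":
            raise SignUpRejected("An account with this email already exists.")
        if now - _epoch(user["UserLastModifiedDate"]) < stale_after:
            raise SignUpRejected("A sign-up for this email is awaiting confirmation; resend the code instead.")
        # Abandoned unconfirmed sign-up: remove it so the address can be registered again.
        idp.admin_delete_user(UserPoolId=pool, Username=user["Username"])
    return event


def lambda_handler(event, context):
    import boto3  # only available inside Lambda; imported lazily so the module runs offline
    return pre_sign_up(event, boto3.client("cognito-idp"))


class InMemoryIdp:
    """Constructed stand-in for the boto3 cognito-idp client, for running offline."""

    def __init__(self, users):
        self.users = list(users)
        self.deleted = []

    def list_users(self, UserPoolId, Filter):
        wanted = Filter.split('"')[1]
        return {"Users": [
            u for u in self.users
            if any(a["Name"] == "email" and a["Value"] == wanted for a in u["Attributes"])
        ]}

    def admin_delete_user(self, UserPoolId, Username):
        self.users = [u for u in self.users if u["Username"] != Username]
        self.deleted.append(Username)
```

If `email` is configured as a username attribute or alias on the pool, Cognito already enforces uniqueness itself and the trigger only needs the stale-record cleanup branch.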
Retrieve access token after logging in to ALB with Cognito
We have our web app and backend services running in a VPC. It is reachable through an Application Load Balancer (ALB) which requires login through the hosted UI with a Cognito user pool. After logging in, any request sent through the ALB gets an access token added in the `X-Amzn-Oidc-Data` header, which is good. However, for our `websocket` connection to the backend, we need to specify any relevant data in the `connectionParams` client-side. I see two possible solutions, but I am not sure about the implementation:
1. After logging in with the hosted UI, the `AWSELBAuthSessionCookie` is set in the browser. If I could exchange that client-side for an `access_token`, I could just add the token to the `connectionParams`. However, for the [token endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html), I would need the `client_id` and the `client_secret`, but I just have the cookie at that point.
2. Another approach might be to intercept the `onConnect` request via websockets in a reverse proxy behind the ALB and take the automatically added header `X-Amzn-Oidc-Data` and write it to the `connectionParams`. But I am somewhat out of my depth on `websocket` to know how to do that.
Could anyone help me with option 1 or 2?
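Added example, not from the question: whichever option is chosen, whatever sits behind the ALB must treat `X-Amzn-Oidc-Data` as untrusted until it has been checked. The header is a JWT whose header segment carries `alg` (ES256), `kid`, `signer` (the ALB's ARN) and `exp`, and the ALB signs it with a key published at `https://public-keys.auth.elb.<region>.amazonaws.com/<kid>`. A known trap is that the ALB emits padded base64url segments, which trips up decoders expecting JWT-style unpadded input. The code below does the offline part: tolerant decoding, `signer` and `exp` checks, then hands `kid`, signing input and signature to a caller-supplied `verify_es256` callable (an assumption; it needs an ECDSA library and the key fetch, so it is kept outside) before returning the claims. `make_constructed_oidc_header` exists only to build a fixture; real values come from the load balancer.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # Accept both padded (as the ALB sends) and unpadded segments.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode()  # padded, like the ALB


def parse_oidc_data(header_value, expected_signer_arn, verify_es256, now=None):
    """Return the user claims from X-Amzn-Oidc-Data or raise ValueError.

    verify_es256(kid, signing_input, signature) -> bool must fetch the ALB public
    key for `kid` and verify the ES256 signature over signing_input.
    """
    parts = header_value.split(".")
    if len(parts) != 3:
        raise ValueError("X-Amzn-Oidc-Data is not a three-part JWT")
    hdr = json.loads(_b64url_decode(parts[0]))
    if hdr.get("alg") != "ES256":
        raise ValueError(f"unexpected alg {hdr.get('alg')!r}")
    if hdr.get("signer") != expected_signer_arn:
        raise ValueError("token was not signed by the expected load balancer")
    now = int(time.time()) if now is None else now
    if int(hdr.get("exp", 0)) <= now:
        raise ValueError("token expired")
    signing_input = (parts[0] + "." + parts[1]).encode()
    if not verify_es256(hdr["kid"], signing_input, _b64url_decode(parts[2])):
        raise ValueError("signature check failed")
    return json.loads(_b64url_decode(parts[1]))


def make_constructed_oidc_header(hdr, claims, signature):
    """Fixture builder for offline tests only; never use to mint real tokens."""
    def seg(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return seg(hdr) + "." + seg(claims) + "." + _b64url_encode(signature)
```

For option 2 this is the check the reverse proxy runs on the upgrade request before copying anything into `connectionParams`; it also only holds if the backend is reachable exclusively through the ALB, since a client that can bypass the ALB can set the header itself.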
Application Load Balancer and Cognito cookie session time (SessionTimeout) can't be adjusted - logout problem
I am using Application Load Balancer with Cognito. I would like to control the user session time by the session cookie, which is part of the ALB configuration. By default, the SessionTimeout field is set to 7 days. I have configured it with a shorter time, but when the Application Load Balancer session is open it keeps the default value of 7 days. When I review the ALB listener configuration, the session time of the cookie is visible as the configured 3600 sec. Here is the part of the documentation where this is described: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html (Configure user authentication):

```json
"SessionCookieName": "my-cookie",
"SessionTimeout": 3600,
```

Do you have any idea what may be the problem?
User Pool with own domain hosted UI is not loading
I added my own domain (auth.mydomain.com) to my Cognito user pool with an issued AWS SSL certificate. In the GoDaddy DNS records I added an A record for my subdomain "auth" with the EC2 instance's public IPv4 address. When I'm launching my hosted UI (https://auth.mydomain.com/login?client_id=xxxxxxxxxxxxxxxxxxxxxxxx&response_type=code&scope=aws.cognito.signin.user.admin+email+openid+phone+profile&redirect_uri=myapp://callback/) it is not loading, with the error: "This site can't be reached. auth.mydomain.com took too long to respond. Try: Checking the connection. Checking the proxy and the firewall. Running Windows Network Diagnostics. ERR_CONNECTION_TIMED_OUT"
Cognito Custom authentication flow - getting user input mid-flow
I am creating a custom authentication flow using AWS Cognito to send an MFA code via email through the Cognito triggers. I am using the authenticateUser() method to do so, and my code snippet is as below, following [this](https://repost.aws/questions/QUeCpOxtEVQmeAKk9MaGqlrA/cognito-custom-authentication-flow-initiate-auth-giving-error) example:
![Enter image description here](https://repost.aws/media/postImages/original/IM9UPlbhJXT7Wb3e6ps7Wyug)
However, instead of a prompt asking the user for the OTP, is it possible to perform a setState operation when I get into the customChallenge callback that would render a UI component (textbox), get the MFA input from the user via the textbox, and then submit that info using sendCustomChallengeAnswer() without needing to exit the authenticateUser block? Thank you very much.
Edit: Someone with a similar problem here: https://stackoverflow.com/questions/72783068/aws-cognito-custom-challenge-frontend-implementation-inside-vuex
Cognito user pool OIDC federation: Add "acr_values" parameters in OIDC flow requests
Hi, I'm using Amazon Cognito, and I want to federate my user pool with an external OIDC identity provider. The OIDC provider requires that all OIDC flow requests contain a parameter named "acr_values" in the request URL. Is there any way to customize the OIDC requests in Cognito to achieve this? Thank you!