Questions tagged with Amazon Cognito User Pools


Can't access userAttributes of listUsersRes.Users in AWS lambda function

I'm filtering out unconfirmed emails in a lambda function. I just want to access the email of every user in my listUsersRes.Users. I have tried listUsersRes.Users[0].Username and it returns the username perfectly. But when I try listUsersRes.Users[0].Email or listUsersRes.Users[0].userAttributes.email or listUsersRes.Users[0].request.userAttributes.email it returns null. I have also set AttributesToGet: ["email"]. But I don't know why it is not working for email.

**My function:**

```javascript
// aws-sdk v2 client; the require was missing from the pasted snippet
const aws = require("aws-sdk");

exports.handler = async (event, context, callback) => {
  const cognitoProvider = new aws.CognitoIdentityServiceProvider({ apiVersion: "2016-04-18" });

  if (
    event.triggerSource == "PreSignUp_SignUp" ||
    event.triggerSource == "PreSignUp_AdminCreateUser" ||
    event.triggerSource == "PreSignUp_ExternalProvider"
  ) {
    try {
      // List up to 10 users still in UNCONFIRMED status, requesting only the email attribute
      const listUserParams = {
        UserPoolId: event.userPoolId,
        AttributesToGet: ["email"],
        Filter: 'cognito:user_status = "UNCONFIRMED"',
        Limit: 10,
      };
      const listUsersRes = await cognitoProvider.listUsers(listUserParams).promise();

      // Only touch Users[0] when the list is non-empty
      if (listUsersRes.Users.length > 0) {
        // this line I'm modifying to get the email attribute from listUsersRes.Users[0]
        return callback(new Error(listUsersRes.Users[0].Username), event);
      }
    } catch (error) {
      return callback(new Error("catch error"), event);
    }
  } else {
    var error = "This provider is not supported";
    callback(new Error(error), event);
  }
};
```

**my permission:**

```json
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
  "logs:CreateLogStream",
  "logs:PutLogEvents",
  "cognito-idp:AdminInitiateAuth",
  "cognito-idp:ListUsers",
  "cognito-idp:AdminUpdateUserAttributes",
  "cognito-idp:AdminGetUser"
],
```
1 answer · 0 votes · 54 views · asked 4 months ago

Force MFA only for restricted content

Hi, We are migrating our users to AWS Cognito user pools and trying to keep the existing web/mobile UX. Users should be able to sign in and use our web/mobile app with their username and password. But whenever a user tries to access sensitive content, the user should be verified with an SMS challenge. I think the best place to keep the MFA verification result would be the ID Token, with a claim for the MFA verification result like `amr: mfa` etc. I couldn't find any out-of-the-box solution for this case. According to my research, MFA can only be enabled or disabled for a user. I would appreciate it if you can share your ideas. Not sure how to accomplish this, but when a user tries to access sensitive content, maybe:

1. A custom auth flow could be initiated. We have to avoid asking for credentials again. If possible, I can use the existing access/refresh token to initiate the flow without asking for credentials again. This custom flow will work as an OOB MFA authentication flow. But specific to this flow, the pre token generation lambda trigger can build a new ID token with the MFA claim.
2. Prepare REST endpoints or lambda functions for sending the SMS code and verifying the code. If the code is verified, use the refresh token to get new tokens. `TokenGeneration_RefreshTokens` will trigger the `Pre token generation Lambda trigger`. The Lambda trigger should be able to decide to include the MFA claim in the ID token.
3. Like number 2, but instead of the `Pre token generation Lambda trigger`, update the ID token somewhere else and add the MFA claim if SMS code verification is successful.
4. If Cognito has functionality to prepare policies to force MFA for specific cases.

Edit:

5. I found a `Cognito Step Up Authentication` sample: [https://github.com/aws-samples/step-up-auth](https://github.com/aws-samples/step-up-auth)

Thanks
1 answer · 1 vote · 72 views · Ioseph · asked 4 months ago

Signing in with social (Google, Facebook) throws error "Already found an entry for username"

Currently seeing this issue with the presignup trigger. Cognito allows you to create social accounts that are disconnected from a Cognito native account (but with the same email), so to solve that we're automatically creating a Cognito native account in the presignup trigger and linking it. However, when we do this, the first call to authenticate fails with "Already found an entry for username...". Attempting to log in again previously worked as a super hacky workaround, but now even that seems to not be working.

What's going on with this system? We've been using it in production for probably 3-4 years now, and almost have an entirely AWS stack. The difference between EC2 or RDS and Cognito is night and day. There have been almost 0 new features, and there's a massive backlog of issues being raised on forums and on AWS Amplify that are directly related to the Cognito backend. Can we get an actual response other than "it's on the roadmap"? There are questions about this dating back to 4 years ago, and somehow this isn't even mentioned in the documentation yet.

By the way, here is a fantastic post on a bunch of other issues. Surprise surprise, this one's listed there too: https://www.reddit.com/r/aws/comments/m77p5g/aws_cognito_amplify_auth_bad_bugged_baffling/

For the record, we're actively looking to move away from Cognito, and we'll likely be taking several other parts of our stack along with it. The product has a lot of potential, but all the problems you need to work around can turn an hour-long task into an all-day debugging session. For anyone finding this post that is at the early stages of their Cognito journey, I would highly recommend looking at something like Auth0 instead. Don't be fooled by the price, you get what you pay for with Cognito (which is basically nothing).
1 answer · 0 votes · 98 views · asked 4 months ago