AWS Cognito User Pool

By Rex Resurreccion Apr 04, 2020

This tutorial is intended for developers who are new to AWS Cognito. It is a quick walkthrough of what a Cognito User Pool is and how to create one.

As described on the AWS website, Cognito is a simple and secure user sign-up, sign-in and access-control service offered by Amazon. It lets developers integrate authentication without writing everything from scratch.

Cognito has many features, including multi-factor authentication, a hosted UI, OAuth 2.0 flows and Lambda triggers, to name a few. It also integrates with federated identity providers such as Google, Facebook, Login with Amazon and others. Check out the full documentation for the complete list.

Let's learn by doing: we will now set up an AWS Cognito User Pool.

Log in to the AWS Management Console. If you don't have an AWS account, you will need to sign up; having an account is free.

The dashboard lists many AWS services, so just search for "Cognito".

AWS Console Dashboard Find the service Cognito

Then click "Manage User Pools", and in the top right corner click "Create a user pool".

Amazon Cognito Manage User Pools

Now give your user pool a name and choose "Step through settings". Note that after the pool is created you can go back and change most settings, but not the sign-in options and the standard required attributes in the Attributes section, so those deserve a careful decision up front.

AWS Cognito User Pool Name and Step Through Settings


Set up the sign-in options. Users can sign in with a username, or with another attribute in their profile such as email address, phone number or preferred username, plus their password. You can also make the username case-insensitive; this is the safer choice, since it prevents "Alice" and "alice" from becoming two different accounts, and it cannot be changed after the pool is created.

AWS Cognito User Pool Sign In options

Set up the attribute options. These attributes make up the user profile collected during sign-up. You can also add custom attributes if needed, in addition to the standard ones you have selected.

AWS Cognito User Pool Attribute options


Set up the password and sign-up policy. Here you apply the password requirements (minimum length and required character classes), set how long a temporary password stays valid, and decide whether users may create their own accounts or only an administrator can.

AWS Cognito User Pool Password and Sign In Policy

MFA and Verification

Set up multi-factor authentication (MFA), account verification and recovery. MFA adds a second factor to sign-in: after entering the password, the user must also submit a one-time code delivered by SMS or generated by an authenticator app (TOTP). Account verification is a separate step: a code sent by email or SMS confirms that the user actually controls that address or phone number. You can set MFA to Off, Optional or Required, and turn it off if it is not needed for your use case.

AWS Cognito User Pool Multi-Factor Authentication

You can also choose how users recover their account if they forget their password: with a code sent to a verified email address, to a verified phone number, or only through an administrator.

AWS Cognito User Pool User Account recovery

In order to send SMS messages, Cognito needs an IAM role in your AWS account that allows it to publish through Amazon SNS on your behalf. If you don't have one yet, click "Create Role" and it will be set up for you.

AWS Cognito User Pool Provide an IAM Role

Message Customization

Set up the email messages and headers. While the default messages work, it is good to know that you can customize the verification and invitation messages for email and SMS, and set the FROM and REPLY-TO email headers in this step. Sending from your own address requires an address verified in Amazon SES; the default Cognito sender has a small daily email limit intended for development, so production pools should send through SES.

AWS Cognito User Pool Email Messages and Headers Customization

App Clients

This is an important step in setting up your AWS Cognito User Pool. To let your application (front-end or back-end) use the user pool, you need app client credentials. The app client is what your application authenticates against to obtain an ID token, an access token and a refresh token; it then presents those tokens to read the user profile or call your APIs, depending on the authentication flow.

For example, if you are building sign-up and sign-in for a Single Page Application (SPA), you can leave most of the defaults checked and you must not generate a client secret. A secret can only be kept confidential by a back-end application (e.g. Python, Node.js, Java); anything shipped to the browser is public.

AWS Cognito User Pool setup App Clients

The app client can also be given read and write permissions on the attributes set up in the earlier steps, so each client only exposes the attributes it needs.

AWS Cognito User Pool App Client attribute read and write permissions

For service-to-service authentication using the OAuth 2.0 client credentials flow, the app client represents the third-party service in your system: it gets an app client ID and an app client secret, and uses them to obtain an access token for custom scopes defined on a resource server, with no user involved.

AWS Cognito User Pool App Client ID and Secret

In my next tutorials, I will show some example app integration setups and how you can use the different OAuth flows to obtain tokens and use them to access the user profile in an AWS Cognito User Pool.

Tags, Devices and Triggers

Set up pool tags. Tags are useful if you have several user pools: you can group pools by organization, break down billing reports by tag, and write IAM policies whose conditions match tags.

Set up remembered devices. When enabled, Cognito can remember the phone, laptop or other device a user signs in from, either always or only after the user opts in. On later sign-ins from a remembered device the user does not have to complete the second factor again, so the setting trades some MFA protection for convenience.

AWS Cognito User Pool App Client Opt In to remember device

Set up Lambda triggers. One of the handy features of AWS Cognito is the ability to invoke a Lambda function on events in the user lifecycle, which is useful when you need custom integration logic. For example, a Pre Token Generation trigger lets you customize the claims in the ID token, and a Post Authentication trigger lets you add custom logic such as analytics. See the documentation for the full list of Lambda triggers.

AWS Cognito User Pool App Lambda triggers
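A Pre Token Generation trigger like the one mentioned above, as an added example that is not code from the original post. It copies a custom attribute into the ID token as a claim, exposes the user's groups, and suppresses an attribute the front end has no business seeing. The attribute names (custom:tenant, custom:internal_note) and the sample event are constructed for illustration; the event layout follows the version 1 trigger event.

```python
"""Added example (not from the original post): a Pre Token Generation
Lambda handler for a Cognito user pool. Attribute and claim names are
illustrative assumptions."""
import json
from typing import Any, Dict, Iterable

# A selection of claims Cognito does not allow a trigger to override.
# Attempts to set them are dropped here instead of failing the sign-in.
RESERVED_CLAIMS = {"sub", "iss", "aud", "exp", "iat", "auth_time",
                   "token_use", "identities", "nonce", "at_hash"}


def build_claims(attrs: Dict[str, str], groups: Iterable[str]) -> Dict[str, str]:
    """Claims to add to the ID token. Values stay strings, as the v1 trigger expects."""
    claims: Dict[str, str] = {}
    tenant = attrs.get("custom:tenant")
    if tenant:
        claims["tenant"] = tenant
    roles = sorted(groups)
    if roles:
        claims["roles"] = ",".join(roles)
    return claims


def safe_overrides(claims: Dict[str, str]) -> Dict[str, str]:
    """Drop anything that would collide with a reserved claim."""
    return {k: v for k, v in claims.items() if k not in RESERVED_CLAIMS}


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point. Cognito reads event['response'] after we return."""
    request = event["request"]
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []
    claims = safe_overrides(build_claims(request["userAttributes"], groups))
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        # keep an internal-only attribute out of the token handed to the browser
        "claimsToSuppress": ["custom:internal_note"],
    }
    return event


# Constructed sample event, shaped like what Cognito sends at authentication.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "1",
    "triggerSource": "TokenGeneration_Authentication",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "alice@example.com",
    "request": {
        "userAttributes": {
            "sub": "6f9b0c8a-0000-4000-8000-000000000000",
            "email": "alice@example.com",
            "email_verified": "true",
            "custom:tenant": "acme",
            "custom:internal_note": "risk review pending",
        },
        "groupConfiguration": {
            "groupsToOverride": ["ops", "admin"],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}


def run_sample() -> Dict[str, Any]:
    """Run the handler on a fresh copy of the sample event and return the override details."""
    return handler(json.loads(json.dumps(SAMPLE_EVENT)))["response"]["claimsOverrideDetails"]


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Only the claims you add or suppress are returned; everything else in the token is left to Cognito. Keep the added claims small and non-sensitive, since the ID token ends up in the client.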


The final step is to review your Cognito User Pool settings and click the "Create pool" button.

AWS Cognito User Pool App review setup
AWS Cognito User Pool App review setup and create pool
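The same pool and app client settings walked through above, as an added example expressed in code rather than console clicks; this is not code from the original post. It builds the boto3 (cognito-idp) request parameters for the pool, for optional TOTP MFA, and for a browser app client and a service app client, and runs a small pre-flight check for the weak settings discussed above (short passwords, MFA off, a secret in a browser client, username enumeration). The pool name, custom attribute, callback URL and scope are illustrative assumptions; AWS is only called when COGNITO_APPLY=1 is set.

```python
"""Added example, not code from the original post: Cognito user pool and app
client settings as boto3 request parameters, with a pre-flight audit.
Names, URLs and the custom scope are illustrative assumptions."""
import os
from typing import Any, Dict, List


def build_user_pool_request(pool_name: str) -> Dict[str, Any]:
    """CreateUserPool parameters: email sign-in, case-insensitive username,
    a custom attribute, password policy, self sign-up with verified email,
    email recovery, remembered devices challenged when new."""
    return {
        "PoolName": pool_name,
        "UsernameAttributes": ["email"],                   # cannot be changed later
        "UsernameConfiguration": {"CaseSensitive": False},  # cannot be changed later
        "AutoVerifiedAttributes": ["email"],
        "Schema": [
            {"Name": "email", "AttributeDataType": "String", "Required": True, "Mutable": True},
            {"Name": "tenant", "AttributeDataType": "String", "Mutable": True,  # custom:tenant
             "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "64"}},
        ],
        "Policies": {"PasswordPolicy": {
            "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
            "RequireNumbers": True, "RequireSymbols": True,
            "TemporaryPasswordValidityDays": 7}},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
        "AccountRecoverySetting": {"RecoveryMechanisms": [{"Priority": 1, "Name": "verified_email"}]},
        "DeviceConfiguration": {"ChallengeRequiredOnNewDevice": True,
                                "DeviceOnlyRememberedOnUserPrompt": True},
        # MFA is enabled in a second call (build_mfa_request); turning it on here
        # would require SMS configuration, i.e. the IAM role for SNS.
        "MfaConfiguration": "OFF",
        "UserPoolTags": {"org": "demo", "env": "dev"},
    }


def build_mfa_request(pool_id: str) -> Dict[str, Any]:
    """SetUserPoolMfaConfig parameters: optional MFA with authenticator apps (TOTP)."""
    return {"UserPoolId": pool_id, "MfaConfiguration": "OPTIONAL",
            "SoftwareTokenMfaConfiguration": {"Enabled": True}}


def build_app_client_request(pool_id: str, name: str, kind: str) -> Dict[str, Any]:
    """CreateUserPoolClient parameters. 'spa' is a browser app (no secret, SRP
    sign-in, authorization code flow); 'service' uses client_credentials, which
    needs a secret and a custom scope from a resource server."""
    req: Dict[str, Any] = {
        "UserPoolId": pool_id, "ClientName": name,
        "PreventUserExistenceErrors": "ENABLED",  # same error for unknown user and bad password
        "AllowedOAuthFlowsUserPoolClient": True,
        "SupportedIdentityProviders": ["COGNITO"],
    }
    if kind == "spa":
        req.update({"GenerateSecret": False,
                    "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
                    "AllowedOAuthFlows": ["code"],
                    "AllowedOAuthScopes": ["openid", "email", "profile"],
                    "CallbackURLs": ["https://app.example.com/callback"],
                    "ReadAttributes": ["email", "email_verified", "custom:tenant"],
                    "WriteAttributes": ["email"]})
    elif kind == "service":
        req.update({"GenerateSecret": True,
                    "AllowedOAuthFlows": ["client_credentials"],
                    "AllowedOAuthScopes": ["api.example.com/read"]})  # resource server scope
    else:
        raise ValueError(f"unknown client kind: {kind}")
    return req


def audit(pool: Dict[str, Any], mfa: Dict[str, Any], clients: List[Dict[str, Any]]) -> List[str]:
    """Flag settings a reviewer would push back on before the pool is created."""
    findings: List[str] = []
    if pool.get("Policies", {}).get("PasswordPolicy", {}).get("MinimumLength", 0) < 8:
        findings.append("password minimum length below 8")
    if mfa.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("MFA is off")
    if (not pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly")
            and not pool.get("AutoVerifiedAttributes")):
        findings.append("self sign-up allowed without email or phone verification")
    for c in clients:
        flows = c.get("AllowedOAuthFlows", [])
        if c.get("GenerateSecret") and "implicit" in flows:
            findings.append(f"{c['ClientName']}: browser (implicit) client holds a secret")
        if "client_credentials" in flows and not c.get("GenerateSecret"):
            findings.append(f"{c['ClientName']}: client_credentials requires a secret")
        if c.get("PreventUserExistenceErrors") != "ENABLED":
            findings.append(f"{c['ClientName']}: sign-in errors reveal whether a user exists")
    return findings


if __name__ == "__main__":
    pool_req = build_user_pool_request("demo-user-pool")
    spa = build_app_client_request("<pool id>", "web-spa", "spa")
    svc = build_app_client_request("<pool id>", "partner-service", "service")
    print("findings:", audit(pool_req, build_mfa_request("<pool id>"), [spa, svc]) or "none")
    if os.environ.get("COGNITO_APPLY") == "1":  # only talk to AWS when asked
        import boto3
        idp = boto3.client("cognito-idp")
        pool_id = idp.create_user_pool(**pool_req)["UserPool"]["Id"]
        idp.set_user_pool_mfa_config(**build_mfa_request(pool_id))
        idp.create_resource_server(UserPoolId=pool_id, Identifier="api.example.com", Name="api",
                                   Scopes=[{"ScopeName": "read", "ScopeDescription": "read"}])
        for req in (spa, svc):
            req["UserPoolId"] = pool_id
            print(req["ClientName"], idp.create_user_pool_client(**req)["UserPoolClient"]["ClientId"])
```

The resource server is created before the service client because the client's custom scope must already exist. Keeping the parameters in plain functions makes it easy to diff the intended configuration against what DescribeUserPool returns later.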

AWS Cognito is a powerful tool for developers. If you are building an application with user sign-up, sign-in and access control, this service will save you a lot of coding time. Moreover, it already supports many federated identity providers, including Google, Facebook, Apple, Login with Amazon, and any OpenID Connect or SAML provider.

© 2020