AWS Cognito User Pool

By Rex Resurreccion Apr 04, 2020
AWS Cognito User Pool

This tutorial is meant for developers who are new to AWS Cognito. This will be a quick topic about AWS Cognito and how to Create a User Pool.

As described in the AWS website, Cognito is a simple and secure user Sign-Up, Sign-In, and Access Control authentication service provided by Amazon. This service allows developers to integrate authentication in their application.

Cognito has many features like Multi-Factor Authentication, hosted UI, OAuth flows and Lambda trigger.

Create a User Pool

Log in to AWS Management Console. If you don’t have an AWS account, you will need to Sign-Up and it’s free to just have an account.

In the Dashboard you will see many AWS services, search for “Cognito”.

AWS Console Dashboard Find the service Cognito

Then click on “Manage User Pools”. And along the top right corner, click on “Create a user pool”.

Amazon Cognito Manage User Pools

Now you can give your User pool a name, and we will go over the “Step Through Settings”. Take note that after creating the User Pool, you can go back and create changes in the configuration except for the Sign-In and Default attribute options.

AWS Cognito User Pool Name and Step Through Settings


Setup the sign in options. You can select to have users sign in using another attribute in their profile like their email address, phone number, username or preferred username combined with their password.  As well, you can make the username case-insensitive.

AWS Cognito User Pool Sign In options

Setup attribute options. This will be the fields in the user profile during sign up. You can also add custom attributes in addition to the defaults that you have chosen.

AWS Cognito User Pool Attribute options


Setup password and Sign-In policy. Apply password requirements such as length, character combination and the lifespan for a temporary password. And for the sign up process if you want to allow a user to create their own account.

AWS Cognito User Pool Password and Sign In Policy

MFA and Verification

Setup Multi-Factor authentication (MFA), account verification and recovery. MFA is an additional security by having a user use the verification code sent to their email or phone to confirm a sign in to their account. The code must be submitted along with their password to complete the sign in process. You can also disable the feature if not needed.

AWS Cognito User Pool Multi-Factor Authentication

And you can also enable how they can recover their account in the event of forgetting their login credentials.

AWS Cognito User Pool User Account recovery

In order to enable SMS messaging, you will need to create an IAM role in your AWS account. If you don’t have one yet, just submit the “Create Role” and it will be automatically created for you.

AWS Cognito User Pool Provide an IAM Role

Message Customization

Setup Email Messages and Headers. On this step, you can change the verification and invitation messages for Email and SMS. Also, you can change the email headers for FROM and REPLY-TO in the email.

AWS Cognito User Pool Email Messages and Headers Customization

App Clients

This is an important step in setting up an AWS Cognito User Pool. To allow your application (Front-End or Back-End) to access the User Pool, you will need an App Client credential. The App Client will be used to get an Identity Token or Access Token, and then use this in exchange for user profile depending to your authentication flow.

For instance, if you are developing an authentication and sign up module for a Single Page Application (SAP), you can leave most of the default setup checked. And you do not need to generate a Client Secret since this is only for machine to machine authentication.

AWS Cognito User Pool setup App Clients

The App Client can also have defined access to the attribute options that has been setup on the early steps.

AWS Cognito User Pool App Client attribute read and write permissions

If you are trying to create a Machine to Machine authentication, assuming that the flow will be an OAuth 2.0 Client credential, then the App Client will be the account of the third party Service in your system, having an App client id and App client secret generated.

AWS Cognito User Pool App Client ID and Secret

If you are interested in how to use OAuth 2.0 flows in AWS Cognito, check out my topics about Implicit Flow, Authorization code and Client credentials.

Tags, Devices and Triggers

Setup Pool tags. Tags are useful if you have several AWS Cognito User Pool. Tags can be used to group User Pools per Organization, aggregate billing reports and implement IAM role.

Setup remember device. This is for remembering the device of the user when they sign in. The next time they sign in, they no longer have to confirm again if your application has remembered their device’s identity.

AWS Cognito User Pool App Client Opt In to remember device

Setup Lambda trigger. One of the useful features of AWS Cognito is the ability to trigger a lambda function based on events. This is applicable if you need to do complex integration in your application. For example, a pre token generation trigger, allowing you to customize the claims in the identity token. Another example, a post authentication trigger, allowing you to add custom logic for analytics conversion. Check out more about Lambda Trigger.

AWS Cognito User Pool App Lambda triggers


The final step is to review your Cognito User Pool. Once you have confirmed all the configuration, click on the “Create pool” button.

AWS Cognito User Pool App review setup
AWS Cognito User Pool App review setup and create pool

AWS Cognito is a powerful tool for developers. If you are developing an authentication module, then using this service from AWS will save you a lot of coding time.

Moreover, it already supports the integration on many federated identities like Google, Facebook, Apple, Amazon and OpenID. The user can use their existing accounts to sign up or sign in to your application.

© 2020