This example shows how to use AWS SDKs to customize Amazon Cognito authentication behavior. You can configure your Amazon Cognito user pool to automatically invoke AWS Lambda functions at various points in the authentication process, such as before sign-up, during sign-in, and after authentication.
There are three workflows demonstrated by this example:
- Automatically confirm and verify the email of known users by using a pre sign-up trigger.
- [Not yet implemented] Automatically add known users at sign-in by using a migrate user trigger.
- [Not yet implemented] Write custom information to an Amazon DynamoDB table after users are authenticated by using a post authentication trigger.
These workflows are described in more detail in the main README for these examples.
A pre sign-up Lambda trigger is invoked when a user starts the sign-up process and lets your Lambda function take action before Amazon Cognito adds the user to the user pool.
A migrate user Lambda trigger is invoked when a user doesn't exist in the user pool at sign-in with a password. After the Lambda function returns successfully, Amazon Cognito creates the user in the user pool.
A post authentication Lambda trigger is invoked after signing in a user, so you can add custom logic after Amazon Cognito authenticates the user.
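The pre sign-up workflow above (auto-confirming only users already present in the external user store) is the decision a trigger has to make carefully: an unknown address must fall through to the normal verification path, and admin-created or federated sign-ups use other trigger sources and should not be auto-confirmed. The following is an added example, not code from this repository, showing that decision logic in the shape of a Cognito pre sign-up trigger. The DynamoDB lookup against the `UserEmail` key is replaced by an in-memory `Set` (a constructed stand-in), and the user pool id in the sample event is a placeholder.

```javascript
// Added example (not the repository's code): decision logic of a pre sign-up
// Lambda trigger that auto-confirms only users already known to an external
// store keyed by email, like the doc-example-custom-users table.
// The DynamoDB lookup is replaced by an in-memory Set (constructed stand-in).

// Constructed sample of "known" users; a real trigger would query the table.
const KNOWN_USER_EMAILS = new Set(["alice@example.com", "bob@example.com"]);

// Normalize before lookup so "Alice@Example.com" matches the stored key.
function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : "";
}

/**
 * Pure decision function. Takes the Cognito pre sign-up event and a
 * predicate for membership in the external store, and returns the event with
 * the response fields Cognito reads (autoConfirmUser, autoVerifyEmail,
 * autoVerifyPhone) set. Anything not explicitly known stays unconfirmed.
 */
function decidePreSignUp(event, isKnownUser) {
  const response = {
    autoConfirmUser: false,
    autoVerifyEmail: false,
    autoVerifyPhone: false,
  };

  // Only act on a self-service sign-up. Admin-created users and external
  // identity providers arrive with other trigger sources; leave them on the
  // default (unconfirmed) path rather than silently confirming them.
  if (event.triggerSource !== "PreSignUp_SignUp") {
    return { ...event, response };
  }

  const attrs = (event.request && event.request.userAttributes) || {};
  const email = normalizeEmail(attrs.email);

  // Unknown or missing email: fall through to Cognito's verification email.
  if (email && isKnownUser(email)) {
    response.autoConfirmUser = true;
    response.autoVerifyEmail = true;
  }
  return { ...event, response };
}

// Lambda entry point; Cognito awaits it and reads event.response.
async function handler(event) {
  return decidePreSignUp(event, (email) => KNOWN_USER_EMAILS.has(email));
}

// Constructed sample event in the shape Cognito sends to a pre sign-up trigger.
function sampleEvent(email, triggerSource = "PreSignUp_SignUp") {
  return {
    version: "1",
    triggerSource,
    region: "us-east-1",
    userPoolId: "us-east-1_PLACEHOLDER", // placeholder, not a real pool id
    userName: email,
    request: { userAttributes: { email }, validationData: {} },
    response: {},
  };
}
```

In a deployment, `handler` is the function exported from the Lambda module, and `isKnownUser` would be backed by a `GetItem` on the table using the IAM role the stack creates; keeping the decision in a pure function means the known, unknown, wrong-trigger-source and missing-email cases can be unit tested without any AWS calls.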
- Running this code might result in charges to your AWS account.
- Running the tests might result in charges to your AWS account.
- We recommend that you grant your code least privilege: grant only the minimum permissions required to perform the task. For more information, see Grant least privilege.
- This code is not tested in every AWS Region. For more information, see AWS Regional Services.
For general prerequisites, see the README in the javascriptv3 folder.
This example deploys several resources by using an AWS CloudFormation stack. This stack deploys the following resources:
- An Amazon DynamoDB table named `doc-example-custom-users` that has a `UserEmail` primary key. This table functions as an external user store.
- An Amazon Cognito user pool that requires an email, sends an email with a verification code when a new user is added, does not require MFA, and allows account recovery with a verified email.
- An Amazon Cognito client application. This is required for client calls to sign up and authenticate users.
- An AWS Identity and Access Management (IAM) role that can be assumed by Lambda. This role grants permission to Lambda to read from and write to the DynamoDB table and write to CloudWatch Logs.
The AWS resources for this example are deployed by using the AWS Cloud Development Kit (AWS CDK).
To install the AWS CDK, follow the instructions in the Developer Guide.
Deploy resources at a command prompt from the cdk folder:
```
npm install
cdk deploy
```
Run `./index --help` for instructions on running a scenario.
Delete resources deployed for this example by deleting the stack.
Delete the stack at a command prompt from the cdk folder:
```
cdk destroy
```
- Amazon Cognito Identity Provider Developer Guide
- Amazon Cognito Identity Provider API Reference
- SDK for JavaScript V3 Amazon Cognito Identity Provider reference
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0