Hashtag
#cognito
Implementing protected Lambda function URLs in user-facing applications TL;DR: When Lambda is configured to return streamed responses from IAM-protected function URLs, we...

✍️ New blog post by Arpad Toth

Implementing protected Lambda function URLs in user-facing applications

#lambda #cognito #serverless


So, @awscloud.bsky.social #Cognito is the only IdP with a free tier that supports MFA. All of the other ones I've ever looked at see MFA as a premium offering. Which hugely sucks.

Turns out, Cognito has no self recovery mechanism. If you lose your authenticator, you're screwed.


Amazon Cognito FINALLY supports inbound federation Lambda triggers 🎉

You can now intercept SAML/OIDC responses BEFORE they hit your user pool.

Transform, truncate, or filter attributes programmatically. Zero IdP changes needed.

#AWS #Cognito
1/4

Complete Tutorial: Streaming Agents on AWS This is Part 2 of a two-part series. If you haven't read the architecture overview yet, start with...

🚀📝 Complete Tutorial: Streaming Agents on AWS

#streamingagents #AWSCDK #APIGateway #Cognito #serverless

Edit User Info in a React App with Amazon Cognito Authentication

Learn how to edit authenticated user information in a React app using Amazon Cognito Authentication. #auth #cognito #aws
youtu.be/1TYFeGmqkas

Building a Secure Login API with Cognito SSO Ditch static AWS keys — learn how to authenticate users with Cognito using IAM roles for your backend APIs, EC2 instances, or Lambda…

Explore how to enhance app security with Amazon Cognito SSO! Learn to build a secure login API efficiently. Boost user authentication while simplifying development. #AWS #Cognito

Another AWS footgun: Cognito custom attributes

Another AWS footgun: Cognito custom attributes #aws #cognito advancedweb.hu/shorts/anoth...

Amazon Cognito User Pools Made Easy: Setup & Settings You MUST Know

Amazon Cognito User Pools explained! 🚀 In this tutorial, you’ll learn how to set up and configure Cognito User Pools in AWS step by step. #AWS #Cognito
youtu.be/nMLuTGHYczE

📢 I'm still exploring #AWS #codecatalyst; here's a post where I integrate it with a #github repository and deploy AWS #Cognito using #terraform

olcortesb.hashnode.dev/integrando-c...

Original post on aws.amazon.com

Build a scalable containerized web application on AWS using the MERN stack with Amazon Q Developer – Part 1 In a traditional SDLC, a lot of time is spent in the different phases researching appro...

#Amazon #Cognito #Amazon #DocumentDB #Amazon #Elastic […]

Amazon Cognito Observability Best Practices with Datadog Amazon Cognito is a user authentication and authorization service that lets you enable sign-up,...

✍️ New blog post by Indika_Wimalasuriya

Amazon Cognito Observability Best Practices with Datadog

#cognito #awsobservability #sre #datadog

Extract Invoice Data Automatically Using LangChain In this article, I’m sharing an app I built to automate invoice processing using image recognition...

✍️ New blog post by Mohamed Radwan

Extract Invoice Data Automatically Using LangChain

#ai #langchain #aws #cognito

How to apply AWS WAF CAPTCHA on you Cognito user pool Learn a workaround to protect your Cognito user pool by integrating AWS WAF Captcha in your own managed log-in/sign-up page

"How to apply AWS WAF CAPTCHA on you Cognito user pool" by Achraf Souk

#security #aws #cognito

OAuth2 Scope Authorization with Amazon Verified Permissions Learn to implement OAuth2 scope-based authorization using Amazon Verified Permissions and Cognito for fine-grained machine-to-machine API access control.

"OAuth2 Scope Authorization with Amazon Verified Permissions" by Owen Hawkins

#verified-permissions #amazon-verified-permissions #cognito #amazoncognito


🔐 API keys or client credentials?

We unpack OAuth 2.0, token security, and the future of AI agents in M2M auth with Cognito and API Gateway.

🎙️New AWS Developers Podcast out now! 🎧 (links in the thread)

#AWS #OAuth2 #Cognito

AWS Español — DEV Community Profile

🆕 Here's a new post on how to deploy #AWS #Cognito with #Terraform. On the dev.to/aws-espanol blog
dev.to/aws-espanol/...

OpenID Connect Cognito group scope configuration (OIDC) Hi, We’ve enabled OpenID Connect (OIDC) logins in AGOL and can successfully authenticate users and create accounts with the scopes below: We want to enable AGOL group membership based upon OIDC groups but can’t get the scopes correct. This is what is being returned from Cognito for a test user:    ...

#cognito #Administration

📝 How to list the reserved and provisioned concurrency of our Lambdas ⚡. Source:...

✍ 🆕 New post: How to list the reserved and provisioned concurrency of our Lambdas
"dev.to/aws-espanol"
#aws #cognito #lambda
dev.to/aws-espanol/...

Today I attended the AWS User Group Joinville meetup at Conta Azul, the company where I had the opportunity to work and which was a turning point in my career. The talks covered Cognito and Aurora RDS in real use cases at Conta Azul.

Photos from the meeting coming soon.

#aws #aug #awsusergroup #cognito


I got auth knocked out today on the IoT dashboard I made with AWS Cognito. It went surprisingly well.

#AWS #Cognito #IoT #GoLang

Cognito: Subsequent App Clients don't work Getting "Login pages unavailable. Please contact an administrator" in subsequent app clients

"Cognito: Subsequent App Clients don't work" by Sameera

#cognito

How to Use Refresh Token Rotation in AWS Cognito Finally, a long-awaited feature of AWS Cognito is here. Now, Cognito user pools support the rotation...

✍️ New blog post by Rishi

How to Use Refresh Token Rotation in AWS Cognito

#aws #oauth #cognito

How to Use Refresh Token Rotation in AWS Cognito

Finally, a long-awaited feature of AWS Cognito is here. Now, Cognito user pools support the rotation of refresh tokens. In this post, we’ll understand what has changed and how to implement it in your projects.

## What is a Refresh Token? And What Was the Problem?

After successful user authentication, the Cognito user pool returns an ID Token, an Access Token, and a refresh Token. Access Token and ID Token can be utilized to make secure API calls or extract user profile information and are generally short-lived. To avoid frequent user authentication, Refresh token can be used to retrieve a new ID and Access token. This process can be repeated until the refresh token is valid. Once the refresh token expires, the user needs to go through the login flow again.

Now, there are two problems with this approach:-

* Even if a user is active, they are logged out after the expiry of the refresh token. One way is to keep a longer refresh token lifetime. But the question comes how long? Also, keeping it too long is a potential security threat in case of a compromised refresh token.
* The same refresh token can be reused multiple times.

The new refresh token rotation feature solves these problems seamlessly.

## How AWS Cognito Refresh Token Rotation Works?

After enabling refresh token rotation:-

* Every time a new Access/ID Token is requested using a refresh token (ie. with _grant_type=refresh_token_), Cognito now returns a new refresh token as well. Now if a user is active, fresh tokens can be fetched for a long time without compromising security. It works like a sliding window.
* A new refresh token is returned on every _/oauth2/token_ call and the old one becomes invalid (with optional grace time). So the problem of using the same refresh_token is also resolved.

## How To Enable Refresh Token Rotation?

* Go to UserPool >> App Clients >> Edit App client information.
* Under Authentication flows, uncheck "ALLOW_REFRESH_TOKEN_AUTH". Then scroll down to Advanced security configurations and check "Enable token revocation".

That's it! Refresh token rotation is successfully enabled and can be used with OAuth2.0 workflow or Cognito SDK. For more details, check out the Cognito Refresh Token Developer Guide.

## Refresh Token Rotation With OAuth2.0 Workflow And SDK

At the end of the authorization_code grant_type OAuth2.0 workflow, the code received can be used to get tokens. After the expiry of the Access Token, use the Refresh Token to get new tokens.

```bash
curl -X POST \
  https://<USERPOOL_DOMAIN_HERE>/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code&client_id=<CLIENT_ID_HERE>&code=<AUTHORIZATION_CODE_HERE>&redirect_uri=<REDIRECT_URI_HERE>'

curl -X POST \
  https://<USERPOOL_DOMAIN_HERE>/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&client_id=<CLIENT_ID_HERE>&refresh_token=<REFRESH_TOKEN>'
```

Similarly, for SDK, GetTokensFromRefreshTokenCommand can be used.

```javascript
import { CognitoIdentityProviderClient, GetTokensFromRefreshTokenCommand } from "@aws-sdk/client-cognito-identity-provider";

const config = { region: "ap-south-1" };
const client = new CognitoIdentityProviderClient(config);
const input = { // GetTokensFromRefreshTokenRequest
  RefreshToken: "STRING_VALUE", // required
  ClientId: "STRING_VALUE", // required
  ClientSecret: "STRING_VALUE",
};
const command = new GetTokensFromRefreshTokenCommand(input);
const response = await client.send(command);
console.log(response);
```

Thanks ☺️

Setting Up SSO Between AWS Cognito and Salesforce Learn how to implement Single Sign-On between AWS Cognito and Salesforce for a seamless user...

✍️ New blog post by Yoonsoo Park

Setting Up SSO Between AWS Cognito and Salesforce

#sso #cognito #salesforce #programming

How to avoid generating a client secret for an app client AWS...

✍️ New blog post by Yasuhiro Matsuda

How to avoid generating a client secret for an app client

#aws #cognito #japanese

4 Cognito User Pools features you might not know about

Cognito User Pools is more than just a user directory. It's an ecosystem that tackles authentication edge cases and boosts development efficiency.

## 1. Cognito User Pools - beyond a simple user directory

Cognito User Pools is a fully managed, OpenID Connect-compatible identity provider. It serves as a user directory service that handles authentication and authorization for **application users**. Importantly, Cognito User Pools doesn’t manage access to AWS resources like S3 or DynamoDB. It’s designed for the mobile and web applications we build.

With a user pool integrated into an app, our users can sign up, log in, and change passwords effortlessly, requiring minimal work on our end.

Having a service like Cognito User Pools is a game-changer. Before using it, I built authentication workflows manually, and trust me, it was far from enjoyable. It’s much simpler to rely on a dedicated service that handles all the flows right out of the box.

## 2. Lesser-known features

Beyond the basics, Cognito User Pools offers some lesser-known features that enhance the experience for both users and administrators. In this post, I’ll highlight four of them.

### 2.1. Modifying tokens

As mentioned, Cognito User Pools aligns with the OpenID Connect standard, issuing an **ID token** once a user successfully authenticates. It also provides **access tokens**, making it compliant with OAuth 2.0 standards.

Tokens are expected, but did you know you can intercept the authentication flow and add custom properties to them? We can set up Cognito to trigger a Lambda function at various stages of the sign-up and sign-in processes. These functions can enrich both the ID token and the access token.

This opens up a world of customization options for controlling app access. For example, we can embed custom data in the **ID token** for the front-end client to use, enabling guards to restrict content. Alternatively, we can add custom scopes to the **access token** and implement fine-grained access control in an API Gateway API. All it takes is some Lambda function code, and Cognito triggers it at the right time.

### 2.2. Passkeys for login

Cognito also lets us integrate **passwordless** login into our applications! One option is using passkeys. YubiKeys are a popular choice, but password managers and operating system key storage options work seamlessly with Cognito too.

Passwordless sign-in is getting more popular, and with Cognito, we can keep our apps ahead of the curve.

### 2.3. User existence error masking

How does your app respond when someone tries to log in with a nonexistent username? One approach is to return a “User not found” error, but this tells the user they can keep guessing with different usernames.

By enabling the Prevent user existence errors feature in the App client settings, Cognito displays a vague error like “The username or password is incorrect” when someone tries to log in with a nonexistent username.

This feature extends to passwordless sign-in too. When I set up the email verification code option and entered a nonexistent username, Cognito displayed the standard, expected message on the next page:

So, what’s happening here? How does the “Prevent user existence errors” feature play out? It’s all about the email address - it’s fake. At first, I thought this was a bug and that Cognito might have sent a verification code to some random stranger’s email. But the truth is, when the user doesn’t exist, Cognito shows a **simulated message** with a dummy email address and never sends the validation code.

Big thanks to AWS technical support and the Cognito team for clearing this up! 🙌

### 2.4. Customizable login page

Cognito offers hosted authentication pages known as the hosted UI. Recently, they rolled out managed login, an updated version of the classic hosted UI.

This managed authentication page is a lifesaver. It means we don’t have to build login and sign-up forms from scratch on the front end.

But there’s more! We can **customize** the **managed login** page using a no-code visual editor called the **branding designer**, which lets us tweak every element of the login form. We can adjust spacing and border-radius, and add custom logos or background images, among other options.

If you prefer, you can still upload a custom CSS file with the classic hosted UI. Switching between the two is easy if needed.

## 3. Summary

This short post explored four lesser-known Cognito User Pools features: token modification, passkey-based passwordless authentication, user existence error masking, and customizable managed login pages.

These features have made my life easier when integrating Cognito into my applications. How about you?

4 Cognito User Pools features you might not know about Cognito User Pools is more than just a user directory. It's an ecosystem that tackles authentication...

✍️ New blog post by Arpad Toth

4 Cognito User Pools features you might not know about

#aws #security #cognito

Securing API Gateway with AWS Cognito Authentication using OAuth 2.0 and Custom Domains Introduction In our previous post, we explored securing API Gateway using a Lambda...

✍️ New blog post by Chinmay Tonape

Securing API Gateway with AWS Cognito Authentication using OAuth 2.0 and Custom Domains

#awscommunity #terraform #cognito #oauth

ID Token vs Access Token: Authorization Decision Guidelines This article provides a mental model on how to decide on which token type to use for authorization.

"ID Token vs Access Token: Authorization Decision Guidelines" by Akram Al Sheikh

#cognito #amazoncognito #identity

Managing Linked Identities in Amazon Cognito A guide to managing authentication methods in Amazon Cognito when transitioning B2B SaaS users from native to federated authentication.

"Managing Linked Identities in Amazon Cognito" by Owen Hawkins

#cognito #authentication #saas #samlfederation
