tessl install github:itsmostafa/aws-agent-skills --skill cognito
github.com/itsmostafa/aws-agent-skills
AWS Cognito user authentication and authorization service. Use when setting up user pools, configuring identity pools, implementing OAuth flows, managing user attributes, or integrating with social identity providers.
Review Score 81% | Validation Score 12/16 | Implementation Score 65% | Activation Score 100%
Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.
User pools: a user directory for sign-up and sign-in. Provides:
Identity pools: provide temporary AWS credentials to access AWS services. Users can be:
| Token | Purpose | Lifetime |
|---|---|---|
| ID Token | User identity claims (who the user is; carries `aud`) | 1 hour by default; configurable from 5 minutes to 1 day |
| Access Token | API authorization (scopes, groups; carries `client_id`, not `aud`) | 1 hour by default; configurable from 5 minutes to 1 day |
| Refresh Token | Obtain new ID/access tokens without re-authenticating | 30 days by default; configurable from 1 hour to 10 years |
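The lifetimes above only matter if the receiving service actually checks them. The following is an added example (not code from the page or from the aws-agent-skills project) of verifying a user pool JWT without a JWT library: it selects the pool key by `kid`, pins the algorithm to RS256, checks the signature, and then applies the claim checks that differ between ID and access tokens (an access token has `client_id` where an ID token has `aud`, so a generic "audience" check rejects valid access tokens). The region, pool ID and client ID are the page's placeholders; the RSA signature step uses the `cryptography` package and is imported lazily so the claim helpers run without it.

```python
"""Verify a Cognito user pool JWT offline: pick the pool key by kid, pin RS256,
check the signature, then apply the claim checks that differ between ID and
access tokens. Added example; the IDs below are placeholders, not real pools."""
import base64
import json
import time

REGION = 'us-east-1'                 # assumption: region of the pool
USER_POOL_ID = 'us-east-1_abc123'    # assumption: placeholder pool ID from the page
APP_CLIENT_ID = 'client-id'          # assumption: placeholder app client ID
ISSUER = f'https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}'
# The JWKS is served at f'{ISSUER}/.well-known/jwks.json'; fetch and cache it once per process.


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def split_token(token: str):
    """Return (header, claims, signing_input, signature) without trusting anything yet."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('a JWS compact token has exactly three segments')
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, f'{parts[0]}.{parts[1]}'.encode('ascii'), b64url_decode(parts[2])


def select_jwk(jwks: dict, header: dict) -> dict:
    """Pin alg to RS256 (what Cognito uses) and find the key whose kid the header names."""
    if header.get('alg') != 'RS256':
        raise ValueError(f"refusing alg {header.get('alg')!r}; Cognito tokens are RS256")
    for key in jwks.get('keys', []):
        if key.get('kty') == 'RSA' and key.get('kid') == header.get('kid'):
            return key
    raise ValueError('kid not in JWKS: refresh the cached key set once, then reject')


def verify_rs256(jwk: dict, signing_input: bytes, signature: bytes) -> None:
    """RSASSA-PKCS1-v1_5 with SHA-256 via the 'cryptography' package (imported lazily
    so the claim helpers below work without it)."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    n = int.from_bytes(b64url_decode(jwk['n']), 'big')
    e = int.from_bytes(b64url_decode(jwk['e']), 'big')
    public_key = rsa.RSAPublicNumbers(e, n).public_key()
    try:
        public_key.verify(signature, signing_input, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError('signature does not verify against the pool key') from None


def claims_error(claims: dict, expected_use: str, now=None) -> str:
    """Return '' if the claims are acceptable, else the reason. The client binding is
    'aud' on an ID token but 'client_id' on an access token, which a generic JWT
    library's audience check gets wrong for access tokens."""
    now = time.time() if now is None else now
    if claims.get('iss') != ISSUER:
        return 'issuer mismatch'
    if claims.get('token_use') != expected_use:
        return f"token_use {claims.get('token_use')!r} != {expected_use!r}"
    if now >= claims.get('exp', 0):
        return 'token expired'
    binding = 'aud' if expected_use == 'id' else 'client_id'
    if claims.get(binding) != APP_CLIENT_ID:
        return f'{binding} is not this app client'
    return ''


def verify_cognito_token(token: str, jwks: dict, expected_use: str, now=None) -> dict:
    """Full check: signature first, then claims. Returns the claims or raises ValueError."""
    header, claims, signing_input, signature = split_token(token)
    verify_rs256(select_jwk(jwks, header), signing_input, signature)
    problem = claims_error(claims, expected_use, now)
    if problem:
        raise ValueError(problem)
    return claims


def build_unsigned_sample(header: dict, claims: dict) -> str:
    """Constructed fixture for exercising split_token/select_jwk; its signature is
    garbage and would fail verify_rs256, which is the point."""
    h = b64url_encode(json.dumps(header, separators=(',', ':')).encode())
    p = b64url_encode(json.dumps(claims, separators=(',', ':')).encode())
    return f'{h}.{p}.{b64url_encode(b"not-a-signature")}'
```

Call `verify_cognito_token(token, jwks, 'access')` in an API and `verify_cognito_token(token, jwks, 'id')` only where you need identity attributes; never accept one in place of the other, since both are signed by the same pool key.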
AWS CLI:

```bash
# OPTIONAL lets each user enrol an MFA factor; use ON to require MFA for every user.
# AttributesRequireVerificationBeforeUpdate keeps a changed email unusable for
# sign-in and recovery until the new address is verified.
aws cognito-idp create-user-pool \
  --pool-name my-app-users \
  --policies '{
    "PasswordPolicy": {
      "MinimumLength": 12,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true
    }
  }' \
  --auto-verified-attributes email \
  --username-attributes email \
  --mfa-configuration OPTIONAL \
  --user-attribute-update-settings '{
    "AttributesRequireVerificationBeforeUpdate": ["email"]
  }'
```

```bash
# --generate-secret is only appropriate for a confidential (server-side) client; a
# browser or mobile app cannot protect the secret, so create a public client without it.
# USER_SRP_AUTH never sends the password to Cognito; ALLOW_USER_PASSWORD_AUTH is
# deliberately not enabled.
aws cognito-idp create-user-pool-client \
  --user-pool-id us-east-1_abc123 \
  --client-name my-web-app \
  --generate-secret \
  --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
  --supported-identity-providers COGNITO \
  --callback-urls https://myapp.com/callback \
  --logout-urls https://myapp.com/logout \
  --allowed-o-auth-flows code \
  --allowed-o-auth-scopes openid email profile \
  --allowed-o-auth-flows-user-pool-client \
  --access-token-validity 60 \
  --id-token-validity 60 \
  --refresh-token-validity 30 \
  --token-validity-units '{
    "AccessToken": "minutes",
    "IdToken": "minutes",
    "RefreshToken": "days"
  }'
```

```python
import base64
import hashlib
import hmac

import boto3

cognito = boto3.client('cognito-idp')


def get_secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(client_secret, username + client_id)).

    Required on every call for an app client created with --generate-secret.
    """
    message = username + client_id
    dig = hmac.new(
        client_secret.encode('utf-8'),
        message.encode('utf-8'),
        digestmod=hashlib.sha256,
    ).digest()
    return base64.b64encode(dig).decode()


# Sign up; because email is auto-verified, Cognito emails a confirmation code
response = cognito.sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    Password='SecurePassword123!',
    UserAttributes=[
        {'Name': 'email', 'Value': 'user@example.com'},
        {'Name': 'name', 'Value': 'John Doe'},
    ],
)
```

```python
# Confirm the account with the code the user received
cognito.confirm_sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    ConfirmationCode='123456',
)
```

```python
# SRP: the password never leaves the client. SRP_A comes from an SRP library; the
# PASSWORD_VERIFIER challenge in the response is answered with respond_to_auth_challenge.
response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='USER_SRP_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret'),
        'SRP_A': srp_a,  # from SRP library
    },
)

# Simple password auth (not recommended for production): the password itself is sent
# to Cognito. It needs ALLOW_ADMIN_USER_PASSWORD_AUTH in the client's explicit auth
# flows (not enabled above) and IAM permission for cognito-idp:AdminInitiateAuth.
response = cognito.admin_initiate_auth(
    UserPoolId='us-east-1_abc123',
    ClientId='client-id',
    AuthFlow='ADMIN_USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'PASSWORD': 'password',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    },
)

# When MFA or a forced password change applies, the response carries ChallengeName
# and Session instead of AuthenticationResult; answer it with respond_to_auth_challenge.
tokens = response['AuthenticationResult']
id_token = tokens['IdToken']
access_token = tokens['AccessToken']
refresh_token = tokens['RefreshToken']
```

```python
# Exchange the refresh token for a new ID and access token. With --username-attributes
# email the user's internal username is the `cognito:username` claim of the ID token,
# and that value (not the email address) must be used in SECRET_HASH here, or Cognito
# answers "SecretHash does not match". The response normally contains no new refresh
# token; keep using the existing one until it expires or is revoked.
response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='REFRESH_TOKEN_AUTH',
    AuthParameters={
        'REFRESH_TOKEN': refresh_token,
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    },
)
```

```bash
# --allow-unauthenticated-identities hands out guest AWS credentials to anyone who
# asks; omit it unless guest access is a requirement, and keep the unauthenticated
# role's policy minimal. ServerSideTokenCheck=true makes Cognito Identity confirm
# with the user pool that the user is still valid (not disabled or signed out)
# before issuing credentials.
aws cognito-identity create-identity-pool \
  --identity-pool-name my-app-identities \
  --allow-unauthenticated-identities \
  --cognito-identity-providers ProviderName=cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123,ClientId=client-id,ServerSideTokenCheck=true
```

```python
import boto3

cognito_identity = boto3.client('cognito-identity')

# Map the user pool login to an identity in the pool. The Logins key is the provider
# name given when the pool was created; the value is the ID token, not the access token.
response = cognito_identity.get_id(
    IdentityPoolId='us-east-1:12345678-1234-1234-1234-123456789012',
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token,
    },
)
identity_id = response['IdentityId']

# Exchange the identity for short-lived AWS credentials scoped by the pool's authenticated role
response = cognito_identity.get_credentials_for_identity(
    IdentityId=identity_id,
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token,
    },
)
credentials = response['Credentials']
# Use credentials['AccessKeyId'], credentials['SecretKey'], credentials['SessionToken'];
# credentials['Expiration'] says when to fetch a fresh set.
```

| Command | Description |
|---|---|
| aws cognito-idp create-user-pool | Create user pool |
| aws cognito-idp describe-user-pool | Get pool details |
| aws cognito-idp update-user-pool | Update pool settings |
| aws cognito-idp delete-user-pool | Delete pool |
| aws cognito-idp list-user-pools | List pools |
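Creating the app client is only half the job; the settings it ends up with should be checked, not assumed. The following is an added example (not code from the page or the aws-agent-skills project) that audits the `UserPoolClient` object returned by `aws cognito-idp describe-user-pool-client` (or boto3's `describe_user_pool_client`) for the weak choices a reviewer looks for: password-based auth flows, the implicit OAuth grant, `PreventUserExistenceErrors` left off (which the client created above does not set), non-HTTPS redirect URLs, over-long token lifetimes and token revocation disabled. The two sample client objects are constructed, and the 60-minute / 30-day thresholds are an assumption taken from the token table on this page rather than a Cognito rule.

```python
"""Audit the JSON that `aws cognito-idp describe-user-pool-client` (or boto3's
describe_user_pool_client) returns under 'UserPoolClient' for settings that weaken
sign-in. Added example; thresholds (60-minute access token, 30-day refresh token)
follow the token table on this page and are an assumption, not a Cognito rule."""

RISKY_FLOWS = {
    'ALLOW_USER_PASSWORD_AUTH': 'client sends the password itself; prefer ALLOW_USER_SRP_AUTH',
    'ALLOW_ADMIN_USER_PASSWORD_AUTH': 'server-side password flow; only for trusted back ends',
    'ALLOW_CUSTOM_AUTH': 'custom Lambda challenge flow; review the trigger code',
}
MAX_ACCESS_MINUTES = 60
MAX_REFRESH_DAYS = 30
_MINUTES = {'seconds': 1 / 60, 'minutes': 1, 'hours': 60, 'days': 1440}


def _minutes(value, unit):
    """Convert a validity value using its TokenValidityUnits entry. When the unit is
    absent Cognito means hours for access/ID tokens and days for refresh tokens."""
    return None if value is None else value * _MINUTES[unit]


def audit_app_client(client: dict) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    flows = set(client.get('ExplicitAuthFlows', []))
    for flow, why in RISKY_FLOWS.items():
        if flow in flows:
            findings.append(f'{flow} enabled: {why}')
    if 'implicit' in client.get('AllowedOAuthFlows', []):
        findings.append('implicit OAuth grant enabled: tokens travel in the URL fragment; use code with PKCE')
    if client.get('PreventUserExistenceErrors') != 'ENABLED':
        findings.append('PreventUserExistenceErrors is not ENABLED: responses reveal whether a username exists')
    for url in client.get('CallbackURLs', []) + client.get('LogoutURLs', []):
        if not (url.startswith('https://') or url.startswith('http://localhost')):
            findings.append(f'redirect URL without HTTPS: {url}')
    units = client.get('TokenValidityUnits', {})
    access = _minutes(client.get('AccessTokenValidity'), units.get('AccessToken', 'hours'))
    if access is not None and access > MAX_ACCESS_MINUTES:
        findings.append(f'access token lives {access:.0f} minutes; cap at {MAX_ACCESS_MINUTES}')
    refresh = _minutes(client.get('RefreshTokenValidity'), units.get('RefreshToken', 'days'))
    if refresh is not None and refresh > MAX_REFRESH_DAYS * 1440:
        findings.append(f'refresh token lives {refresh / 1440:.0f} days; cap at {MAX_REFRESH_DAYS}')
    if client.get('EnableTokenRevocation') is False:
        findings.append('EnableTokenRevocation is false: sign-out cannot invalidate issued tokens')
    return findings


# Constructed samples, not output from a real pool. The first mirrors the client created
# on this page (SRP + refresh, code grant, HTTPS redirects, 60 min / 30 day lifetimes)
# with PreventUserExistenceErrors added; the second is a deliberately weak client.
HARDENED_CLIENT = {
    'ClientId': 'client-id',
    'ExplicitAuthFlows': ['ALLOW_USER_SRP_AUTH', 'ALLOW_REFRESH_TOKEN_AUTH'],
    'AllowedOAuthFlows': ['code'],
    'PreventUserExistenceErrors': 'ENABLED',
    'CallbackURLs': ['https://myapp.com/callback'],
    'LogoutURLs': ['https://myapp.com/logout'],
    'AccessTokenValidity': 60, 'IdTokenValidity': 60, 'RefreshTokenValidity': 30,
    'TokenValidityUnits': {'AccessToken': 'minutes', 'IdToken': 'minutes', 'RefreshToken': 'days'},
    'EnableTokenRevocation': True,
}
WEAK_CLIENT = {
    'ClientId': 'legacy-client',
    'ExplicitAuthFlows': ['ALLOW_USER_PASSWORD_AUTH', 'ALLOW_REFRESH_TOKEN_AUTH'],
    'AllowedOAuthFlows': ['implicit', 'code'],
    'PreventUserExistenceErrors': 'LEGACY',
    'CallbackURLs': ['http://myapp.com/callback'],
    'AccessTokenValidity': 24,          # no TokenValidityUnits, so this is 24 hours
    'RefreshTokenValidity': 365,
    'EnableTokenRevocation': False,
}
```

Run it over `boto3.client('cognito-idp').describe_user_pool_client(UserPoolId=..., ClientId=...)['UserPoolClient']` for each client returned by `list-user-pool-clients`; the fix for the first finding on the page's own client is `--prevent-user-existence-errors ENABLED` on `create-user-pool-client` or `update-user-pool-client`.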
| Command | Description |
|---|---|
| aws cognito-idp admin-create-user | Create user (admin) |
| aws cognito-idp admin-delete-user | Delete user |
| aws cognito-idp admin-get-user | Get user details |
| aws cognito-idp list-users | List users |
| aws cognito-idp admin-set-user-password | Set password |
| aws cognito-idp admin-disable-user | Disable user |
| Command | Description |
|---|---|
| aws cognito-idp initiate-auth | Start authentication |
| aws cognito-idp respond-to-auth-challenge | Respond to MFA or other challenge |
| aws cognito-idp admin-initiate-auth | Admin authentication |
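`respond-to-auth-challenge` is where sign-in code usually breaks: with MFA set to OPTIONAL or ON, `initiate-auth` returns a `ChallengeName` and `Session` instead of tokens, and the answer has to go back under the parameter name that challenge expects. The following is an added example (not code from the page or the aws-agent-skills project) of the full loop in boto3's terms, covering `SMS_MFA`, `SOFTWARE_TOKEN_MFA` and `NEW_PASSWORD_REQUIRED` and refusing any other challenge. The `client` argument takes a real `boto3.client('cognito-idp')` in production; the `FakeCognito` stub is constructed here so the loop can run offline, and the client ID and secret are the page's placeholders. It uses `USER_PASSWORD_AUTH` for brevity, which needs `ALLOW_USER_PASSWORD_AUTH` on the app client; SRP remains the better production choice.

```python
"""Drive a Cognito sign-in through the challenge loop (MFA code, forced password change).
Added example, not the project's code. `client` is anything with boto3's
initiate_auth / respond_to_auth_challenge signatures: pass boto3.client('cognito-idp')
in production, or the constructed FakeCognito below to run offline."""
import base64
import hashlib
import hmac

CLIENT_ID = 'client-id'            # assumption: placeholder app client from the page
CLIENT_SECRET = 'client-secret'    # assumption: placeholder client secret

# Which ChallengeResponses key carries the answer for each challenge handled here
CHALLENGE_ANSWER_KEY = {
    'SMS_MFA': 'SMS_MFA_CODE',
    'SOFTWARE_TOKEN_MFA': 'SOFTWARE_TOKEN_MFA_CODE',
    'NEW_PASSWORD_REQUIRED': 'NEW_PASSWORD',
}


def secret_hash(username: str) -> str:
    """Base64(HMAC-SHA256(client_secret, username + client_id)); required on every
    call when the app client has a secret."""
    dig = hmac.new(CLIENT_SECRET.encode(), (username + CLIENT_ID).encode(), hashlib.sha256).digest()
    return base64.b64encode(dig).decode()


def authenticate(client, username: str, password: str, answer_challenge, max_rounds: int = 3) -> dict:
    """Return AuthenticationResult (IdToken / AccessToken / RefreshToken).

    answer_challenge(challenge_name, challenge_parameters) must return the MFA code or,
    for NEW_PASSWORD_REQUIRED, the new password (a real pool may also require the
    missing user attributes in that same response). Unknown challenges are refused
    rather than answered blindly."""
    response = client.initiate_auth(
        ClientId=CLIENT_ID,
        AuthFlow='USER_PASSWORD_AUTH',
        AuthParameters={'USERNAME': username, 'PASSWORD': password, 'SECRET_HASH': secret_hash(username)},
    )
    for _ in range(max_rounds):
        if 'AuthenticationResult' in response:
            return response['AuthenticationResult']
        name = response['ChallengeName']
        key = CHALLENGE_ANSWER_KEY.get(name)
        if key is None:
            raise RuntimeError(f'unsupported challenge {name}')
        # Session ties the answer to the challenge Cognito just issued; it changes every round
        response = client.respond_to_auth_challenge(
            ClientId=CLIENT_ID,
            ChallengeName=name,
            Session=response['Session'],
            ChallengeResponses={
                'USERNAME': username,
                key: answer_challenge(name, response.get('ChallengeParameters', {})),
                'SECRET_HASH': secret_hash(username),
            },
        )
    raise RuntimeError('gave up after too many challenge rounds')


class FakeCognito:
    """Constructed offline stand-in for boto3's cognito-idp client: issues the given
    challenges in order, checks SECRET_HASH and Session like the service does, then
    returns placeholder tokens. Not the real service."""

    def __init__(self, challenges, expected_code='123456'):
        self.pending = list(challenges)
        self.expected_code = expected_code
        self.challenges_seen = []
        self.session = 0

    def _check_hash(self, params):
        if params.get('SECRET_HASH') != secret_hash(params['USERNAME']):
            raise RuntimeError('NotAuthorizedException: SecretHash does not match')

    def _next(self):
        if not self.pending:
            return {'AuthenticationResult': {'IdToken': 'fake-id-token',
                                             'AccessToken': 'fake-access-token',
                                             'RefreshToken': 'fake-refresh-token'}}
        self.session += 1
        return {'ChallengeName': self.pending[0], 'Session': f'session-{self.session}', 'ChallengeParameters': {}}

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        self._check_hash(AuthParameters)
        return self._next()

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        self._check_hash(ChallengeResponses)
        if ChallengeName != self.pending[0] or Session != f'session-{self.session}':
            raise RuntimeError('NotAuthorizedException: invalid session or challenge')
        key = CHALLENGE_ANSWER_KEY[ChallengeName]
        if ChallengeName != 'NEW_PASSWORD_REQUIRED' and ChallengeResponses.get(key) != self.expected_code:
            raise RuntimeError('CodeMismatchException')
        self.challenges_seen.append(ChallengeName)
        self.pending.pop(0)
        return self._next()
```

With the real client, wrap the call in `try/except client.exceptions.CodeMismatchException` and `NotAuthorizedException`; the stub raises plain `RuntimeError` with the same names so the control flow is visible offline.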
Causes:
Debug:

```bash
aws cognito-idp admin-get-user \
  --user-pool-id us-east-1_abc123 \
  --username user@example.com
```
Causes:
Validate JWT:

```python
import requests
from jose import jwt  # python-jose; PyJWT's module is also called jwt, so do not import both

# Fetch the pool's public signing keys; cache them and refresh only when an unknown kid appears
jwks_url = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123/.well-known/jwks.json'
jwks = requests.get(jwks_url, timeout=5).json()

# Verify signature, expiry, audience and issuer. Pin algorithms to RS256 so a
# crafted 'alg' header cannot downgrade the check.
claims = jwt.decode(
    token,
    jwks,
    algorithms=['RS256'],
    audience='client-id',
    issuer='https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123',
)

# 'aud' exists only on ID tokens. An access token carries 'client_id' instead, so decode
# it with options={'verify_aud': False} and compare claims['client_id'] yourself.
# Always confirm token_use matches what the endpoint expects.
if claims['token_use'] != 'id':
    raise ValueError('expected an ID token')
```
Check:

```bash
# Check domain
aws cognito-idp describe-user-pool \
  --user-pool-id us-east-1_abc123 \
  --query 'UserPool.Domain'
```
Symptom: TooManyRequestsException
Solutions: