AWS Cognito Notes

General Notes

User Flows

User Sign-Up and Sign-In - Allow users to sign up and sign in using an email, phone number, or username (and password) for you application.

User Profile Date - Enable users to view and update their profile data - including custom attribute.

Forgot Password - Provide users the ability to change their password when they forget it with a one-time password challenge.

Token Based Authentication - Use JSON Web Tokens (JWTs pronounced “Jots”) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend.

Email or Phone Number Verification - Require users to verify their email address or phone number prior to activating their account with a one-time password challenge

SMS Multifactor Authentication - Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow.

Admin Capability

Create and manage User Pools - Create, configure, and delete multiple user pools across AWS regions

Define Custom Attributes - Define custom attributes for your user profiles

Require Submission of Attribute Data - Select which attributes must be provided by the user prior to completion of the sign-up process

Set per-App Permissions - Set read and write permissions for each user attribute on a per-app basis

Set up Password Policies - Enforce password policies like minimum length and requirement of certain types of characters

Search Users - Search users based on a full match or a prefix match of their attributes through the console or Admin API

Manage Users - Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user and global sign-out.

Amplify Cognito Configuration Questions

Having now tested out Amplify, I would not recommend it for any non-trivial application. It just puts the whole application creation system on rails, which is actually more confusing for me, as there are all sorts of things being provisioned and settings and records created that you aren’t privy to. So if you want to know what is actually happening it is better to do it all by hand. This takes longer in the beginning, but makes it much easier to troubleshoot later.

If you have already installed amplify and the amplify-cli then you use amplify add auth to create a new auth instance.

These are the questions that you will answer while going through the Amplify Cognito CLI configuration process. You’ll want to have your answers to these questions together ahead of time, and particularly any social providers that you would like to add, you will need to register the app ahead of time and get api and secret keys ahead of time. Social providers can be added later however.

⚠️ indicates that you will not be able to edit this selection later!

⭐ indicates my preferred choice (may differ for you)

📝 indicates related documentation link

Do you want to use the default authentication and security configuration?

  • Default configuration
  • Default configuration with Social Provider (Federation)
  • Manual configuration (If you select manual you will go through all the rest of these options)

Select the authentication/authorization services that you want to use:

  • User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for images or other content, Analytics, and more)
  • User Sign-Up & Sign-In only (Best used with a cloud API only) ⭐

Please provide a friendly name for your resource that will be used to label this category in the project: (AppAuth)

Please provide a name for your user pool: (AppUserPool)

⚠️ How do you want users to be able to sign in?

  • Username ⭐
  • Email
  • Phone Number
  • Email or Phone Number

Do you want to add User Pool Groups? (y/n⭐)

Do you want to add an admin queries API? (y/n⭐) 📝

Multifactor authentication (MFA) user login options: (OFF⭐/ON)

Email based user registration/forgot password:

  • Enabled (Requires per-user email entry at registration) ⭐
  • Disabled (Uses SMS/TOTP as an alternative)

Please specify an email verification subject: (YourApp Verification Code)

Please specify an email verification message: (Your verification code is {####})

Do you want to override the default password policy for this User Pool? (y/n⭐) 📝

⚠️What attributes are required for signing up? (Press <space> to select, <a> to toggle all, <i> to invert selection)

( ) Address (This attribute is not supported by Facebook, Google, Login With Amazon.)

( ) Birthdate (This attribute is not supported by Login With Amazon.)

(*) Email ⭐

( ) Family Name (This attribute is not supported by Login With Amazon.)

( ) Middle Name (This attribute is not supported by Google, Login With Amazon.)

( ) Gender (This attribute is not supported by Login With Amazon.)

( ) Locale (This attribute is not supported by Facebook, Google.)

(Move up and down to reveal more choices)

Specify the app’s refresh token expiration period (in days): 30

Do you want to specify the user attributes this app can read and write? (y/n⭐)

Do you want to enable any of the following capabilities? (Press <space> to select, <a> to toggle all, <i> to invert selection)

( ) Add Google reCaptcha Challenge

( ) Email Verification Link with Redirect

( ) Add User to Group

( ) Email Domain Filtering (blacklist)

( ) Email Domain Filtering (whitelist)

( ) Custom Auth Challenge Flow (basic scaffolding - not for production)

( ) Override ID Token Claims

Do you want to use an OAuth flow? (y⭐/n)

What domain name prefix do you want to use? authentication

If you are developing locally, you can use http://localhost as your domain for the time being until you have your domain and SSH certificates provisioned, at which point you can come back and change this URL to your domain . Note that the re-direct sign-in URI’s must contain a trailing forward-slash. 📝

Enter your redirect signin URI: (http://localhost:3000/login/) 📝

Do you want to add another redirect signin URI? No ⭐

Enter your redirect signout URI: (http://localhost:3000/logout/)

Do you want to add another redirect signout URI? No ⭐

Select the OAuth flows enabled for this project. 📝

  • Authorization code grant
  • Implicit grant ⭐

Select the OAuth scopes enabled for this project. () Phone () Email ⭐ () OpenID ⭐ () Profile ⭐ () aws.cognito.signin.user.admin ⭐

Select the social providers you want to configure for your user pool: () Facebook () Google () Login With Amazon

If you decide to configure your social providers at this point you’ll get the following

You’ve opted to allow users to authenticate via Facebook. If you haven’t already, you’ll need to go to and create an App ID.

Enter your Facebook App ID for your OAuth flow:

Do you want to configure Lambda Triggers for Cognito? (Y/n⭐) (These can be configured later if required)

Amplify Settings

App Integration

App Client Settings

and sign-out URL’s

Callback URL - They could have been much more clear about what this actually is in the settings. This is the re-direct URL, where you want Cognito to navigate to after authentication is complete.

Sign out URL - Where the user is re-directed after they sign out (not the url that is called to initiate a sign-out!)