It's a set of AWS Lambda functions that, once deployed using the provided SAM template, act as an Amazon Cognito proxy.
Note: In most cases you should consider using the SDKs directly on the client side, without a proxy, especially if your business use case allows it.
- One-at-a-time user migration, described here
- Serves as a guide on how to use the Cognito Admin Java SDK
- A QuickStart for anyone trying out Cognito without the need to significantly modify the UI
- Cognito provides SDKs that let you integrate Cognito into the UI, and that is the recommended way to interact with the service. If you are limited in how much you can modify your UI at this time, you can use this Cognito proxy instead.
You need to already have or create a new Cognito User Pool. For migration purposes, you might want to disable the email/phone verification, otherwise every newly-created user will receive an email with a confirmation code.
SAM is used to deploy the project. The AWS Lambda functions use environment variables for easier deployments. These are the 3 parameters that you will need to pass in:
| Property | Description |
|---|---|
| RegionParameter | Region where the Lambda functions will be deployed to |
| CognitoUserPoolIdParameter | Cognito User Pool Id |
| CognitoAppClientIdParameter | Cognito App Client Id |
| CognitoAutoconfirmUserParameter | Set to 'true' to auto-confirm newly signed-up users and auto-verify their emails |
```bash
# Build the code
./gradlew jar

# Package it
aws cloudformation package --template-file sam.yaml --s3-bucket YOUR_BUCKET_NAME --output-template-file /tmp/UpdatedSAMTemplate.yaml

# Deploy it
aws cloudformation deploy --template-file /tmp/UpdatedSAMTemplate.yaml --stack-name auth-stack \
  --parameter-overrides \
  RegionParameter=REGION \
  CognitoUserPoolIdParameter=REGION_xxxxxxxxx \
  CognitoAppClientIdParameter=xxxxxxxxxxxxxxxxxxxxx \
  CognitoAutoconfirmUserParameter=true \
  --capabilities CAPABILITY_IAM
```
```bash
export SAMPLE_EMAIL=myemail@email.com
# Single quotes keep the shell from glob-expanding the '**' in the sample password
export SAMPLE_PASSWORD='myPassword**^1'
export REGION=us-east-1
export API_GATEWAY_ID=your-api-gateway-url

# The URLs are double-quoted so that $API_GATEWAY_ID and $REGION are expanded by the shell

# Signup
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/signup" --header "username: $SAMPLE_EMAIL" --header "password: $SAMPLE_PASSWORD"

# SignIn
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/admin/signin" --header "username: $SAMPLE_EMAIL" --header "password: $SAMPLE_PASSWORD"

# Refresh Tokens
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/admin/refresh" --header "refreshToken: JWT_REFRESH_TOKEN"

# Check if the token is valid
curl -XGET "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/token/valid" --header "idToken: JWT_ID_TOKEN"

# Reset Password
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/password/reset" --header "username: $SAMPLE_EMAIL"

# Create a new password
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/password/confirm" --header "username: $SAMPLE_EMAIL" --header "password: $SAMPLE_PASSWORD" --header "confirmationCode: CONFIRMATION_CODE"

# Update User Attribute
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/admin/user/attribute" --header "idToken: JWT_ID_TOKEN" --header "attributeName: name" --header "attributeValue: Vladimir Budilov"

# Delete User
curl -XDELETE "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/admin/user" --header "idToken: JWT_ID_TOKEN"
```
The following endpoints are only valid when MFA verification is turned on. They are not valid for a seamless migration experience for customers, but they are still good for showcasing this functionality.
```bash
# Resend Confirmation Code
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/resendcode" --header "username: $SAMPLE_EMAIL"

# Confirm SignUp
curl -XPOST "https://$API_GATEWAY_ID.execute-api.$REGION.amazonaws.com/Prod/confirmsignup" --header "username: $SAMPLE_EMAIL" --header "confirmationCode: CONFIRMATION_CODE"
```
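As a complement to the `token/valid` call above, the following added example (not part of this project's code) checks that an ID token's claims match the region, user pool ID and app client ID passed to the deployment. It does not verify the signature, so it is a deployment sanity check rather than a replacement for server-side validation; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Decode the payload segment of a JWT. The signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_id_token_claims(id_token, region, user_pool_id, app_client_id, now=None):
    """Return a list of problems; an empty list means the claims match."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    # Cognito user pools issue tokens with this issuer URL format.
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        problems.append("iss does not match the configured user pool")
    if claims.get("aud") != app_client_id:
        problems.append("aud does not match the configured app client")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id'")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token (placeholder signature segment)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'not-a-signature')}"


if __name__ == "__main__":
    sample = make_sample_token({  # constructed values, not from a real pool
        "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
        "aud": "exampleclientid", "token_use": "id", "exp": 2_000_000_000})
    print(check_id_token_claims(sample, "us-east-1", "us-east-1_EXAMPLE",
                                "exampleclientid", now=1_700_000_000))
```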