I have a mobile application and wanted to use an AWS Cognito pool for user management (sign up & sign in). I wanted to provide the below 3 options for users to log in to my app.
During sign up, the user will set up a username and password and add a verified phone number, and optionally they can add their Google connect to their profile.
How to set up a Cognito pool for this scenario so that the user can choose any of the above 3 options to log in to the app?
Short description. User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP). Identity pools are for authorization (access control).
With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
Sign in to the Amazon Cognito console. In the navigation pane, choose User Pools, and choose the user pool you want to edit. Choose the App integration tab. To customize UI settings for all app clients, locate Hosted UI customization and select Edit.
Amazon Cognito is our identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory.
I found a way to set up Cognito to allow multiple login options. Set up Cognito like below:
1. select use phone number as username
2. make it mandatory and verifiable
3. this will make phone_number an alias for login
Use the CUSTOM_CHALLENGE option to configure login with phone number with OTP.
Basically, we need to configure 3 triggers in Cognito to send an OTP to the user's registered number:
1. sign-in define auth challenge trigger -- define CUSTOM_CHALLENGE
2. sign-in create auth challenge trigger -- create logic to generate the OTP and send an SMS using the SNS service
3. sign-in verify auth challenge trigger -- validate the received OTP; the generated OTP will be available in the context, so there is no need to save it in any database.
Trigger#1 - define auth challenge
exports.handler = (event, context, callback) => {
    var session = event.request.session;
    if (session.length === 0) {
        // First call in this sign-in: nothing answered yet, ask for the OTP challenge
        event.response.issueTokens = false;
        event.response.failAuthentication = false;
        event.response.challengeName = 'CUSTOM_CHALLENGE';
    } else if (session.length === 1
        && session[0].challengeName === 'CUSTOM_CHALLENGE'
        && session[0].challengeResult === true) {
        // OTP verified on the first attempt: issue tokens
        event.response.issueTokens = true;
        event.response.failAuthentication = false;
    } else {
        // Wrong OTP or an unexpected session state: fail the sign-in (no retries)
        event.response.issueTokens = false;
        event.response.failAuthentication = true;
    }
    // Return to Amazon Cognito
    callback(null, event);
};
Trigger#2 - create auth challenge (make sure this lambda has an IAM role that allows sns:Publish)
var AWS = require("aws-sdk");
var crypto = require("crypto");
exports.handler = (event, context, callback) => {
    if (event.request.session.length === 0 && event.request.challengeName === 'CUSTOM_CHALLENGE') {
        // create the code: a 6-digit OTP from a cryptographically secure source.
        // Math.random() is not suitable for one-time codes and its decimal string can be shorter than 6 digits.
        var answer = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
        // send the code via Amazon SNS Global SMS
        var sns = new AWS.SNS();
        sns.publish({
            Message: 'your verification code is ' + answer,
            PhoneNumber: event.request.userAttributes.phone_number
        }, function (err, data) {
            if (err) {
                console.log(err, err.stack); // an error occurred: fail the challenge instead of continuing without an SMS
                return callback(err);
            }
            console.log('SMS Sent'); // successful response
            // set the return parameters, including the correct answer
            // (privateChallengeParameters stay inside Cognito and are never sent to the client)
            event.response.publicChallengeParameters = {};
            event.response.privateChallengeParameters = { answer: answer };
            event.response.challengeMetadata = 'PASSWORDLESS_CHALLENGE';
            // Return to Amazon Cognito only once the SMS has been sent
            callback(null, event);
        });
        return;
    }
    // Return to Amazon Cognito
    callback(null, event);
};
Trigger#3 - verify auth challenge response
exports.handler = (event, context, callback) => {
    var expected = event.request.privateChallengeParameters.answer;
    var given = event.request.challengeAnswer;
    // Accept only an exact string match with the OTP stored in the private challenge parameters.
    // A strict comparison avoids the loose '==' case where a missing answer on both sides compares equal.
    event.response.answerCorrect = (typeof given === 'string' && given === expected);
    // Return to Amazon Cognito
    callback(null, event);
};