Is it possible to find out if a user has authenticated in a Cognito pool from a Node.js Lambda function?
User name (alias) is known
Thanks
Andy
If you are calling a lambda function that should only be executed by a user authenticated through Cognito, you should be looking into using API Gateway
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
When a User is accessing my API and they authenticate through Cognito is it possible to access the STATE of the OAUTH2 AUTH request somehow in one of the lambda triggers?
Unfortunately as per the documentation there is no way to access the state parameter in a Cognito trigger. You can however access it in your OAuth2 callback URL, it's passed as a query parameter.
In my project we have some federation providers integrated (e.g., Outlook). So whenever a user logs in via a valid configured federation domain name there are no issues, but whenever a user tries to log in via federation with an unsupported (not integrated) domain name (e.g., XXX#gmail.com), Cognito just redirects to the same login page without showing any error message saying Unsupported Domain.
To handle this error we thought of triggering the pre-authentication Lambda, but the pre-authentication Lambda is not triggered for the federation login flow. It triggers only for login via the Cognito User Identity Pool.
The question is: are there any alternatives where I trigger the pre-authentication Lambda for the federation login flow in AWS Cognito, to handle the error message on an unsupported federation user domain name attempt?
I was working on a project in which we had to add a user to DynamoDB whenever a new user signs up; we were providing Google, Azure, and (email, password) as options for sign-in/up. Let's get straight to the point. I solved this problem by attaching my Lambda to the POST_CONFIRMATION trigger of Cognito, mapping the identity attributes and then saving these values in my DynamoDB. It works perfectly, but I had to spend 2 nights figuring this out.
If you want to know how I achieved this, let me know.
Tech stack: AWS Amplify, AppSync, Cognito, DynamoDB, Lambda
PS. The POST_CONFIRMATION trigger works only the first time.
You can create a Lambda function similar to the one that is triggered for the Pre Authentication check, and then call it via API Gateway before logging in via federation.
The pre-authentication trigger will trigger for federated login. However, according to its AWS doc, the pre-authentication trigger will not happen if the user does not exist within the user pool already:
Note: Triggers are dependent on the user existing in the user pool before trigger activation.
The user from your successful federated login does not exist in Cognito yet; it will be added to the Cognito pool after the successful login.
Since Cognito will add the federated user to its user pool, it's a sign-up event. You should use the pre-sign-up trigger instead. Federated login will trigger your pre-sign-up Lambda as expected.
I am new to Cognito, so I'm sure the answer to this will be very obvious to most readers.
I want to restrict access to my app so that certain Google accounts can access it.
I have configured Google as an external identity provider in Cognito, and the sign-in works insofar as anyone with a Google account can sign in with Cognito and access the app.
How would I go about having Cognito check the email address associated with the Google account of the person trying to sign in and only letting them access the app if their Google account is authorized, and denying them if they don't have permissions?
I think this is a quick answer; I am just at a loss when it comes to what words to search for in order to find help.
You can use a pre-sign-up Lambda. The pre-sign-up Lambda is triggered just before AWS Cognito signs up a new user, so you can add custom verification methods in it and accept the registration if you verified the user, and deny the registration if the verification failed.
You can read more about the pre-sign-up Lambda here: Pre-sign up lambda
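Both the "Unsupported Domain" question above and the "only certain Google accounts" question end up at the same place: a PreSignUp trigger that inspects the email attribute of the user Cognito is about to create. The following is an added example, not code from any of the posters. It assumes a Node.js Lambda runtime, a hypothetical allowlist of email domains (ALLOWED_DOMAINS), and the event shape Cognito documents for the PreSignUp trigger (triggerSource, request.userAttributes, response.autoConfirmUser); no AWS SDK call is needed because the decision is made purely from the event.

```javascript
// Added example (not from the original thread): a Cognito PreSignUp trigger that
// admits only an allowlisted set of email domains and rejects everything else,
// including federated users (PreSignUp_ExternalProvider), before Cognito creates
// the user in the pool.

// Hypothetical allowlist for this example; in a deployment load it from an
// environment variable or a parameter store instead of hard-coding it.
const ALLOWED_DOMAINS = new Set(["example.com", "example.org"]);

// Returns the lower-cased domain part of an email address, or null when the
// value is missing or malformed, so a missing attribute counts as unsupported.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

function isAllowedDomain(email) {
  const domain = emailDomain(email);
  return domain !== null && ALLOWED_DOMAINS.has(domain);
}

// PreSignUp handler. Cognito invokes it for native sign-ups (PreSignUp_SignUp),
// admin-created users (PreSignUp_AdminCreateUser) and federated first logins
// (PreSignUp_ExternalProvider). Throwing rejects the sign-up and Cognito returns
// the error message to the client, which is the "Unsupported Domain" feedback
// the hosted UI otherwise never shows.
async function handler(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const email = attrs.email;

  if (!isAllowedDomain(email)) {
    const domain = emailDomain(email) || "(none)";
    // Keep the message generic: do not echo the allowlist back to the caller.
    throw new Error(`Unsupported Domain: sign-in with ${domain} is not permitted`);
  }

  event.response = event.response || {};
  if (event.triggerSource === "PreSignUp_ExternalProvider") {
    // The identity provider already verified the mailbox; auto-confirm so the
    // federated user is not left UNCONFIRMED. Only do this for trusted IdPs.
    event.response.autoConfirmUser = true;
    event.response.autoVerifyEmail = true;
  }
  return event;
}

// Constructed sample event in the shape Cognito sends to the trigger.
function sampleEvent(userName, email, triggerSource) {
  return {
    version: "1",
    triggerSource,
    region: "us-east-1",
    userPoolId: "us-east-1_PLACEHOLDER", // placeholder, not a real pool id
    userName,
    request: { userAttributes: { email }, validationData: {} },
    response: { autoConfirmUser: false, autoVerifyEmail: false, autoVerifyPhone: false },
  };
}

// Runs the handler over constructed events and reports the decision per user.
async function demo() {
  const events = [
    sampleEvent("Google_123", "alice@example.com", "PreSignUp_ExternalProvider"),
    sampleEvent("Google_456", "mallory@gmail.com", "PreSignUp_ExternalProvider"),
    sampleEvent("bob", "bob@example.org", "PreSignUp_SignUp"),
  ];
  const results = {};
  for (const ev of events) {
    try {
      const out = await handler(ev);
      results[ev.userName] = { allowed: true, autoConfirm: out.response.autoConfirmUser };
    } catch (err) {
      results[ev.userName] = { allowed: false, reason: err.message };
    }
  }
  return results;
}

if (typeof module !== "undefined") module.exports = { handler, isAllowedDomain, emailDomain, demo };
```

Wire `handler` as the user pool's Pre sign-up trigger. Because federated users are created at their first sign-in, this single check covers both the federation flow and native sign-up; the pre-authentication trigger would never see a brand-new federated user, as the answer above explains.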
You could use the Cognito Lambda triggers to check the user attributes of the Google user when signing in, like email, and then authenticate or fail authentication depending on the user's email. You will have to mess around with which trigger to use, but that could work.
I have a Node.js Lambda API that's called by an authenticated user. The user is able to access the API by passing a valid JWT token. Now I'd like to interact with the Cognito User Pool to change the user's email, password, etc., but I haven't figured out how to achieve this using just the JWT.
I've made several tests using amplify-js and amazon-cognito-identity-js.
You can reset the user's password by calling an admin API, not through the JWT token: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html This will prompt the user for a new password.
This API call sets a password for that particular user: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html but I prefer the first option.
In order to change user attributes (such as email, birthday, ...), use https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
So all these are done using the Cognito Service inside the Lambda (not to be confused with the JWT tokens).
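The point in this answer that is easy to get wrong is where the username for the admin call comes from. The following added example (not code from the poster or from AWS) shows a Node.js Lambda behind an API Gateway Cognito authorizer that calls AdminUpdateUserAttributes for the caller only: the username is taken from the claims the authorizer already verified (event.requestContext.authorizer.claims["cognito:username"]), never from the request body, and the set of attributes a user may change about themselves is a hypothetical allowlist (SELF_SERVICE_ATTRIBUTES). The Cognito call is injected as a function so the logic runs offline with a recording fake; sdkSender shows the real wiring to @aws-sdk/client-cognito-identity-provider.

```javascript
// Added example (not from the original thread): self-service attribute update
// from a Lambda using the Cognito admin API, with identity taken from the
// verified authorizer claims rather than from user-controlled input.

// Hypothetical policy for this example: attributes a user may change about
// themselves. Anything else (sub, email_verified, custom:* ...) is rejected.
const SELF_SERVICE_ATTRIBUTES = new Set(["email", "given_name", "family_name", "locale"]);

// Production wiring: send a named AWS SDK v3 command. Required lazily so the
// rest of the example runs where the SDK is not installed.
function sdkSender() {
  const sdk = require("@aws-sdk/client-cognito-identity-provider");
  const client = new sdk.CognitoIdentityProviderClient({});
  return (commandName, input) => client.send(new sdk[commandName](input));
}

function jsonResponse(statusCode, body) {
  return { statusCode, headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) };
}

// Input for AdminUpdateUserAttributes. email is deliberately not accompanied by
// email_verified=true: Cognito then marks the new address unverified and the
// user has to confirm it, instead of this API trusting the new value blindly.
function buildUpdateInput(userPoolId, username, attrs) {
  return {
    UserPoolId: userPoolId,
    Username: username,
    UserAttributes: Object.entries(attrs).map(([Name, Value]) => ({ Name, Value })),
  };
}

// send: (commandName, input) => Promise, injected for testability.
function createHandler(userPoolId, send) {
  return async function handler(event) {
    const ctx = event.requestContext && event.requestContext.authorizer;
    const username = ctx && ctx.claims && ctx.claims["cognito:username"];
    if (!username) {
      // The authorizer should already have blocked this; fail closed anyway.
      return jsonResponse(401, { error: "unauthenticated" });
    }

    let attrs;
    try {
      attrs = JSON.parse(event.body || "{}").attributes || {};
    } catch (err) {
      return jsonResponse(400, { error: "body is not valid JSON" });
    }
    const names = Object.keys(attrs);
    const disallowed = names.filter((k) => !SELF_SERVICE_ATTRIBUTES.has(k));
    if (names.length === 0 || disallowed.length > 0) {
      return jsonResponse(400, { error: "attribute not permitted", disallowed });
    }
    if (Object.values(attrs).some((v) => typeof v !== "string")) {
      return jsonResponse(400, { error: "attribute values must be strings" });
    }

    await send("AdminUpdateUserAttributesCommand", buildUpdateInput(userPoolId, username, attrs));
    return jsonResponse(200, { updated: names });
  };
}

// Constructed API Gateway proxy event as a REST API Cognito authorizer delivers it.
function sampleEvent(username, bodyObj) {
  return {
    httpMethod: "POST",
    path: "/me/attributes",
    requestContext: {
      authorizer: { claims: { sub: "00000000-placeholder-sub", "cognito:username": username, token_use: "id" } },
    },
    body: JSON.stringify(bodyObj),
  };
}

// Exercises the handler with a recording sender instead of the real SDK.
async function demo() {
  const calls = [];
  const fakeSend = async (commandName, input) => { calls.push({ commandName, input }); return {}; };
  const handler = createHandler("us-east-1_PLACEHOLDER", fakeSend); // placeholder pool id

  const ok = await handler(sampleEvent("alice", { attributes: { email: "alice@example.com" } }));
  // A body that tries to flip email_verified is rejected before any Cognito call.
  const rejected = await handler(sampleEvent("alice", { attributes: { email_verified: "true" } }));
  const noAuth = await handler({ body: "{}" });
  return { ok, rejected, noAuth, calls };
}

if (typeof module !== "undefined") {
  module.exports = { createHandler, buildUpdateInput, sampleEvent, demo, sdkSender, SELF_SERVICE_ATTRIBUTES };
}
```

In production, export `createHandler(process.env.USER_POOL_ID, sdkSender())` as the Lambda handler and grant its execution role only `cognito-idp:AdminUpdateUserAttributes` on that pool. The same pattern applies to AdminResetUserPassword from the answer: build the input from the verified claims, not from the body.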
I have an API in AWS API Gateway.
I want to give limited access to a user; how can I do that?
Or, if possible, how can I create a signed URL for API access? Does anyone have any idea?
I can disable it from the API Gateway console, but can I give time-limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role that the temporary IAM user returned by Cognito should have. This Role should at least have rights to call your API Gateway.
In API Gateway you can configure your endpoints so that valid IAM authentication is required.
Lastly, if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.