Amazon Cognito User Pools Setup
A user pool is a secure user directory that provides sign-up and sign-in options for your web and mobile application users. Every user, whether they sign in directly or through a third-party identity provider, has a directory profile that can be accessed with an SDK. User pools are fully managed and scale to support hundreds of millions of users.
In this tutorial, we will do the following:
- Create and set up user pools.
- Sign up and sign in a user using Cognito UI.
We assume that you have an AWS account. Follow the steps below to complete this tutorial:
- Go to the AWS Management Console at https://aws.amazon.com/console and sign in to your AWS account.
- Once you're logged in, open the Services dropdown in the top-left corner and select "Cognito" under the Security, Identity, & Compliance section.
- On the Cognito dashboard page, make sure that Add user directories to your app is selected from the business case dropdown menu.
- Click the Create user pool button.
- Configure Authentication Providers: this configuration determines how your app users sign in to your user pool, either with a username and password or through a third-party identity provider:
- The Cognito user pool option is selected by default and lets users log in using their email address, phone number, or user name. You can also select Federated identity providers if you want your users to log in with credentials from social identity providers such as Google, Facebook, Apple, and Amazon, or with credentials from external directories through SAML or OpenID Connect.
- Select User name and Email for Cognito user pool sign-in options.
- If you have selected Federated identity providers, then you also need to choose Federated sign-in options. For example, in this scenario, I am selecting Google so that my users can sign in using their Google login:
- Click the Next button.
- Choose the Password policy mode (Cognito defaults or Custom). If you opt for Cognito defaults, your users' passwords must be at least 8 characters long and contain at least one number, one special character, one uppercase letter, and one lowercase letter, and temporary passwords set by administrators expire in 7 day(s). You can customize this by selecting Custom.
- Choose Multi-factor authentication (Require MFA - Recommended or Optional MFA or No MFA).
- Choose MFA methods (Authenticator apps or SMS message). SMS messages are charged separately by Amazon SNS. Therefore, I would recommend opting for Authenticator apps to enable users to authenticate using a TOTP (Time-Based One-Time Password) from an authenticator app like Authy or Google Authenticator.
- If needed, enable Self-service account recovery using Email only to allow forgot-password operations in your user pool. The hosted UI sign-in page then displays a Forgot your password? link. When this feature is not enabled, administrators reset passwords with the Cognito API. For example:
- Click the Next button.
- In the next step, you can enable Self-registration. When you enable this feature, a Sign up link is displayed on the sign-in page, allowing anyone on the internet to sign up and sign in to your apps. Only enable self-registration in your user pool when you're ready to open your app to public sign-ups.
- Next, if you want to verify users after sign-up, you can have Cognito automatically send a verification message containing a code that users must enter to confirm their identity. To do this, enable the Allow Cognito to automatically send messages for verification and confirmation option.
- Select the user contact attribute to which Cognito will send the verification message, either via SMS or Email. Note that when you use SMS, a recipient may be charged for receiving messages and data.
- Next, you can enable the option Keep original attribute value active when an update is pending. When a user changes their email address or phone number, they must verify the new value. With this option on, they can still receive messages and log in with the old value until the new one is verified. Without it, they cannot log in with that attribute until the new value is confirmed.
- Choose the Required attributes that must be provided when a new user is created. Cognito automatically assigns a standard set of attributes to all users, following the OpenID Connect (OIDC) standard. Note that once a user pool is created, you cannot change the required attributes.
- Create Custom attributes as needed. Note that once a user pool is created, you cannot change the names of custom attributes.
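The console choices above, expressed as the equivalent API configuration with boto3 plus a pre-deployment check for the settings that weaken the pool (an added example, not part of the tutorial or of AWS's own code; `user_pool_params`, `weak_settings` and `create_user_pool` are assumed helper names, the mapping of console options to `create_user_pool` parameters is my reading of the API, and `department` is a constructed custom attribute):

```python
def user_pool_params(pool_name, self_registration=False, custom_attributes=("department",)):
    """Settings for the user pool described above, keyed like the create_user_pool
    API: user name or email sign-in, Cognito default password policy, MFA required,
    email-only account recovery, automatic email verification and 'keep original
    attribute value active'. Self-registration stays off unless requested."""
    schema = [
        # Required attributes are fixed at creation time and cannot be changed later.
        {"Name": "email", "AttributeDataType": "String", "Required": True, "Mutable": True},
    ]
    for name in custom_attributes:  # Cognito adds the "custom:" prefix; names cannot be renamed
        schema.append({"Name": name, "AttributeDataType": "String", "Mutable": True})
    return {
        "PoolName": pool_name,
        "AliasAttributes": ["email"],         # "User name and Email" sign-in options
        "AutoVerifiedAttributes": ["email"],  # Cognito sends the verification code by email
        "Policies": {"PasswordPolicy": {     # the "Cognito defaults" values from the tutorial
            "MinimumLength": 8, "RequireUppercase": True, "RequireLowercase": True,
            "RequireNumbers": True, "RequireSymbols": True, "TemporaryPasswordValidityDays": 7}},
        "MfaConfiguration": "ON",             # Require MFA (applied in create_user_pool below)
        "AccountRecoverySetting": {"RecoveryMechanisms": [{"Priority": 1, "Name": "verified_email"}]},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": not self_registration},
        "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": ["email"]},
        "Schema": schema,
    }


def weak_settings(params):
    """Pre-deployment check: list settings that fall below the tutorial's recommendations."""
    findings = []
    pw = params["Policies"]["PasswordPolicy"]
    required = ("RequireUppercase", "RequireLowercase", "RequireNumbers", "RequireSymbols")
    if pw["MinimumLength"] < 8 or not all(pw.get(k) for k in required):
        findings.append("password policy weaker than Cognito defaults")
    if params.get("MfaConfiguration") != "ON":
        findings.append("MFA is not required")
    if not params["AdminCreateUserConfig"]["AllowAdminCreateUserOnly"]:
        findings.append("self-registration is open to the internet")
    return findings


def create_user_pool(params):
    """Create the pool, then require MFA with authenticator-app (TOTP) only. Needs AWS credentials."""
    import boto3  # imported here so the helpers above run without boto3 installed
    idp = boto3.client("cognito-idp")
    create_args = dict(params)
    mfa_mode = create_args.pop("MfaConfiguration", "ON")  # MFA mode and TOTP go in one follow-up call
    pool_id = idp.create_user_pool(**create_args)["UserPool"]["Id"]
    idp.set_user_pool_mfa_config(UserPoolId=pool_id, MfaConfiguration=mfa_mode,
                                 SoftwareTokenMfaConfiguration={"Enabled": True})  # no SMS, no SNS charges
    return pool_id
```

Run `weak_settings(user_pool_params("my-pool"))` before calling `create_user_pool`; an empty list means the pool matches the choices recommended in this tutorial.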