Skip to main content AWS Cognito user authentication and authorization service. Use when setting up user pools, configuring identity pools, implementing OAuth flows, managing user attributes, or integrating with social identity providers.
npx skills add itsmostafa/aws-agent-skills --skill cognito agent-skills agentic-ai aws claude-code claude-skills codex
AWS Cognito
Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.
Table of Contents
Core Concepts
User Pools
User directory for sign-up and sign-in. Provides:
User registration and authentication
OAuth 2.0 / OpenID Connect tokens
MFA and password policies
Customizable UI and flows
Identity Pools (Federated Identities)
Provide temporary AWS credentials to access AWS services. Users can be:
Cognito User Pool users
Social identity (Google, Facebook, Apple)
SAML/OIDC enterprise identity
Anonymous guests
Tokens
ID Token User identity claims 1 hour Access Token API authorization 1 hour Refresh Token Get new ID/Access tokens 30 days (configurable)
Common Patterns
Create User Pool aws cognito-idp create-user-pool \
--pool-name my-app-users \
--policies '{
"PasswordPolicy": {
"MinimumLength": 12,
"RequireUppercase": true,
"RequireLowercase": true,
"RequireNumbers": true,
"RequireSymbols": true
}
}' \
--auto-verified-attributes email \
--username-attributes email \
--mfa-configuration OPTIONAL \
--user-attribute-update-settings '{
"AttributesRequireVerificationBeforeUpdate": ["email"]
}'
Create App Client aws cognito-idp create-user-pool-client \
--user-pool-id us-east-1_abc123 \
--client-name my-web-app \
--generate-secret \
--explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
--supported-identity-providers COGNITO \
--callback-urls https://myapp.com/callback \
--logout-urls https://myapp.com/logout \
--allowed-o-auth-flows code \
--allowed-o-auth-scopes openid email profile \
--allowed-o-auth-flows-user-pool-client \
--access-token-validity 60 \
--id-token-validity 60 \
--refresh-token-validity 30 \
--token-validity-units '{
"AccessToken": "minutes",
"IdToken": "minutes",
"RefreshToken": "days"
}'
Sign Up User import boto3
import hmac
import hashlib
import base64
cognito = boto3.client('cognito-idp')
def get_secret_hash(username, client_id, client_secret):
message = username + client_id
dig = hmac.new(
client_secret.encode('utf-8'),
message.encode('utf-8'),
digestmod=hashlib.sha256
).digest()
return base64.b64encode(dig).decode()
response = cognito.sign_up(
ClientId='client-id',
SecretHash=get_secret_hash('[email protected] ', 'client-id', 'client-secret'),
Username='[email protected] ',
Password='SecurePassword123!',
UserAttributes=[
{'Name': 'email', 'Value': '[email protected] '},
{'Name': 'name', 'Value': 'John Doe'}
]
)
Confirm Sign Up cognito.confirm_sign_up(
ClientId='client-id',
SecretHash=get_secret_hash('[email protected] ', 'client-id', 'client-secret'),
Username='[email protected] ',
ConfirmationCode='123456'
)
Authenticate User response = cognito.initiate_auth(
ClientId='client-id',
AuthFlow='USER_SRP_AUTH',
AuthParameters={
'USERNAME': '[email protected] ',
'SECRET_HASH': get_secret_hash('[email protected] ', 'client-id', 'client-secret'),
'SRP_A': srp_a # From SRP library
}
)
# For simple password auth (not recommended for production)
response = cognito.admin_initiate_auth(
UserPoolId='us-east-1_abc123',
ClientId='client-id',
AuthFlow='ADMIN_USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': '[email protected] ',
'PASSWORD': 'password',
'SECRET_HASH': get_secret_hash('[email protected] ', 'client-id', 'client-secret')
}
)
tokens = response['AuthenticationResult']
id_token = tokens['IdToken']
access_token = tokens['AccessToken']
refresh_token = tokens['RefreshToken']
Refresh Tokens response = cognito.initiate_auth(
ClientId='client-id',
AuthFlow='REFRESH_TOKEN_AUTH',
AuthParameters={
'REFRESH_TOKEN': refresh_token,
'SECRET_HASH': get_secret_hash('[email protected] ', 'client-id', 'client-secret')
}
)
Create Identity Pool aws cognito-identity create-identity-pool \
--identity-pool-name my-app-identities \
--allow-unauthenticated-identities \
--cognito-identity-providers \
ProviderName=cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123,\
ClientId=client-id,\
ServerSideTokenCheck=true
Get AWS Credentials import boto3
cognito_identity = boto3.client('cognito-identity')
# Get identity ID
response = cognito_identity.get_id(
IdentityPoolId='us-east-1:12345678-1234-1234-1234-123456789012',
Logins={
'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
}
)
identity_id = response['IdentityId']
# Get credentials
response = cognito_identity.get_credentials_for_identity(
IdentityId=identity_id,
Logins={
'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
}
)
credentials = response['Credentials']
# Use credentials['AccessKeyId'], credentials['SecretKey'], credentials['SessionToken']
CLI Reference
User Pool Command Description aws cognito-idp create-user-poolCreate user pool aws cognito-idp describe-user-poolGet pool details aws cognito-idp update-user-poolUpdate pool settings aws cognito-idp delete-user-poolDelete pool aws cognito-idp list-user-poolsList pools
Users Command Description aws cognito-idp admin-create-userCreate user (admin) aws cognito-idp admin-delete-userDelete user aws cognito-idp admin-get-userGet user details aws cognito-idp list-usersList users aws cognito-idp admin-set-user-passwordSet password aws cognito-idp admin-disable-userDisable user
Authentication Command Description aws cognito-idp initiate-authStart authentication aws cognito-idp respond-to-auth-challengeRespond to MFA aws cognito-idp admin-initiate-authAdmin authentication
Best Practices
Security
Enable MFA for all users (at least optional)
Use strong password policies
Enable advanced security features (adaptive auth)
Verify email/phone before allowing sign-in
Use short token lifetimes for sensitive apps
Never expose client secrets in frontend code
User Experience
Use hosted UI for quick implementation
Customize UI with CSS
Implement proper error handling
Provide clear password requirements
Architecture
Use identity pools for AWS resource access
Use access tokens for API Gateway
Store refresh tokens securely
Implement token refresh before expiry
Troubleshooting
User Cannot Sign In
User not confirmed
Password incorrect
User disabled
Account locked (too many attempts)
aws cognito-idp admin-get-user \
--user-pool-id us-east-1_abc123 \
--username [email protected]
Token Validation Failed
Token expired
Wrong user pool/client ID
Token signature invalid
import jwt
import requests
# Get JWKS
jwks_url = f'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123/.well-known/jwks.json'
jwks = requests.get(jwks_url).json()
# Decode and verify (use python-jose or similar)
from jose import jwt
claims = jwt.decode(
token,
jwks,
algorithms=['RS256'],
audience='client-id',
issuer='https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123'
)
Hosted UI Not Working
Callback URLs configured correctly
Domain configured for user pool
OAuth settings enabled
# Check domain
aws cognito-idp describe-user-pool \
--user-pool-id us-east-1_abc123 \
--query 'UserPool.Domain'
Rate Limiting Symptom: TooManyRequestsException
Implement exponential backoff
Request quota increase
Cache tokens appropriately
References Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).