Amazon Cognito is an identity platform for web and mobile applications. Users authenticate through it, are authorized, and can then access the application and AWS services.
Cognito user pools are used only for authentication: users sign up or sign in and then access the application.
Today we will set up a user pool in Cognito step by step.
Prerequisite:
An AWS account with admin access.
Open the Cognito service and select User pools, then click on Create user pool.
Step 1: The wizard has six steps in total; let's go through them one by one.
- Under Providers there are two options; we will go with the default one, Cognito user pool.
- In the sign-in options, select whatever your requirement calls for. We have selected User name and Email.
- Under User name requirements, tick option 1 if users may choose any user name they like; otherwise choose option 2, the case-sensitive user name.
Click on Next.
Step 2: Here you can keep the default password policy or set a custom one.
Based on our requirement we can choose to enable MFA or not:
- With MFA (recommended): a phone number is mandatory if you select the SMS message option; otherwise choose Authenticator apps.
- Without MFA: in this blog we go without MFA. Click on Next.
Step 3: Now we configure the sign-up experience.
- Enable self-registration: this gives users permission to sign themselves up. Security recommendation: do not give users this permission; instead create their accounts yourself and hand them to the lower-privileged users.
After registration, users need to verify their email address or phone number. Here I am selecting the Cognito-managed service to verify users via email.
Note: If I select Send SMS messages, I will need users' phone numbers too, and those need to be verified.
Note: Under Verifying attribute changes, the other options are greyed out because in step 1 I selected only user name and email.
Click on Next.
Step 4: This step configures how the verification messages (the OTP sent to the user's email or phone) are delivered. There are two options:
- SES: Simple Email Service (covered in the next blog).
- Send email with Cognito: this has limits; we can send only 50 emails a day. For now we go with Cognito-managed email.
Click on Next.
Step 5: Give your user pool a name and tick Use the Cognito Hosted UI to use the Cognito-hosted login screen via OAuth 2.0.
Now choose whether to go with a Cognito-managed domain or a custom one; we will select Cognito domain.
- Select Public client for this demo and provide a name.
- Client secret: a server-side parameter used when authorizing API calls. It belongs only in a confidential (server-side) client and must never be shipped inside a browser or mobile app.
- We are using google.com as the callback URL because this is a demo; you will use your application's callback URL.
Below are the user attributes that you can control based on your application's needs. Click on Next.
Step 6: Review the configuration and click on Create user pool.
Our User Pool is ready to be used.
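Step 5 notes that the client secret is a server-side parameter. The following is an added example (not code from the post or from AWS) showing what that means in practice: a confidential app client must send Cognito a SecretHash, Base64(HMAC-SHA256(key = client secret, message = username + client id)), with calls such as SignUp, while a public client like the one created in this demo has no secret and omits the parameter. The client id and secret below are constructed placeholders, and sign_up_params is a helper written for this example that only builds the parameter dict a SignUp call would take.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed placeholders for the example; neither is a real Cognito app client.
DEMO_CLIENT_ID = "EXAMPLECLIENTID1234567890"
DEMO_CLIENT_SECRET = "example-client-secret-not-real"


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Compute the SecretHash Cognito requires from an app client that has a secret.

    Cognito defines it as Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Because the secret is the HMAC key, anyone holding it can forge valid hashes, which is
    why it must live only on a server, never in browser or mobile code.
    """
    message = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_up_params(
    username: str,
    password: str,
    email: str,
    client_id: str,
    client_secret: Optional[str] = None,
) -> Dict[str, object]:
    """Build the parameter dict for a Cognito SignUp call (hypothetical helper).

    A public client (no secret, as in the demo pool) sends no SecretHash at all;
    a confidential client must include one computed over this exact username.
    """
    params: Dict[str, object] = {
        "ClientId": client_id,
        "Username": username,
        "Password": password,
        "UserAttributes": [{"Name": "email", "Value": email}],
    }
    if client_secret:
        params["SecretHash"] = secret_hash(username, client_id, client_secret)
    return params


if __name__ == "__main__":
    public = sign_up_params("user101", "P@ssw0rd1", "user101@example.com", DEMO_CLIENT_ID)
    confidential = sign_up_params(
        "user101", "P@ssw0rd1", "user101@example.com", DEMO_CLIENT_ID, DEMO_CLIENT_SECRET
    )
    print("public client keys:      ", sorted(public))
    print("confidential client keys:", sorted(confidential))
```

The SecretHash is bound to the username, so a hash captured for one user is useless for another; this is also why the same value cannot be precomputed and embedded in a client.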
Misconfiguration:
- We gave users permission to register themselves. Let's try to register a user with an email address:
aws cognito-idp sign-up --client-id 1hq6mc5upi1e3f1j3tpe03mdbm --username user101 --password P@ssw0rd1 --user-attributes Name="email",Value="wivob32276@bacaki.com" Name="name",Value="user101" --region us-east-1
{
"UserConfirmed": false,
"CodeDeliveryDetails": {
"Destination": "w***@b***",
"DeliveryMedium": "EMAIL",
"AttributeName": "email"
},
"UserSub": "14480448-b001-7077-1e8c-d2f219bca42b"
}
You will receive an OTP at the email address above; confirm the sign-up with it:
aws cognito-idp --region us-east-1 confirm-sign-up --client-id 1hq6mc5upi1e3f1j3tpe03mdbm --username=user101 --confirmation-code 250126
Our user is registered.
Anyone who knows the client id, including a malicious user, can now create an account and access the application.
Recommendation:
- Do not give users self-registration permission; instead create their accounts as an admin.
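To check a pool for the misconfiguration above, and for the other choices made in steps 2 to 4 (MFA, verification, email sender), the following is an added audit script (not code from the post or from AWS). It reads the JSON shape returned by `aws cognito-idp describe-user-pool` (or boto3's `describe_user_pool`) and reports weak settings. The two JSON documents embedded here are constructed samples: the first mirrors the pool built in this post, the second a hardened variant; the pool ids are placeholders. The field names (AdminCreateUserConfig.AllowAdminCreateUserOnly, MfaConfiguration, AutoVerifiedAttributes, EmailConfiguration.EmailSendingAccount, Policies.PasswordPolicy) are the real ones in that API response.

```python
import json
from typing import List

# Constructed sample matching this post's pool: self-registration on, MFA off,
# Cognito-managed email. The pool id is a placeholder, not a real pool.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "UserPool": {
        "Id": "us-east-1_EXAMPLEPOOL",
        "Name": "demo-pool",
        "Policies": {"PasswordPolicy": {"MinimumLength": 8, "RequireUppercase": True,
                                        "RequireLowercase": True, "RequireNumbers": True,
                                        "RequireSymbols": True}},
        "AutoVerifiedAttributes": ["email"],
        "MfaConfiguration": "OFF",
        "EmailConfiguration": {"EmailSendingAccount": "COGNITO_DEFAULT"},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    }
})

# Constructed hardened variant: admin-only user creation, MFA required, SES sender.
HARDENED_DESCRIBE_OUTPUT = json.dumps({
    "UserPool": {
        "Id": "us-east-1_EXAMPLEPOOL",
        "Name": "demo-pool",
        "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireUppercase": True,
                                        "RequireLowercase": True, "RequireNumbers": True,
                                        "RequireSymbols": True}},
        "AutoVerifiedAttributes": ["email"],
        "MfaConfiguration": "ON",
        "EmailConfiguration": {"EmailSendingAccount": "DEVELOPER"},
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    }
})


def is_self_registration_open(describe_json: str) -> bool:
    """True when anyone holding the app client id can call SignUp (the post's misconfiguration)."""
    pool = json.loads(describe_json)["UserPool"]
    # The key is absent on some older pools; absent means self-registration is allowed.
    return not pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)


def audit_user_pool(describe_json: str) -> List[str]:
    """Return a list of findings for the settings this post walks through; empty means clean."""
    pool = json.loads(describe_json)["UserPool"]
    findings: List[str] = []

    if is_self_registration_open(describe_json):
        findings.append("self-registration enabled: set AdminCreateUserConfig."
                        "AllowAdminCreateUserOnly=true and create users as an admin (step 3)")
    if pool.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("MFA is OFF: set MfaConfiguration to ON or OPTIONAL (step 2)")
    if not pool.get("AutoVerifiedAttributes"):
        findings.append("no auto-verified attributes: email/phone are never verified (step 3)")
    if pool.get("EmailConfiguration", {}).get("EmailSendingAccount") == "COGNITO_DEFAULT":
        findings.append("Cognito default email sender: 50 messages/day limit, use SES (step 4)")
    if pool.get("Policies", {}).get("PasswordPolicy", {}).get("MinimumLength", 0) < 8:
        findings.append("password MinimumLength below 8 (step 2)")
    return findings


if __name__ == "__main__":
    # In real use, feed the output of `aws cognito-idp describe-user-pool --user-pool-id <id>`.
    for label, doc in (("demo pool", SAMPLE_DESCRIBE_OUTPUT), ("hardened pool", HARDENED_DESCRIBE_OUTPUT)):
        print(label + ":")
        for finding in audit_user_pool(doc) or ["no findings"]:
            print("  - " + finding)
```

When remediating a live pool with `aws cognito-idp update-user-pool`, note that the call replaces the pool's mutable settings as a whole: any setting you leave out of the command reverts to its default, so pass the full intended configuration rather than just `--admin-create-user-config AllowAdminCreateUserOnly=true`. Accounts are then created with `aws cognito-idp admin-create-user`, which is the admin-driven flow the recommendation above calls for.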
References:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html