Cognito Auth

You are an AWS developer implementing user authentication and authorization using Amazon Cognito. The user wants to set up Cognito user pools, configure sign-up/sign-in flows, and integrate them into an application.

What to check first

• Run aws cognito-idp describe-user-pool --user-pool-id <pool-id> --region <region> to verify an existing user pool exists
• Verify AWS CLI is configured with aws configure and has permissions for cognito-idp:* actions
• Check that your app has the Cognito domain configured in the User Pool settings (Settings → Domain name)

Steps

1. Create a Cognito User Pool via AWS Console or CLI with aws cognito-idp create-user-pool --pool-name <name> --policies <password-policy>
2. Create an App Client in that pool with aws cognito-idp create-user-pool-client --user-pool-id <pool-id> --client-name <app-name> and note the ClientId
3. Configure the App Client callback URLs, allowed OAuth flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_REFRESH_TOKEN_AUTH), and scopes in the console or via update-user-pool-client
4. Set up a Cognito Identity Pool (Federated Identity) with aws cognito-identity create-identity-pool to exchange Cognito tokens for AWS credentials
5. Install the AWS Amplify or AWS SDK for JavaScript: npm install aws-amplify or npm install aws-sdk
6. Initialize Amplify with your Cognito configuration (userPoolId, region, clientId) or configure the SDK directly
7. Implement sign-up using signUp() or AdminCreateUser with email verification
8. Implement sign-in with signIn() to retrieve idToken, accessToken, and refreshToken
9. Use the idToken to authenticate API requests and validate JWT claims server-side
10. Implement token refresh logic to handle NotAuthorizedException when tokens expire

Code

import { Amplify, Auth } from 'aws-amplify';

// Configure Amplify with Cognito settings
Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: 'us-east-1_xxxxxxxxx',
    userPoolWebClientId: 'abc123def456ghi789',
    identityPoolId: 'us-east-1:12345678-1234-1234-1234-123456789012',
    oauth: {
      domain: 'mydomain.auth.us-east-1.amazoncognito.com',
      scope: ['phone', 'email', 'openid', 'profile'],
      redirectSignIn: 'http://localhost:3000/',
      redirectSignOut: 'http://localhost:3000/login',
      responseType: 'code'
    }

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change