Skip to content
/ cognito-email-mfa-using-custom-auth-challenges Public

Cognito custom authentication lamda triggers and an example script for Email MFA.

License

MIT license
3 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

iwstkhr/cognito-email-mfa-using-custom-auth-challenges

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
samconfig.toml
samconfig.toml
 
 
template.yaml
template.yaml
 
 

Repository files navigation

cognito-email-mfa-using-custom-auth-challenges

This repository contains Cognito custom authentication challenge lamda triggers and an example script for Email MFA.

Please refer to the official documentation for Custom authentication challenge Lambda triggers.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html

You may also refer to the blog post.

https://wasabee.dev/2023/08/email-mfa-using-cognito-user-pool-custom-authentication-challenges/

Requirements

When you run the example script, you need to install the following:

Deploy

Run the following in your shell.

sam build
sam deploy --parameter-overrides EmailSender=<YOUR_SES_EMAIL_SENDER>

When completed, the following AWS resources are created in your AWS environment.

Logical ID Type
CognitoUserPool AWS::Cognito::UserPool
CognitoUserPoolClient AWS::Cognito::UserPoolClient
LambdaLayer AWS::Lambda::LayerVersion
CreateAuthChallenge AWS::Lambda::Function
DefineAuthChallenge AWS::Lambda::Function
VerifyAuthChallenge AWS::Lambda::Function
CreateAuthChallengeCognitoPermission AWS::Lambda::Permission
DefineAuthChallengeCognitoPermission AWS::Lambda::Permission
VerifyAuthChallengeCognitoPermission AWS::Lambda::Permission
CreateAuthChallengeRole AWS::IAM::Role
DefineAuthChallengeRole AWS::IAM::Role
VerifyAuthChallengeRole AWS::IAM::Role

Testing Email MFA

First of all, please create a Cognito user for testing by running the following command.

POOL_ID=<YOUR_USER_POOL_ID>
EMAIL=<YOUR_EMAIL>

# Add a Cognito user.
aws cognito-idp admin-create-user \
  --user-pool-id $POOL_ID \
  --username $EMAIL

# Make the user confirmation status "Confirmed"
echo -n 'Password: '
read password
aws cognito-idp admin-set-user-password \
  --user-pool-id $POOL_ID \
  --username $EMAIL \
  --password $password \
  --permanent

Run the example script using the following command.

cd src/example
pip install -r requirements.txt
python main.py \
  --pool-id <YOUR_USER_POOL_ID> \
  --client-id <YOUR_CLIENT_ID> \
  --username <YOUR_EMAIL> \
  --password <YOUR_PASSWORD>

Cleanup

Run the following in your shell.

sam delete

Unit Testing

Run the following in your shell.

export PYTHONPATH=$PYTHONPATH:$(pwd)/src:$(pwd)/src/layers/python
pytest -vv

About

Cognito custom authentication lamda triggers and an example script for Email MFA.

Topics

cognito lambda-triggers custom-auth-challenge

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

1 watching

Forks

4 forks
Report repository

Languages