AWS Security Blog

How to set case sensitivity in the Amazon Cognito console

AWS recently updated how Amazon Cognito user pools are created so that new user pools are case insensitive by default. An Amazon Cognito user pool is a user directory that helps you manage end-user identities. With this new feature, the native user name, email alias, and preferred user name alias are marked as case insensitive when a new user pool is created. For example, user@example.com is now treated the same as User@example.com.

If you want to create a user pool that is case sensitive, you can change the default setting.

NOTE: This new feature does not change the behavior of existing user pools, which remain case sensitive. If you create the user pool with the CreateUserPool API, you also need to set CaseSensitive to False; otherwise the user pool will be case sensitive.

If you have case-sensitive user pools, you need to handle case sensitivity carefully in your applications. A case-sensitive user pool requires users to sign in with the exact capitalization of their username or email address, and any application or backend that references users by username or email address must also be designed to treat those values as case sensitive, to prevent account takeover risks.

When you create a new user pool, the case-insensitive option is selected by default, so the resulting user pool is case insensitive (see Figure 1). To create a user pool that is case sensitive, clear that option. Please note: case sensitivity can't be changed after the user pool has been created.

Figure 1: The case-insensitive user pool is selected by default

How to migrate to a new user pool

Case-sensitive user pools can contain conflicting identities (users that differ only by case), so there is no automated migration path to change a user pool from case-sensitive to case-insensitive. Migration to a new user pool requires scenario-based logic to handle those conflicts. To make an existing user pool case insensitive, create a new user pool that is case insensitive, and then use the Migrate User Lambda Trigger to migrate existing users to the new pool. The trigger lets you migrate users at the time of sign-in or during the "forgot password" flow, and it gives you a place to handle conflicts. For more details, see the documentation.
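As an added example (not code from this post or from AWS), here is a User Migration Lambda trigger handler in Python that applies the conflict handling described above: it looks the user up in the old pool ignoring case, refuses to migrate when more than one old identity would collapse into the same new one, and fills in the trigger response for both the sign-in and forgot-password flows. The `OldPool` class and the directory it holds are a constructed stand-in for the boto3 calls a real handler would make against the legacy pool.

```python
class OldPool:
    """Constructed stand-in for the legacy, case-sensitive pool; a real
    handler would query it with boto3 (ListUsers / AdminInitiateAuth)."""
    def __init__(self, users):
        self.users = users  # username -> (sample password, attributes)
    def matches_ignoring_case(self, username):
        return [u for u in self.users if u.lower() == username.lower()]
    def authenticate(self, username, password):
        entry = self.users.get(username)
        return entry[1] if entry and entry[0] == password else None

# Constructed sample directory: "bob" exists twice, differing only by case.
SAMPLE_OLD_POOL = OldPool({
    "alice@example.com": ("sample-pw-1", {"email": "alice@example.com", "email_verified": "true"}),
    "bob@example.com": ("sample-pw-2", {"email": "bob@example.com", "email_verified": "true"}),
    "Bob@example.com": ("sample-pw-3", {"email": "Bob@example.com", "email_verified": "true"}),
})

def user_migration_handler(event, old_pool):
    """Lambda entry point; raising is how Cognito expects a refusal to be signalled."""
    username = event["userName"]
    candidates = old_pool.matches_ignoring_case(username)
    if not candidates:
        raise Exception("user not found in old pool")
    if len(candidates) > 1:
        # Conflict: several old identities would collapse into one in the new pool.
        # Refuse, so the first account to sign in cannot claim the identity;
        # resolve these out of band before migrating them.
        raise Exception(f"case conflict in old pool: {candidates}")
    source = candidates[0]
    if event["triggerSource"] == "UserMigration_Authentication":
        attrs = old_pool.authenticate(source, event["request"].get("password"))
        if attrs is None:
            raise Exception("authentication against old pool failed")
        status = "CONFIRMED"
    elif event["triggerSource"] == "UserMigration_ForgotPassword":
        attrs = old_pool.users[source][1]
        status = "RESET_REQUIRED"  # user sets a new password in the new pool
    else:
        raise Exception("unexpected trigger source")
    event["response"]["userAttributes"] = dict(attrs)
    event["response"]["finalUserStatus"] = status
    event["response"]["messageAction"] = "SUPPRESS"  # no welcome message
    return event

def try_migrate(trigger_source, username, password=None, old_pool=SAMPLE_OLD_POOL):
    # Builds a trigger event and returns its response, or None when migration is denied.
    event = {"triggerSource": trigger_source, "userName": username,
             "request": {"password": password}, "response": {}}
    try:
        return user_migration_handler(event, old_pool)["response"]
    except Exception:
        return None
```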

If you have feedback about this blog post, submit comments in the Comments section below. If you have questions about this blog post, start a new thread on the Amazon Cognito forums.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Mahmoud Matouk

Mahmoud is a Senior Solutions Architect with the Amazon Cognito team. He helps AWS customers build secure and innovative solutions for various identity and access management scenarios.