How do I automatically confirm users in Amazon Cognito?

6 minute read
5

I want to confirm users and then verify their email addresses and phone numbers automatically without using one-time-passwords (OTPs).

Short description

When a user sign ups with an Amazon Cognito user pool, they generally must have their email address or phone number verified. This is usually done by sending an OTP to a user's email address or phone number for verification. A user can also be automatically confirmed without OTP verification.

These are the high-level steps to automatically confirm a user without using an OTP with the user's email address or phone number:

  • Create an AWS Lambda function.
  • Create an Amazon Cognito user pool with a pre sign-up Lambda trigger.
  • Sign up the user in Amazon Cognito. Verify the user attributes by using the AWS Management Console or an AWS API.

Resolution

Follow these steps to automatically confirm a user and their attributes without OTP verification.

Create a Lambda function

1.    Use Amazon Cognito Events to create a Lambda function that handles the event that creates an Amazon Cognito user. The following Python code confirms the user and their attributes, such as the email address and phone number.

Example Python user confirmation code:

import json

def lambda_handler(event, context):

  # Confirm the user
  event['response']['autoConfirmUser'] = True

  # Set the email as verified if it is in the request
  if 'email' in event['request']['userAttributes']:
    event['response']['autoVerifyEmail'] = True

  # Set the phone number as verified if it is in the request
  if 'phone_number' in event['request']['userAttributes']:
    event['response']['autoVerifyPhone'] = True

  # Return to Amazon Cognito
  return event

2.    Set up a testing event in the Lambda function with data that's relevant to the pre sign-up Lambda trigger. The following example includes the test event for the sample Python code from step 1.

Example JSON test event:

{
  "request": {
    "userAttributes": {
      "email": "email@example.com",
      "phone_number": "5550100"
    }
  },
  "response": {}
}

Create an Amazon Cognito user pool

1.    Create a new Amazon Cognito user pool or select an existing user pool.

2.    In the selected user pool, add the pre sign-up Lambda trigger by selecting the Lambda function you created.

The pre sign-up Lambda trigger can be used to add custom logic and validate the new user. When a new user signs up with your app, Amazon Cognito passes that event information to the Lambda function. (The example Lambda function is in step 1 of the Create a Lambda function section.) The Lambda function returns the same event object to Amazon Cognito with any changes in the response. The following is the output response for the test event from step 2 of the Create a Lambda function section.

Example JSON test event response:

{
  "request": {
    "userAttributes": {
      "email": "email@example.com",
      "phone_number": "5550100"
    }
  },
  "response": {
    "autoConfirmUser": true,
    "autoVerifyEmail": true,
    "autoVerifyPhone": true
  }
}

Note: If a new user signs up with a preexisting phone number or email address alias, the alias moves to the new user. Then, the previous user's phone number or email address is marked as unverified. To prevent these changes, invoke the ListUsers API to list the attributes for all users from the user pool. Review the existing user attributes and compare them to the new user attributes to make sure that no unexpected changes take place.

5.    Verify that the pre sign-up Lambda trigger is configured in your user pool.

Sign up the Amazon Cognito user

Sign up as a new user by using the Amazon Cognito hosted UI or invoking the SignUp API.

Using the Amazon Cognito hosted UI

1.    In the Amazon Cognito hosted UI, sign up as a new user. Make sure to provide all required attributes. Then, after you sign up, you go to a callback URL without any verification.

2.    Verify your user attributes.

  • Account status: Enabled/CONFIRMED
  • email_verified: true
  • phone_number_verified: true

Using the AWS CLI

1.    In the AWS Command Line Interface (AWS CLI), create a user by invoking the SignUp API.

Important: In the example AWS CLI commands, replace all instances of example strings with your values. (For example, replace "example_client_id" with your client ID.)

Example sign-up command:

$ aws cognito-idp sign-up --client-id example_client_id --secret-hash example_secret_hash --username example_user_name --password example_password --user-attributes Name="email",Value="email@example.com" Name="phone_number",Value="5550100"

2.    Compute the secret hash using the app client ID, the client secret, and the user name of the user in the Amazon Cognito user pool.

3.    Install Python.

4.    Save the following example Python script as a .py file.

Important: Replace the following values before running the example script. For username, enter the user name of the user in the user pool. For AppClientId, enter your user pool's app client ID. Then, for AppClientSecret, enter your app client secret. For help, run following command: $ python3 secret_hash.py –help.

Example Python script:

import base64, hashlib, hmac, argparse

parser = argparse.ArgumentParser()
parser.add_argument("--username", required=True)
parser.add_argument("--appclientid", required=True)
parser.add_argument("--appclientsecret", required=True)
args = parser.parse_args()

message = bytes(args.username + args.appclientid, 'utf-8')
key = bytes(args.appclientsecret, 'utf-8')
secret_hash = base64.b64encode(hmac.new(key, message, digestmod=hashlib.sha256).digest()).decode()

print('SecretHash: {}'.format(secret_hash))

5.    Use the following command to obtain the computed secret hash from the Python script.

Example command:

$ python3 secret_hash.py --username example_user_name --appclientid example_app_client_id --appclientsecret example_app_client_secret

An automatically confirmed user example

1.    Generate a secret hash by running a Python script that uses the user name, app client ID, and client secret.

$ python3 secret_hash.py --username example_user_name --appclientid 11122223333 --appclientsecret je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

Output:

SecretHash: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

2.    Create an Amazon Cognito user by invoking the SignUp API.

$ aws cognito-idp sign-up --client-id 7morqrabcdEXAMPLE_ID --secret-hash wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY = --username example_user_name --password Password1@ --user-attributes Name='email',Value='email@example.com' Name='phone_number',Value='5550100'

Output:

{
  "UserConfirmed": true,
  "UserSub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}

3.    To verify the status of user attributes, invoke the AdminGetUser API.

$ aws cognito-idp admin-get-user --user-pool-id us-east-1_I 111122223333 --username example_user_name

Output:

{
  "Username": "example_user_name",
  "UserAttributes": [
    {
      "Name": "sub",
      "Value": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    },
    {
      "Name": "email_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number",
      "Value": "5550100"
    },
    {
      "Name": "email",
      "Value": "email@example.com"
    }
  ],
  "UserCreateDate": "2022-12-12T11:54:12.988000+00:00",
  "UserLastModifiedDate": "2022-12-12T11:54:12.988000+00:00",
  "Enabled": true,
  "UserStatus": "CONFIRMED"
}

The final output shows that the email address and phone number attributes are verified. The UserStatus is set to Confirmed without any external verification.


AWS OFFICIAL
AWS OFFICIALUpdated a year ago