Cognito User Pools is more than just a user directory. It's an ecosystem that tackles authentication edge cases and boosts development efficiency.
1. Cognito User Pools - beyond a simple user directory
Cognito User Pools is a fully managed, OpenID Connect-compatible identity provider. It serves as a user directory service that handles authentication and authorization for application users.
Importantly, Cognito User Pools doesn’t manage access to AWS resources like S3 or DynamoDB. It’s designed for the mobile and web applications we build. With a user pool integrated into an app, our users can sign up, log in, and change passwords effortlessly, requiring minimal work on our end.
Having a service like Cognito User Pools is a game-changer. Before using it, I built authentication workflows manually, and trust me, it was far from enjoyable. It’s much simpler to rely on a dedicated service that handles all the flows right out of the box.
2. Lesser-known features
Beyond the basics, Cognito User Pools offers some lesser-known features that enhance the experience for both users and administrators.
In this post, I’ll highlight four of them.
2.1. Modifying tokens
As mentioned, Cognito User Pools aligns with the OpenID Connect standard, issuing an ID token once a user successfully authenticates. It also provides access tokens, making it compliant with OAuth 2.0 standards.
Tokens are expected, but did you know you can intercept the authentication flow and add custom properties to them?
We can set up Cognito to trigger a Lambda function at various stages of the sign-up and sign-in processes. These functions can enrich both the ID token and the access token.
This opens up a world of customization options for controlling app access. For example, we can embed custom data in the ID token for the front-end client to use, enabling guards to restrict content. Alternatively, we can add custom scopes to the access token and implement fine-grained access control in an API Gateway API. All it takes is some Lambda function code, and Cognito triggers it at the right time.
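The token enrichment described above, as an added example rather than code from the original post: a Pre Token Generation trigger (event version 2) that adds a tenant claim to the ID token and maps the user's Cognito groups to API Gateway scopes on the access token. The custom attribute `custom:tenant_id`, the groups `admins`/`editors` and the scope names are assumptions for the example; the sample event is constructed, not captured.

```python
import json

# Hypothetical mapping from user pool group to resource-server scopes.
# Groups are server-side state set by an administrator, which is what makes
# them a safe source for authorization decisions.
GROUP_SCOPES = {
    "admins": ["myapi/content.write", "myapi/users.manage"],
    "editors": ["myapi/content.write"],
}


def handler(event, context=None):
    """Cognito Pre Token Generation trigger, event version 2 (V2_0)."""
    if event.get("version") != "2":
        # Only the V2_0 event shape carries accessTokenGeneration; leave
        # other versions untouched rather than emit a malformed response.
        return event

    request = event["request"]
    attrs = request.get("userAttributes", {})
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []

    # Derive every claim from server-side data. request["clientMetadata"] is
    # supplied by the calling app, so it must never become a claim or scope.
    tenant = attrs.get("custom:tenant_id")
    id_claims = {"roles": ",".join(sorted(groups))}
    access_claims = {}
    if tenant:
        id_claims["tenant_id"] = tenant
        access_claims["tenant_id"] = tenant

    scopes = sorted({s for g in groups for s in GROUP_SCOPES.get(g, [])})

    event["response"]["claimsAndScopeOverrideDetails"] = {
        "idTokenGeneration": {"claimsToAddOrOverride": id_claims},
        "accessTokenGeneration": {
            "claimsToAddOrOverride": access_claims,
            "scopesToAdd": scopes,
        },
    }
    return event


# Constructed sample event: an 'editors' user whose app asks for 'admins'.
SAMPLE_EVENT = {
    "version": "2",
    "triggerSource": "TokenGeneration_HostedAuth",
    "userName": "alice",
    "request": {
        "userAttributes": {"email": "alice@example.com", "custom:tenant_id": "acme"},
        "groupConfiguration": {"groupsToOverride": ["editors"], "iamRolesToOverride": [], "preferredRole": None},
        "scopes": ["openid", "email"],
        "clientMetadata": {"requested_role": "admins"},  # ignored on purpose
    },
    "response": {"claimsAndScopeOverrideDetails": None},
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT)["response"], indent=2))
```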
2.2. Passkeys for login
Cognito also lets us integrate passwordless login into our applications!
One option is using passkeys. YubiKeys are a popular choice, but password managers and operating system key storage options work seamlessly with Cognito too.
Passwordless sign-in is getting more popular, and with Cognito, we can keep our apps ahead of the curve.
2.3. User existence error masking
How does your app respond when someone tries to log in with a nonexistent username?
One approach is to return a “User not found” error, but this confirms which usernames don’t exist, so someone can enumerate valid accounts simply by guessing different usernames.
By enabling the “Prevent user existence errors” setting in the App client settings, Cognito instead returns a generic error like “The username or password is incorrect” when someone tries to log in with a nonexistent username.
This feature extends to passwordless sign-in too. When I set up the email verification code option and entered a nonexistent username, Cognito displayed the standard, expected message on the next page:
So, what’s happening here? How does the “Prevent user existence errors” feature play out?
It’s all about the email address - it’s fake.
At first, I thought this was a bug and that Cognito might have sent a verification code to some random stranger’s email. But the truth is, when the user doesn’t exist, Cognito shows a simulated message with a dummy email address and never sends the validation code.
Big thanks to AWS technical support and the Cognito team for clearing this up! 🙌
2.4. Customizable login page
Cognito offers hosted authentication pages known as the hosted UI. Recently, they rolled out managed login, an updated version of the classic hosted UI.
This managed authentication page is a lifesaver. It means we don’t have to build login and sign-up forms from scratch on the front end.
But there’s more! We can customize the managed login page using a no-code visual editor called the branding designer, which lets us tweak every element of the login form.
We can adjust spacing and border-radius, and add custom logos or background images, among other options. If you prefer, you can still upload a custom CSS file with the classic hosted UI. Switching between the two is easy if needed.
3. Summary
This short post explored four lesser-known Cognito User Pools features: token modification, passkey-based passwordless authentication, user existence error masking, and customizable managed login pages.
These features have made my life easier when integrating Cognito into my applications. How about you?