Jack burridge

Reputation: 520

Cognito User migration trigger not firing

In a Cognito user pool in eu-west-1, I'm trying to add a trigger for user migration. It doesn't trigger when I try to log in as a non-existent user. I've tested this by writing a simple Python lambda:

def handler(event, context):
    # Minimal trigger: log the incoming event and echo it back unchanged
    print(event)
    return event

In the logs, I never see this run if the user does not exist. I then tried setting all the triggers to use this lambda, and (when logging in with an existing user) I see:

When logging in with a nonexistent user, i.e. a migration candidate, I see no triggers fired.

Is this a region specific issue? Is there something we need to enable for the triggers to fire? Do we need to enable specific permissions for triggers to be fired by non-authed users or failed logins?

Upvotes: 9

Views: 4809
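A fuller version of the trigger, as an added example that is not part of the question or of any answer: a Python User Migration handler that verifies the sign-in against a constructed in-memory stand-in for the legacy user store and returns the response shape Cognito expects (userAttributes, finalUserStatus, messageAction). The salted-hash scheme, the MigrationDenied exception, the sample user and the make_event helper are all assumptions made for the example. It also shows why the auth flow discussed in the answers matters: when the client uses SRP, request.password is simply absent from the event, so the handler has nothing it could check against the legacy system and must refuse.

```python
import hashlib
import hmac


class MigrationDenied(Exception):
    """Raising from the trigger makes Cognito fail the sign-in (or reset) request."""


# Constructed stand-in for a legacy user store. Assumption: the old system kept
# salted SHA-256 password hashes; a real trigger would query its database or API.
_SALT = b"c0ffee"
_LEGACY_USERS = {
    "alice@example.com": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse battery").hexdigest(),
        "name": "Alice Example",
    },
}


def _legacy_verify(username, password):
    """Return the legacy record if the credentials match, else None."""
    record = _LEGACY_USERS.get(username)
    if record is None:
        return None
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # Constant-time comparison so wrong guesses do not leak timing information.
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return None
    return record


def _attributes_for(username, record):
    # Attributes written into the new Cognito user; email_verified must be the string "true".
    return {"email": username, "email_verified": "true", "name": record["name"]}


def handler(event, context):
    # Never log the raw event here: with USER_PASSWORD_AUTH it carries the cleartext password.
    source = event.get("triggerSource")
    username = event.get("userName", "")

    if source == "UserMigration_Authentication":
        password = event.get("request", {}).get("password")
        if not password:
            # Cognito only includes the password when the client used USER_PASSWORD_AUTH;
            # an SRP sign-in never sends it, so there is nothing to verify.
            raise MigrationDenied("no password in request; client must use USER_PASSWORD_AUTH")
        record = _legacy_verify(username, password)
        if record is None:
            raise MigrationDenied("bad username or password")
        event["response"]["userAttributes"] = _attributes_for(username, record)
        event["response"]["finalUserStatus"] = "CONFIRMED"  # user keeps signing in with the same password
        event["response"]["messageAction"] = "SUPPRESS"     # no welcome email for migrated users
        return event

    if source == "UserMigration_ForgotPassword":
        record = _LEGACY_USERS.get(username)
        if record is None:
            raise MigrationDenied("unknown user")
        # No password is available in this flow; Cognito creates the user and continues the reset.
        event["response"]["userAttributes"] = _attributes_for(username, record)
        event["response"]["messageAction"] = "SUPPRESS"
        return event

    raise MigrationDenied(f"unexpected triggerSource {source!r}")


def make_event(trigger_source, username, password=None):
    """Build a constructed test event shaped like the one Cognito sends to a User Migration trigger."""
    request = {"validationData": None, "clientMetadata": None}
    if password is not None:
        request["password"] = password
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "eu-west-1",
        "userPoolId": "eu-west-1_PLACEHOLDER",  # placeholder, not a real pool id
        "userName": username,
        "request": request,
        "response": {"userAttributes": None, "finalUserStatus": None, "messageAction": None,
                     "desiredDeliveryMediums": None, "forceAliasCreation": None},
    }


if __name__ == "__main__":
    out = handler(make_event("UserMigration_Authentication", "alice@example.com", "correct horse battery"), None)
    print(out["response"])
```

Two points worth keeping in mind once the flow type is fixed and the trigger starts firing: the event then contains the user's cleartext password, so a debugging handler like the one in the question that prints the whole event writes that password into CloudWatch Logs; and because every failed sign-in for an unknown user now reaches the Lambda, the legacy lookup becomes a credential-guessing surface and should keep the same rate limiting and lockout the old system had.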

Answers (3)

AceP

Reputation: 181

For people using Amplify UI (Authenticator), you need to override the login function call.

For example, in Vue.js:

App.vue:

<template>
  <authenticator
    :services="services"
    initial-state="signIn"
  >
  </authenticator>
</template>

<script setup lang="ts">
// lang="ts" is needed: the import uses a `type` specifier and the parameter has a TS annotation.
import { signIn, type SignInInput } from "aws-amplify/auth";

// Override the Authenticator's sign-in call so it uses USER_PASSWORD_AUTH
// instead of the default SRP flow, which never sends the password to Cognito
// and therefore cannot invoke the User Migration trigger.
const services = {
  async handleSignIn(input: SignInInput) {
    return signIn({
      ...input,
      options: {
        ...input.options,
        authFlowType: "USER_PASSWORD_AUTH",
      },
    });
  },
};
</script>

If Amplify is used without the Authenticator, check the docs: docs.amplify.aws

Your user pool needs to allow USER_PASSWORD_AUTH.

Upvotes: 0

NULL pointer

Reputation: 1377

If your user pool has both ALLOW_USER_PASSWORD_AUTH and ALLOW_USER_SRP_AUTH enabled, Cognito will attempt authentication with the more secure SRP (Secure Remote Protocol) to avoid sending the password as plain text over the network.

I found that calling setAuthenticationFlowType('USER_PASSWORD_AUTH'); before I called authenticateUser(authDetails, ...) overcame this preference for SRP, and the Migrate User Lambda fired when the authentication failed.

import { AuthenticationDetails, CognitoUser, CognitoUserPool } from 'amazon-cognito-identity-js';

// Placeholder IDs; substitute your own user pool and app client.
const migrationDestUserPool = new CognitoUserPool({
  UserPoolId: 'eu-west-1_XXXXXXXXX',
  ClientId: 'XXXXXXXXXXXXXXXXXXXXXXXXXX',
});

function signInWithMigration(email, password) {
  const authDetails = new AuthenticationDetails({ Username: email, Password: password });
  const cognitoUser = new CognitoUser({
    Username: email,
    Pool: migrationDestUserPool,
  });
  // Force USER_PASSWORD_AUTH; if SRP is chosen the Migrate User Lambda never runs.
  cognitoUser.setAuthenticationFlowType('USER_PASSWORD_AUTH');
  cognitoUser.authenticateUser(authDetails, {
    onSuccess: (session) => console.log('signed in as', session.getIdToken().payload.sub),
    onFailure: (err) => console.error('sign-in failed:', err.message),
  });
}

Upvotes: 1

BlueberrySourRaspberry

Reputation: 963

To invoke the User Migration Trigger, you must authenticate using USER_PASSWORD_AUTH:

authenticationFlowType: 'USER_PASSWORD_AUTH'

An example of doing this is the Amplify configuration below:

import Amplify from 'aws-amplify';

Amplify.configure({
    Auth: {
        // REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
        identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',

        // REQUIRED - Amazon Cognito Region
        region: 'XX-XXXX-X',

        // OPTIONAL - Amazon Cognito Federated Identity Pool Region
        // Required only if it's different from Amazon Cognito Region
        identityPoolRegion: 'XX-XXXX-X',

        // OPTIONAL - Configuration for cookie storage
        // Note: if the secure flag is set to true, then the cookie transmission requires a secure protocol
        cookieStorage: {
            // REQUIRED - Cookie domain (only required if cookieStorage is provided)
            domain: '.yourdomain.com',
            // OPTIONAL - Cookie path
            path: '/',
            // OPTIONAL - Cookie expiration in days
            expires: 365,
            // OPTIONAL - Cookie secure flag
            // Either true or false, indicating if the cookie transmission requires a secure protocol (https).
            secure: true
        },

        // OPTIONAL - customized storage object (MyStorage would be your own class; leave this
        // out to use the default storage)
        // storage: new MyStorage(),

        // OPTIONAL - Manually set the authentication flow type. Default is 'USER_SRP_AUTH'.
        // USER_PASSWORD_AUTH is required for the User Migration trigger to fire.
        authenticationFlowType: 'USER_PASSWORD_AUTH',

        // OPTIONAL - Amazon Cognito User Pool ID
        userPoolId: 'XX-XXXX-X_abcd1234',

        // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
        userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',

        // OPTIONAL - Enforce user authentication prior to accessing AWS resources or not
        mandatorySignIn: false,
    }
});

Upvotes: 18
