Switching authentication flows
For client side authentication there are three different flows:
-
USER_SRP_AUTH: TheUSER_SRP_AUTHflow uses the SRP protocol (Secure Remote Password) where the password never leaves the client and is unknown to the server. This is the recommended flow and is used by default. -
USER_PASSWORD_AUTH: TheUSER_PASSWORD_AUTHflow will send user credentials to the backend without applying SRP encryption. If you want to migrate users to Cognito using the "Migration" trigger and avoid forcing users to reset their passwords, you will need to use this authentication type because the Lambda function invoked by the trigger needs to verify the supplied credentials. -
CUSTOM_WITH_SRP&CUSTOM_WITHOUT_SRP: Allows for a series of challenge and response cycles that can be customized to meet different requirements.
The Auth flow can be customized when calling signIn, for example:
await signIn({ username: "hello@mycompany.com", password: "hunter2", options: { authFlowType: 'USER_PASSWORD_AUTH' }})For more information about authentication flows, please visit AWS Cognito developer documentation
USER_PASSWORD_AUTH flow
A use case for the USER_PASSWORD_AUTH authentication flow is migrating users into Amazon Cognito
Set up auth backend
In order to use the authentication flow USER_PASSWORD_AUTH, your Cognito app client has to be configured to allow it. In the AWS Console, this is done by ticking the checkbox at General settings > App clients > Show Details (for the affected client) > Enable username-password (non-SRP) flow. If you're using the AWS CLI or CloudFormation, update your app client by adding USER_PASSWORD_AUTH to the list of "Explicit Auth Flows".
Migrate users with Amazon Cognito
Amazon Cognito provides a trigger to migrate users from your existing user directory seamlessly into Cognito. You achieve this by configuring your User Pool's "Migration" trigger which invokes a Lambda function whenever a user that does not already exist in the user pool authenticates, or resets their password.
In short, the Lambda function will validate the user credentials against your existing user directory and return a response object containing the user attributes and status on success. An error message will be returned if an error occurs. Visit Amazon Cognito user pools import guide for migration flow and more detailed instruction, and Amazon Cognito Lambda trigger guide on how to set up lambda to handle request and response objects.
CUSTOM_WITH_SRP & CUSTOM_WITHOUT_SRP flows
Amazon Cognito user pools supports customizing the authentication flow to enable custom challenge types,
in addition to a password in order to verify the identity of users. These challenge types may include CAPTCHAs
or dynamic challenge questions. The CUSTOM_WITH_SRP flow requires a password when calling signIn. Both of
these flows map to the CUSTOM_AUTH flow in Cognito.
To define your challenges for custom authentication flow, you need to implement three Lambda triggers for Amazon Cognito.
Custom authentication flow
To initiate a custom authentication flow in your app, call signIn without a password. A custom challenge needs to be answered using the confirmSignIn API:
import { signIn, confirmSignIn } from 'aws-amplify/auth';
const challengeResponse = 'the answer for the challenge';
const { nextStep } = await signIn({ username, options: { authFlowType: 'CUSTOM_WITHOUT_SRP', },});
if (nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE') { // to send the answer of the custom challenge await confirmSignIn({ challengeResponse });}CAPTCHA authentication
To create a CAPTCHA challenge with a Lambda Trigger, please visit AWS Amplify Google reCAPTCHA challenge example for detailed examples.