Name:
interface
Value:
Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Page updated Apr 29, 2024

Switching authentication flows

AWSCognitoAuthPlugin allows you to switch between different auth flows while initiating signIn. You can configure the flow in the amplifyconfiguration.json file or pass the authFlowType as a runtime parameter to the signIn API call.

For client side authentication, there are four different flows that can be configured during runtime:

  1. USER_SRP_AUTH: The USER_SRP_AUTH flow uses the SRP protocol (Secure Remote Password) where the password never leaves the client and is unknown to the server. This is the recommended flow and is used by default.

  2. USER_PASSWORD_AUTH: The USER_PASSWORD_AUTH flow will send user credentials unencrypted to the back-end. If you want to migrate users to Cognito using the "Migration" trigger and avoid forcing users to reset their passwords, you will need to use this authentication type because the Lambda function invoked by the trigger needs to verify the supplied credentials.

  3. CUSTOM_AUTH_WITH_SRP: The CUSTOM_AUTH_WITH_SRP flow is used to start with SRP authentication and then switch to custom authentication. This is useful if you want to use SRP for the initial authentication and then use custom authentication for subsequent authentication attempts.

  4. CUSTOM_AUTH_WITHOUT_SRP: The CUSTOM_AUTH_WITHOUT_SRP flow is used to start authentication flow WITHOUT SRP and then use a series of challenge and response cycles that can be customized to meet different requirements.

Auth can be configured to use the different flows at runtime by calling signIn with AWSCognitoAuthSignInOptions's authFlowType as AuthFlowType.USER_PASSWORD_AUTH, AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP or AuthFlowType.CUSTOM_AUTH_WITH_SRP. If you do not specify the AuthFlowType in AWSCognitoAuthSignInOptions, the default flow (AuthFlowType.USER_SRP_AUTH) will be used.

Runtime configuration will take precedence and will override any auth flow type configuration present in amplifyconfiguration.json

For more information about authentication flows, please visit AWS Cognito developer documentation

USER_PASSWORD_AUTH flow

A use case for the USER_PASSWORD_AUTH authentication flow is migrating users into Amazon Cognito.

A user migration Lambda trigger helps migrate users from a legacy user management system into your user pool. If you choose the USER_PASSWORD_AUTH authentication flow, users don't have to reset their passwords during user migration. This flow sends your user's password to the service over an encrypted SSL connection during authentication.

When you have migrated all your users, switch flows to the more secure SRP flow. The SRP flow doesn't send any passwords over the network.

AWSCognitoAuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
.authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
.build();
Amplify.Auth.signIn(
"username",
"password",
options,
result -> Log.i("AuthQuickstart", result.isSignedIn() ? "Sign in succeeded" : "Sign in not complete"),
error -> Log.e("AuthQuickstart", error.toString())
);
val options = AWSCognitoAuthSignInOptions.builder()
.authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
.build()
Amplify.Auth.signIn(
"username",
"password",
options,
{ result ->
if (result.isSignedIn) {
Log.i("AuthQuickstart", "Sign in succeeded")
} else {
Log.i("AuthQuickstart", "Sign in not complete")
}
},
{ Log.e("AuthQuickstart", "Failed to sign in", it) }
)
val options = AWSCognitoAuthSignInOptions.builder()
.authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
.build()
try {
val result = Amplify.Auth.signIn("username", "password", options)
if (result.isSignedIn) {
Log.i("AuthQuickstart", "Sign in succeeded")
} else {
Log.e("AuthQuickstart", "Sign in not complete")
}
} catch (error: AuthException) {
Log.e("AuthQuickstart", "Sign in failed", error)
}
AWSCognitoAuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
.authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
.build();
RxAmplify.Auth.signIn("username", "password", options)
.subscribe(
result -> Log.i("AuthQuickstart", result.isSignedIn() ? "Sign in succeeded" : "Sign in not complete"),
error -> Log.e("AuthQuickstart", error.toString())
);

Setup auth backend

In order to use the authentication flow USER_PASSWORD_AUTH, your Cognito app client has to be configured to allow it. In the AWS Console, this is done by ticking the checkbox at General settings > App clients > Show Details (for the affected client) > Enable username-password (non-SRP) flow. If you're using the AWS CLI or CloudFormation, update your app client by adding USER_PASSWORD_AUTH to the list of "Explicit Auth Flows".

Migrate users with Amazon Cognito

Amazon Cognito provides a trigger to migrate users from your existing user directory seamlessly into Cognito. You achieve this by configuring your User Pool's "Migration" trigger which invokes a Lambda function whenever a user that does not already exist in the user pool authenticates, or resets their password.

In short, the Lambda function will validate the user credentials against your existing user directory and return a response object containing the user attributes and status on success. An error message will be returned if an error occurs. There's documentation here on how to set up this migration flow and more detailed instructions here on how the lambda should handle request and response objects.

CUSTOM_AUTH flow

Amazon Cognito User Pools supports customizing the authentication flow to enable custom challenge types, in addition to a password in order to verify the identity of users. The custom authentication flow is a series of challenge and response cycles that can be customized to meet different requirements. These challenge types may include CAPTCHAs or dynamic challenge questions.

To define your challenges for custom authentication flow, you need to implement three Lambda triggers for Amazon Cognito.

The flow is initiated by calling signIn with AWSCognitoAuthSignInOptions configured with AuthFlowType.CUSTOM_AUTH_WITH_SRP OR AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP.

Follow the instructions in Custom Auth Sign In to learn about how to integrate custom authentication flow in your application with the Auth APIs.

For more information about working with Lambda Triggers for custom authentication challenges, please visit Amazon Cognito Developer Documentation.