DEV Community

Rajesh Kumar

AWS Cognito email passwordless

For my project I was looking for a passwordless implementation. I found a few ways to do it, but most of them looked confusing to me and took time to work through. I went through a few reference documents and videos and finally summarised the steps for setting it up quickly using the Serverless Framework and Terraform scripts.

Find the code here:
https://github.com/rajeshkumarbehura/aws-cognito-passwordless

Description

Implementation of user sign-up and login by email address using the passwordless concept in AWS Cognito: the user never types a password; instead a one-time code is emailed and checked by Cognito's custom auth flow.

Deployment steps

1. Deploy the Lambdas using the Serverless Framework.
2. Deploy AWS Cognito and the SES email identity using Terraform.
3. Verify your email address for the SES identity.
4. Set up the Lambdas as Cognito triggers.
5. Test the passwordless flow using AWS Cognito CLI commands.

Note: By default, this project is set up in "ap-southeast-1".
Set the SES email address to your own email address wherever <<SES_VERIFIED_EMAIL_ID>> appears.
Make sure the Terraform .tf files and serverless.yml are updated with the appropriate region and email address.

Clone the code from the GitHub project "aws-cognito-passwordless"; the link is provided above.

Installation requirements:

  1. The Serverless Framework must be installed. https://www.serverless.com/framework/docs/getting-started/
  2. Terraform must be installed. https://www.terraform.io/downloads.html
  3. The AWS CLI must be installed. https://aws.amazon.com/cli/
  4. Set up default AWS credentials (aws_access_key_id, aws_secret_access_key) on your local PC.
  5. All deployments happen in the AWS account configured as the default profile on your PC.

1. Deploy the Lambdas

Make sure the GitHub project is cloned.

1. Go to the email-passwordless-lambda project.
2. Open the serverless.yml file and replace <<SES_VERIFIED_EMAIL_ID>> with your email address.
3. Run the command "sls deploy".
4. It will set up 5 Lambdas in your AWS account.

2. Deploy AWS Cognito and the SES email identity

1. Go to the cognito-setup project folder.
2. Open variables.tf, update your AWS region and replace <<SES_VERIFIED_EMAIL_ID>> with the same email address you used for the Lambdas.
3. Run the command "terraform init".
4. Run the command "terraform plan".
5. Run the command "terraform apply".

3. SES email identity verification

1. After deployment, a verification email will be sent to <<SES_VERIFIED_EMAIL_ID>>. Open your mailbox and verify the identity. Note: without email verification, email passwordless will not work, because SES refuses to send from an unverified identity. While the SES account is still in the sandbox, SES also only delivers to verified addresses, which is why the test user below uses this same email address.

4. Set up the Lambdas as Cognito triggers

Now log in to the AWS console, go to User Pools in Cognito, select the user pool you created and set up the Lambda triggers for the user pool as in the image below (the custom auth flow needs at least the Define auth challenge, Create auth challenge and Verify auth challenge response triggers):
https://github.com/rajeshkumarbehura/aws-cognito-passwordless/blob/main/images/cognito-lambda-triggers.png

5. Test email passwordless using AWS CLI commands

Go to your user pool's App clients and get your App client ID, as in the image below:
https://github.com/rajeshkumarbehura/aws-cognito-passwordless/blob/main/images/app-clients-detail.png

1. User sign-up

<<app-client-id>> = the App client ID from your user pool
<<SES_VERIFIED_EMAIL_ID>> = your SES-verified email address

Sign up the user using the CLI command on your local system:
aws cognito-idp sign-up --client-id <<app-client-id>> --username <<SES_VERIFIED_EMAIL_ID>> --password 12345678

For example (sample values only):
aws cognito-idp sign-up --client-id 4cgrq69gatdp03sa7k6 --username rajesh.xxx@gmail.com --password 12345678

The password is required by the sign-up API but is not used by the custom auth flow below, so use a random value that satisfies the user pool's password policy rather than a fixed one.

2. User sign-in, which sends a token to your email

Sign in the user using the CLI command on your local system:

aws cognito-idp initiate-auth --client-id <<app-client-id>> --auth-flow CUSTOM_AUTH --auth-parameters USERNAME="<<SES_VERIFIED_EMAIL_ID>>",PASSWORD=""

For example (sample values only):
aws cognito-idp initiate-auth --client-id 568fqvgq612k636hho --auth-flow CUSTOM_AUTH --auth-parameters USERNAME="rajesh.xxxxx@gmail.com",PASSWORD=""

The response on your command line contains a Session value (with ChallengeName CUSTOM_CHALLENGE), and the token is delivered to your email account.

3. User token validation

<<SESSION_VALUE_FROM_SIGNIN_COMMAND>> = the Session value from the sign-in command above
<<TOKEN_FROM_EMAIL>> = the token from the email

Validate the token using the command line on your system:

aws cognito-idp respond-to-auth-challenge --client-id <<app-client-id>> --challenge-name CUSTOM_CHALLENGE --challenge-responses ANSWER=<<TOKEN_FROM_EMAIL>>,USERNAME="<<SES_VERIFIED_EMAIL_ID>>" \
--session "<<SESSION_VALUE_FROM_SIGNIN_COMMAND>>"

For example (sample values only):
aws cognito-idp respond-to-auth-challenge --client-id 568fqvgq612k63 --challenge-name CUSTOM_CHALLENGE --challenge-responses ANSWER=780322,USERNAME="rajesh.XXXX@gmail.com" \
--session "XXXXXXXXXXXXXXXXXXX....XXX"

After the above command, you will receive the JWTs (IdToken and AccessToken) and a RefreshToken in the AuthenticationResult on your command line. What happens on a wrong answer (another CUSTOM_CHALLENGE with a new Session, or a failed login) is decided by the Define auth challenge Lambda.

References

https://www.youtube.com/watch?v=grTaNCwPj58
https://github.com/aws-samples/amazon-cognito-passwordless-email-auth

Top comments (1)

Rajesh Kumar

Passwordless user login by using email id & token.