For my project, I was looking for a passwordless implementation. I found a few ways, but most of them looked a bit confusing to me and took time to get working. I went through a few reference documents and videos, and have finally summarized the steps here so you can set it up quickly using Serverless and Terraform scripts.
Find the code here:
https://github.com/rajeshkumarbehura/aws-cognito-passwordless
Description
An implementation of user sign-up and login by email ID using the passwordless concept in AWS Cognito: the user never sets a password; instead a one-time code is emailed to them and checked by Cognito's custom authentication flow.
Deployment steps
1. Deploy the Lambdas using the Serverless Framework.
2. Deploy the AWS Cognito user pool and the SES email identity using Terraform.
3. Verify your email ID for the SES identity.
4. Set up the Lambdas as Cognito user-pool triggers.
5. Test the passwordless flow using AWS Cognito CLI commands.
Note: By default, this project is set up in "ap-southeast-1".
Replace <<SES_VERIFIED_EMAIL_ID>> with your own email ID wherever it appears.
Make sure the Terraform .tf files and serverless.yml are updated with the appropriate region and email ID; both deployments must use the same region, or the Lambdas will not be visible when you attach them as triggers to the user pool.
Check out the code from my GitHub project "aws-cognito-passwordless"; the link is provided above.
Installation requirements:
- Serverless must be installed. https://www.serverless.com/framework/docs/getting-started/
- Terraform must be installed. https://www.terraform.io/downloads.html
- The AWS CLI must be installed. https://aws.amazon.com/cli/
- Set up default AWS credentials (aws_access_key_id, aws_secret_access_key) on your local PC. The credentials need permission to create Lambda, IAM, CloudFormation, Cognito and SES resources.
- All deployment happens in the AWS account and region of the default profile configured on your PC.
1. Deploy the Lambdas
Make sure my GitHub project is cloned.
1. Go to the email-passwordless-lambda project folder.
2. Open serverless.yml and replace <<SES_VERIFIED_EMAIL_ID>> with your email ID.
3. Run the command "sls deploy".
4. It will set up 5 Lambdas in your AWS account.
2. Deploy AWS Cognito & the SES email identity
1. Go to the cognito-setup project folder.
2. Open variables.tf, update your AWS region and replace <<SES_VERIFIED_EMAIL_ID>> with the same email ID you used for the Lambdas.
3. Run command "terraform init"
4. Run command "terraform plan"
5. Run command "terraform apply"
3. SES email identity verification
1. After deployment, a verification email will be sent to <<SES_VERIFIED_EMAIL_ID>>. Open it and confirm the address. Note: without a verified email identity, passwordless email login will not work. Also keep in mind that a new AWS account is in the SES sandbox, where SES will only deliver to verified addresses; this is why the test user below signs up with the same verified email ID.
4. Set up the Lambdas as Cognito triggers
Now log in to the AWS console, go to User pools in Cognito, select the user pool you created and set up the triggers for that pool as shown in the image linked below. The CUSTOM_AUTH flow used in the test below needs at least the Define auth challenge, Create auth challenge and Verify auth challenge response triggers to be wired to the deployed Lambdas.
Image link:
https://github.com/rajeshkumarbehura/aws-cognito-passwordless/blob/main/images/cognito-lambda-triggers.png
5. Test passwordless email login using AWS CLI commands
Go to your user pool's App clients and copy your app client ID, as shown in the image linked below:
https://github.com/rajeshkumarbehura/aws-cognito-passwordless/blob/main/images/app-clients-detail.png
1. User sign-up
Replace the placeholders below with your own values:
<<app-client-id>> = the app client ID copied above
<<SES_VERIFIED_EMAIL_ID>> = your verified email ID
Sign up the user using this CLI command on your local system:
aws cognito-idp sign-up --client-id <<app-client-id>> --username <<SES_VERIFIED_EMAIL_ID>> --password 12345678
For example (sample values only):
aws cognito-idp sign-up --client-id 4cgrq69gatdp03sa7k6 --username rajesh.xxx@gmail.com --password 12345678
Note: the option is --password (two dashes); the sign-up API requires a password even though the passwordless flow never uses it. Prefer a long random value over a fixed one, and make sure the app client does not also enable the password-based auth flows (ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH); otherwise that password is a second way to log in.
2. User sign-in (sends the token to your email)
Sign in the user using this CLI command on your local system:
aws cognito-idp initiate-auth --client-id <<app-client-id>> --auth-flow CUSTOM_AUTH --auth-parameters USERNAME="<<SES_VERIFIED_EMAIL_ID>>",PASSWORD=""
For example (sample values only):
aws cognito-idp initiate-auth --client-id 568fqvgq612k636hho --auth-flow CUSTOM_AUTH --auth-parameters USERNAME="rajesh.xxxxx@gmail.com",PASSWORD=""
The response on the command line is a CUSTOM_CHALLENGE containing a Session value, and at the same time you will receive a token (the one-time code) in your email account.
3. User token validation
<<SESSION_VALUE_FROM_SIGNIN_COMMAND>> = the Session value returned by the sign-in command above
<<TOKEN_FROM_EMAIL>> = the token from the email
Validate the token from the command line on your system (this is a single command):
aws cognito-idp respond-to-auth-challenge --client-id <<app-client-id>> --challenge-name CUSTOM_CHALLENGE --challenge-responses ANSWER=<<TOKEN_FROM_EMAIL>>,USERNAME="<<SES_VERIFIED_EMAIL_ID>>" --session "<<SESSION_VALUE_FROM_SIGNIN_COMMAND>>"
For example (sample values only):
aws cognito-idp respond-to-auth-challenge --client-id 568fqvgq612k63 --challenge-name CUSTOM_CHALLENGE --challenge-responses ANSWER=780322,USERNAME="rajesh.XXXX@gmail.com" --session "XXXXXXXXXXXXXXXXXXX....XXX"
After the above command, you will receive the JWTs (IdToken and AccessToken) plus a RefreshToken on the command line, inside AuthenticationResult. The Session value is single-use and short-lived, so if it has expired, start again from the sign-in command.
References
https://www.youtube.com/watch?v=grTaNCwPj58
https://github.com/aws-samples/amazon-cognito-passwordless-email-auth
Top comments (1)
Passwordless user login by using email id & token.