I have a mobile application and want to use an AWS Cognito user pool for user management (sign up & sign in). I want to offer users the three login options below:
- username, password
- phone number with OTP login - on the sign in screen, the user enters his phone number, and Cognito should send OTP code, and on verification, it should allow to login
- Google connect login
During sign up, the user sets a username and password and adds a verified phone number; optionally they can also link their Google account to their profile.
How do I set up the Cognito pool for this scenario so that a user can log in to the app with any of the three options above?
I found a way to set up Cognito to allow multiple login options. Set up the user pool like this: 1. select "use phone number as username"; 2. make the phone number mandatory and verifiable; 3. this makes phone_number an alias that can be used to log in.
Use the CUSTOM_CHALLENGE flow to implement login with a phone number and OTP.
Basically, we need to configure three Lambda triggers in Cognito to send an OTP to the user's registered number: 1. the Define auth challenge trigger -- returns CUSTOM_CHALLENGE; 2. the Create auth challenge trigger -- generates the OTP and sends it by SMS using the SNS service; 3. the Verify auth challenge response trigger -- validates the OTP the user entered. The generated OTP is passed along in the challenge context, so there is no need to save it in a database.
Trigger#1 - define auth challenge
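exports.handler = (event, context, callback) => {
  // Define Auth Challenge trigger: decides, from the challenge history in
  // event.request.session, whether to issue another challenge, issue tokens,
  // or fail the sign-in. Cognito invokes it once per round of the custom flow.
  const { session } = event.request;

  if (session.length === 0) {
    // First round: nothing answered yet, so ask for the OTP.
    event.response.issueTokens = false;
    event.response.failAuthentication = false;
    event.response.challengeName = 'CUSTOM_CHALLENGE';
  } else if (
    session.length === 1 &&
    session[0].challengeName === 'CUSTOM_CHALLENGE' &&
    session[0].challengeResult === true
  ) {
    // Exactly one custom challenge was attempted and it passed: sign the user in.
    event.response.issueTokens = true;
    event.response.failAuthentication = false;
  } else {
    // Any other history (a wrong OTP, an unexpected challenge name, or more
    // than one round) ends the sign-in and the user must start over. This
    // gives a single attempt per OTP instead of unbounded guessing.
    event.response.issueTokens = false;
    event.response.failAuthentication = true;
  }
  // Return to Amazon Cognito
  callback(null, event);
}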
Trigger#2 - create auth challenge (make sure this Lambda's execution role allows publishing to SNS)
var crypto = require("crypto");
var AWS = require("aws-sdk");
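exports.handler = (event, context, callback) => {
  // Create Auth Challenge trigger: on the first round of the custom flow,
  // generate a one-time code, text it to the user's registered phone number
  // via SNS, and hand the expected answer back to Cognito in
  // privateChallengeParameters (never in publicChallengeParameters, which
  // are visible to the client).
  if (event.request.session.length !== 0 || event.request.challengeName !== 'CUSTOM_CHALLENGE') {
    // Not the first round of a custom challenge: nothing to create.
    callback(null, event);
    return;
  }

  // Always six digits, drawn from a CSPRNG. Math.random() is not suitable
  // for an authentication code, and slicing its decimal expansion could
  // yield fewer than six digits.
  const answer = String(crypto.randomInt(0, 1000000)).padStart(6, '0');

  // Set the return parameters **including the correct answer** before the
  // send so they are in place whichever way the SNS call resolves.
  event.response.publicChallengeParameters = {};
  event.response.privateChallengeParameters = { answer };
  event.response.challengeMetadata = 'PASSWORDLESS_CHALLENGE';

  // Send the code via Amazon SNS Global SMS. Wait for the publish result so
  // that a failed send is reported to Cognito instead of silently issuing a
  // challenge the user can never answer.
  const sns = new AWS.SNS();
  sns.publish({
    Message: `your verification code is ${answer}`,
    PhoneNumber: event.request.userAttributes.phone_number
  }, (err) => {
    if (err) {
      console.log(err, err.stack); // an error occurred
      callback(err);
      return;
    }
    console.log('SMS Sent'); // successful response; the code itself is deliberately not logged
    callback(null, event);
  });
}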
Trigger#3 - verify auth challenge response
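const crypto = require("crypto");

exports.handler = (event, context, callback) => {
  // Verify Auth Challenge Response trigger: compares the OTP the user typed
  // (event.request.challengeAnswer) with the one the create-challenge trigger
  // stored in privateChallengeParameters.answer, and reports the result in
  // event.response.answerCorrect.
  const expected = event.request.privateChallengeParameters.answer;
  const given = event.request.challengeAnswer;

  let correct = false;
  // Both values must be non-empty strings; a missing or empty expected answer
  // must never be accepted (a loose `undefined == undefined` would be).
  if (typeof expected === 'string' && expected.length > 0 && typeof given === 'string') {
    const expectedBytes = Buffer.from(expected);
    const givenBytes = Buffer.from(given);
    // Constant-time comparison so the check does not leak how many leading
    // characters matched. timingSafeEqual requires equal lengths, so the
    // byte-length check guards it (a length mismatch is a wrong answer anyway).
    correct = expectedBytes.length === givenBytes.length &&
      crypto.timingSafeEqual(expectedBytes, givenBytes);
  }
  event.response.answerCorrect = correct;

  // Return to Amazon Cognito
  callback(null, event);
}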
Source: https://stackoverflow.com/questions/52114361/aws-cognito-pool-with-multiple-sign-in-options