Category Archives: Cognito

Cognito Hosted UI User Pool – Google not showing

Hi everyone,

I’m implementing Cognito User Pools for an app and currently adding social providers (Google, Facebook, etc).

The setup process seems pretty straightforward, however the social options did not appear on my hosted UI.

It turned out that I’d missed the last step in the documentation:
– Go to “App Client Settings” (left hand menu under App integration)
– Look for “Enabled Identity Providers” and check any that you want to show

I found this a little unintuitive as I’d expected it to show once it was enabled in the “Identity Providers” section. I probably just need to learn to read ALL of the docs!


The full documentation is available here:

And the bulk of the configuration is performed here:


Get User Id in Lambda node.js

Hi everyone,

A quick post on where to find the user id (sub) in a Lambda request that has been authenticated with a Cognito authorizer.

You’ll be able to find everything you need in the event object under requestContext > authorizer > claims:

exports.viewContextHandler = async (event, context, callback) => {
    // The Cognito authorizer adds the token's claims to the event; sub is the user id
    const userId = event.requestContext.authorizer.claims.sub;
};

// Relevant part of the event object:
{
    "requestContext": {
        "resourceId": "XXXXX",
        "authorizer": {
            "claims": {
                "at_hash": "XXXXX",
                "sub": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
                "aud": "XXXXX12341234512345XXXXX",
                "email_verified": "true",
                "token_use": "id",
                "auth_time": "1547371205",
                "iss": "",
                "cognito:username": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX",
                "exp": "Sun Jan 13 10:20:05 UTC 2019",
                "iat": "Sun Jan 13 09:20:05 UTC 2019",
                "email": "XXXXX@XXXXX.XXXXX"
            }
        }
    }
}
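An added example (not from the original post): a defensive version of the lookup above that returns 401 when the claims are missing, for instance on a route deployed with Authorizer: NONE, and compares email_verified as the string it is. The function names and sample events are constructed for illustration.

```javascript
// Added example, not the post's code. Function names and the sample events
// below are constructed for illustration.

// Return the caller's identity from an API Gateway REST proxy event, or null
// when the request did not pass through the Cognito authorizer.
function getCallerIdentity(event) {
  const rc = (event && event.requestContext) || {};
  const claims = rc.authorizer && rc.authorizer.claims;
  if (!claims || typeof claims.sub !== 'string' || claims.sub === '') {
    return null;
  }
  return {
    sub: claims.sub, // per-user id from the verified token: key your data on this
    username: claims['cognito:username'] || null,
    // Claim values arrive as strings, so "false" would be truthy: compare exactly.
    email: claims.email_verified === 'true' ? claims.email : null,
  };
}

// Handler built on the helper. In a Lambda module, export it with:
//   exports.viewContextHandler = viewContextHandler;
async function viewContextHandler(event) {
  const caller = getCallerIdentity(event);
  if (!caller) {
    return { statusCode: 401, body: JSON.stringify({ message: 'Unauthorized' }) };
  }
  return { statusCode: 200, body: JSON.stringify({ userId: caller.sub }) };
}

// Constructed sample events (values are placeholders, as in the post).
const AUTHED_EVENT = {
  requestContext: {
    resourceId: 'XXXXX',
    authorizer: {
      claims: {
        sub: 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX',
        email_verified: 'true',
        token_use: 'id',
        'cognito:username': 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX',
        email: 'XXXXX@XXXXX.XXXXX',
      },
    },
  },
};
const UNVERIFIED_EVENT = JSON.parse(JSON.stringify(AUTHED_EVENT));
UNVERIFIED_EVENT.requestContext.authorizer.claims.email_verified = 'false';
const OPEN_ROUTE_EVENT = { requestContext: { resourceId: 'XXXXX' } };
```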

Cognito Auth with AWS SAM

Hi everyone,

I’ve spent today implementing Cognito with AWS SAM and it took quite a while to work out what needed to be done – unfortunately there’s a lot of conflicting doco out there. Posting a sample template just in case it’s able to help anyone else out.

The first thing to do is to explicitly define your REST API. By default AWS SAM will generate one with a default logical id of ServerlessRestApi. You’ll need to override this:

Resources:
  # See links for more info
  # Referencing cognito authorizer:
  # Logical id is auto generated:
  # Sample template.yml:
  MyCustomCustomApi:
    Type: "AWS::Serverless::Api"
    Properties:
      StageName: Prod
      Auth: # We will eventually define other auth options here such as Usage Plans/Api Keys, AWS_IAM, and Resource Policies
        DefaultAuthorizer: MyCustomCognitoAuthorizer
        Authorizers:
          MyCustomCognitoAuthorizer:
            UserPoolArn: !GetAtt MyCustomCognitoUserPool.Arn # Can be a string, or array
            # Identity: # Optional
              # Header: ... # Optional; Default: Authorization
              # ValidationExpression: ...  # Optional; ensures the request header matches a pattern before checking in with the Authorizer endpoint; is there a default we can set for Cognito User Pools Auth?

You’ll also need to create a user pool and client:

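  # Creating a cognito user pool -
  MyCustomCognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref CognitoUserPoolName
      # LambdaConfig:
        # PreSignUp: !GetAtt PreSignupLambdaFunction.Arn
      Policies:
        PasswordPolicy:
          MinimumLength: 8
      UsernameAttributes: # parent key of this list is missing from the post; assumed
        - email
      Schema:
        - AttributeDataType: String
          Name: email
          Required: false

  MyCustomCognitoUserPoolClient: # logical id not shown in the post; assumed
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref MyCustomCognitoUserPool
      ClientName: !Ref CognitoUserPoolClientName
      GenerateSecret: false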

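You then add the API id (RestApiId) and the Auth attribute to the API event properties of each of your functions. If you’ve set DefaultAuthorizer when defining the associated API, you can override it for a single function with Authorizer: NONE. That route is then callable without a token, and its events carry no authorizer claims.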

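  GetBreedFunction: # logical id not shown in the post; assumed
    Type: AWS::Serverless::Function
    Properties:
      Handler: breed.getBreedHandler
      # Full DynamoDB access is broader than a read handler needs; consider scoping it to the table
      Policies: arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
      Runtime: nodejs8.10
      Environment:
        Variables:
          TABLE_CAT_BREED: !Ref CatBreedTable
      Events:
        GetBreed: # event name not shown in the post; assumed
          Type: Api
          Properties:
            Path: /breed/{breedId}
            Method: get
            RestApiId: !Ref MyCustomCustomApi
            Auth:
              Authorizer: NONE # Overrides DefaultAuthorizer: this route is public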

Hopefully that’s able to help you out. If you run into any trouble I found the following link pretty useful:

Parsing Hash Args for Cognito Auth – Javascript

Hi everyone,

A quick post on a function for parsing hash args when using AWS Cognito.


Just in case the fiddle ever disappears:

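const parseHashArgs = aURL => {

  aURL = aURL || window.location.href;

  var vars = {};
  // Everything after the '#' is a list of key=value pairs separated by '&'
  var hashes = aURL.slice(aURL.indexOf('#') + 1).split('&');

  for (var i = 0; i < hashes.length; i++) {
    var hash = hashes[i].split('=');

    // Values are stored as-is (not URL-decoded); keys without '=' map to null
    if (hash.length > 1) {
      vars[hash[0]] = hash[1];
    } else {
      vars[hash[0]] = null;
    }
  }

  return vars;
};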

Thanks to this link on GitHub: