‹ 首页

cognito

@itsmostafa · 收录于 1 周前 · 上游提交 2 个月前

AWS Cognito user authentication and authorization service. Use when setting up user pools, configuring identity pools, implementing OAuth flows, managing user attributes, or integrating with social identity providers.

适合你,如果需要在 AWS 上管理用户身份认证和授权。

/ 下载安装
cognito.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add itsmostafa/aws-agent-skills/cognito
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- itsmostafa/aws-agent-skills/cognito
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify itsmostafa/aws-agent-skills/cognito
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
1136GitHub stars
~1.6K最小装载
~1.6K含声明引用
~3.2K文本包总量
镜像托管

怎么用

商店整理自技能原文 · 版本 4ab904a · 表述以原文为准
它做什么

Claude 可以帮你管理 AWS Cognito 用户池和身份池,包括创建用户、配置登录、处理令牌、设置 MFA 等认证授权操作。

什么时候触发

当你需要为 Web 或移动应用添加用户注册、登录、社交账号集成或 AWS 资源访问授权时触发。

装好后可以这样说
Claude 会生成创建用户池的 CLI 命令。
技能原文 SKILL.md作者撰写 · MIT · 4ab904a

AWS Cognito

Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.

Table of Contents
  • [Core Concepts](#core-concepts)
  • [Common Patterns](#common-patterns)
  • [CLI Reference](#cli-reference)
  • [Best Practices](#best-practices)
  • [Troubleshooting](#troubleshooting)
  • [References](#references)
Core Concepts
User Pools

User directory for sign-up and sign-in. Provides:

  • User registration and authentication
  • OAuth 2.0 / OpenID Connect tokens
  • MFA and password policies
  • Customizable UI and flows
Identity Pools (Federated Identities)

Provide temporary AWS credentials to access AWS services. Users can be:

  • Cognito User Pool users
  • Social identity (Google, Facebook, Apple)
  • SAML/OIDC enterprise identity
  • Anonymous guests
Tokens

| Token | Purpose | Lifetime | |-------|---------|----------| | ID Token | User identity claims | 1 hour | | Access Token | API authorization | 1 hour | | Refresh Token | Get new ID/Access tokens | 30 days (configurable) |

Common Patterns
Create User Pool

AWS CLI:

aws cognito-idp create-user-pool \
  --pool-name my-app-users \
  --policies '{
    "PasswordPolicy": {
      "MinimumLength": 12,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true
    }
  }' \
  --auto-verified-attributes email \
  --username-attributes email \
  --mfa-configuration OPTIONAL \
  --user-attribute-update-settings '{
    "AttributesRequireVerificationBeforeUpdate": ["email"]
  }'
Create App Client
aws cognito-idp create-user-pool-client \
  --user-pool-id us-east-1_abc123 \
  --client-name my-web-app \
  --generate-secret \
  --explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
  --supported-identity-providers COGNITO \
  --callback-urls https://myapp.com/callback \
  --logout-urls https://myapp.com/logout \
  --allowed-o-auth-flows code \
  --allowed-o-auth-scopes openid email profile \
  --allowed-o-auth-flows-user-pool-client \
  --access-token-validity 60 \
  --id-token-validity 60 \
  --refresh-token-validity 30 \
  --token-validity-units '{
    "AccessToken": "minutes",
    "IdToken": "minutes",
    "RefreshToken": "days"
  }'
Sign Up User
import boto3
import hmac
import hashlib
import base64

cognito = boto3.client('cognito-idp')

def get_secret_hash(username, client_id, client_secret):
    message = username + client_id
    dig = hmac.new(
        client_secret.encode('utf-8'),
        message.encode('utf-8'),
        digestmod=hashlib.sha256
    ).digest()
    return base64.b64encode(dig).decode()

response = cognito.sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    Password='SecurePassword123!',
    UserAttributes=[
        {'Name': 'email', 'Value': 'user@example.com'},
        {'Name': 'name', 'Value': 'John Doe'}
    ]
)
Confirm Sign Up
cognito.confirm_sign_up(
    ClientId='client-id',
    SecretHash=get_secret_hash('user@example.com', 'client-id', 'client-secret'),
    Username='user@example.com',
    ConfirmationCode='123456'
)
Authenticate User
response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='USER_SRP_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret'),
        'SRP_A': srp_a  # From SRP library
    }
)

# For simple password auth (not recommended for production)
response = cognito.admin_initiate_auth(
    UserPoolId='us-east-1_abc123',
    ClientId='client-id',
    AuthFlow='ADMIN_USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': 'user@example.com',
        'PASSWORD': 'password',
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret')
    }
)

tokens = response['AuthenticationResult']
id_token = tokens['IdToken']
access_token = tokens['AccessToken']
refresh_token = tokens['RefreshToken']
Refresh Tokens
response = cognito.initiate_auth(
    ClientId='client-id',
    AuthFlow='REFRESH_TOKEN_AUTH',
    AuthParameters={
        'REFRESH_TOKEN': refresh_token,
        'SECRET_HASH': get_secret_hash('user@example.com', 'client-id', 'client-secret')
    }
)
Create Identity Pool
aws cognito-identity create-identity-pool \
  --identity-pool-name my-app-identities \
  --allow-unauthenticated-identities \
  --cognito-identity-providers \
    ProviderName=cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123,\
ClientId=client-id,\
ServerSideTokenCheck=true
Get AWS Credentials
import boto3

cognito_identity = boto3.client('cognito-identity')

# Get identity ID
response = cognito_identity.get_id(
    IdentityPoolId='us-east-1:12345678-1234-1234-1234-123456789012',
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
    }
)
identity_id = response['IdentityId']

# Get credentials
response = cognito_identity.get_credentials_for_identity(
    IdentityId=identity_id,
    Logins={
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
    }
)

credentials = response['Credentials']
# Use credentials['AccessKeyId'], credentials['SecretKey'], credentials['SessionToken']
CLI Reference
User Pool

| Command | Description | |---------|-------------| | aws cognito-idp create-user-pool | Create user pool | | aws cognito-idp describe-user-pool | Get pool details | | aws cognito-idp update-user-pool | Update pool settings | | aws cognito-idp delete-user-pool | Delete pool | | aws cognito-idp list-user-pools | List pools |

Users

| Command | Description | |---------|-------------| | aws cognito-idp admin-create-user | Create user (admin) | | aws cognito-idp admin-delete-user | Delete user | | aws cognito-idp admin-get-user | Get user details | | aws cognito-idp list-users | List users | | aws cognito-idp admin-set-user-password | Set password | | aws cognito-idp admin-disable-user | Disable user |

Authentication

| Command | Description | |---------|-------------| | aws cognito-idp initiate-auth | Start authentication | | aws cognito-idp respond-to-auth-challenge | Respond to MFA | | aws cognito-idp admin-initiate-auth | Admin authentication |

Best Practices
Security
  • Enable MFA for all users (at least optional)
  • Use strong password policies
  • Enable advanced security features (adaptive auth)
  • Verify email/phone before allowing sign-in
  • Use short token lifetimes for sensitive apps
  • Never expose client secrets in frontend code
User Experience
  • Use hosted UI for quick implementation
  • Customize UI with CSS
  • Implement proper error handling
  • Provide clear password requirements
Architecture
  • Use identity pools for AWS resource access
  • Use access tokens for API Gateway
  • Store refresh tokens securely
  • Implement token refresh before expiry
Troubleshooting
User Cannot Sign In

Causes:

  • User not confirmed
  • Password incorrect
  • User disabled
  • Account locked (too many attempts)

Debug:

aws cognito-idp admin-get-user \
  --user-pool-id us-east-1_abc123 \
  --username user@example.com
Token Validation Failed

Causes:

  • Token expired
  • Wrong user pool/client ID
  • Token signature invalid

Validate JWT:

import jwt
import requests

# Get JWKS
jwks_url = f'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123/.well-known/jwks.json'
jwks = requests.get(jwks_url).json()

# Decode and verify (use python-jose or similar)
from jose import jwt

claims = jwt.decode(
    token,
    jwks,
    algorithms=['RS256'],
    audience='client-id',
    issuer='https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123'
)
Hosted UI Not Working

Check:

  • Callback URLs configured correctly
  • Domain configured for user pool
  • OAuth settings enabled
# Check domain
aws cognito-idp describe-user-pool \
  --user-pool-id us-east-1_abc123 \
  --query 'UserPool.Domain'
Rate Limiting

Symptom: TooManyRequestsException

Solutions:

  • Implement exponential backoff
  • Request quota increase
  • Cache tokens appropriately
References
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。