From itsmostafa-aws-agent-skills
Configures AWS Cognito user pools, identity pools, OAuth flows, and user attributes for authentication and authorization. Includes CLI and Python examples.
How this skill is triggered — by the user, by Claude, or both
Slash command
/itsmostafa-aws-agent-skills:cognitoThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.
Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. Users can sign in directly or through federated identity providers.
User directory for sign-up and sign-in. Provides:
Provide temporary AWS credentials to access AWS services. Users can be:
| Token | Purpose | Lifetime |
|---|---|---|
| ID Token | User identity claims | 1 hour |
| Access Token | API authorization | 1 hour |
| Refresh Token | Get new ID/Access tokens | 30 days (configurable) |
AWS CLI:
aws cognito-idp create-user-pool \
--pool-name my-app-users \
--policies '{
"PasswordPolicy": {
"MinimumLength": 12,
"RequireUppercase": true,
"RequireLowercase": true,
"RequireNumbers": true,
"RequireSymbols": true
}
}' \
--auto-verified-attributes email \
--username-attributes email \
--mfa-configuration OPTIONAL \
--user-attribute-update-settings '{
"AttributesRequireVerificationBeforeUpdate": ["email"]
}'
aws cognito-idp create-user-pool-client \
--user-pool-id us-east-1_abc123 \
--client-name my-web-app \
--generate-secret \
--explicit-auth-flows ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
--supported-identity-providers COGNITO \
--callback-urls https://myapp.com/callback \
--logout-urls https://myapp.com/logout \
--allowed-o-auth-flows code \
--allowed-o-auth-scopes openid email profile \
--allowed-o-auth-flows-user-pool-client \
--access-token-validity 60 \
--id-token-validity 60 \
--refresh-token-validity 30 \
--token-validity-units '{
"AccessToken": "minutes",
"IdToken": "minutes",
"RefreshToken": "days"
}'
import boto3
import hmac
import hashlib
import base64
cognito = boto3.client('cognito-idp')
def get_secret_hash(username, client_id, client_secret):
message = username + client_id
dig = hmac.new(
client_secret.encode('utf-8'),
message.encode('utf-8'),
digestmod=hashlib.sha256
).digest()
return base64.b64encode(dig).decode()
response = cognito.sign_up(
ClientId='client-id',
SecretHash=get_secret_hash('[email protected]', 'client-id', 'client-secret'),
Username='[email protected]',
Password='SecurePassword123!',
UserAttributes=[
{'Name': 'email', 'Value': '[email protected]'},
{'Name': 'name', 'Value': 'John Doe'}
]
)
cognito.confirm_sign_up(
ClientId='client-id',
SecretHash=get_secret_hash('[email protected]', 'client-id', 'client-secret'),
Username='[email protected]',
ConfirmationCode='123456'
)
response = cognito.initiate_auth(
ClientId='client-id',
AuthFlow='USER_SRP_AUTH',
AuthParameters={
'USERNAME': '[email protected]',
'SECRET_HASH': get_secret_hash('[email protected]', 'client-id', 'client-secret'),
'SRP_A': srp_a # From SRP library
}
)
# For simple password auth (not recommended for production)
response = cognito.admin_initiate_auth(
UserPoolId='us-east-1_abc123',
ClientId='client-id',
AuthFlow='ADMIN_USER_PASSWORD_AUTH',
AuthParameters={
'USERNAME': '[email protected]',
'PASSWORD': 'password',
'SECRET_HASH': get_secret_hash('[email protected]', 'client-id', 'client-secret')
}
)
tokens = response['AuthenticationResult']
id_token = tokens['IdToken']
access_token = tokens['AccessToken']
refresh_token = tokens['RefreshToken']
response = cognito.initiate_auth(
ClientId='client-id',
AuthFlow='REFRESH_TOKEN_AUTH',
AuthParameters={
'REFRESH_TOKEN': refresh_token,
'SECRET_HASH': get_secret_hash('[email protected]', 'client-id', 'client-secret')
}
)
aws cognito-identity create-identity-pool \
--identity-pool-name my-app-identities \
--allow-unauthenticated-identities \
--cognito-identity-providers \
ProviderName=cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123,\
ClientId=client-id,\
ServerSideTokenCheck=true
import boto3
cognito_identity = boto3.client('cognito-identity')
# Get identity ID
response = cognito_identity.get_id(
IdentityPoolId='us-east-1:12345678-1234-1234-1234-123456789012',
Logins={
'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
}
)
identity_id = response['IdentityId']
# Get credentials
response = cognito_identity.get_credentials_for_identity(
IdentityId=identity_id,
Logins={
'cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123': id_token
}
)
credentials = response['Credentials']
# Use credentials['AccessKeyId'], credentials['SecretKey'], credentials['SessionToken']
| Command | Description |
|---|---|
aws cognito-idp create-user-pool | Create user pool |
aws cognito-idp describe-user-pool | Get pool details |
aws cognito-idp update-user-pool | Update pool settings |
aws cognito-idp delete-user-pool | Delete pool |
aws cognito-idp list-user-pools | List pools |
| Command | Description |
|---|---|
aws cognito-idp admin-create-user | Create user (admin) |
aws cognito-idp admin-delete-user | Delete user |
aws cognito-idp admin-get-user | Get user details |
aws cognito-idp list-users | List users |
aws cognito-idp admin-set-user-password | Set password |
aws cognito-idp admin-disable-user | Disable user |
| Command | Description |
|---|---|
aws cognito-idp initiate-auth | Start authentication |
aws cognito-idp respond-to-auth-challenge | Respond to MFA |
aws cognito-idp admin-initiate-auth | Admin authentication |
Causes:
Debug:
aws cognito-idp admin-get-user \
--user-pool-id us-east-1_abc123 \
--username [email protected]
Causes:
Validate JWT:
import jwt
import requests
# Get JWKS
jwks_url = f'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123/.well-known/jwks.json'
jwks = requests.get(jwks_url).json()
# Decode and verify (use python-jose or similar)
from jose import jwt
claims = jwt.decode(
token,
jwks,
algorithms=['RS256'],
audience='client-id',
issuer='https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123'
)
Check:
# Check domain
aws cognito-idp describe-user-pool \
--user-pool-id us-east-1_abc123 \
--query 'UserPool.Domain'
Symptom: TooManyRequestsException
Solutions:
npx claudepluginhub itsmostafa/aws-agent-skillsGets short-term auto-rotating AWS credentials for CLI/SDK access via `aws login`. Activates when AWS operations fail due to missing/expired credentials or on authentication requests.
Manage Auth0 tenant resources via CLI: create apps and APIs, manage users, roles, organizations, actions, log streams, custom domains, Universal Login, and call Management API directly.
Inspects, enables, disables, and configures CloudBase auth providers, login methods, publishable keys, and SMS/email sender setup before implementing client or backend auth flows.