This package lets you work with AWS Cognito from Python. For now it covers user management, authentication, and the creation of groups by role.
Its strength is how easily all of this functionality is managed: you only need to create one object with 3 parameters.
pip install cognitopy
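The Cognito admin functions require the AWS access key and secret access key credentials to be defined as system environment variables. The snippet below sets them from Python with placeholder values; in a real deployment they belong in the process environment, not in source code.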
import os
os.environ["AWS_ACCESS_KEY_ID"] = 'XXXXXXXXXXXXXXXXXXXXXXXX'
os.environ["AWS_SECRET_ACCESS_KEY"] = 'XXXXXXXXXXXXXXXXXXXXXXXX'
To define the cognitopy object it is necessary to give it the userpool_id, the client_id and the client_secret information.
The secret_hash parameter defaults to False; set it to True when requests must include the secret hash.
from cognitopy import CognitoPy
COGNITO_USERPOOL_ID = 'XXX-XXX-XXXXXX'
COGNITO_APP_CLIENT_ID = 'XXXXXXXXXXXXXXXXXXXXXXXX'
COGNITO_APP_CLIENTE_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
cognitopy = CognitoPy(
    userpool_id=COGNITO_USERPOOL_ID, client_id=COGNITO_APP_CLIENT_ID, client_secret=COGNITO_APP_CLIENTE_SECRET,
    secret_hash=True
)
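What a secret hash contains, as an added example that is not cognitopy's own code: Cognito documents SECRET_HASH as Base64(HMAC-SHA256(client secret, username + client ID)), and the helpers below place it where the Cognito SignUp and InitiateAuth requests expect it. The client ID, client secret, usernames and passwords are constructed placeholders, and USER_PASSWORD_AUTH is chosen here as one password flow, not necessarily the one the package uses.

```python
import base64
import hashlib
import hmac

# Constructed placeholder values, not real credentials.
SAMPLE_CLIENT_ID = "exampleclientid1234567890"
SAMPLE_CLIENT_SECRET = "example-client-secret-not-real"


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Return Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    )
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_up_params(username, password, client_id, client_secret):
    """Keyword arguments for the Cognito SignUp call: the hash is top-level."""
    return {
        "ClientId": client_id,
        "SecretHash": cognito_secret_hash(username, client_id, client_secret),
        "Username": username,
        "Password": password,
    }


def password_auth_params(username, password, client_id, client_secret):
    """Keyword arguments for InitiateAuth: the hash travels in AuthParameters."""
    return {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
        "AuthParameters": {
            "USERNAME": username,
            "PASSWORD": password,
            "SECRET_HASH": cognito_secret_hash(username, client_id, client_secret),
        },
    }


if __name__ == "__main__":
    # The hash is bound to one username and one app client.
    print(sign_up_params("user@example.com", "Constructed-Pw-1", SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET))
```

The client secret never appears in the request; only the keyed hash does, so the secret has to stay on the server side that builds these calls.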
Now I will explain the different functions available in this version, each with an example.
All these examples are in the example directory.
It will allow us to use the cognitopy object in a context manager, so that we do not have to worry about closing the connection.
with CognitoPy(userpool_id=COGNITO_USERPOOL_ID, client_id=COGNITO_APP_CLIENT_ID,
               client_secret=COGNITO_APP_CLIENTE_SECRET) as cognito:
    cognito.register(username="XXXXX@mail.to", password="XXXXXXX8", user_attributes={})
It will register a user in our Cognito service and send us a confirmation message.
id_user = cognito.register(username='XXXXX@mail.to', password='XXXXXXX8', user_attributes={})
print(id_user)
It confirms the user using the code received by mail.
cognito.confirm_register(username='XXXXX@mail.to', confirmation_code='820850')
It allows us to receive a confirmation code again after we have requested a password change or a registration.
cognito.resend_confirmation_code(username='XXXXX@mail.to')
It will return the access token and refresh token of a confirmed user.
tokens = cognito.login(username='XXXXX@mail.to', password='XXXXXXX')
print(tokens['access_token'], tokens['refresh_token'])
It will renew the user's access token.
access_token = cognito.renew_access_token(access_token='XXXXXXXXX', refresh_token='XXXXXXXXX')
print(access_token)
Check if the access token has expired.
is_expired = cognito.check_expired_token(access_token='XXXXXXXXX')
print(is_expired)
It starts a password change by sending us a confirmation code.
cognito.initiate_forgot_password(username='XXXXX@mail.to')
Changes the password of a user using the confirmation code received.
cognito.confirm_forgot_password(username='XXXXX@mail.to', confirmation_code='YYYYY', password='XXXXXXX')
Deletes the user identified by their access token.
cognito.delete_user(access_token='XXXXXXXXX')
Changes the password using your access token.
cognito.change_password(access_token='XXXXXXXXX', previous_password='XXXXXXX', proposed_password="XXXXXXX")
We obtain basic user information from the user's access token.
data_user = cognito.get_info_user_by_token(access_token='XXXXXXXXX')
print(data_user['username'], data_user['groups'])
We remove a user from our service using the administrator credentials.
cognito.admin_delete_user(username='XXXXX@mail.to')
We create a group in our service using the administrator credentials.
precedence: A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values.
role_arn: The role Amazon Resource Name (ARN) for the group.
cognito.admin_create_group(group_name='test_group', description='test group', precedence=1)
We remove a group from our service using the administrator credentials.
cognito.admin_delete_group(group_name='test_group')
We add a user to a group in our service using the administrator credentials.
cognito.admin_add_user_to_group(username='XXXXX@mail.to', group_name='test_group')
We remove a user from a group in our service using the administrator credentials.
cognito.admin_remove_user_from_group(username='XXXXX@mail.to', group_name='test_group')
We confirm a user's registration using the administrator credentials.
cognito.admin_confirm_register(username="XXXXX@mail.to")
We create a user using the administrator credentials.
message_action = MessageAction.SUPPRESS | MessageAction.RESEND
Set to RESEND to resend the invitation message to a user that already exists and reset the expiration limit on the user’s account. Set to SUPPRESS to suppress sending the message.
desired_delivery = [DesiredDelivery.EMAIL | DesiredDelivery.SMS] or [DesiredDelivery.EMAIL, DesiredDelivery.SMS]
Specify EMAIL if email will be used to send the welcome message. Specify SMS if the phone number will be used.
temporary_password is optional.
cognito.admin_create_user(username="XXXXX@mail.to", force_alias=True, user_attributes={},
                          message_action=MessageAction.SUPPRESS, desired_delivery=[DesiredDelivery.EMAIL],
                          temporary_password="XXXXXXX")
We disable a user using the administrator credentials.
cognito.admin_disable_user(username="XXXXX@mail.to")
We enable a user using the administrator credentials.
cognito.admin_enable_user(username="XXXXX@mail.to")
We get information about a user using the administrator credentials.
data_user = cognito.admin_get_user(username="XXXXX@mail.to")
print(data_user)
We log in a user using the administrator credentials.
tokens = cognito.admin_login(username="XXXXX@mail.to", password="XXXXXXX")
print(tokens)
We renew a user's access token using the administrator credentials.
token = cognito.admin_renew_access_token(access_token="XXXXX", refresh_token="XXXXXXX")
print(token)
We list the groups for a user using the administrator credentials.
groups = cognito.admin_list_groups_for_user(username="XXXXX@mail.to", limit=10)
print(groups)
groups = cognito.admin_list_groups_for_user(username="XXXXX@mail.to", limit=10, next_token=groups["NextToken"])
print(groups)
We reset a user's password using the administrator credentials.
After calling this function it is necessary to call the initiate_forgot_password function, since the user's password will be disabled.
cognito.admin_reset_password(username="XXXXX@mail.to")
We resolve the SMS MFA challenge.
tokens = cognito.resolve_challenge_challenge_sms_mfa(username="XXXXX@mail.to", session="XXXXXX", sms_mfa_code="XXXXXX")
print(tokens)
We resolve the new-password-required challenge.
tokens = cognito.resolve_challenge_new_password(username="XXXXX@mail.to", session="XXXXXX", new_password="XXXXXX")
print(tokens)