[ad_1]
Replace: An earlier model of this submit was printed on September 14, 2017, on the Entrance-Finish Net and Cell Weblog.
Amazon Cognito consumer swimming pools provide a completely managed OpenID Join (OIDC) id supplier so you may shortly add authentication and management entry to your cellular app or internet software. Consumer swimming pools scale to thousands and thousands of customers and add layers of extra options for safety, id federation, app integration, and customization of the consumer expertise. Amazon Cognito is on the market in areas across the globe, processing over 100 billion authentications every month. You may benefit from safety features when utilizing consumer swimming pools in Cognito, resembling e mail and telephone quantity verification, multi-factor authentication, and superior safety features, resembling compromised credentials detection, and adaptive authentications.
Many purchasers ask about one of the simplest ways emigrate their current customers to Amazon Cognito consumer swimming pools. On this weblog submit, we describe a number of totally different beneficial approaches and supply step-by-step directions on the right way to implement them.
Key concerns
The principle consideration when migrating customers throughout id suppliers is sustaining a constant end-user expertise. Ideally, customers can proceed to make use of their current passwords in order that their expertise is seamless. Nonetheless, safety finest practices dictate that passwords ought to by no means be saved immediately as cleartext in a consumer retailer. As a substitute, passwords are used to compute cryptographic hashes and verifiers that may later be used to confirm submitted passwords. Because of this you can not securely export passwords in cleartext kind from an current consumer retailer and import them right into a Cognito consumer pool. You may ask your customers to decide on a brand new password throughout the migration. Or, if you wish to retain the present passwords, it is advisable retain entry to the present hashes and verifiers, at the very least throughout the migration interval.
A secondary consideration is the migration timeline. For instance, do you want a quicker migration timeline as a result of your present id retailer’s license is expiring? Or do you favor a gradual and regular migration since you are modernizing your present software, and it takes time to attach your current techniques to the brand new id supplier?
The next two strategies outline our beneficial approaches for migrating current customers right into a consumer pool:
Bulk consumer import – Export your current customers right into a comma-separated (.csv) file, after which add this .csv file to import customers right into a consumer pool. Your required consumer attributes (besides passwords) could be included and mapped to attributes within the goal consumer pool. This method requires customers to reset their passwords once they sign up with Cognito. You may select emigrate your current consumer retailer solely in a single import job or break up customers into a number of jobs for parallel or incremental processing.
Simply-in-time consumer migration – Migrate customers simply in time right into a Cognito consumer pool as they sign up to your cellular or internet app. This method permits customers to retain their present passwords, as a result of the migration course of captures and verifies the password throughout the sign-in course of, seamlessly migrating them to the Cognito consumer pool.
Within the following sections, we describe the majority consumer import and just-in-time consumer migration strategies in additional element after which stroll by the steps of every method.
Bulk consumer import
You carry out bulk import of customers into an Amazon Cognito consumer pool by importing a .csv file that incorporates consumer profile knowledge, together with usernames, e mail addresses, telephone numbers, and different attributes. You may obtain a template .csv file to your consumer pool from Cognito, with a consumer schema structured within the template header.
Following is an instance of performing bulk consumer import.
To create an import job
Open the Cognito consumer pool console and choose the goal consumer pool for migration.
On the Customers tab, navigate to the Import customers part, and select Create import job.
Determine 1: Create import job
Within the Create import job dialog field, obtain the template.csv file for consumer import.
Export your current consumer knowledge out of your current consumer listing or retailer your knowledge into the .csv file
Match the consumer attribute varieties with column headings within the template. Every consumer will need to have an e mail handle or a telephone quantity that’s marked as verified within the .csv file, in an effort to obtain the password reset affirmation code.
Determine 2: Configure import job
Return to the Create import job dialog field (as proven in Determine 2) and do the next:
Enter a Job title.
Select to Create a brand new IAM function or Use an current IAM function. This function grants Amazon Cognito permission to write down to Amazon CloudWatch Logs in your account, in order that Cognito can present logs for profitable imports and errors for skipped or failed transactions.
Add the .csv file that you’ve got ready, and select Create and begin job.
Relying on the scale of the .csv file, the job can run for minutes or hours, and you may comply with the standing from that very same web page within the Amazon Cognito console.
Determine 3: Verify import job standing
Cognito runs by the import job and imports customers with a RESET_REQUIRED state. When customers try and sign up, Cognito will return PasswordResetRequiredException from the sign-in API, and the app ought to direct the consumer into the ForgotPassword move.
Determine 4: View imported consumer
The majority import method can be used repeatedly to incrementally import customers. You may arrange an Extract-Remodel-Load (ETL) batch job course of to extract incremental modifications to your current consumer directories, resembling the brand new sign-ups on the present techniques earlier than you turn over to a Cognito consumer pool. Your batch job will rework the modifications right into a .csv file to map consumer attribute schemas, and cargo the .csv file as a Cognito import job by the CreateUserImportJob CLI or SDK operation. Then begin the import job by the StartUserImportJob CLI or SDK operation. For extra data, see Importing customers into consumer swimming pools within the Amazon Cognito Developer Information.
Simply-in-time consumer migration
The just-in-time (JIT) consumer migration technique entails first making an attempt to signal within the consumer by the Amazon Cognito consumer pool. Then, if the consumer doesn’t exist within the Cognito consumer pool, Cognito calls your Migrate Consumer Lambda set off and sends the username and password to the Lambda set off to signal the consumer in by the present consumer retailer. If profitable, the Migrate Consumer Lambda set off can even fetch consumer attributes and return them to Cognito. Then Cognito silently creates the consumer within the consumer pool with consumer attributes, in addition to salts and password verifiers from the user-provided password. With the Migrate Consumer Lambda set off, your shopper app can begin to use the Cognito consumer pool to sign up customers who’ve already been migrated, and proceed migrating customers who’re signing in for the primary time in direction of the consumer pool. This just-in-time migration method helps to create a seamless authentication expertise to your customers.
Cognito, by default, makes use of the USER_SRP_AUTH authentication move with the Safe Distant Password (SRP) protocol. This move doesn’t contain sending the password throughout the community, however fairly permits the shopper to trade a cryptographic proof with the Cognito service to show the shopper’s information of the password. For JIT consumer migration, Cognito must confirm the username and password in opposition to the present consumer retailer. Subsequently, it is advisable allow a special Cognito authentication move. You may select to make use of both the USER_PASSWORD_AUTH move for client-side authentication or the ADMIN_USER_PASSWORD_AUTH move for server-side authentication. This may enable the password to be despatched to Cognito over an encrypted TLS connection, and permit Cognito to go the data to the Lambda perform to carry out consumer authentication in opposition to the unique consumer retailer.
This JIT method won’t be suitable with current id suppliers which have multi-factor authentication (MFA) enabled, as a result of the Lambda perform can not help a number of rounds of challenges. If the present id supplier requires MFA, you may contemplate the choice JIT migration method mentioned later on this weblog submit.
Determine 5 illustrates the steps for the JIT sign-in move. The cellular or internet app first tries to signal within the consumer within the consumer pool. If the consumer isn’t already within the consumer pool, Cognito handles consumer authentication and invokes the Migrate Consumer Lambda set off emigrate the consumer. This move retains the logic within the app easy and permits the app to make use of the Amazon Cognito SDK to sign up customers in the usual manner. The migration logic takes place within the Lambda perform within the backend.
Determine 5: JIT migration consumer authentication move
The move in Determine 5 begins within the cellular or internet app, which makes an attempt to signal within the consumer through the use of the AWS SDK. If the consumer doesn’t exist within the consumer pool, the migration try begins. Cognito calls the Migrate Consumer Lambda set off with triggerSource set to UserMigration_Authentication, and passes the consumer’s username and password within the request in an effort to try and migrate the consumer.
This method additionally works within the forgot password move proven in Determine 6, the place the consumer has forgotten their password and hasn’t been migrated but. On this case, as soon as the consumer makes a “Forgot Password” request, your cellular or internet app will ship a forgot password request to Cognito. Cognito invokes your Migrate Consumer Lambda set off with triggerSource set to UserMigration_ForgotPassword, and passes the username within the request in an effort to try consumer lookup, migrate the consumer profile, and facilitate the password reset course of.
Determine 6: JIT migration forgot password move
Simply-in-time consumer migration pattern code
On this part, we present pattern supply codes for a Migrate Consumer Lambda set off general construction. We’ll fill within the commented sections with extra code, proven later within the part. Whenever you arrange your personal Lambda perform, configure a Lambda execution function to grant permissions for CloudWatch logs.
if (occasion.triggerSource == “UserMigration_Authentication”) {
}
else if (occasion.triggerSource == “UserMigration_ForgotPassword”) {
}
return occasion;
};
export { handler };
Within the migration move, the Lambda set off will signal within the consumer and confirm the consumer’s password within the current consumer retailer. Which will contain a sign-in try in opposition to your current consumer retailer or a examine of the password in opposition to a saved hash. You want to customise this step primarily based in your current setup. You can even create a perform to fetch consumer attributes that you just wish to migrate. In case your current consumer retailer conforms to the OIDC specification, you may parse the ID Token claims to retrieve the consumer’s attributes. The next instance reveals the right way to set the username and attributes for the migrated consumer.
if (occasion.triggerSource == “UserMigration_Authentication”) {
const consumer = await authenticateUser(occasion.userName, occasion.request.password);
if (consumer) {
occasion.response.userAttributes = {
username: occasion.userName,
e mail: consumer.emailAddress,
email_verified: “true”,
};
occasion.response.finalUserStatus = “CONFIRMED”;
occasion.response.messageAction = “SUPPRESS”;
}
}
The consumer is now migrated from the present consumer retailer to the consumer pool, in addition to the consumer’s attributes. Customers can even be redirected to your software with the authorization code or JSON Net Tokens, relying on the OAuth 2.0 grant varieties you configured within the consumer pool.
Let’s take a look at the forgot password move. Your Lambda perform calls the present consumer retailer and migrates different attributes within the consumer’s profile first, after which Lambda units consumer attributes within the response to the Cognito consumer pool. Cognito initiates the ForgotPassword move and sends a affirmation code to the consumer to verify the password reset course of. The consumer must have a verified e mail handle or telephone quantity migrated from the present consumer retailer to obtain the forgot password affirmation code. The next pattern code demonstrates the right way to full the ForgotPassword move.
else if (occasion.triggerSource == “UserMigration_ForgotPassword”) {
const lookupResult = await lookupUser(occasion.userName);
if (lookupResult) {
occasion.response.userAttributes = {
username: occasion.userName,
e mail: lookupResult.emailAddress,
email_verified: “true”,
};
occasion.response.finalUserStatus = “RESET_REQUIRED”;
occasion.response.messageAction = “SUPPRESS”;
}
}
Simply-in-time consumer migration – different method
Utilizing the Migrate Consumer Lambda set off, we confirmed the JIT migration method the place the app switches to make use of the Cognito consumer pool originally of the migration interval, to interface with the consumer for signing in and migrating them from the present consumer retailer. An alternate JIT method is to take care of the present techniques and consumer retailer, however to silently create every consumer within the Cognito consumer pool in a backend course of as customers sign up, then swap over to make use of Cognito after sufficient customers have been migrated.
Determine 7: JIT migration different method with backend course of
Determine 7 reveals this different method in depth. When an finish consumer indicators in efficiently in your cellular or internet app, the backend migration course of is initiated. This backend course of first calls the Cognito admin API operation, AdminCreateUser, to create customers and map consumer attributes within the vacation spot consumer pool. The consumer will likely be created with a short lived password and be positioned in FORCE_CHANGE_PASSWORD standing. For those who seize the consumer password throughout the sign-in course of, you may as well migrate the password by setting it completely for the newly created consumer within the Cognito consumer pool utilizing the AdminSetUserPassword API operation. This operation can even set the consumer standing to CONFIRMED to permit the consumer to sign up to Cognito utilizing the present password.
Following is a code instance for the AdminCreateUser perform utilizing the AWS SDK for JavaScript.
MessageAction: “SUPPRESS”,
UserAttributes: [{
Name: “name”,
Value: “Nikki Wolf”
},
{
Name: “email”,
Value: “nikki_wolf@example.com”
},
{
Name: “email_verified”,
Value: “True”
}
],
UserPoolId: “us-east-1_EXAMPLE”,
Username: “nikki_wolf”
};
const cognito = new CognitoIdentityProviderClient();
const createUserCommand = new AdminCreateUserCommand(params);
await cognito.ship (createUserCommand);
The next is a code instance for the AdminSetUserPassword perform.
UserPoolId: ‘us-east-1_EXAMPLE’ ,
Username: ‘nikki_wolf’ ,
Password: ‘ExamplePassword1$’ ,
Everlasting: true
};
const cognito = new CognitoIdentityProviderClient();
const setUserPasswordCommand = new AdminSetUserPasswordCommand(params);
await cognito.ship(setUserPasswordCommand);
This different method doesn’t require the app to replace its authentication codebase till a majority of customers are migrated, however it is advisable propagate consumer attribute modifications and new consumer signups from the present techniques to Cognito. In case you are capturing and migrating passwords, you also needs to construct the same logic to seize password modifications in current techniques and set the brand new password within the consumer pool to maintain it synchronized till you carry out a full switchover from the present id retailer to the Cognito consumer pool.
Abstract and finest practices
On this submit, we described our two beneficial approaches for migrating customers into an Amazon Cognito consumer pool. You may resolve which method is finest suited to your use case. The majority technique is easier to implement, however it doesn’t protect consumer passwords just like the just-in-time migration does. The just-in-time migration is clear to customers and mitigates the potential attrition of customers that may happen when customers must reset their passwords.
You could possibly additionally contemplate a hybrid method, the place you first apply JIT migration as customers are actively signing in to your app, and carry out bulk import for the remaining less-active customers. This hybrid method helps present a great expertise to your energetic consumer communities, whereas with the ability to decommission current consumer shops in a manageable timeline since you don’t want to attend for each consumer to sign up and be migrated by JIT migration.
We hope you need to use these explanations and code samples to arrange essentially the most appropriate method to your migration undertaking.
In case you have suggestions about this submit, submit feedback within the Feedback part beneath. In case you have questions on this submit, contact AWS Assist.
Need extra AWS Safety information? Comply with us on Twitter.
Edward Solar
Edward is a Safety Specialist Options Architect centered on id and entry administration. He loves serving to prospects all through their cloud transformation journey with structure design, safety finest practices, migration, and price optimizations. Exterior of labor, Edward enjoys mountain climbing, {golfing}, and cheering for his alma mater, the Georgia Bulldogs.
[ad_2]
Source link
