Amazon AWS Cognito


User Pool

  • Select Create user pool to create a new user pool (as an alternative open an already available user pool and adapt the settings)

  • Under Application type select Traditional web application

  • Enter a Name for your application like flexAi or flexAIcloud

  • Enable Email and Username as Options for sign-in identifiers

  • Deactivate Enable self-registration

  • Under Required attributes for sign-up set the following attributes:

    • email

    • preferred_username

  • Select Create user directory

  • Select Go to overview

  • Go to Applications > App clients and open the flexAI web app

  • Go to Login pages and select Edit

  • Add the following URLs:

    • Allowed callback URLs: https://<FQDN or hostname>/, https://<FQDN or hostname>/oauth2/callback, https://<FQDN or hostname>/oauth2/signout

    • Default redirect URL: https://<FQDN or hostname>/

    • Allowed sign-out URLs: https://<FQDN or hostname>/oauth2/signout

  • Select as Identity providers the Cognito user pool

  • Select as OAuth 2.0 grant types the Authorization code grant

  • Select Email, OpenID and Profile as OpenID Connect scopes

Lambda Function

  • Open the Lambda Console https://console.aws.amazon.com/lambda/home

  • Select Create a function

  • Choose Author from scratch

  • Enter a Function name like cognito-custom-roles-oidc-flexai

  • Choose as Runtime Node.js

  • Select Create function

  • In the tab Code add the following code to index.mjs (the code is based on these references):

    • https://oneuptime.com/blog/post/2026-02-12-cognito-lambda-triggers-pre-token-generation/view

    • https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#aws-lambda-triggers-pre-token-generation-example-version-2-overview

    • https://stackoverflow.com/questions/68283215/custom-attributes-in-cognito-access-token

    • https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-custom-attributes-cognito.html

export const handler = async (event, context) => {
    // Pre token generation trigger, event version 2: the custom roles claim is
    // written into both the ID token and the access token.
    // Note: this minimal version grants all three roles to every user who signs
    // in; it does not look at the user's group membership.
    event.response = {
      "claimsAndScopeOverrideDetails": {
        "idTokenGeneration": {
          "claimsToAddOrOverride": {
            "https://flexai.de/roles": [
              "flexai-manager",
              "flexai-editor",
              "flexai-user"
            ],
          },
        },
        "accessTokenGeneration": {
          "claimsToAddOrOverride": {
            "https://flexai.de/roles": [
              "flexai-manager",
              "flexai-editor",
              "flexai-user"
            ],
          },
        },
      }
    };
    // Return to Amazon Cognito
    return event;
};

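The handler above puts all three roles into every token regardless of which groups a user was added to. The following is an added example, not the page's or the project's own Lambda code: it fills the same claim from the user's Cognito group membership, which the version 2 pre token generation event exposes as event.request.groupConfiguration.groupsToOverride, and drops any group name that is not one of the three flexai groups. The sample event and the email address in it are constructed.

```javascript
// Added example (not the page's own Lambda code): derive the custom roles claim
// from the user's Cognito group membership instead of hard-coding all roles.
// Assumes the pre token generation V2 event, where
// event.request.groupConfiguration.groupsToOverride lists the user's groups.

const ROLES_CLAIM = "https://flexai.de/roles";
// Only these groups are mapped into the token; any other group name is ignored.
const KNOWN_ROLES = ["flexai-manager", "flexai-editor", "flexai-user"];

// Returns the subset of KNOWN_ROLES the user belongs to, in a stable order,
// so the claim never contains a role that was not granted via a group.
function rolesFromGroups(groups) {
  const membership = new Set(Array.isArray(groups) ? groups : []);
  return KNOWN_ROLES.filter((role) => membership.has(role));
}

// Builds the V2 response object. A user without any flexai group gets an
// empty roles array rather than no claim, so the relying party can tell
// "no roles" apart from "claim missing".
function buildResponse(event) {
  const groups = event?.request?.groupConfiguration?.groupsToOverride ?? [];
  const roles = rolesFromGroups(groups);
  return {
    claimsAndScopeOverrideDetails: {
      idTokenGeneration: {
        claimsToAddOrOverride: { [ROLES_CLAIM]: roles },
      },
      accessTokenGeneration: {
        claimsToAddOrOverride: { [ROLES_CLAIM]: roles },
      },
    },
  };
}

// Lambda entry point. In index.mjs this is exported as
//   export const handler = async (event) => { ... }
async function handler(event) {
  event.response = buildResponse(event);
  return event;
}

// Constructed sample event, trimmed to the fields this example uses.
const sampleEvent = {
  version: "2",
  triggerSource: "TokenGeneration_HostedAuth",
  request: {
    userAttributes: { email: "user@example.invalid" },
    groupConfiguration: {
      groupsToOverride: ["flexai-editor", "unrelated-group"],
    },
  },
  response: {},
};

// CommonJS export for local testing; a no-op when loaded as an ES module.
if (typeof module !== "undefined") {
  module.exports = { handler, buildResponse, rolesFromGroups, sampleEvent };
}
```

Running the handler on the sample event yields a roles claim of ["flexai-editor"] in both tokens; the unrelated group is not forwarded, and a user in none of the three groups gets an empty array.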
  • Open the AWS Cognito Console https://console.aws.amazon.com/cognito/home

  • Open the created user pool

  • Go to Authentication > Extensions

  • Select Add Lambda trigger

  • As Trigger type select Authentication, as Authentication select Pre token generation trigger and as Trigger event version select Basic features + access token customization for user identities (version 2)

  • In Lambda function > Assign Lambda function select the created Lambda function cognito-custom-roles-oidc-flexai from the drop-down list

  • Select Add Lambda trigger

Users and Groups

  • Go to the created user pool > User management > Groups and select Create group to create the following groups:

    • flexai-manager

    • flexai-editor

    • flexai-user

  • Go to the created user pool > User management > Users and select Create user

  • Create a user with Email enabled under Alias attributes used to sign in

  • Open the created user and select Edit in User attributes

  • Add a unique value for preferred_username like the email address. If an existing user pool is used, add the optional attribute preferred_username and add a unique value.

  • Open the created user and select Add user to group in Group membership and add at least one of the created flexai groups to the user

URLs and IDs

  • Go to the created user pool > Applications > App clients and open the flexAI app

  • Copy the Client ID and Client Secret from the App client information for later use

  • Go to the created user pool > Overview and open the Token signing key URL and change /.well-known/jwks.json to /.well-known/openid-configuration

  • Copy the following URLs for later use:

    • token_endpoint, looks like https://<AWS_REGION_CODE><COGNITO-USER-POOL-ID_LOWERCASE>.auth.<AWS_REGION_CODE>.amazoncognito.com/oauth2/token

    • authorization_endpoint, looks like https://<AWS_REGION_CODE><COGNITO-USER-POOL-ID_LOWERCASE>.auth.<AWS_REGION_CODE>.amazoncognito.com/oauth2/authorize

    • jwks_uri, looks like https://cognito-idp.<AWS_REGION_CODE>.amazonaws.com/<AWS_REGION_CODE>_<COGNITO-USER-POOL-ID>/.well-known/jwks.json

    • issuer, looks like https://cognito-idp.<AWS_REGION_CODE>.amazonaws.com/<AWS_REGION_CODE>_<COGNITO-USER-POOL-ID>
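The issuer and jwks_uri copied above are what the relying party checks tokens against. The following is an added example, not the page's or the project's own code: it builds the issuer and discovery URLs from the region and user pool ID using the patterns listed above, and validates the claim set of a token whose signature has already been verified with the keys from jwks_uri (signature verification is assumed to be done by a JWT library and is not part of this snippet). Region, pool ID, client ID and the sample claim sets are constructed placeholders.

```javascript
// Added example (not from the page): expected Cognito URLs from region and
// user pool ID, plus claim checks for an already signature-verified token.

const ROLES_CLAIM = "https://flexai.de/roles";

// URL patterns as listed on the page. poolId is the full user pool ID, which
// already starts with the region code, e.g. "<AWS_REGION_CODE>_<COGNITO-USER-POOL-ID>".
function cognitoEndpoints(region, poolId) {
  const issuer = `https://cognito-idp.${region}.amazonaws.com/${poolId}`;
  return {
    issuer,
    jwks_uri: `${issuer}/.well-known/jwks.json`,
    openid_configuration: `${issuer}/.well-known/openid-configuration`,
  };
}

// Checks issuer, token type, audience and expiry of a decoded claim set and
// extracts the custom roles claim. Returns { ok, reasons, roles }.
// tokenUse is "id" for the ID token or "access" for the access token.
function checkClaims(claims, { region, poolId, clientId, tokenUse, now }) {
  const reasons = [];
  const { issuer } = cognitoEndpoints(region, poolId);
  if (claims.iss !== issuer) reasons.push("issuer mismatch");
  if (claims.token_use !== tokenUse) reasons.push("unexpected token_use");
  // ID tokens carry the app client ID in `aud`; Cognito access tokens use `client_id`.
  const audience = tokenUse === "id" ? claims.aud : claims.client_id;
  if (audience !== clientId) reasons.push("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) reasons.push("expired");
  const roles = Array.isArray(claims[ROLES_CLAIM]) ? claims[ROLES_CLAIM] : [];
  return { ok: reasons.length === 0, reasons, roles };
}

// Constructed placeholder values; replace with the ones copied from the console.
const EXPECTED = {
  region: "eu-central-1",
  poolId: "eu-central-1_EXAMPLEPOOL",
  clientId: "exampleclientid0000000000",
  now: 1_700_000_000,
};

// Constructed ID token claim set as produced by the trigger above.
const sampleIdClaims = {
  iss: "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLEPOOL",
  aud: "exampleclientid0000000000",
  token_use: "id",
  exp: 1_700_003_600,
  email: "user@example.invalid",
  preferred_username: "user@example.invalid",
  [ROLES_CLAIM]: ["flexai-editor"],
};

// Constructed claim set from a different user pool: same audience, wrong issuer.
const foreignClaims = {
  ...sampleIdClaims,
  iss: "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_OTHERPOOL",
};

if (typeof module !== "undefined") {
  module.exports = { cognitoEndpoints, checkClaims, EXPECTED, sampleIdClaims, foreignClaims };
}
```

For the access token call checkClaims with tokenUse "access"; the issuer and roles checks are the same, only the audience field differs. A token from another pool, or one that has expired, is rejected with the reason listed, and a token without the roles claim yields an empty roles array.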