Makes working with AWS Cognito easier for Python developers.
- Install
- Environment Variables
- COGNITO_JWKS (optional)
- Cognito Utility Class
warrant.Cognito
- Cognito SRP Utility
warrant.aws_srp.AWSSRP
- Django Utilities
- Auth Backend
warrant.django.backend.CognitoBackend
- Profile Views
- API Gateway Integration
- API Key Middleware
warrant.django.middleware.APIKeyMiddleware
- API Key Middleware
- Auth Backend
pip install warrant
Optional: This environment variable is a dictionary that represent the well known JWKs assigned to your user pool by AWS Cognito. You can find the keys for your user pool by substituting in your AWS region and pool id for the following example.
https://cognito-idp.{aws-region}.amazonaws.com/{user-pool-id}/.well-known/jwks.json
Example Value (Not Real):
COGNITO_JWKS={"keys": [{"alg": "RS256","e": "AQAB","kid": "123456789ABCDEFGHIJKLMNOP","kty": "RSA","n": "123456789ABCDEFGHIJKLMNOP","use": "sig"},{"alg": "RS256","e": "AQAB","kid": "123456789ABCDEFGHIJKLMNOP","kty": "RSA","n": "123456789ABCDEFGHIJKLMNOP","use": "sig"}]}
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
username='optional-username',
id_token='optional-id-token',
refresh_token='optional-refresh-token',
access_token='optional-access-token',
access_key='optional-access-key',
secret_key='optional-secret-key')
- user_pool_id: Cognito User Pool ID
- client_id: Cognito User Pool Application client ID
- username: User Pool username
- id_token: ID Token returned by authentication
- refresh_token: Refresh Token returned by authentication
- access_token: Access Token returned by authentication
- access_key: AWS IAM access key
- secret_key: AWS IAM secret key
Used when you only need information about the user pool (ex. list users in the user pool)
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id')
Used when the user has not logged in yet. Start with these arguments when you plan to authenticate with either SRP (authenticate) or admin_authenticate (admin_initiate_auth).
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
username='bob')
Used after the user has already authenticated and you need to build a new Cognito instance (ex. for use in a view).
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
id_token='your-id-token',
refresh_token='your-refresh-token',
access_token='your-access-token')
Register a user to the user pool
Important: The keyword arguments used for this method depend on your user pool's configuration, and make sure the client id (app id) used has write permissions for the attriubtes you are trying to create. Example, if you want to create a user with a given_name equal to Johnson make sure the client_id you're using has permissions to edit or create given_name for a user in the pool.
from warrant import Cognito
u = Cognito('your-user-pool-id', 'your-client-id')
u.register('username', 'password', email='[email protected]', some_random_attr='random value') # **kwargs are the other attributes that should be set ex. email, given_name, family_name
- username: User Pool username
- password: User Pool password
- attr_map: Attribute map to Cognito's attributes
- kwargs: Additional User Pool attributes ex.
**{'email':'[email protected]'}
Authenticates a user
If this method call succeeds the instance will have the following attributes id_token, refresh_token, access_token, expires_in, expires_datetime, and token_type.
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
username='bob')
u.authenticate(password='bobs-password')
- password: - User's password
Authenticate the user using admin super privileges
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
username='bob')
u.admin_authenticate(password='bobs-password')
- password: User's password
Sends a verification code to the user to use to change their password.
u = Cognito('your-user-pool-id','your-client-id',
username='bob')
u.initiate_forgot_password()
No arguments
Allows a user to enter a code provided when they reset their password to update their password.
u = Cognito('your-user-pool-id','your-client-id',
username='bob')
u.confirm_forgot_password('your-confirmation-code','your-new-password')
- confirmation_code: The confirmation code sent by a user's request to retrieve a forgotten password
- password: New password
Changes the user's password
from warrant import Cognito
#If you don't use your tokens then you will need to
#use your username and password and call the authenticate method
u = Cognito('your-user-pool-id','your-client-id',
id_token='id-token',refresh_token='refresh-token',
access_token='access-token')
u.change_password('previous-password','proposed-password')
- previous_password: - User's previous password
- proposed_password: - The password that the user wants to change to.
Use the confirmation code that is sent via email or text to confirm the user's account
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id')
u.confirm_sign_up('users-conf-code',username='bob')
- confirmation_code: Confirmation code sent via text or email
- username: User's username
Update the user's profile
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
id_token='id-token',refresh_token='refresh-token',
access_token='access-token')
u.update_profile({'given_name':'Edward','family_name':'Smith',},attr_map=dict())
- attrs: Dictionary of attribute name, values
- attr_map: Dictionary map from Cognito attributes to attribute names we would like to show to our users
Send verification email or text for either the email or phone attributes.
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
id_token='id-token',refresh_token='refresh-token',
access_token='access-token')
u.send_verification(attribute='email')
- attribute: - The attribute (email or phone) that needs to be verified
Returns an instance of the specified user_class.
u = Cognito('your-user-pool-id','your-client-id',
id_token='id-token',refresh_token='refresh-token',
access_token='access-token')
u.get_user_obj(username='bjones',
attribute_list=[{'Name': 'string','Value': 'string'},],
metadata={},
attr_map={"given_name":"first_name","family_name":"last_name"}
)
- username: Username of the user
- attribute_list: List of tuples that represent the user's attributes as returned by the admin_get_user or get_user boto3 methods
- metadata: (optional) Metadata about the user
- attr_map: (optional) Dictionary that maps the Cognito attribute names to what we'd like to display to the users
Get all of the user's attributes. Gets the user's attributes using Boto3 and uses that info to create an instance of the user_class
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id',
username='bob')
user = u.get_user(attr_map={"given_name":"first_name","family_name":"last_name"})
- attr_map: Dictionary map from Cognito attributes to attribute names we would like to show to our users
Get a list of the user in the user pool.
from warrant import Cognito
u = Cognito('your-user-pool-id','your-client-id')
user = u.get_users(attr_map={"given_name":"first_name","family_name":"last_name"})
- attr_map: Dictionary map from Cognito attributes to attribute names we would like to show to our users
Checks the exp attribute of the access_token and either refreshes the tokens by calling the renew_access_tokens method or does nothing. IMPORTANT: Access token is required
u = Cognito('your-user-pool-id','your-client-id',
id_token='id-token',refresh_token='refresh-token',
access_token='access-token')
u.check_token()
No arguments for check_token
Logs the user out of all clients and removes the expires_in, expires_datetime, id_token, refresh_token, access_token, and token_type attributes.
from warrant import Cognito
#If you don't use your tokens then you will need to
#use your username and password and call the authenticate method
u = Cognito('your-user-pool-id','your-client-id',
id_token='id-token',refresh_token='refresh-token',
access_token='access-token')
u.logout()
No arguments for check_token
The AWSSRP
class is used to perform SRP(Secure Remote Password protocol) authentication.
This is the preferred method of user authentication with AWS Cognito.
The process involves a series of authentication challenges and responses, which if successful,
results in a final response that contains ID, access and refresh tokens.
The AWSSRP
class takes a username, password, cognito user pool id, cognito app id, and an optional
boto3
client. Afterwards, the authenticate_user
class method is used for SRP authentication.
import boto3
from warrant.aws_srp import AWSSRP
client = boto3('cognito-idp')
aws = AWSSRP(username='username', password='password', pool_id='user_pool_id',
client_id='client_id', client=client)
tokens = aws.authenticate_user()
-
In your Django project settings file, add the dotted path of
CognitoBackend
to your list ofAUTHENTICATION_BACKENDS
. Keep in mind that Django will attempt to authenticate a user using each backend listed, in the order listed until successful.AUTHENTICATION_BACKENDS = [ 'warrant.django.backend.CognitoBackend', ... ]
-
Set
COGNITO_USER_POOL_ID
andCOGNITO_APP_ID
in your settings file as well. Your User Pool ID can be found in the Pool Details tab in the AWS console. Your App ID is found in the Apps tab, listed as "App client id". -
Set
COGNITO_ATTR_MAPPING
in your settings file to a dictionary mapping a Cognito attribute name to a Django User attribute name. If your Cognito User Pool has any custom attributes, it is automatically prefixed withcustom:
. Therefore, you will want to add a mapping to your mapping dictionary as such{'custom:custom_attr': 'custom_attr'}
. Defaults to:{ 'email': 'email', 'given_name': 'first_name', 'family_name': 'last_name', }
-
Optional - Set
CREATE_UNKNOWN_USERS
toTrue
orFalse
, depending on if you wish local Django users to be created upon successful login. If set toFalse
, only existing local Django users are updated. Defaults toTrue
. -
Optional - Set
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
to the AWS access keys you would like to use. Defaults toNone
, which will use the default credentials in your~/.aws/credentials
file.
Since the username of a Cognito User can never change, this is used by the backend to match a Cognito User with a local Django User.
If a Django user is not found, one is created using the attributes fetched from Cognito. If an existing Django user is found, their attributes are updated.
If the boto3 client comes back with either a NotAuthorizedException
or
UserNotFoundException
, then None
is returned instead of a User.
Otherwise, the exception is raised.
Upon successful login, the three identity tokens returned from Cognito
(ID token, Refresh token, Access token) are stored in the user's request
session. In Django >= 1.11, this is done directly in the backend class.
Otherwise, this is done via the user_logged_in
signal.
Check the django/demo directory for an example app with a login and user details page.
Setting the Django setting CREATE_UNKNOWN_USERS
to False
prevents the backend
from creating a new local Django user and only updates existing users.
If you create your own backend class that inhereits from CognitoBackend
, you may
want to also create your own custom user_logged_in
so that it checks
for the name of your custom class.
The APIKeyMiddleware
checks for a HTTP_AUTHORIZATION_ID
header
in the request and attaches it to the request object as api_key
.