Create Auth Challenge Lambda Trigger - Amazon Cognito


Amazon Cognito invokes this trigger after the Define Auth Challenge trigger when that trigger has named CUSTOM_CHALLENGE as the next challenge. Together with Define Auth Challenge and Verify Auth Challenge Response, it implements a custom authentication flow.

This Lambda trigger is invoked to create the challenge that is presented to the user. Its request includes challengeName and session. challengeName is a string naming the next challenge for the user; its value is set by the Define Auth Challenge Lambda trigger. session is the list of challenges the user has already attempted in this sign-in, so the trigger can vary what it issues from one round to the next.

The challenge loop (Define Auth Challenge, then Create Auth Challenge, then Verify Auth Challenge Response) repeats until Define Auth Challenge either issues tokens or fails the authentication.

Create Auth Challenge Lambda Trigger Parameters

These are the parameters required by this Lambda function in addition to the common parameters.

    {
        "request": {
            "userAttributes": {
                "string": "string",
                . . .
            },
            "challengeName": "string",
            "session": [
                ChallengeResult,
                . . .
            ],
            "clientMetadata": {
                "string": "string",
                . . .
            },
            "userNotFound": boolean
        },
        "response": {
            "publicChallengeParameters": {
                "string": "string",
                . . .
            },
            "privateChallengeParameters": {
                "string": "string",
                . . .
            },
            "challengeMetadata": "string"
        }
    }

Create Auth Challenge Request Parameters

userAttributes
    One or more name-value pairs representing user attributes.

userNotFound
    Set to true when the user does not exist. This boolean is populated only when PreventUserExistenceErrors is set to ENABLED for your user pool client. In that mode Amazon Cognito still invokes the trigger for an unknown user so that the response to the client does not reveal whether the account exists; your function should therefore produce a challenge of the same shape as it would for an existing user, and simply avoid delivering anything to a destination it does not have.

challengeName
    The name of the new challenge, as set by the Define Auth Challenge trigger.

session
    The session element is an array of ChallengeResult elements, one per challenge already attempted in this sign-in. Each ChallengeResult contains the following elements:

    challengeName
        The challenge type. One of: CUSTOM_CHALLENGE, SRP_A, PASSWORD_VERIFIER, SMS_MFA, DEVICE_SRP_AUTH, DEVICE_PASSWORD_VERIFIER, or ADMIN_NO_SRP_AUTH.

    challengeResult
        Set to true if the user successfully completed the challenge, or false otherwise.

    challengeMetadata
        Your name for the custom challenge. Used only if challengeName is "CUSTOM_CHALLENGE".

clientMetadata
    One or more key-value pairs that you can provide as custom input to the Lambda function that you specify for the create auth challenge trigger. You can pass this data to your Lambda function by using the ClientMetadata parameter in the AdminRespondToAuthChallenge and RespondToAuthChallenge API actions. The client controls these values, so treat them as untrusted input.

Create Auth Challenge Response Parameters

publicChallengeParameters
    One or more key-value pairs for the client app to use in the challenge to be presented to the user. This parameter should contain all of the information necessary to accurately present the challenge to the user. These values are returned to the client in the challenge response, so treat them as visible to the end user and to anyone who controls the client; never place the expected answer here.

privateChallengeParameters
    This parameter is only used by the Verify Auth Challenge Response Lambda trigger and is never returned to the client. It should contain all of the information required to validate the user's response to the challenge. In other words, publicChallengeParameters contains the question that is presented to the user, and privateChallengeParameters contains the valid answer to that question.

challengeMetadata
    Your name for the custom challenge, if this is a custom challenge. Amazon Cognito records this value in the session array (as the challengeMetadata of the ChallengeResult for this round), so later invocations of the Define Auth Challenge and Create Auth Challenge triggers can see which custom challenge was issued.

Create Auth Challenge Example

A CAPTCHA is created as a challenge to the user. The URL for the CAPTCHA image is added to the public challenge parameters as "captchaUrl", which the client app uses to display the image, and the expected answer is added to the private challenge parameters, which only the Verify Auth Challenge Response trigger can read.

    exports.handler = (event, context, callback) => {
        if (event.request.challengeName === 'CUSTOM_CHALLENGE') {
            // Returned to the client app: everything needed to show the challenge
            event.response.publicChallengeParameters = {};
            event.response.publicChallengeParameters.captchaUrl = 'url/123.jpg';
            // Seen only by the Verify Auth Challenge Response trigger
            event.response.privateChallengeParameters = {};
            event.response.privateChallengeParameters.answer = '5';
            event.response.challengeMetadata = 'CAPTCHA_CHALLENGE';
        }
        // Return to Amazon Cognito
        callback(null, event);
    };