Pre authentication Lambda trigger - Amazon Cognito

Pre authentication Lambda trigger

Amazon Cognito invokes this trigger when a user attempts to sign in so that you can create custom validation that accepts or denies the authentication request.

Note

Triggers depend on the user existing in the user pool before Amazon Cognito activates the trigger.

Pre authentication Lambda flows

Client authentication flow

[Figure: Pre authentication Lambda trigger - client flow]

Server authentication flow

[Figure: Pre authentication Lambda trigger - server flow]

The request includes client validation data from the ClientMetadata values that your app passes to the user pool InitiateAuth and AdminInitiateAuth API operations.

For more information, see User pool authentication flow.

Pre authentication Lambda trigger parameters

These are the parameters that Amazon Cognito passes to this Lambda function along with the event information in the common parameters.

JSON
{
    "request": {
        "userAttributes": {
            "string": "string",
            . . .
        },
        "validationData": {
            "string": "string",
            . . .
        },
        "userNotFound": boolean
    },
    "response": {}
}

Pre authentication request parameters

userAttributes

One or more name-value pairs that represent user attributes.

userNotFound

When you set PreventUserExistenceErrors to ENABLED for your user pool client, Amazon Cognito populates this Boolean: it is true when the sign-in request names a user that does not exist in the user pool. The purpose of that setting is to hide whether a user exists, so a function that receives userNotFound should reject the request with the same generic error it returns for any other failure rather than one that reveals the difference.

validationData

One or more key-value pairs that contain the validation data in the user's sign-in request. To pass this data to your Lambda function, use the ClientMetadata parameter in the InitiateAuth and AdminInitiateAuth API actions.

Pre authentication response parameters

Amazon Cognito does not expect any additional return information in the response. Your function can return an error to reject the sign-in attempt, or use API operations to query and modify your resources.
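The following Python handler is an added example, not code from the Amazon Cognito documentation. It shows how a pre authentication function reads the three request fields described above (userAttributes, validationData and userNotFound) and turns them into an allow or deny decision. The policy it enforces is an assumption chosen for illustration: sign-in is allowed only for users with a verified email in an allowed domain, and only when the app passed an appVersion key in ClientMetadata on InitiateAuth or AdminInitiateAuth (which arrives here as validationData). The sample events are constructed inline so the code runs offline; the client ID and attribute values in them are placeholders.

```python
"""Pre authentication Lambda trigger: allow/deny on user attributes, client
validation data and the userNotFound flag.

Added example, not from the Amazon Cognito documentation. The policy below
(allowed email domains, required appVersion key) is an assumption for
illustration; the sample events are constructed, not captured from a user pool.
"""

# Assumed policy: only users whose verified email is in one of these domains may sign in.
ALLOWED_EMAIL_DOMAINS = {"example.com", "example.org"}

# Assumed contract with the app: it sends ClientMetadata={"appVersion": "x.y"} on
# InitiateAuth / AdminInitiateAuth; Cognito forwards it to us as request.validationData.
MIN_APP_VERSION = (2, 0)

# One message for every rejection so the client cannot distinguish "no such user"
# from "policy denied" from "bad client data". Cognito returns it to the client
# inside a UserLambdaValidationException.
GENERIC_DENY = "Authentication denied"


def parse_version(text):
    """Parse 'major.minor' into a comparable tuple; None if missing or malformed."""
    if not isinstance(text, str):
        return None
    try:
        parts = tuple(int(p) for p in text.split("."))
    except ValueError:
        return None
    return (parts + (0, 0))[:2]  # pad so "2" compares as (2, 0)


def evaluate(event):
    """Return None to allow, or a short reason string (for server-side logs) to deny."""
    request = event.get("request", {})
    attrs = request.get("userAttributes") or {}
    vdata = request.get("validationData") or {}

    # With PreventUserExistenceErrors=ENABLED the trigger also fires for users that do
    # not exist; userAttributes is empty then. Deny, but do not say why to the client.
    if request.get("userNotFound"):
        return "user not found"

    # validationData is supplied by the client, so treat it as untrusted input: it can
    # gate a rollout, but it is not evidence of anything about the caller.
    version = parse_version(vdata.get("appVersion"))
    if version is None:
        return "missing or malformed appVersion in validationData"
    if version < MIN_APP_VERSION:
        return "app version too old"

    # Cognito delivers attribute values as strings, so email_verified is "true"/"false".
    email = attrs.get("email", "")
    domain = email.rpartition("@")[2].lower()
    if attrs.get("email_verified") != "true" or domain not in ALLOWED_EMAIL_DOMAINS:
        return "email not verified or domain not allowed"
    return None


def lambda_handler(event, context):
    reason = evaluate(event)
    if reason is not None:
        # Log the real reason where only operators can read it; the client sees GENERIC_DENY.
        client_id = event.get("callerContext", {}).get("clientId")
        print(f"pre-auth deny user={event.get('userName')} client={client_id} reason={reason}")
        raise Exception(GENERIC_DENY)
    return event  # unchanged event back to Cognito: sign-in continues


def make_event(attrs, validation, user_not_found=False, user_name="alice"):
    """Build a constructed pre authentication event in the shape Cognito sends."""
    return {
        "version": "1",
        "triggerSource": "PreAuthentication_Authentication",
        "userName": user_name,
        "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown",
                          "clientId": "example-app-client-id"},  # placeholder
        "request": {"userAttributes": attrs, "validationData": validation,
                    "userNotFound": user_not_found},
        "response": {},
    }


# Constructed sample events covering the allow path and each deny path.
SAMPLE_EVENTS = {
    "allowed": make_event({"email": "alice@example.com", "email_verified": "true"},
                          {"appVersion": "2.1"}),
    "unknown_user": make_event({}, {"appVersion": "2.1"}, user_not_found=True,
                               user_name="nobody"),
    "old_client": make_event({"email": "alice@example.com", "email_verified": "true"},
                             {"appVersion": "1.9"}),
    "no_metadata": make_event({"email": "alice@example.com", "email_verified": "true"}, {}),
    "wrong_domain": make_event({"email": "mallory@evil.example", "email_verified": "true"},
                               {"appVersion": "2.1"}),
}


def run_samples():
    """Map each sample name to evaluate()'s verdict (None = allow, else deny reason)."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


def handler_outcome(event):
    """Run lambda_handler and report what Cognito would see: ('allow', event) or ('deny', message)."""
    try:
        return ("allow", lambda_handler(event, None))
    except Exception as exc:
        return ("deny", str(exc))


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(name, handler_outcome(event)[0])
```

The two layers matter: evaluate returns a specific reason that is only ever logged, while lambda_handler raises a single fixed message, so every rejection looks identical from the client side and the userNotFound case does not become a user-enumeration oracle.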

Authentication tutorials

Amazon Cognito invokes the pre authentication Lambda function before it signs in a user. See these sign-in tutorials for JavaScript, Android, and iOS.

Platform     Tutorial
JavaScript   Identity SDK: Sign in users with JavaScript
Android      Identity SDK: Sign in users with Android
iOS          Identity SDK: Sign in users with iOS

Pre authentication example

This sample function prevents users from a specific user pool app client from signing in to the user pool.

Node.js
exports.handler = (event, context, callback) => {
    if (event.callerContext.clientId === "user-pool-app-client-id-to-be-blocked") {
        const error = new Error("Cannot authenticate users from this user pool app client");
        // Return error to Amazon Cognito and stop here; without the return,
        // the success callback below would also be invoked
        return callback(error, event);
    }
    // Return to Amazon Cognito
    callback(null, event);
};
Python
def lambda_handler(event, context):
    if event['callerContext']['clientId'] == "<user pool app client id to be blocked>":
        raise Exception("Cannot authenticate users from this user pool app client")
    # Return to Amazon Cognito
    return event

Amazon Cognito passes event information to your Lambda function. The function then returns the same event object to Amazon Cognito, with any changes in the response. In the Lambda console, you can set up a test event with data that is relevant to your Lambda trigger. The following is a test event for this code sample:

JSON
{
    "callerContext": {
        "clientId": "<user pool app client id to be blocked>"
    },
    "response": {}
}