Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Configuring policies for user creation
Your user pool can allow users to sign up, or you can create them as an administrator. You can also control how much of the process of verification and confirmation after sign-up is in the hands of your users. For example, you might want to review sign-ups and accept them based on an external validation process. This configuration, or admin create user policy, also sets the amount of time before a user can no longer confirm their user account.
Amazon Cognito can serve the needs of your public customers as the customer identity and access management (CIAM) platform for your software. A user pool that accepts sign-up and has an app client, with or without managed login, creates a user profile for anyone on the internet who knows your publicly discoverable app client ID and requests to sign up. A signed-up user profile can receive access and identity tokens and can access resources that you've authorized for your app. Before you activate sign-up in your user pool, review your options and ensure that your configuration complies with your security standards. Set Enable self-registration and AllowAdminCreateUserOnly, described in the following procedures, with care.
Amazon Web Services Management Console

The Sign-up menu of your user pool contains some of the settings for sign-up and administrative creation of users in your user pool.
To configure the sign-up experience
- In Cognito-assisted verification and confirmation, choose whether you want to Allow Cognito to automatically send messages to verify and confirm. With this setting enabled, Amazon Cognito sends an email or SMS message to new users with a code that they must present to your user pool. This confirms their ownership of the email address or phone number, setting the equivalent attribute as verified and confirming the user account for sign-in. The Attributes to verify that you choose determine the delivery methods and destinations of the verification messages.
- Verifying attribute changes doesn't affect user creation; it governs verification when an existing user changes a sign-in attribute. You can permit users who have changed but not yet verified their sign-in attributes to continue to sign in either with their new attribute value or with their original. For more information, see Verifying when users change their email or phone number.
- Required attributes displays the attributes that must be given a value before a user can sign up or you can create a user. You can only set required attributes when you create a user pool.
- Custom attributes are important to the user creation and sign-up process because you can only set a value for immutable custom attributes when you first create a user. For more information about custom attributes, see Custom attributes.
- In Self-service sign-up, select Enable self-registration if you want users to be able to generate a new account with the unauthenticated SignUp API. If you disable self-registration, you can only create new users as an administrator, in the Amazon Cognito console or with AdminCreateUser API requests. In a user pool where self-registration is inactive, SignUp API requests return NotAuthorizedException and managed login doesn't display a Sign up link.
For user pools where you plan to create users as an administrator, you can configure the duration of their temporary passwords with the Temporary passwords set by administrators expire in setting in the Sign-in menu.

Another important element of the creation of users as an administrator is the invitation message. When you create a new user, Amazon Cognito sends them a message with a link to your app so that they can sign in for the first time. Customize this message template in the Authentication methods menu under Message templates.

You can configure confidential app clients, typically web applications, with a client secret that prevents sign-up without the app client secret. As a security best practice, do not distribute app client secrets in public app clients, typically mobile apps. You can create app clients with client secrets in the App clients menu of the Amazon Cognito console.
Amazon Cognito user pools API

You can programmatically set the parameters for creation of users in a user pool in a CreateUserPool or UpdateUserPool API request. The AdminCreateUserConfig element sets values for the following properties of a user pool.

- Whether self-service sign-up is enabled (AllowAdminCreateUserOnly)
- The invitation message that you send to new admin-created users (InviteMessageTemplate)

The following example, when added to a full API request body, sets a user pool with self-service sign-up inactive and a basic invitation email.
```json
"AdminCreateUserConfig": {
    "AllowAdminCreateUserOnly": true,
    "InviteMessageTemplate": {
        "EmailMessage": "Your username is {username} and temporary password is {####}.",
        "EmailSubject": "Welcome to ExampleApp",
        "SMSMessage": "Your username is {username} and temporary password is {####}."
    }
}
```
The following additional parameters of a CreateUserPool or UpdateUserPool API request govern the creation of new users.

- AutoVerifiedAttributes: The attributes (email address or phone number) to which Amazon Cognito automatically sends a verification message when you register a new user.
- Policies: The user pool password policy.
- Schema: The user pool custom attributes. They are important to the user creation and sign-up process because you can only set a value for immutable custom attributes when you first create a user. This parameter also sets the required attributes for your user pool. The following text, when inserted into the Schema element of a full API request body, sets the email attribute as required.
```json
{
    "Name": "email",
    "Required": true
}
```
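As an added example (not code from the Amazon Cognito documentation), the following Python reviews a DescribeUserPool response for the settings this page describes (AllowAdminCreateUserOnly, AutoVerifiedAttributes, the invitation template placeholders, immutable custom attributes) and builds the UpdateUserPool arguments that turn self-registration off. The SAMPLE_POOL dict, its pool ID and the custom:tenant attribute are constructed for illustration; the function names are hypothetical.

```python
# Constructed sample shaped like the "UserPool" object that DescribeUserPool returns
# (in practice: boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"]).
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",  # placeholder pool ID, not a real pool
    "AdminCreateUserConfig": {
        "AllowAdminCreateUserOnly": False,  # self-registration is on
        "InviteMessageTemplate": {
            "EmailSubject": "Welcome to ExampleApp",
            "EmailMessage": "Your username is {username} and temporary password is {####}.",
        },
    },
    "AutoVerifiedAttributes": ["email"],
    "SchemaAttributes": [
        {"Name": "email", "Required": True, "Mutable": True},
        {"Name": "custom:tenant", "Required": False, "Mutable": False},  # constructed attribute
    ],
}


def signup_findings(pool: dict) -> list:
    """Report who can create users in this pool and what must be set at creation time."""
    findings = []
    acu = pool.get("AdminCreateUserConfig", {})
    if not acu.get("AllowAdminCreateUserOnly", False):
        findings.append("self-registration enabled: anyone holding the app client ID can call SignUp")
    if not pool.get("AutoVerifiedAttributes"):
        findings.append("no AutoVerifiedAttributes: new sign-ups get no email/SMS confirmation code")
    template = acu.get("InviteMessageTemplate", {})
    for key in ("EmailMessage", "SMSMessage"):  # both templates use {username} and {####}
        msg = template.get(key)
        if msg is not None and ("{####}" not in msg or "{username}" not in msg):
            findings.append(f"{key} is missing the {{username}} or {{####}} placeholder")
    immutable = [a["Name"] for a in pool.get("SchemaAttributes", [])
                 if a["Name"].startswith("custom:") and not a.get("Mutable", True)]
    if immutable:
        findings.append("immutable custom attributes, settable only at creation: " + ", ".join(immutable))
    return findings


def disable_self_registration(pool: dict) -> dict:
    """Build UpdateUserPool keyword arguments that switch the pool to admin-only creation,
    carrying the existing invitation template over unchanged. UpdateUserPool resets parameters
    you omit to their defaults, so a real call should also pass the rest of the DescribeUserPool
    settings, not only AdminCreateUserConfig."""
    acu = dict(pool.get("AdminCreateUserConfig", {}))
    acu["AllowAdminCreateUserOnly"] = True
    return {"UserPoolId": pool["Id"], "AdminCreateUserConfig": acu}
```

Run signup_findings over each pool returned by ListUserPools to spot pools where SignUp is open to the internet, and pass disable_self_registration's result to update_user_pool only after merging in the pool's other current settings.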