Working with Amazon Cognito - AWS SDK for Java

Working with Amazon Cognito

With Amazon Cognito, you can quickly add user sign-up or sign-in capability to your web or mobile app. The examples here demonstrate some of the basic functionality of Cognito.

Create a user pool

A user pool is a directory of users that you can configure for your web or mobile app.

To create a user pool, start by building a CreateUserPoolRequest object, with the name of the user pool as the value of its poolName(). Call the createUserPool() method of your CognitoIdentityProviderClient, passing in the CreateUserPoolRequest object. You can capture the result of this request as a CreateUserPoolResponse object, as demonstrated in the following code snippet.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolResponse;

Code

public static String createPool(CognitoIdentityProviderClient cognitoclient, String userPoolName) {
    try {
        CreateUserPoolResponse userPoolResponse = cognitoclient.createUserPool(
                CreateUserPoolRequest.builder()
                        .poolName(userPoolName)
                        .build()
        );
        // The pool ID returned here is required by every later user pool call.
        return userPoolResponse.userPool().id();
    } catch (CognitoIdentityProviderException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    return "";
}

See the complete example on GitHub.
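Passing only poolName() creates a pool with Cognito's defaults (a shorter 8-character password minimum and self-service sign-up enabled). The following added example, which is not code from the AWS SDK documentation or its GitHub repository, sets an explicit password policy, uses the e-mail address as the sign-in identifier, and restricts account creation to administrators; the pool name is a constructed value.

```java
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminCreateUserConfigType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.PasswordPolicyType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserPoolPolicyType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UsernameAttributeType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.VerifiedAttributeType;

public class HardenedUserPool {
    // Creates a user pool with an explicit password policy, e-mail as the sign-in
    // identifier, automatic e-mail verification, and self-service sign-up disabled.
    public static String createHardenedPool(CognitoIdentityProviderClient client, String poolName) {
        PasswordPolicyType passwordPolicy = PasswordPolicyType.builder()
                .minimumLength(12)
                .requireUppercase(true)
                .requireLowercase(true)
                .requireNumbers(true)
                .requireSymbols(true)
                .temporaryPasswordValidityDays(1)   // admin-issued temporary passwords expire quickly
                .build();

        // allowAdminCreateUserOnly(true) turns off the public SignUp operation: only an
        // operator or a provisioning process can add users to this pool.
        AdminCreateUserConfigType adminOnly = AdminCreateUserConfigType.builder()
                .allowAdminCreateUserOnly(true)
                .build();

        CreateUserPoolRequest request = CreateUserPoolRequest.builder()
                .poolName(poolName)
                .policies(UserPoolPolicyType.builder().passwordPolicy(passwordPolicy).build())
                .adminCreateUserConfig(adminOnly)
                .usernameAttributes(UsernameAttributeType.EMAIL)
                .autoVerifiedAttributes(VerifiedAttributeType.EMAIL)
                .build();

        CreateUserPoolResponse response = client.createUserPool(request);
        return response.userPool().id();
    }

    public static void main(String[] args) {
        // Uses the default Region and credential provider chain of the SDK.
        try (CognitoIdentityProviderClient client = CognitoIdentityProviderClient.create()) {
            System.out.println("Created pool " + createHardenedPool(client, "hardened-pool-example"));
        }
    }
}
```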

List user pools

To list your user pools, start by building a ListUserPoolsRequest object, with the maximum number of results as the value of its maxResults(). Call the listUserPools() method of your CognitoIdentityProviderClient, passing in the ListUserPoolsRequest object. You can capture the result of this request as a ListUserPoolsResponse object, as demonstrated in the following code snippet. Iterate over the UserPoolDescriptionType objects in the response to pull out the attributes of each user pool.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUserPoolsResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUserPoolsRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserPoolDescriptionType;

Code

public static void listAllUserPools(CognitoIdentityProviderClient cognitoclient) {
    try {
        ListUserPoolsResponse response = cognitoclient.listUserPools(
                ListUserPoolsRequest.builder()
                        .maxResults(10)
                        .build()
        );
        // One UserPoolDescriptionType per pool; only the first page of results is read here.
        for (UserPoolDescriptionType userpool : response.userPools()) {
            System.out.println("User pool " + userpool.name()
                    + ", Pool ID " + userpool.id()
                    + ", Status " + userpool.status());
        }
    } catch (CognitoIdentityProviderException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}

See the complete example on GitHub.

Create an identity pool

An identity pool is a container that organizes the IDs from your external identity provider, keeping a unique identifier for each user. To create an identity pool, start by building a CreateIdentityPoolRequest with the name of the identity pool as the value of its identityPoolName(). Set allowUnauthenticatedIdentities() to true or false. Call the createIdentityPool() method of your CognitoIdentityClient object, passing in the CreateIdentityPoolRequest object. You can capture the result of this request as a CreateIdentityPoolResponse object, as demonstrated in the following code snippet.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityException;
import software.amazon.awssdk.services.cognitoidentity.model.CreateIdentityPoolRequest;
import software.amazon.awssdk.services.cognitoidentity.model.CreateIdentityPoolResponse;

Code

public static String createIdPool(CognitoIdentityClient cognitoclient, String identityPoolName) {
    try {
        CreateIdentityPoolResponse response = cognitoclient.createIdentityPool(
                CreateIdentityPoolRequest.builder()
                        // false: only identities that present a token from a configured
                        // provider can obtain credentials; true enables guest access.
                        .allowUnauthenticatedIdentities(false)
                        .identityPoolName(identityPoolName)
                        .build()
        );
        return response.identityPoolId();
    } catch (CognitoIdentityException e) {
        // CognitoIdentityClient throws CognitoIdentityException; the
        // CognitoIdentityProviderException used in the user pool examples would not be caught here.
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
    return "";
}

See the complete example on GitHub.

Add an app client

To enable the hosted web sign-up or sign-in UI for your app, create an app client. To create an app client, start by building a CreateUserPoolClientRequest object, with the name of the client as the value of its clientName(). Set userPoolId() to the ID of the user pool to which you want to attach this app client. Call the createUserPoolClient() method of your CognitoIdentityProviderClient, passing in the CreateUserPoolClientRequest object. You can capture the result of this request as a CreateUserPoolClientResponse object, as demonstrated in the following code snippet.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientResponse;

Code

public static void createPoolClient(CognitoIdentityProviderClient cognitoclient, String clientName, String userPoolId) {
    try {
        CreateUserPoolClientResponse response = cognitoclient.createUserPoolClient(
                CreateUserPoolClientRequest.builder()
                        .clientName(clientName)
                        .userPoolId(userPoolId)
                        .build()
        );
        System.out.println("App client " + response.userPoolClient().clientName()
                + " created. ID: " + response.userPoolClient().clientId());
    } catch (CognitoIdentityProviderException e) {
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}

See the complete example on GitHub.
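An app client created with only clientName() and userPoolId() takes Cognito's defaults for authentication flows and token lifetimes. The following added example, which is not code from the AWS SDK documentation or its GitHub repository, creates a public app client for a browser or mobile app with SRP-only authentication, user-existence error suppression, short token lifetimes and token revocation; the client name is constructed and "<USER_POOL_ID>" is a placeholder.

```java
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ExplicitAuthFlowsType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.PreventUserExistenceErrorTypes;
import software.amazon.awssdk.services.cognitoidentityprovider.model.TimeUnitsType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.TokenValidityUnitsType;

public class HardenedAppClient {
    // Creates a public app client (no client secret) for code that runs on the user's device.
    public static String createHardenedClient(CognitoIdentityProviderClient client,
                                              String userPoolId, String clientName) {
        TokenValidityUnitsType units = TokenValidityUnitsType.builder()
                .accessToken(TimeUnitsType.MINUTES)
                .idToken(TimeUnitsType.MINUTES)
                .refreshToken(TimeUnitsType.DAYS)
                .build();

        CreateUserPoolClientRequest request = CreateUserPoolClientRequest.builder()
                .clientName(clientName)
                .userPoolId(userPoolId)
                // A browser or mobile app cannot protect a secret, so do not generate one.
                .generateSecret(false)
                // SRP proves the password without transmitting it; the plaintext
                // USER_PASSWORD_AUTH flow is deliberately left disabled.
                .explicitAuthFlows(ExplicitAuthFlowsType.ALLOW_USER_SRP_AUTH,
                                   ExplicitAuthFlowsType.ALLOW_REFRESH_TOKEN_AUTH)
                // ENABLED returns the same generic error for unknown and known users,
                // so responses do not reveal which usernames exist.
                .preventUserExistenceErrors(PreventUserExistenceErrorTypes.ENABLED)
                // 15-minute access/ID tokens, a one-day refresh token, revocable on sign-out.
                .tokenValidityUnits(units)
                .accessTokenValidity(15)
                .idTokenValidity(15)
                .refreshTokenValidity(1)
                .enableTokenRevocation(true)
                .build();

        CreateUserPoolClientResponse response = client.createUserPoolClient(request);
        return response.userPoolClient().clientId();
    }

    public static void main(String[] args) {
        try (CognitoIdentityProviderClient client = CognitoIdentityProviderClient.create()) {
            String clientId = createHardenedClient(client, "<USER_POOL_ID>", "web-client-example");
            System.out.println("Created app client " + clientId);
        }
    }
}
```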

Add a third-party identity provider

Adding an external identity provider (IdP) enables your users to log into your app using that service’s login mechanism. To add a third-party IdP, start by building an UpdateIdentityPoolRequest object, with the name of the identity pool as the value of its identityPoolName(). Set allowUnauthenticatedIdentities() to true or false, specify the identityPoolId(), and define which login providers are supported: cognitoIdentityProviders() takes Cognito user pools (the snippet below registers a user pool app client this way), while supportedLoginProviders() takes external providers such as social logins. Call the updateIdentityPool() method of your CognitoIdentityClient, passing in the UpdateIdentityPoolRequest object. You can capture the result of this request as an UpdateIdentityPoolResponse object, as demonstrated in the following code snippet.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityException;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityProvider;
import software.amazon.awssdk.services.cognitoidentity.model.UpdateIdentityPoolRequest;
import software.amazon.awssdk.services.cognitoidentity.model.UpdateIdentityPoolResponse;
import java.util.ArrayList;
import java.util.List;

Code

public static void setLoginProvider(CognitoIdentityClient cognitoclient, String appId, String identityPoolName, String identityPoolId, String providerName) {
    // The provider is a Cognito user pool, identified by its provider name and app client ID.
    CognitoIdentityProvider identityProvider = CognitoIdentityProvider.builder()
            .providerName(providerName)
            .clientId(appId)
            .build();
    List<CognitoIdentityProvider> proList = new ArrayList<>();
    proList.add(identityProvider);

    try {
        UpdateIdentityPoolRequest poolRequest = UpdateIdentityPoolRequest.builder()
                // true enables guest (unauthenticated) identities on this pool.
                .allowUnauthenticatedIdentities(true)
                .identityPoolName(identityPoolName)
                .identityPoolId(identityPoolId)
                .cognitoIdentityProviders(proList)
                .build();

        UpdateIdentityPoolResponse response = cognitoclient.updateIdentityPool(poolRequest);
        List<CognitoIdentityProvider> providers = response.cognitoIdentityProviders();
        for (CognitoIdentityProvider provider : providers) {
            System.out.println("The client ID is : " + provider.clientId());
            System.out.println("The provider name is : " + provider.providerName());
        }
    } catch (CognitoIdentityException e) {
        // CognitoIdentityClient throws CognitoIdentityException, not CognitoIdentityProviderException.
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}

See the complete example on GitHub.

Get credentials for an ID

To get the credentials for an identity in an identity pool, first build a GetCredentialsForIdentityRequest with the identity ID as the value of its identityId(). Call the getCredentialsForIdentity() method of your CognitoIdentityClient, passing in the GetCredentialsForIdentityRequest. You can capture the result of this request as a GetCredentialsForIdentityResponse object, as demonstrated in the following code snippet.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityException;
import software.amazon.awssdk.services.cognitoidentity.model.GetCredentialsForIdentityRequest;
import software.amazon.awssdk.services.cognitoidentity.model.GetCredentialsForIdentityResponse;

Code

public static void getCredsForIdentity(CognitoIdentityClient cognitoclient, String identityId) {
    try {
        // Without a logins() map this call only succeeds for an unauthenticated (guest) identity.
        GetCredentialsForIdentityRequest getCredentialsForIdentityRequest = GetCredentialsForIdentityRequest.builder()
                .identityId(identityId)
                .build();

        GetCredentialsForIdentityResponse response = cognitoclient.getCredentialsForIdentity(getCredentialsForIdentityRequest);
        // Only the access key ID is printed; secretKey() and sessionToken() are secrets and must not be logged.
        System.out.println("Identity ID " + response.identityId()
                + ", Access key ID " + response.credentials().accessKeyId());
    } catch (CognitoIdentityException e) {
        // CognitoIdentityClient throws CognitoIdentityException, not CognitoIdentityProviderException.
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}

See the complete example on GitHub.
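The snippet above fetches credentials for an identity without presenting any provider token, which works only for guest identities. The following added example, which is not code from the AWS SDK documentation or its GitHub repository, shows the authenticated flow: it resolves the identity ID with GetId and then calls GetCredentialsForIdentity, both with a logins map carrying a user pool ID token, and returns the result as AwsSessionCredentials instead of printing it. The identity pool ID, Region, user pool ID and ID token are assumed to be supplied by the caller.

```java
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.Credentials;
import software.amazon.awssdk.services.cognitoidentity.model.GetCredentialsForIdentityRequest;
import software.amazon.awssdk.services.cognitoidentity.model.GetIdRequest;

public class AuthenticatedIdentityCredentials {
    // Exchanges a user pool ID token for temporary AWS credentials through an identity pool.
    // The logins map key is the user pool issuer: "cognito-idp.<region>.amazonaws.com/<pool id>".
    public static AwsSessionCredentials credentialsForUser(CognitoIdentityClient client,
                                                           String identityPoolId, String region,
                                                           String userPoolId, String idToken) {
        String providerKey = "cognito-idp." + region + ".amazonaws.com/" + userPoolId;
        Map<String, String> logins = Map.of(providerKey, idToken);

        // Step 1: resolve (or create) the identity ID for this user. Presenting logins is
        // what makes the identity authenticated; without it GetId only works when the pool
        // allows unauthenticated identities.
        String identityId = client.getId(GetIdRequest.builder()
                .identityPoolId(identityPoolId)
                .logins(logins)
                .build()).identityId();

        // Step 2: present the same logins map again. Cognito validates the token and returns
        // credentials for the identity pool's authenticated role.
        Credentials creds = client.getCredentialsForIdentity(GetCredentialsForIdentityRequest.builder()
                .identityId(identityId)
                .logins(logins)
                .build()).credentials();

        // Wrap the triple in the SDK credential type rather than logging it: secretKey() and
        // sessionToken() are secrets; only accessKeyId() is safe to print. The result can be
        // passed to StaticCredentialsProvider.create(...) on any other service client builder.
        return AwsSessionCredentials.create(creds.accessKeyId(), creds.secretKey(), creds.sessionToken());
    }
}
```

The credentials expire at creds.expiration(); a long-running client should call credentialsForUser again with a fresh ID token before then rather than caching the first result indefinitely.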

For more information, see the Amazon Cognito Developer Guide.