Cognito User Pool
User Pool Configuration
The StackFlow Cognito User Pool (us-east-1_WKK1AVJ2m) is the authoritative identity store for all native StackFlow users. It is configured in the us-east-1 region under AWS account 373544523367. The pool uses email as the primary sign-in attribute and enforces case-insensitive email matching.
- User Pool: us-east-1_WKK1AVJ2m, active in us-east-1 under account 373544523367
- Pre-Token Lambda: StackFlowCognitoPreToken trigger attached and deployed
- Post-Confirmation Lambda: StackFlowCognitoPostConfirm trigger attached, with dynamodb:PutItem on StackFlow_User
- Lambda invoke permission: Cognito does not invoke triggers through a service role; each of the three trigger Lambdas needs a resource-based policy granting lambda:InvokeFunction to the cognito-idp.amazonaws.com service principal, with this user pool's ARN as the source ARN (the console adds it when a trigger is attached there; triggers attached via the CLI or IaC need aws lambda add-permission)
- SES: no-reply@stackflow-tech.com verified in us-east-1 for welcome emails
| Setting | Value |
|---|---|
| Pool ID | us-east-1_WKK1AVJ2m |
| App Client ID | 570cnagpgoochn29a113du6jnt |
| Hosted UI Domain | stackflow-identity-373544523367.auth.us-east-1.amazoncognito.com |
| Sign-in Method | Email (case-insensitive) |
| MFA | Optional (TOTP and SMS) |
| Password Policy | 12+ chars, upper, lower, digit, symbol |
| Token Validity | Access 1h, ID 1h, Refresh 30d |
App Client Settings
The 570cnagpgoochn29a113du6jnt app client is configured for the Authorization Code flow with PKCE, which is the recommended OAuth 2.0 flow for SPAs and web applications. The implicit flow is explicitly disabled. Allowed callback URLs must be registered in the app client configuration before they can be used in authentication requests.
# View app client configuration
aws cognito-idp describe-user-pool-client --user-pool-id us-east-1_WKK1AVJ2m --client-id 570cnagpgoochn29a113du6jnt --region us-east-1
# Add a new callback URL (e.g., for a dev environment).
# WARNING: update-user-pool-client replaces the whole client configuration; any setting not passed
# on the command line is reset to its default (OAuth flows, scopes, token validity, attribute permissions).
# Capture the describe output above first and pass every existing setting along with the new list.
# The list is a full replacement, so include the existing callback URLs as well.
aws cognito-idp update-user-pool-client --user-pool-id us-east-1_WKK1AVJ2m --client-id 570cnagpgoochn29a113du6jnt --callback-urls '["https://your-instance.stackflow-tech.com/callback","https://localhost:3000/callback"]' --region us-east-1
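The safe way to change one setting on the app client is a read-modify-write: fetch the current client, change only the callback list, check the security-relevant settings, and write the whole configuration back. The script below is an added example, not StackFlow's own tooling; it uses boto3 for the live path and a constructed, trimmed describe-user-pool-client response for the offline demonstration. The baseline it checks (authorization code flow only, privileged custom attributes not in WriteAttributes, https-only callbacks with the localhost exception) is taken from this page; the attribute names under PRIVILEGED_ATTRIBUTES are the custom attributes documented below.

```python
"""Read-modify-write update of a Cognito app client (added example, not
StackFlow's own tooling). UpdateUserPoolClient replaces the entire client
configuration, so every setting omitted from the call reverts to its default;
this copies the current settings, changes only the callback list and refuses to
write if the client no longer matches the documented security baseline."""
from copy import deepcopy
from urllib.parse import urlsplit

USER_POOL_ID = "us-east-1_WKK1AVJ2m"
CLIENT_ID = "570cnagpgoochn29a113du6jnt"

# Returned by DescribeUserPoolClient but not accepted by UpdateUserPoolClient.
READ_ONLY_KEYS = ("ClientSecret", "LastModifiedDate", "CreationDate")
# Custom attributes that must stay out of WriteAttributes: a user who can write
# them through UpdateUserAttributes can grant themselves roles or change tenant.
PRIVILEGED_ATTRIBUTES = {"custom:role", "custom:tenant_id", "custom:department"}

# Constructed sample of a describe-user-pool-client response (trimmed, for the demo).
SAMPLE_CLIENT = {
    "ClientId": CLIENT_ID,
    "UserPoolId": USER_POOL_ID,
    "ClientName": "stackflow-web",
    "CreationDate": "2024-01-01T00:00:00Z",
    "LastModifiedDate": "2024-01-01T00:00:00Z",
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthScopes": ["openid", "email", "profile"],
    "CallbackURLs": ["https://your-instance.stackflow-tech.com/callback"],
    "SupportedIdentityProviders": ["COGNITO"],
    "AccessTokenValidity": 60,
    "IdTokenValidity": 60,
    "RefreshTokenValidity": 30,
    "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes", "RefreshToken": "days"},
    "ReadAttributes": ["email", "given_name", "family_name", "custom:role", "custom:tenant_id"],
    "WriteAttributes": ["given_name", "family_name"],
}


def is_valid_callback_url(url):
    """Cognito accepts https callbacks only (http is allowed for localhost) and no fragments."""
    parts = urlsplit(url)
    if parts.fragment or not parts.netloc:
        return False
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname == "localhost"


def audit_client(client):
    """Return a list of findings; an empty list means the client matches the documented baseline."""
    findings = []
    flows = client.get("AllowedOAuthFlows", [])
    if flows != ["code"]:
        findings.append(f"AllowedOAuthFlows is {flows}; expected ['code'] only (no implicit)")
    exposed = PRIVILEGED_ATTRIBUTES & set(client.get("WriteAttributes", []))
    if exposed:
        findings.append(f"privileged attributes are user-writable: {sorted(exposed)}")
    bad_urls = [u for u in client.get("CallbackURLs", []) if not is_valid_callback_url(u)]
    if bad_urls:
        findings.append(f"invalid callback URLs: {bad_urls}")
    return findings


def build_update_params(client, new_callback_url):
    """Copy every updatable setting and append one callback URL; the input dict is not mutated."""
    if not is_valid_callback_url(new_callback_url):
        raise ValueError(f"rejected callback URL: {new_callback_url}")
    params = {k: deepcopy(v) for k, v in client.items() if k not in READ_ONLY_KEYS}
    urls = list(params.get("CallbackURLs", []))
    if new_callback_url not in urls:
        urls.append(new_callback_url)
    params["CallbackURLs"] = urls
    return params


def main(new_callback_url):
    import boto3  # only needed for the live run against AWS
    idp = boto3.client("cognito-idp", region_name="us-east-1")
    client = idp.describe_user_pool_client(UserPoolId=USER_POOL_ID, ClientId=CLIENT_ID)["UserPoolClient"]
    findings = audit_client(client)
    if findings:
        raise SystemExit("refusing to update; fix these first: " + "; ".join(findings))
    idp.update_user_pool_client(**build_update_params(client, new_callback_url))


if __name__ == "__main__":
    import sys
    main(sys.argv[1])
```

Run it as `python update_callback.py https://localhost:3000/callback` with credentials that allow cognito-idp:DescribeUserPoolClient and cognito-idp:UpdateUserPoolClient. Refusing to write when the audit fails is deliberate: a drifted client is exactly the case where a blind update would cement the drift.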
User Attributes
StackFlow uses standard Cognito attributes plus custom attributes for role assignment and tenant isolation. Custom attributes are prefixed with custom: and must stay read-only from the user's perspective: only administrators set them, through admin-create-user and admin-update-user-attributes. Cognito enforces this through the app client's attribute write permissions, not through the attribute itself, so custom:role, custom:tenant_id and custom:department must not appear in the app client's WriteAttributes; a user whose client can write custom:role can assign themselves any StackFlow role with a single UpdateUserAttributes call. Check the WriteAttributes list in the describe-user-pool-client output after any app client change.
| Attribute | Type | Description |
|---|---|---|
| email | Standard | Primary identifier, must be verified |
| given_name | Standard | First name |
| family_name | Standard | Last name |
| custom:tenant_id | Custom (string) | Tenant identifier for multi-tenancy isolation |
| custom:role | Custom (string) | Comma-separated StackFlow role names |
| custom:department | Custom (string) | Department ID from StackFlow org structure |
Triggers & Lambdas
Three Cognito Lambda triggers are configured to customize the authentication flow. The Pre-Signup trigger validates new user emails against an approved domain allowlist. The Post-Confirmation trigger creates the user's StackFlow profile record in Aurora PostgreSQL. The Pre-Token-Generation trigger enriches the JWT with role claims from the StackFlow database.
StackFlowCacheWarmer scheduled function (every 4 minutes).
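What the Pre-Signup and Pre-Token-Generation triggers have to get right is shown below as an added example; this is not the deployed StackFlowCognitoPreToken code, and the Post-Confirmation trigger is not shown. The allowed-domain set, the role directory standing in for the StackFlow database lookup, and the claim names stackflow_roles and stackflow_tenant_id are assumptions. The two points it demonstrates: an allowlist must compare the whole domain after the last @ (a suffix test such as endswith("stackflow-tech.com") also admits evil-stackflow-tech.com), and the V1 pre-token event returns claims under response.claimsOverrideDetails with string values.

```python
"""Cognito Pre-Signup and Pre-Token-Generation handlers (added example, not the
deployed StackFlow triggers). The allowlist, the role directory and the claim
names are assumptions for the demonstration."""

# Assumed approved-domain allowlist; the real one lives in the trigger's configuration.
ALLOWED_DOMAINS = {"stackflow-tech.com"}

# Constructed stand-in for the StackFlow database lookup the real trigger performs.
ROLE_DIRECTORY = {
    "alice@stackflow-tech.com": ["itsm_agent", "change_approver"],
}


def email_domain(email):
    """Return the lower-cased domain of a single user@domain address, else None."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def domain_allowed(email, allowed=ALLOWED_DOMAINS):
    """Exact match on the whole domain, never a suffix or substring test."""
    domain = email_domain(email)
    return domain is not None and domain in {a.lower() for a in allowed}


def pre_signup(event, context=None):
    """PreSignUp_SignUp trigger: raising makes Cognito reject the sign-up with this message.

    response.autoConfirmUser / autoVerifyEmail are left at their defaults so the
    email verification step still runs for allowed domains.
    """
    email = event["request"]["userAttributes"].get("email", "")
    if not domain_allowed(email):
        raise Exception("Sign-up is restricted to approved domains")
    return event


def roles_for(email, directory=ROLE_DIRECTORY):
    """Roles come from the StackFlow side, not from anything the user can write."""
    return list(directory.get(email.lower(), []))


def pre_token_generation(event, context=None, directory=ROLE_DIRECTORY):
    """TokenGeneration_* trigger (V1 event): add role and tenant claims to the ID token.

    Claim values must be strings in the V1 event; roles are comma-joined to
    mirror the custom:role convention. custom:tenant_id is trusted because only
    administrators can set it (see User Attributes).
    """
    attrs = event["request"]["userAttributes"]
    roles = roles_for(attrs.get("email", ""), directory)
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {
            "stackflow_roles": ",".join(roles),
            "stackflow_tenant_id": attrs.get("custom:tenant_id", ""),
        }
    }
    return event
```

With the V1 event version, claimsOverrideDetails affects only the ID token; if the StackFlow APIs authorize on the access token, the trigger must be registered with the V2_0 event version, which exposes a separate accessTokenGeneration section. Denying in pre_signup by raising is the documented mechanism, and the message text is returned to the client, so keep it generic.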
User Management via CLI
Administrators can manage users directly via the AWS CLI when the portal UI is unavailable. Common operations include resetting passwords, enabling/disabling accounts, and updating custom attributes. Disabling a user stops new sign-ins and token refresh, and Cognito's own APIs reject the user's existing tokens, but any StackFlow service that only verifies the JWT signature and expiry will keep accepting already-issued access and ID tokens until they expire (up to 1 hour with the validity settings above). Plan incident-response disables with that window in mind.
# Create a new user. The temporary password is a placeholder: generate a random one and do not reuse it.
# The user lands in FORCE_CHANGE_PASSWORD and must set a new password at first sign-in; by default Cognito
# also emails the temporary password to the user. Passwords on the command line end up in shell history.
aws cognito-idp admin-create-user --user-pool-id us-east-1_WKK1AVJ2m --username user@example.com --user-attributes Name=email,Value=user@example.com Name=email_verified,Value=true Name=custom:role,Value=itsm_agent Name=custom:tenant_id,Value=tenant_001 --temporary-password "TempPass123!" --region us-east-1
# Reset a user's password. --permanent skips the forced change at next sign-in, so only use it when the
# new password has been handed to the user out of band; omit it to force a change.
aws cognito-idp admin-set-user-password --user-pool-id us-east-1_WKK1AVJ2m --username user@example.com --password "NewSecurePass456!" --permanent --region us-east-1
# Disable a user account
aws cognito-idp admin-disable-user --user-pool-id us-east-1_WKK1AVJ2m --username user@example.com --region us-east-1