3

For better security I would like to move all of my web application users to AWS Cognito. Is it possible to migrate the user data from MongoDB to Cognito in such a way that all my customers can log in with their same old password? Or is it mandated to change the password after migration?

A rough user table is below:
name:
email:
hash_password:
salt:

The hash_password and salt are strings which may have to be exported to a CSV and then uploaded to Cognito. But I do not see any such options in Cognito.

I have hundreds of users and I do not want to force a password change on all of them. I have checked the AWS docs and they do not mention anything about migration from MongoDB. Please let me know if it is possible, and if it is, how it can be achieved.

sp497

2 Answers

2

There are several ways to achieve this:

  1. You can prepare a .CSV file and import it into the AWS Cognito user pool. The import process sets all user attributes except the password. The user's status in Cognito will be RESET_REQUIRED. Cognito forces a password reset.

  2. Otherwise, you can write a script that adds all users from MongoDB to Cognito in the following steps:

Use: AdminCreateUser

  1. Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password (this will be your user's password in MongoDB) or allow Amazon Cognito to automatically generate one.

  2. Specify whether provided email addresses and phone numbers are marked as verified for new users. Specify custom SMS and email invitation messages for new users via the AWS Management Console.

  3. Specify whether invitation messages are sent via SMS, email, or both.

  4. After successful user creation,

    1. Authenticate the user using the same user credentials. Use: SDK call InitiateAuth(Username, USER_SRP_AUTH)

    2. After InitiateAuth succeeds, Amazon Cognito returns the PASSWORD_VERIFIER challenge with Salt & Secret block.

    3. Use RespondToAuthChallenge(Username, , PASSWORD_VERIFIER

    4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.

    5. The user is prompted and enters a new password and any missing values for required attributes.

    6. Call RespondToAuthChallenge(Username, , ).

    7. After a successful password change, the user will be able to log in using the same credentials added in MongoDB.

Note: there is a problem: if you are not able to decrypt the user credentials from MongoDB, then the 2nd solution will not work.

- In that case, you can specify the temporary password (will allow Amazon Cognito to automatically generate one).

- All users will be forced to change their password only at first login.

Reference:

If you want to know how to write the CSV and import it into Cognito, then check this link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool-csv-header.html

Nikhil Kadam
  • Nikhil, in step 2 you mention DynamoDB. But I use MongoDB as our backend database. Will it work for that too? – sp497 Mar 12 '19 at 10:16
  • Sorry, but those steps are not dependent on any database. If you need any more help please add your comment here. – Nikhil Kadam Mar 12 '19 at 14:02
1

Have you tried using the UserMigration Lambda trigger? It allows you to migrate users with their existing password during the authentication flow.

Check the blog post as well as the trigger documentation with an example

Tomasz
  • Any idea, how to migrate Bcrypt passwords into AWS Cognito? Triggers could help to customize the authentications? – Karthikeyan Oct 21 '19 at 06:48
  • It's not possible to import hashed passwords into Cognito user pool. The UserMigration lambda trigger is kicked off when the user authenticates, so it has access to the cleartext password supplied by the user. In the Lambda function, you can verify the cleartext password against your bcrypt hash. If they match then Cognito will insert the user to the user pool (including the password) – Tomasz Oct 25 '19 at 00:22
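
The UserMigration trigger described in this answer, as an added example that is not code from the original posts or from AWS. It assumes users sign in with their email address and that hash_password is hex-encoded PBKDF2-HMAC-SHA256 over the stored salt; the question does not name the scheme, and `find_legacy_user` and the sample record are hypothetical stand-ins for the MongoDB lookup.

```python
import hashlib
import hmac

# Constructed sample record standing in for the MongoDB collection; the field
# names follow the question's table. PBKDF2-HMAC-SHA256 with 100,000 iterations
# is an assumption: substitute the scheme that produced your hash_password.
ITERATIONS = 100_000
_SALT = "c2FtcGxlLXNhbHQ"
LEGACY_USERS = {
    "alice@example.com": {
        "name": "Alice",
        "salt": _SALT,
        "hash_password": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse", _SALT.encode(), ITERATIONS).hex(),
    }
}

def find_legacy_user(email):
    """Hypothetical helper: replace with a real MongoDB query."""
    return LEGACY_USERS.get(email.lower())

def password_matches(user, password):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), user["salt"].encode(), ITERATIONS).hex()
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(candidate, user["hash_password"])

def lambda_handler(event, context):
    user = find_legacy_user(event["userName"])
    source = event["triggerSource"]
    if source == "UserMigration_Authentication":
        # Same error text for unknown user and wrong password.
        if user is None or not password_matches(user, event["request"]["password"]):
            raise Exception("Bad credentials")
        # Cognito stores the password the user just typed; no reset needed.
        event["response"]["finalUserStatus"] = "CONFIRMED"
    elif source == "UserMigration_ForgotPassword":
        if user is None:
            raise Exception("Bad credentials")
    else:
        raise Exception("Unsupported trigger source")
    event["response"]["userAttributes"] = {
        "email": event["userName"],
        "email_verified": "true",  # needed so a reset code can be emailed
        "name": user["name"],
    }
    event["response"]["messageAction"] = "SUPPRESS"  # no invitation message
    return event
```

The trigger only receives the cleartext password when the app client signs in with the USER_PASSWORD_AUTH flow (or ADMIN_USER_PASSWORD_AUTH), not with SRP, so the client has to use that flow over TLS until migration is complete.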