Can users be migrated from my mongodb database to aws cognito user pool?

For better security I would like to move all of my web application users to AWS Cognito. Is it possible to migrate the user data from MongoDB to Cognito in such a way that all my customers can log in with their same old password? Or is it mandated to change the password after migration?

A rough user table is below:
name:
email:
hash_password:
salt:

The hash_password and salt are strings which may have to be exported to a CSV and then uploaded to Cognito. But I do not see any such options in Cognito.

I have hundreds of users and I do not want to force a password change on all of them. I have checked the AWS docs and they do not mention anything about migration from MongoDB. Please let me know if it is possible and, if it is, how it can be achieved?

Answers 1

  • There are several ways to achieve this:

    1. You prepare a .CSV file and import it into the AWS Cognito user pool. The import process sets all user attributes except the password. The user's status in Cognito will be RESET_REQUIRED; Cognito forces a password reset.

    2. Otherwise, you can write a script that will add all users from MongoDB to Cognito in the following steps:

    Use: AdminCreateUser

    1. Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password (will be your user's password in MongoDB) or allow Amazon Cognito to automatically generate one.

    2. Specify whether provided email addresses and phone numbers are marked as verified for new users. Specify custom SMS and email invitation messages for new users via the AWS Management Console.

    3. Specify whether invitation messages are sent via SMS, email, or both.

    4. After successful user creation,

      1. Authenticate the user using the same user credentials. Use: SDK call InitiateAuth(Username, USER_SRP_AUTH)

      2. After InitiateAuth succeeds, Amazon Cognito returns the PASSWORD_VERIFIER challenge with salt and secret block.

      3. Use: RespondToAuthChallenge(Username, , PASSWORD_VERIFIER)

      4. Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.

      5. The user is prompted and enters a new password and any missing values for required attributes.

      6. Call RespondToAuthChallenge(Username, , ).

      7. After a successful password change, the user will be able to log in using the same credentials added in MongoDB.

    Note: there is a problem: if you are not able to decrypt the user credentials from MongoDB, then the 2nd solution will not work.

    - In that case, you can specify the temporary password (or allow Amazon Cognito to automatically generate one).

    - All users will be forced to change their password only at first login.


    Reference:

    If you want to know how to write the CSV and import it into Cognito then check this link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool-csv-header.html
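Since the question's table stores a hash and a salt rather than a recoverable password, the answer's note applies: the migration can hand Cognito the attributes but never the password. The script below, an added example that is not part of the answer above, prepares both routes the answer describes: it builds the CSV for the user pool import tool (route 1, every user lands in RESET_REQUIRED) and builds the parameters for an AdminCreateUser call with a random temporary password (route 2 with the fallback from the note). It uses only the Python standard library; the sample MongoDB documents, the `<USER_POOL_ID>` placeholder and the choice of email as the Cognito username are constructed assumptions. The column header is the standard-attribute header from the linked docs; regenerate it for your own pool with `aws cognito-idp get-csv-header --user-pool-id <USER_POOL_ID>`, because custom attributes add columns and the header must match exactly. The practitioner's caveat the script enforces is that the forced reset is delivered to a verified email or phone number, so a user imported without one would be locked out rather than migrated.

```python
import csv
import io
import secrets
import string

# Standard-attribute header for the Cognito user pool import tool (see the linked
# AWS docs). Regenerate it from your own pool if it defines custom attributes.
IMPORT_HEADER = [
    "cognito:username", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email", "email_verified",
    "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified",
    "address", "updated_at", "cognito:mfa_enabled",
]

# Fields from the old database that Cognito has no column for and that must never be exported.
SECRET_FIELDS = ("hash_password", "salt")

# Constructed sample documents shaped like the question's user table (placeholder values).
SAMPLE_USERS = [
    {"name": "Alice Example", "email": "Alice@example.com",
     "hash_password": "<hash-placeholder>", "salt": "<salt-placeholder>"},
    {"name": "Bob Example", "email": "bob@example.com",
     "hash_password": "<hash-placeholder>", "salt": "<salt-placeholder>"},
    {"name": "No Mail", "email": "",
     "hash_password": "<hash-placeholder>", "salt": "<salt-placeholder>"},
]


def import_row(doc):
    """Map one MongoDB document to a row of the import CSV.

    Raises ValueError for a user who could never finish the forced reset: the
    import tool sets status RESET_REQUIRED and the reset code goes to a verified
    email or phone number, so a missing email would lock the user out.
    """
    email = (doc.get("email") or "").strip().lower()
    if not email:
        raise ValueError(f"user {doc.get('name')!r} has no email to deliver the reset code to")
    # Only header columns are emitted, so hash_password and salt (SECRET_FIELDS) never leave the old store.
    row = {col: "" for col in IMPORT_HEADER}
    row["cognito:username"] = email          # assumption: email is the pool's username
    row["name"] = doc.get("name", "")
    row["email"] = email
    row["email_verified"] = "true"           # required so the password reset can be delivered
    row["phone_number_verified"] = "false"
    row["cognito:mfa_enabled"] = "false"
    return row


def build_import_csv(docs):
    """Return (csv_text, skipped): the import file plus users needing manual follow-up."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=IMPORT_HEADER, lineterminator="\n")
    writer.writeheader()
    skipped = []
    for doc in docs:
        try:
            writer.writerow(import_row(doc))
        except ValueError as exc:
            skipped.append(str(exc))
    return buf.getvalue(), skipped


def temporary_password(length=16):
    """Random temporary password meeting the default pool policy (upper, lower, digit, symbol)."""
    symbols = "!@#$%^&*"
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in symbols for c in pw)):
            return pw


def admin_create_user_params(doc, user_pool_id):
    """Keyword arguments for a boto3 `admin_create_user` call (the script route).

    The stored hash is not the user's password, so a random temporary one is used;
    with no MessageAction, Cognito emails the invitation and the user must choose
    a new password at first sign-in.
    """
    email = doc["email"].strip().lower()
    return {
        "UserPoolId": user_pool_id,
        "Username": email,
        "TemporaryPassword": temporary_password(),
        "UserAttributes": [
            {"Name": "email", "Value": email},
            {"Name": "email_verified", "Value": "true"},
            {"Name": "name", "Value": doc.get("name", "")},
        ],
        "DesiredDeliveryMediums": ["EMAIL"],
    }


if __name__ == "__main__":
    text, skipped = build_import_csv(SAMPLE_USERS)
    print(text)
    print("needs follow-up:", skipped)
    print(admin_create_user_params(SAMPLE_USERS[0], "<USER_POOL_ID>"))
```

Run it against a dump of your real collection instead of `SAMPLE_USERS`; review the `skipped` list before uploading, since those accounts cannot complete the reset Cognito will demand of them.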
