
Cognito

User pools (and clients/domains), identity pools, OAuth2 flows (/oauth2/*, /login, /logout), JWKS at /.well-known/jwks.json.

JSON-RPC (X-Amz-Target) · multi-tenant · 62 operations

Quick start

import boto3

# Point the client at the local endpoint rather than AWS.
cidp = boto3.client("cognito-idp", endpoint_url="http://localhost:4566",
                    region_name="us-east-1",
                    aws_access_key_id="test", aws_secret_access_key="test")
# Create a user pool, then an app client inside it.
pool = cidp.create_user_pool(PoolName="users")
client = cidp.create_user_pool_client(UserPoolId=pool["UserPool"]["Id"],
                                      ClientName="web")

Supported operations

This service exposes 62 operations as of MiniStack 1.3.14. The list is extracted directly from the handler dispatch in the source module.

AdminAddUserToGroup AdminConfirmSignUp AdminCreateUser AdminDeleteUser AdminDisableUser AdminEnableUser AdminGetUser AdminInitiateAuth AdminListGroupsForUser AdminListUserAuthEvents AdminRemoveUserFromGroup AdminResetUserPassword AdminRespondToAuthChallenge AdminSetUserMFAPreference AdminSetUserPassword AdminUpdateUserAttributes AdminUserGlobalSignOut AssociateSoftwareToken ChangePassword ConfirmForgotPassword ConfirmSignUp CreateGroup CreateIdentityProvider CreateUserPool CreateUserPoolClient CreateUserPoolDomain DeleteGroup DeleteIdentityProvider DeleteUser DeleteUserPool DeleteUserPoolClient DeleteUserPoolDomain DescribeIdentityProvider DescribeUserPool DescribeUserPoolClient DescribeUserPoolDomain ForgotPassword GetGroup GetIdentityProviderByIdentifier GetUser GetUserPoolMfaConfig GlobalSignOut InitiateAuth ListGroups ListIdentityProviders ListTagsForResource ListUserPoolClients ListUserPools ListUsers ListUsersInGroup RespondToAuthChallenge RevokeToken SetUserMFAPreference SetUserPoolMfaConfig SignUp TagResource UntagResource UpdateIdentityProvider UpdateUserAttributes UpdateUserPool UpdateUserPoolClient VerifySoftwareToken

CloudFormation

The CloudFormation engine provisions these resource types via this service:

AWS::Cognito::UserPool AWS::Cognito::UserPoolClient AWS::Cognito::UserPoolDomain AWS::Cognito::IdentityPool

See CloudFormation engine for intrinsic support and lifecycle details.

Known limitations

  • Lambda triggers (PreSignUp, PostConfirmation, CustomMessage, Pre/PostAuth, PreTokenGeneration) are stored but never invoked.
  • SES delivery of verification codes / password-reset links is not performed (unless SMTP_HOST is set).
  • Both cognito-idp and cognito-identity share one service module; some identity-pool mappings have partial coverage.
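The first two limitations matter for security tests: a pool whose sign-up or token rules live in a trigger behaves differently here than on AWS. The preflight below is an added example, not MiniStack code; it assumes DescribeUserPool returns the stored LambdaConfig in the AWS response shape, and the function names, severity labels and sample pool are constructed for illustration.

```python
# Added example: flag pool settings that are inert on the emulator, so a test
# suite does not treat "sign-up succeeded" as proof that a trigger allowed it.

# Assumption: triggers that typically gate access are rated "high", others "info".
GATING = {"PreSignUp", "PreAuthentication", "PreTokenGeneration",
          "PreTokenGenerationConfig", "DefineAuthChallenge",
          "VerifyAuthChallengeResponse", "UserMigration"}

def configured_triggers(user_pool):
    """Return the sorted names of Lambda triggers set in LambdaConfig."""
    found = []
    for name, value in (user_pool.get("LambdaConfig") or {}).items():
        if name == "KMSKeyID":  # key for custom senders, not a trigger
            continue
        # Newer trigger entries are objects carrying a LambdaArn field.
        arn = value.get("LambdaArn") if isinstance(value, dict) else value
        if arn:
            found.append(name)
    return sorted(found)

def emulator_gaps(describe_user_pool_response, smtp_host_set=False):
    """List (severity, message) pairs for controls the emulator will not run."""
    pool = describe_user_pool_response["UserPool"]
    gaps = []
    for name in configured_triggers(pool):
        severity = "high" if name in GATING else "info"
        gaps.append((severity, f"trigger {name} is stored but never invoked"))
    if "email" in (pool.get("AutoVerifiedAttributes") or []) and not smtp_host_set:
        gaps.append(("info", "verification codes are not delivered (SMTP_HOST unset)"))
    return gaps

# Constructed sample in the shape of a DescribeUserPool response.
SAMPLE = {"UserPool": {
    "Id": "us-east-1_EXAMPLE",
    "AutoVerifiedAttributes": ["email"],
    "LambdaConfig": {
        "PreSignUp": "arn:aws:lambda:us-east-1:000000000000:function:signup-allowlist",
        "CustomMessage": "arn:aws:lambda:us-east-1:000000000000:function:branding",
        "KMSKeyID": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE",
    },
}}

if __name__ == "__main__":
    for severity, message in emulator_gaps(SAMPLE):
        print(f"[{severity}] {message}")
```

Feed it the result of cidp.describe_user_pool(UserPoolId=...) from the quick start and fail the run on any "high" entry, so trigger-dependent checks are exercised against real Cognito instead.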

Source

  • ministack/services/cognito.py:566-626

Read the source to verify the ops list above — dispatch tables and handler functions are the ground truth.