Integrate Amazon Cognito with Corbado Connect for passkeys. Offer secure and convenient passkey authentication to all your Cognito users.
The custom authentication flow is implemented by three Lambda triggers:

define_auth_challenge: This Lambda acts as the orchestrator of our custom flow. It determines which challenge to present to the user at each step of the authentication process.

create_auth_challenge: This Lambda is responsible for creating the challenge itself. In our case, it won’t be creating a secret, but rather preparing for the verification that happens in the next step.

verify_auth_challenge_response: This is where the core verification logic resides. This Lambda takes the signed passkey data from the frontend (provided by Corbado Connect) and verifies it against Corbado’s Backend API to confirm the user’s identity. If verification is successful, it informs Cognito to issue the session tokens.

The passkey append component comes from the @corbado/connect-react library. The component takes care of the entire UI and logic for creating and storing the passkey.

Here’s how it’s used in our example application’s post-login page:

The component uses appendTokenProvider to request a connect token from Corbado’s Backend API (this token authorizes the creation of a passkey for a specific, authenticated user).

The frontend first needs to get the idToken for the currently logged-in user from AWS Amplify. This JWT is proof of the user’s session with Amazon Cognito. The idToken is then sent to a Next.js Server Action:

The Server Action verifies the idToken to ensure it’s valid and extracts the user’s identity, then requests the connect token by calling the utility function getCorbadoConnectToken():

The post-append action utilizes the AdminGetUser command from Amazon Cognito to verify if MFA is already configured. If it is not, the AdminSetUserMFAPreference command is executed to update the settings:
The passkey login component also comes from the @corbado/connect-react library. The component takes care of the entire UI and logic for handling the passkey login and passing the result to our application logic to complete the login with Amazon Cognito.

The core logic resides in a client component that wraps the CorbadoConnectLogin component:

The onComplete handler triggers our postPasskeyLoginNew function, which performs the final steps to log the user into Cognito:

The login result includes the webauthnId, which is a stable identifier for the user in Corbado’s system. We will use this as the username for Amazon Cognito’s custom flow.

signIn: We call signIn from the AWS Amplify library, passing the webauthnId as the username and specifying authFlowType: 'CUSTOM_WITHOUT_SRP'. This initiates the custom authentication flow and triggers our define_auth_challenge and create_auth_challenge Lambdas.

confirmSignIn: We then immediately call confirmSignIn, providing the entire signedPasskeyData as the challengeResponse. This is the answer to the custom challenge, which triggers our verify_auth_challenge_response Lambda.

Once confirmSignIn completes successfully, Amazon Cognito has issued valid session tokens to the Amplify library. The user is now fully authenticated, and we can redirect them to a protected page, like their profile.

The pre-login action utilizes the AdminGetUser command from Amazon Cognito to search for a user by their email address and return the corresponding Amazon Cognito username to Corbado Connect:
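As an added example (not code from this guide or from Corbado), here is a define_auth_challenge handler for the two-step custom flow described above: signIn with CUSTOM_WITHOUT_SRP presents one CUSTOM_CHALLENGE, and confirmSignIn answers it with the signed passkey data. It assumes verify_auth_challenge_response records its verdict as challengeResult on the session entry and that PreventUserExistenceErrors is enabled on the app client so Cognito populates request.userNotFound; the sample event at the bottom is constructed.

```javascript
// Added example, not the page's own Lambda: define_auth_challenge for the
// passkey custom flow. Assumes one CUSTOM_CHALLENGE answered with signed passkey
// data and verify_auth_challenge_response setting challengeResult true/false.

function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const response = event.response || (event.response = {});
  response.challengeName = undefined;
  response.issueTokens = false;
  response.failAuthentication = false;

  // Cognito sets request.userNotFound when PreventUserExistenceErrors is enabled.
  // Failing here looks identical to a rejected passkey, so usernames are not enumerable.
  if (event.request.userNotFound) {
    response.failAuthentication = true;
    return event;
  }

  if (session.length === 0) {
    // First round of the flow: ask the client for the signed passkey data.
    response.challengeName = 'CUSTOM_CHALLENGE';
    return event;
  }

  const last = session[session.length - 1];
  if (last.challengeName === 'CUSTOM_CHALLENGE' && last.challengeResult === true) {
    // verify_auth_challenge_response accepted the passkey: issue session tokens.
    response.issueTokens = true;
  } else {
    // A WebAuthn assertion is single-use, so a rejected answer ends the flow
    // rather than re-issuing the challenge for a retry.
    response.failAuthentication = true;
  }
  return event;
}

// Lambda entry point (Node.js runtime).
async function handler(event) { return defineAuthChallenge(event); }

// Constructed sample event: the user has just answered the challenge correctly.
const sample = { request: { session: [{ challengeName: 'CUSTOM_CHALLENGE', challengeResult: true }] }, response: {} };
console.log(defineAuthChallenge(sample).response.issueTokens); // true

if (typeof module !== 'undefined') module.exports = { defineAuthChallenge, handler };
```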
By storing your secrets as SecureString parameters in the SSM Parameter Store, you ensure that they are encrypted at rest. You can then grant the Lambda function’s IAM role the necessary permissions to read these specific parameters at runtime. This approach provides a secure and scalable way to manage your secrets, separating them from your application code.
The passkey management component comes from the @corbado/connect-react library. This component provides a complete user interface for managing passkeys, including viewing, adding, and deleting them.

Here’s how it’s used in our example application’s profile page:

The component uses connectTokenProvider to request a connect token from Corbado’s Backend API. This token authorizes the specific operation for the authenticated user.

The frontend first gets the idToken for the currently logged-in user from AWS Amplify. This JWT proves the user’s session with Amazon Cognito. The idToken is then sent to a Next.js Server Action:

The Server Action verifies the idToken to ensure it’s valid and extracts the user’s identity, then requests the connect token by calling the utility function getCorbadoConnectToken():

The action also accepts a connectTokenType to specify which operation the token should authorize (in this case, it could be ‘passkey-list’, ‘passkey-add’, or ‘passkey-delete’).