Seamless migrations of users in AWS Cognito user pools
Cognito user pools come with out-of-the-box integrations that make it quick to get started: users can sign up and sign in from the web or a mobile app with very little work on your side. That convenience turned into a problem as soon as we started supporting social authentication.
Problem
We hit a hard limit: some user pool settings are fixed at creation time and cannot be changed afterwards, in particular which standard attributes are required and which attributes are used for sign-in. If a pool was created with phone number as a required attribute, phone number stays required forever; you cannot relax it later to let a social-login user, who arrives without a phone number, sign up.
Solution
The only way out is to create a new pool with the desired configuration and move the users into it, which is not an easy task when you have a hundred thousand live users. So we had to build a migration strategy that moves existing users to the new pool without them noticing.
We devised a two-step migration approach.
Step 1 — Migration of users registered with a phone number (lower complexity)
These users were authenticated through a custom authentication flow: they logged into the app with a one-time password (OTP) sent to their phone, so there were no passwords to carry over.
An export script reads the users from the old Cognito pool and imports them into the new one. The import must suppress the invitation message Cognito sends for admin-created users, and the verified flags (phone_number_verified, email_verified) should be carried over exactly as they were, so nothing becomes "verified" in the new pool that was not verified in the old one.
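The export/import script for step 1, written here as an added example rather than the post's own script. It uses the boto3 calls ListUsers and AdminCreateUser; the pool ids are placeholder environment variables, and the Cognito client is passed in as a parameter so the logic can be exercised offline against a stand-in object.

```python
"""Step 1 (added example): bulk-copy OTP (phone) users from the old pool into
the new one. Pool ids are placeholders read from the environment; the Cognito
client is passed in so the logic runs offline against a stand-in."""
import os

# Attributes Cognito assigns itself; AdminCreateUser rejects them as input.
READ_ONLY_ATTRIBUTES = {"sub", "identities", "cognito:user_status"}


def export_users(client, pool_id, page_size=60):
    """Yield every user in pool_id, following PaginationToken until it runs out.

    ListUsers caps Limit at 60, so a pool of a hundred thousand users means a
    few thousand calls; generate lazily instead of holding them all in memory.
    """
    kwargs = {"UserPoolId": pool_id, "Limit": page_size}
    while True:
        page = client.list_users(**kwargs)
        for user in page.get("Users", []):
            yield user
        token = page.get("PaginationToken")
        if not token:
            return
        kwargs["PaginationToken"] = token


def prepare_attributes(user):
    """Convert a ListUsers record into the UserAttributes list AdminCreateUser accepts.

    Read-only attributes are dropped; everything else, including the
    phone_number_verified / email_verified flags, is carried over exactly as
    the old pool had it, so nothing becomes "verified" that was not before.
    """
    attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
    for name in READ_ONLY_ATTRIBUTES:
        attrs.pop(name, None)
    return [{"Name": k, "Value": v} for k, v in sorted(attrs.items())]


def import_users(client, target_pool_id, users):
    """Re-create users in target_pool_id. Returns (created, skipped).

    Only enabled, CONFIRMED users are copied; disabled or never-confirmed
    accounts are counted as skipped for manual review. MessageAction=SUPPRESS
    stops Cognito sending the temporary-password SMS/email it would normally
    send for an admin-created user. A username that already exists in the
    target pool is skipped, so the script can be re-run safely after a crash.
    """
    created = skipped = 0
    for user in users:
        if not user.get("Enabled", True) or user.get("UserStatus") != "CONFIRMED":
            skipped += 1
            continue
        try:
            client.admin_create_user(
                UserPoolId=target_pool_id,
                Username=user["Username"],
                UserAttributes=prepare_attributes(user),
                MessageAction="SUPPRESS",
            )
        except client.exceptions.UsernameExistsException:
            skipped += 1
            continue
        created += 1
    return created, skipped


def main():
    import boto3  # deferred so the module imports (and is testable) without AWS credentials

    client = boto3.client("cognito-idp")
    users = export_users(client, os.environ["OLD_POOL_ID"])  # placeholder env var names
    created, skipped = import_users(client, os.environ["NEW_POOL_ID"], users)
    print(f"created={created} skipped={skipped}")


if __name__ == "__main__":
    main()
```

One caveat when reusing usernames verbatim: if the new pool is configured with phone number as a sign-in alias, Cognito rejects usernames that are themselves in phone-number format, so in that configuration the script has to generate a fresh username and let the phone_number attribute serve as the alias.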
Step 2 — Migration of users registered with an email address. This covers not only login but forgot-password as well.
A plain export and import would not work here: Cognito never exposes password hashes, so every imported user would have been created with a temporary password, and a temporary-password email would have gone out to all of our users.
Step 2 (a) — Users log in to the web app
We wrote migration lambdas that move a user from the old pool to the new one at the moment they log in, using Cognito's user migration trigger: when someone signs in to the new pool with a username it does not know, Cognito invokes the lambda with the submitted credentials, the lambda verifies them against the old pool and returns the user's attributes, and Cognito creates the user in the new pool with the password they just typed. No temporary password, no email, and the user notices nothing. Because the trigger fires for any unknown username, the lambda must verify the password before copying anything. Flow diagram in the screenshot below.
Step 2 (b) — Users reset their password using the web app
A forgot-password request for a user who only exists in the old pool invokes the same trigger with the forgot-password trigger source. There is no password to check here; the lambda copies the user's attributes from the old pool so that Cognito can create the user in the new pool and send the reset code to the same, already verified, email address.
Flow diagram.
Lambda
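A user migration lambda covering both step 2 (a) and step 2 (b), added here as an example; it is not the post's own lambda. It implements Cognito's User Migration trigger, whose event carries `triggerSource` values `UserMigration_Authentication` and `UserMigration_ForgotPassword`. It assumes the old pool's app client allows the ADMIN_USER_PASSWORD_AUTH flow and has no client secret; the pool and client ids are placeholder environment variables, and the Cognito client is injected so the logic can be tested offline.

```python
"""Step 2 (added example): a Cognito User Migration Lambda trigger that moves
an email/password user from the old pool into the new one the first time they
log in (2a) or ask for a password reset (2b). Assumes the old pool's app
client allows ADMIN_USER_PASSWORD_AUTH and has no client secret; pool and
client ids are placeholder environment variables."""
import os

READ_ONLY_ATTRIBUTES = {"sub", "identities", "cognito:user_status"}


class MigrationDenied(Exception):
    """Raising from the trigger makes Cognito fail the sign-in/reset; the user sees a generic error."""


def _attributes_from_old_pool(client, old_pool_id, username):
    """Fetch the user's attributes from the old pool as a dict, read-only ones dropped."""
    try:
        user = client.admin_get_user(UserPoolId=old_pool_id, Username=username)
    except client.exceptions.UserNotFoundException:
        raise MigrationDenied("user does not exist in the old pool") from None
    attrs = {a["Name"]: a["Value"] for a in user.get("UserAttributes", [])}
    for name in READ_ONLY_ATTRIBUTES:
        attrs.pop(name, None)
    return attrs


def migrate(event, client, old_pool_id, old_client_id):
    """Handle one trigger event and return it with `response` filled in.

    Cognito invokes this trigger for ANY username it does not know, so it is
    reachable by unauthenticated callers: the password must be verified against
    the old pool before a single attribute is copied.
    """
    source = event["triggerSource"]
    username = event["userName"]
    response = event["response"]

    if source == "UserMigration_Authentication":
        try:
            result = client.admin_initiate_auth(
                UserPoolId=old_pool_id,
                ClientId=old_client_id,
                AuthFlow="ADMIN_USER_PASSWORD_AUTH",
                AuthParameters={"USERNAME": username,
                                "PASSWORD": event["request"]["password"]},
            )
        except (client.exceptions.NotAuthorizedException,
                client.exceptions.UserNotFoundException):
            raise MigrationDenied("old-pool authentication failed") from None
        if "AuthenticationResult" not in result:
            # A challenge (MFA, forced password change) means the old pool did not
            # fully accept the password; never migrate on a half-finished login.
            raise MigrationDenied("old pool returned a challenge, not tokens")
        response["userAttributes"] = _attributes_from_old_pool(client, old_pool_id, username)
        response["finalUserStatus"] = "CONFIRMED"  # the password just used becomes the new pool's
        response["messageAction"] = "SUPPRESS"     # no welcome / temporary-password email
        return event

    if source == "UserMigration_ForgotPassword":
        # No password to check here. Copying the attributes lets Cognito create the
        # user in the new pool and send the reset code to the carried-over email;
        # finalUserStatus is deliberately left unset in this flow.
        response["userAttributes"] = _attributes_from_old_pool(client, old_pool_id, username)
        response["messageAction"] = "SUPPRESS"
        return event

    raise MigrationDenied(f"unexpected trigger source {source}")


def handler(event, context):
    """Lambda entry point (placeholder env var names)."""
    import boto3  # deferred so the module imports without boto3 or AWS credentials

    return migrate(
        event,
        boto3.client("cognito-idp"),
        os.environ["OLD_POOL_ID"],
        os.environ["OLD_POOL_CLIENT_ID"],
    )
```

Two operational notes: the lambda's execution role needs cognito-idp:AdminInitiateAuth and cognito-idp:AdminGetUser on the old pool only, and once every active user has migrated the trigger should be removed, since while it is attached every failed login for an unknown username costs a round trip to the old pool.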
References: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html