Flask AWSCognito

1.3 verified Fri May 01 auth: no python maintenance

Flask extension for authenticating users with AWS Cognito. Version 1.3 supports Flask-Login integration and JWT token verification. Release cadence is low; last updated in 2021.

pip install flask-awscognito
error AttributeError: module 'flask_awscognito' has no attribute 'AWSCognitoAuthentication'
cause Importing an outdated or wrong class name.
fix Use 'from flask_awscognito import AWSCognitoAuthentication' (note capital A, W, and no underscore before Authentication).
error ImportError: cannot import name 'CognitoAuth' from 'flask_awscognito'
cause CognitoAuth class was renamed to AWSCognitoAuthentication in version 1.0.
fix If using version <1.0, use CognitoAuth; for >=1.0 use AWSCognitoAuthentication.
error flask_awscognito.exceptions.CognitoError: Invalid redirect URI
cause The redirect URI in the Cognito app client settings does not match the one configured in Flask (AWS_COGNITO_REDIRECT_URL).
fix Match the exact URI in AWS Cognito console under App client settings -> Callback URL(s).
deprecated This library is in maintenance mode; consider using flask-cognito or flask-cognito-auth for newer Python/Flask versions.
fix Migrate to flask-cognito or a custom integration with pycognito.
gotcha Requires Flask-Login to be installed and configured, even if not using its session management.
fix Ensure flask-login is installed and flask_login.LoginManager is initialized on the app.
breaking In version 1.2+, the redirect URI configuration key keeps the same name ('AWS_COGNITO_REDIRECT_URL'), but the library now validates that the redirect URI in the request matches it exactly. Previously it was lenient.
fix Ensure your Cognito App Client settings in AWS have the exact redirect URL as configured in the app.
gotcha OpenID configuration discovery fails if the AWS Cognito domain is not accessible from the server; no fallback provided.
fix Use a valid Cognito domain and ensure network connectivity.
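
A pre-deployment check for the "Invalid redirect URI" error and the exact-match behaviour noted above. This is an added example, not code from flask-awscognito: the function name is hypothetical, the URLs are constructed sample values, and the list of callback URLs is assumed to be copied by hand from the Cognito app client settings.

```python
from urllib.parse import urlsplit

def explain_redirect_mismatch(configured, registered):
    """Compare AWS_COGNITO_REDIRECT_URL with the registered callback URLs.

    Returns [] when `configured` is byte-for-byte equal to one entry,
    otherwise the differences against the closest registered entry.
    """
    if configured in registered:
        return []
    if not registered:
        return ["no callback URLs registered"]

    app_url = urlsplit(configured)
    fields = ("scheme", "hostname", "port", "path", "query")

    def diffs(candidate):
        cog_url = urlsplit(candidate)
        out = []
        for field in fields:
            a, c = getattr(app_url, field), getattr(cog_url, field)
            if a != c:
                out.append(f"{field}: app has {a!r}, Cognito has {c!r}")
        # urlsplit lowercases the hostname, so a case-only difference
        # shows up here rather than in the per-field comparison.
        return out or [f"raw strings differ: {configured!r} vs {candidate!r}"]

    closest = min(registered, key=lambda url: len(diffs(url)))
    return diffs(closest)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real user pool.
    configured = "https://localhost:5000/aws_cognito/redirect"
    registered = [
        "https://localhost:5000/callback",
        "http://localhost:5000/aws_cognito/redirect/",
    ]
    for line in explain_redirect_mismatch(configured, registered):
        print(line)
```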

Basic Flask app with Cognito login using AWSCognitoAuthentication.

import os

from flask import Flask, jsonify, request
from flask_awscognito import AWSCognitoAuthentication

app = Flask(__name__)
app.config['AWS_DEFAULT_REGION'] = 'us-east-1'
app.config['AWS_COGNITO_DOMAIN'] = 'https://your-domain.auth.us-east-1.amazoncognito.com'
app.config['AWS_COGNITO_USER_POOL_ID'] = 'us-east-1_xxxxxxxxx'
app.config['AWS_COGNITO_CLIENT_ID'] = 'xxxxxxxxxxxxxxxxxxxxxxxxx'
# Read the client secret from the environment rather than hard-coding it.
app.config['AWS_COGNITO_CLIENT_SECRET'] = os.environ.get('CLIENT_SECRET', '')
# Must match a Callback URL in the Cognito app client settings exactly.
app.config['AWS_COGNITO_REDIRECT_URL'] = 'https://localhost:5000/aws_cognito/redirect'

aws_auth = AWSCognitoAuthentication(app)

@app.route('/login')
def login():
    return aws_auth.sign_in()

# The route path is the path of AWS_COGNITO_REDIRECT_URL, so Cognito's
# redirect actually reaches this handler.
@app.route('/aws_cognito/redirect')
def callback():
    access_token = aws_auth.get_access_token(request.args)
    return jsonify({'token': access_token})

if __name__ == '__main__':
    # Self-signed certificate for local HTTPS only.
    app.run(ssl_context='adhoc')