Swiftpack.co - Package - adam-fowler/soto-cognito-authentication
Swiftpack.co is a collection of thousands of indexed Swift packages. Search packages.

Soto Cognito Authentication

Swift 5.1

This is the Vapor wrapper for Soto Cognito Authentication Kit. It provides application storage for configurations and authentication calls on request. Documentation on Soto Cognito Authentication Kit can be found here

Using with Vapor


Store your CognitoConfiguration on the Application object. In configure.swift add the following with your configuration details

let awsCognitoConfiguration = CognitoConfiguration(
    userPoolId: String = "eu-west-1_userpoolid",
    clientId: String = "23432clientId234234",
    clientSecret: String = "1q9ln4m892j2cnsdapa0dalh9a3aakmpeugiaag8k3cacijlbkrp",
    cognitoIDP: CognitoIdentityProvider = CognitoIdentityProvider(region: .euwest1)
app.cognito.authenticatable = CognitoAuthenticatable(configuration: awsCognitoConfiguration)

The CognitoIdentity configuration can be setup in a similar way.

let awsCognitoIdentityConfiguration = CognitoIdentityConfiguration(
    identityPoolId: String = "eu-west-1_identitypoolid"
    identityProvider: String = "provider"
    cognitoIdentity: CognitoIdentity = CognitoIdentity(region: .euwest1)
let app.cognito.identifiable = CognitoIdentifiable(configuration: awsCognitoIdentityConfiguration)

Accessing functionality

Functions like createUser, signUp, authenticate with username and password and responseToChallenge are all accessed through request.application.cognito.authenticatable. The following login route will return the full response from CognitoAuthenticable.authenticate.

    func login(_ req: Request) throws -> EventLoopFuture<CognitoAuthenticateResponse> {
        let user = try req.content.decode(User.self)
        return req.application.cognito.authenticatable.authenticate(
            username: user.username,
            password: user.password,
            context: req,

If id, access or refresh tokens are provided in the 'Authorization' header as Bearer tokens the following functions in Request can be used to verify them authenticate(idToken:), authenticate(accessToken:), refresh. as in the following

func authenticateAccess(_ req: Request) throws -> Future<> {
    req.cognito.authenticateAccess().flatMap { _ in


Three authenticators are available. See the Vapor docs for more details on authentication in Vapor.CognitoBasicAuthenticator will do username, password authentication and returns a CognitoAuthenticateResponse. CognitoAccessAuthenticator will do access token authentication and returns an CognitoAccessToken which holds all the information that could be extracted from the access token. CognitoIdAuthenticator<Payload> does id token authentication and extracts information from the id token into your own Payload type. The standard list of claims that can be found in an id token are detailed in the [OpenID spec] (https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). Your Payload type needs to decode using these tags, the username tag "cognito:username" and any custom tags you may have setup for the user pool. Below is an example of using the id token authenticator.

First create a User type to store your id token payload in.

struct User: Content & Authenticatable {
    let username: String
    let email: String

    private enum CodingKeys: String, CodingKey {
        case username = "cognito:username"
        case email = "email"

Add a route using the authenticator. The CognitoIdAuthenticator authenticates the request, the guardMiddleware ensures the user if authenticated. The actual function accesses the User type via req.auth.require.

    .get("user") { (req) throws -> EventLoopFuture<User> in
    let user = try req.auth.require(User.self)
    return req.eventLoop.next().makeSucceededFuture(user)


Stars: 12


v2.0.0 - 2020-12-07T12:46:26

Major version changes

  • Replaced AWS prefix on library name with Soto
  • Uses v2.0 of soto-aws-cognito-authentication
  • Renamed Application.awsCognito to Application.cognito
  • Renamed Request.awsCognito to Request.cognito
  • Removed AWS prefix from Authenticators

Version 1.0.0 - 2020-07-30T09:11:28

  • Use version 1.0.0 of aws-cognito-authentication-kit
  • Authenticator doesn't throw errors on failed authentication so other authenticators can attempt authentication.

v1.0.0 RC 2 - 2020-04-11T17:14:29

  • Using Vapor 4.0.0
  • Fixed authenticators to work with release version of Vapor 4

v1.0.0 RC 1 (Vapor 4 Release Candidate) - 2020-03-11T19:03:16

  • Updated to work with release candidate version of Vapor

v1.0.0 Beta 3.1 (Vapor 4) - 2020-03-11T10:46:34

  • Added Authenticator classes AWSCognitoBasicAuthenticator, AWSCognitoAccessAuthenticator and AWSCognitoIdAuthenticator.
  • Extend AWSCognitoAuthenticateResponse to conform to Content

v1.0.0 Beta 3 (Vapor 4) - 2020-03-06T10:12:43

  • Split off AWSCognitoAuthenticationKit into a separate repository

v1.0.0 Beta 2.1 (Vapor 4) - 2020-03-03T13:17:24

  • Using swift-crypto instead of open-crypto

v1.0.0 Beta 2 (Vapor 4) - 2019-12-16T23:41:51

Split project into two targets, core code (AWSCognitoAuthenticationKit) and Vapor integration code (AWSCognitoAuthentication).


  • Refactored how configuration of system is setup to be more inline with Vapor 4.
  • Added custom respond to challenge functions for password renewal and MFA tokens.
  • Removed EventLoopWithContextData. The two values are treated as two separate function parameters.
  • Provide clientMetadata for custom Lambda functions in functions that require it.
  • Added parameter requireAuthentication to switch between admin and non-admin versions of Cognito functions.


  • Extended Application to store global AWSCognito objects
  • Extended Request to authenticate bearer tokens

v1.0.0 Beta 1 (Vapor 4) - 2019-12-09T21:41:40

Updated to using: Linux 5.1.2 AWSSDKSwift 4.0.0 Vapor 4.0.0-beta.2 JWTKit 4.0.0-beta.2

  • Added Authenication using secure remote password
  • Throw errors internal to aws-cognito-authentication, instead of Vapor abort errors

v1.0.0 Alpha 2 (Vapor 4) - 2019-11-16T17:12:07

  • Added EventLoopWithContext protocol and extend Vapor Request to conform to it. Use this protocol in authenticate functions instead of Request.
  • Added tests for creating a user, verifying access, id, and refresh tokens.


  • removed hard coded regions

v1.0.0 Alpha 1 (Vapor 4) - 2019-11-14T12:20:57

AWS Cognito Authentication now works with Vapor 4

  • Added AWSCognitoIdentifiable to support AWS Cognito Federated Identities
  • Added AWSCognitoUserPoolIdentifiable to support AWS Cognito Federated Identities using Cognito User Pools for identification
  • Added messageAction to AWSCognitoAuthenticable.createUser so emails can be resent/suppressed.
  • Added authenticateIdToken and authenticateAccessToken which take Vapor Request classes.

v0.1.0 - 2019-11-09T12:10:24

  • Added signUp() and confirmSignUp() for creating users. signUp() sends a confirmation email which either includes a confirmation link or a confirmation code to be sent to confirmSignUp().
  • Returning more detail about why access token may fail.
  • Added CognitoIdentity id and AWS Authentication code access

v0.0.1 - 2019-11-02T13:10:52

Initial release. Includes

  • createUser
  • authenticate with user/password
  • authenticate with refresh token
  • respond to authentication challenges
  • verify status/id JWT tokens