Tags: amazon-web-services, authentication, oauth-2.0, amazon-cognito

AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA


I'm using AWS Cognito and working with the Hosted UI. The problem I have is that I'm unable to remember a device for a given user, so I can't prevent the requirement of entering the authenticator code at every login—it is always required. From what I understand, it is not even possible to achieve this using the Hosted UI: https://repost.aws/questions/QUBLMX7pNpR2ayKpP1VRCTLQ/remember-device-to-suppress-mfa-challenge-using-cognito-hosted-ui#ANGEUjk3hsS1yeFgP4Dyo-EQ

I decided to write my own UI for logging in and managing authenticator codes. I'm using the amazon-cognito-identity-js library. This way, I'm able to remember the device, and the user doesn't have to enter the code every time they log in. However, another problem arises — in the access_token, several values are missing in the "scope" field.

The access_token I receive after logging in via the Hosted UI contains:

"scope": "aws.cognito.signin.user.admin phone openid profile email"

The access_token I receive after logging in contains:

"scope": "aws.cognito.signin.user.admin"

So several scopes are missing, especially openid, which means the user is unable to use the application.

How can I achieve my intended goal — that is, allow the user to log in with all the scopes in the access token and remember their device so they don't have to enter the Authenticator code at every login?

It doesn't matter whether I achieve this using the Hosted UI or a custom UI.


Solution

  • Cognito does not provide those scopes out of the box, and some additional setup is required to add the scopes to the access token.

    Specifically, you need to set up advanced security for your user pool, and then use a pre token generation Lambda to add the scopes. It is explained here:

    https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html.

    Your use case is explicitly mentioned in this section: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#user-pool-lambda-pre-token-generation-accesstoken.

    Good luck with your project.
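As an added example (not code from the question, the answer, or AWS), here is what such a pre token generation trigger can look like as a Node.js Lambda handler using the V2_0 event shape from the linked documentation. It assumes the scope names from the question's hosted UI token, acts only on the non-hosted login and refresh flows, and never grants anything outside a fixed allowlist.

```javascript
// Added example: Cognito pre token generation trigger (event version V2_0,
// which needs the user pool's advanced security tier, as the answer notes).
// Scope names are assumed from the question; trigger sources and the
// response layout follow the AWS pre token generation documentation.

// Scopes this trigger is willing to add; anything not listed is never granted.
const SCOPES_TO_ADD = ["openid", "profile", "email", "phone"];

// Only act on SRP/password logins, remembered-device logins and their refreshes.
// The hosted UI flow (TokenGeneration_HostedAuth) already carries these scopes.
const TRIGGERS = new Set([
  "TokenGeneration_Authentication",
  "TokenGeneration_AuthenticateDevice",
  "TokenGeneration_RefreshTokens",
]);

// Pure decision function so the policy can be unit tested without Lambda.
function computeScopesToAdd(event) {
  if (event.version !== "2" || !TRIGGERS.has(event.triggerSource)) {
    return [];
  }
  // Do not re-add a scope Cognito already put in the request.
  const existing = new Set((event.request && event.request.scopes) || []);
  return SCOPES_TO_ADD.filter((s) => !existing.has(s));
}

async function handler(event) {
  const scopesToAdd = computeScopesToAdd(event);
  if (scopesToAdd.length > 0) {
    // Touch only the access token; ID token claims stay as Cognito built them.
    event.response.claimsAndScopeOverrideDetails = {
      accessTokenGeneration: { scopesToAdd },
    };
  }
  return event;
}

// Constructed sample event (not a real Cognito capture) for a local dry run.
const sampleEvent = {
  version: "2",
  triggerSource: "TokenGeneration_Authentication",
  request: {
    userAttributes: { email: "user@example.com" },
    scopes: ["aws.cognito.signin.user.admin"],
  },
  response: { claimsAndScopeOverrideDetails: null },
};

if (typeof module !== "undefined") module.exports = { handler, computeScopesToAdd };
```

Deploy the handler as the pool's pre token generation trigger with the V2_0 event version selected; the resulting access token then carries the added scopes alongside aws.cognito.signin.user.admin.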