
How to Fix AWS Cognito User Login Error

DodaTech Updated 2026-06-24 2 min read

In this tutorial you'll learn how to fix AWS Cognito user login errors. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Users cannot log in through Cognito and receive NotAuthorizedException, UserNotFoundException, or InvalidParameterException: the authentication flow is misconfigured.

Step-by-Step Fix

1. Check user pool configuration

aws cognito-idp describe-user-pool --user-pool-id us-east-1_abc123

2. Verify app client settings

aws cognito-idp describe-user-pool-client --user-pool-id us-east-1_abc123 --client-id 1234567890abcdef

Ensure ExplicitAuthFlows includes the correct flows:

{
    "UserPoolClient": {
        "ClientName": "my-app",
        "ExplicitAuthFlows": [
            "ALLOW_USER_PASSWORD_AUTH",
            "ALLOW_REFRESH_TOKEN_AUTH"
        ]
    }
}

3. Update app client to allow password auth

aws cognito-idp update-user-pool-client --user-pool-id us-east-1_abc123 --client-id 1234567890abcdef --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH

4. Initiate authentication

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=user@example.com,PASSWORD=MyPassword123! --client-id 1234567890abcdef

Expected output:

{
    "AuthenticationResult": {
        "AccessToken": "eyJ...",
        "ExpiresIn": 3600,
        "IdToken": "eyJ...",
        "RefreshToken": "eyJ..."
    }
}

5. Handle forgot password flow

aws cognito-idp forgot-password --client-id 1234567890abcdef --username user@example.com

6. Confirm forgot password

aws cognito-idp confirm-forgot-password --client-id 1234567890abcdef --username user@example.com --confirmation-code 123456 --password NewPassword123!

Common Mistakes

Mistake                                      | Fix
App client does not allow USER_PASSWORD_AUTH | Add ALLOW_USER_PASSWORD_AUTH to ExplicitAuthFlows
User is not confirmed                        | Admin-confirm the user
Wrong user pool ID or client ID              | Verify both match the application config
Password policy violation                    | Use a password meeting the policy requirements
Lambda trigger returning error               | Check the pre-authentication Lambda for errors
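The following script is an added example, not code from the original article. It turns steps 2 to 4 and the table above into an offline triage: it reads the JSON that `aws cognito-idp describe-user-pool-client` prints, takes the `--auth-flow` value you passed to `initiate-auth` and the exception name the CLI returned, and reports which row of the table applies. It also builds the step-3 `update-user-pool-client` command, re-sending the flows that are already enabled, because that API resets any attribute you leave out, so passing only the new flow would silently drop the existing ones. The sample JSON and the `REQUIRED_EXPLICIT_FLOW` mapping are constructed for this example; no AWS calls are made.

```python
"""Offline triage for a failing `aws cognito-idp initiate-auth` call.

Added example (not from the original article). Works on captured JSON only.
"""
import json

# Constructed sample: the article's app client before step 3 is applied.
SAMPLE_DESCRIBE_OUTPUT = """
{
    "UserPoolClient": {
        "UserPoolId": "us-east-1_abc123",
        "ClientId": "1234567890abcdef",
        "ClientName": "my-app",
        "ExplicitAuthFlows": [
            "ALLOW_USER_SRP_AUTH",
            "ALLOW_REFRESH_TOKEN_AUTH"
        ]
    }
}
"""

# The --auth-flow value passed to initiate-auth must be matched by an
# ALLOW_* entry in the app client's ExplicitAuthFlows (constructed mapping).
REQUIRED_EXPLICIT_FLOW = {
    "USER_PASSWORD_AUTH": "ALLOW_USER_PASSWORD_AUTH",
    "USER_SRP_AUTH": "ALLOW_USER_SRP_AUTH",
    "REFRESH_TOKEN_AUTH": "ALLOW_REFRESH_TOKEN_AUTH",
}

# Cognito exception names and the table row each one points at.
ERROR_HINTS = {
    "UserNotConfirmedException": "User is not confirmed: admin-confirm the user before retrying",
    "ResourceNotFoundException": "Wrong user pool ID or client ID: verify both match the application config",
    "InvalidPasswordException": "Password policy violation: use a password meeting the pool's policy",
    "UserLambdaValidationException": "Lambda trigger returning error: check the pre-authentication Lambda for errors",
    "UserNotFoundException": "Username does not exist in this user pool (Cognito may also return this to avoid user enumeration)",
    "NotAuthorizedException": "Credentials rejected: check the username and password",
}


def parse_client(describe_json: str) -> dict:
    """Return the UserPoolClient object from describe-user-pool-client output."""
    return json.loads(describe_json)["UserPoolClient"]


def missing_explicit_flows(client: dict, auth_flow: str) -> list[str]:
    """ExplicitAuthFlows entries that `auth_flow` needs but the client lacks."""
    needed = REQUIRED_EXPLICIT_FLOW.get(auth_flow)
    if needed is None:
        raise ValueError(f"unknown auth flow {auth_flow!r}")
    allowed = set(client.get("ExplicitAuthFlows", []))
    return [] if needed in allowed else [needed]


def diagnose(describe_json: str, auth_flow: str, error_name: str,
             expected_pool_id: str, expected_client_id: str) -> list[str]:
    """List the likely causes of a failed initiate-auth call, configuration first."""
    client = parse_client(describe_json)
    findings = []
    # Table row 3: the IDs the app uses must be the ones we just described.
    if (client.get("UserPoolId") != expected_pool_id
            or client.get("ClientId") != expected_client_id):
        findings.append(ERROR_HINTS["ResourceNotFoundException"])
    # Table row 1: the requested flow must be explicitly enabled on the client.
    for flow in missing_explicit_flows(client, auth_flow):
        findings.append(f"App client does not allow {auth_flow}: add {flow} to ExplicitAuthFlows")
    # Remaining rows are identified from the exception name alone.
    hint = ERROR_HINTS.get(error_name)
    if hint and hint not in findings:
        findings.append(hint)
    if not findings:
        findings.append(f"No known cause for {error_name}; check the pool's Lambda triggers and CloudWatch logs")
    return findings


def update_command(client: dict, auth_flow: str) -> str:
    """Build the step-3 command that adds the missing flow.

    update-user-pool-client replaces ExplicitAuthFlows wholesale, so the
    flows that are already enabled are re-sent alongside the new one.
    """
    flows = list(client.get("ExplicitAuthFlows", []))
    flows += [f for f in missing_explicit_flows(client, auth_flow) if f not in flows]
    return ("aws cognito-idp update-user-pool-client"
            f" --user-pool-id {client['UserPoolId']}"
            f" --client-id {client['ClientId']}"
            f" --explicit-auth-flows {' '.join(flows)}")


if __name__ == "__main__":
    client = parse_client(SAMPLE_DESCRIBE_OUTPUT)
    for cause in diagnose(SAMPLE_DESCRIBE_OUTPUT, "USER_PASSWORD_AUTH",
                          "InvalidParameterException", "us-east-1_abc123", "1234567890abcdef"):
        print("-", cause)
    print(update_command(client, "USER_PASSWORD_AUTH"))
```

With the sample client the script reports that USER_PASSWORD_AUTH is not allowed and prints an update command that keeps ALLOW_USER_SRP_AUTH and ALLOW_REFRESH_TOKEN_AUTH while adding ALLOW_USER_PASSWORD_AUTH. Swap in the real `describe-user-pool-client` output to triage your own client.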

Prevention

  • Use the Cognito hosted UI for standard login flows.
  • Enable advanced security features for compromised credential detection.
  • Implement proper error handling in the client app.
  • Use refresh tokens for persistent sessions.


FAQ

Why does Cognito return UserNotFoundException?

Cognito returns this error when the username does not exist in the user pool. It may also return this as a security measure to prevent user enumeration.

How do I enable the Cognito hosted UI?

Create an app client with a callback URL and enable the Cognito Hosted UI in the domain configuration. Users will be redirected to the AWS-managed login page.

What is the difference between USER_PASSWORD_AUTH and USER_SRP_AUTH?

USER_PASSWORD_AUTH sends credentials in plaintext (requires HTTPS). USER_SRP_AUTH uses the Secure Remote Password protocol for secure authentication without transmitting the password.
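The "implement proper error handling in the client app" item under Prevention and the UserNotFoundException answer above meet in the client code. The following is an added example, not code from the original article or from AWS: `login()` wraps whatever function performs InitiateAuth (boto3's `client.initiate_auth` in real code) and maps Cognito exception names to a small set of outcomes. UserNotFoundException and NotAuthorizedException deliberately produce the same outcome and message, so the login form never reveals which usernames exist. `CognitoError` and `FakeCognito` are constructed stand-ins, shaped like botocore's `ClientError` (`err.response["Error"]["Code"]`), so the example runs offline; the user records in `FakeCognito.USERS` are made up.

```python
"""Client-side handling of Cognito login errors (added example, not from the
original article). Runs offline against a constructed stand-in for Cognito."""


class CognitoError(Exception):
    """Stand-in for botocore.exceptions.ClientError (constructed for this example)."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeCognito:
    """Minimal offline model of InitiateAuth with USER_PASSWORD_AUTH (constructed)."""

    # username -> (password, confirmed); sample data for this example only.
    USERS = {
        "user@example.com": ("MyPassword123!", True),
        "new@example.com": ("Welcome123!", False),
    }

    def initiate_auth(self, **kwargs):
        if kwargs.get("AuthFlow") != "USER_PASSWORD_AUTH":
            raise CognitoError("InvalidParameterException",
                               "USER_PASSWORD_AUTH flow not enabled for this client")
        params = kwargs["AuthParameters"]
        record = self.USERS.get(params["USERNAME"])
        if record is None:
            raise CognitoError("UserNotFoundException", "User does not exist.")
        password, confirmed = record
        if password != params["PASSWORD"]:
            raise CognitoError("NotAuthorizedException", "Incorrect username or password.")
        if not confirmed:
            raise CognitoError("UserNotConfirmedException", "User is not confirmed.")
        return {"AuthenticationResult": {"AccessToken": "eyJ...", "IdToken": "eyJ...",
                                         "RefreshToken": "eyJ...", "ExpiresIn": 3600}}


# Both "no such user" and "bad password" map to the same text: the client must
# not tell the person at the keyboard which usernames are registered.
GENERIC_FAILURE = "Incorrect username or password."
OUTCOMES = {
    "UserNotFoundException": ("invalid_credentials", GENERIC_FAILURE),
    "NotAuthorizedException": ("invalid_credentials", GENERIC_FAILURE),
    "UserNotConfirmedException": ("needs_confirmation",
                                  "Confirm your account with the code we sent, then sign in again."),
    "PasswordResetRequiredException": ("needs_password_reset",
                                       "A password reset is required; use the forgot-password flow."),
    "TooManyRequestsException": ("retry_later", "Too many attempts. Please wait and try again."),
}


def login(cognito, client_id: str, username: str, password: str) -> dict:
    """Run USER_PASSWORD_AUTH and return {"status", "message", "tokens", "error_code"}.

    Unknown error codes (e.g. the InvalidParameterException from a misconfigured
    app client) are reported as a configuration problem, not shown verbatim;
    the raw code is kept in "error_code" for server-side logging.
    """
    try:
        resp = cognito.initiate_auth(
            AuthFlow="USER_PASSWORD_AUTH",
            AuthParameters={"USERNAME": username, "PASSWORD": password},
            ClientId=client_id,
        )
    except CognitoError as err:  # botocore.exceptions.ClientError in real code
        code = err.response["Error"]["Code"]
        status, message = OUTCOMES.get(code, ("config_error", "Sign-in is temporarily unavailable."))
        return {"status": status, "message": message, "tokens": None, "error_code": code}
    result = resp["AuthenticationResult"]
    return {"status": "ok", "message": None, "error_code": None,
            "tokens": {"access": result["AccessToken"], "id": result["IdToken"],
                       "refresh": result["RefreshToken"], "expires_in": result["ExpiresIn"]}}


if __name__ == "__main__":
    fake = FakeCognito()
    for user, pw in [("user@example.com", "MyPassword123!"),
                     ("nobody@example.com", "anything"),
                     ("user@example.com", "wrong"),
                     ("new@example.com", "Welcome123!")]:
        outcome = login(fake, "1234567890abcdef", user, pw)
        print(f"{user:20} -> {outcome['status']:20} {outcome['message']}")
```

The unknown-user and wrong-password attempts produce identical `status` and `message` values; only `error_code`, which stays on the server side, distinguishes them. Keep `ExpiresIn` from the token result so the app knows when to use the refresh token rather than asking for the password again.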
