Stacktape

Sign up for freeSign up

Community slack channel
Discord channel
Github page

Authentication (Cognito)

Overview

  • Userpools securely store your users and provide sign-up, sign-in, and access control for your applications.

  • Userpools support OAuth 2.0, SAML 2.0, and OpenID Connect standards.

  • Userpools can be integrated with HTTP API Gateways using authorizers to provide access only for authenticated users.

When to use

Userpools can be used almost anytime your application needs to authenticate and authorize users.


Advantages

  • Pay-per-MAU - You pay for Monthly Active Users.
  • Free-tier - There's a free tier of 50,000 MAUs for users who sign in directly to Cognito User Pools (not using SAML or OIDC federation).
  • Serverless - You can seamlessly scale your userbase almost indefinitely.
  • Secure by default - Your users are securely stored by AWS.
  • Compliant - With userpools, you are HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant by default.

Disadvantages

  • Not cheap for large user bases - When you have more than 50,000 MAUs or many users with SAML or OIDC federation, can get expensive.
  • Not easy to understand - Similarly to almost everything related to authentication or OAUTH, understanding user pool authentication flows can be complicated.

Basic usage

  • Example: Lambda function connected to HTTP API Gateway with authorizer that allows only users authenticated using myUserPool to access the configured path.

Copy
resources:
  createPost:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool


  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8

Using firewall

You can use web-app-firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.

To lean more, check web-app-firewall documentation.

Copy
resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
      useFirewall: myFirewall

Pricing

Work in progress

Referenceable parameters

The following parameters can be easily referenced using $ResourceParam directive directive.

To learn more about referencing parameters, refer to referencing parameters.

id

  • Id of the userpool

  • Usage: $ResourceParam('<<resource-name>>', 'id')
clientId

  • Id of the userpool

  • Usage: $ResourceParam('<<resource-name>>', 'clientId')
domain

  • Domain of the userpool

  • Usage: $ResourceParam('<<resource-name>>', 'domain')

API reference

UserAuthPool  API reference
type
Required
properties.allowOnlyAdminsToCreateAccount
properties.unusedAccountValidityDays
properties.requireEmailVerification
properties.requirePhoneNumberVerification
properties.hostedUiDomainPrefix
properties.hostedUiCSS
properties.hooks
properties.emailConfiguration
properties.inviteMessageConfig
properties.userVerificationType
properties.userVerificationMessageConfig
properties.mfaConfiguration
properties.passwordPolicy
properties.schema
properties.allowPhoneNumberAsUserName
properties.allowEmailAsUserName
properties.accessTokenValiditySeconds
properties.idTokenValiditySeconds
properties.refreshTokenValidityDays
properties.allowedOAuthFlows
properties.allowedOAuthScopes
properties.callbackURLs
properties.logoutURLs
properties.identityProviders
properties.useFirewall
overrides
UserPoolHooks  API reference
Parent:UserAuthPool
customMessage
postAuthentication
postConfirmation
preAuthentication
preSignUp
preTokenGeneration
userMigration
createAuthChallenge
defineAuthChallenge
verifyAuthChallengeResponse
EmailConfiguration  API reference
Parent:UserAuthPool
sesAddressArn
from
replyToEmailAddress
InviteMessageConfig  API reference
Parent:UserAuthPool
emailMessage
emailSubject
smsMessage
UserVerificationMessageConfig  API reference
Parent:UserAuthPool
emailMessageUsingCode
emailMessageUsingLink
emailSubjectUsingCode
emailSubjectUsingLink
smsMessage
MfaConfiguration  API reference
Parent:UserAuthPool
status
enabledTypes
PasswordPolicy  API reference
Parent:UserAuthPool
minimumLength
requireLowercase
requireNumbers
requireSymbols
requireUppercase
temporaryPasswordValidityDays
AttributeSchema  API reference
Parent:UserAuthPool
name
attributeDataType
developerOnlyAttribute
mutable
required
numberMaxValue
numberMinValue
stringMaxLength
stringMinLength
IdentityProvider  API reference
Parent:UserAuthPool
type
Required
clientId
Required
clientSecret
Required
attributeMapping
authorizeScopes
providerDetails

Need help? Ask a question on SlackDiscord or info@stacktape.com.