Authentication (Cognito)
Overview
Userpools securely store your users and provide sign-up, sign-in, and access control for your applications.
Userpools support OAuth 2.0, SAML 2.0, and OpenID Connect standards.
Userpools can be integrated with HTTP API Gateways using authorizers to provide access only for authenticated users.
When to use
Userpools can be used almost anytime your application needs to authenticate and authorize users.
Advantages
- Pay-per-MAU - You pay for Monthly Active Users.
- Free-tier - There's a free tier of 50,000 MAUs for users who sign in directly to Cognito User Pools (not using SAML or OIDC federation).
- Serverless - You can seamlessly scale your userbase almost indefinitely.
- Secure by default - Your users are securely stored by AWS.
- Compliant - With userpools, you are HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant by default.
Disadvantages
- Not cheap for large user bases - When you have more than 50,000 MAUs or many users with SAML or OIDC federation, it can get expensive.
- Not easy to understand - As with almost everything related to authentication or OAuth, understanding user pool authentication flows can be complicated.
Basic usage
- Example: Lambda function connected to HTTP API Gateway with an authorizer that allows only users authenticated using myUserPool to access the configured path.

resources:
  createPost:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
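What the createPost function sees once the authorizer has admitted a request, as an added example that is not Stacktape's own code: a handler for the src/index.ts entry file above. It assumes the HTTP API Gateway Cognito authorizer has already validated the JWT and forwards the verified claims in event.requestContext.authorizer.jwt.claims; the event/result types and the sample event are declared inline and are constructed for this example.

```typescript
// Added example (not Stacktape's code). Assumption: the HTTP API Gateway Cognito
// authorizer validated the token and placed its claims at
// event.requestContext.authorizer.jwt.claims. Minimal types are declared inline
// so the file runs without the aws-lambda package.
interface ApiEvent {
  body?: string;
  requestContext: { authorizer?: { jwt?: { claims: Record<string, string | number | boolean> } } };
}
interface ApiResult { statusCode: number; body: string; }

const json = (statusCode: number, payload: unknown): ApiResult =>
  ({ statusCode, body: JSON.stringify(payload) });

// The only trustworthy identity is the `sub` claim the authorizer verified.
// No claim means the route reached the function without the authorizer
// (a misconfiguration), so fail closed instead of falling back to the body.
export function verifiedSubject(event: ApiEvent): string | null {
  const sub = event.requestContext.authorizer?.jwt?.claims?.sub;
  return typeof sub === "string" && sub.length > 0 ? sub : null;
}

export function createPost(event: ApiEvent): ApiResult {
  const authorSub = verifiedSubject(event);
  if (!authorSub) return json(401, { message: "unauthenticated" });
  let input: { title?: unknown };
  try { input = JSON.parse(event.body ?? "{}"); } catch { return json(400, { message: "body is not valid JSON" }); }
  if (typeof input !== "object" || input === null) return json(400, { message: "body must be a JSON object" });
  if (typeof input.title !== "string" || input.title.trim().length === 0 || input.title.length > 200) {
    return json(400, { message: "title must be a non-empty string of at most 200 characters" });
  }
  // Any author/user field the client sent is ignored: ownership comes from the token.
  return json(201, { post: { authorSub, title: input.title.trim() } });
}

// Lambda entry point; the synchronous core above keeps the logic easy to unit-test.
export const handler = async (event: ApiEvent): Promise<ApiResult> => createPost(event);

// Constructed sample event shaped like what the authorizer forwards (all values made up).
export const sampleEvent: ApiEvent = {
  body: JSON.stringify({ title: "Hello", author: "someone-else" }),
  requestContext: { authorizer: { jwt: { claims: { sub: "11111111-2222-3333-4444-555555555555", token_use: "access" } } } },
};
```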
Using firewall
- You can use web-app-firewall to protect your resources from common web exploits that could affect application availability, compromise security, or consume excessive resources.
- Web app firewall protects your application by filtering dangerous requests coming to your app. You can read more about the firewall in our docs.
To learn more, check the web-app-firewall documentation.

resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
      useFirewall: myFirewall
Pricing
Work in progress
Referenceable parameters
The following parameters can be easily referenced using the $ResourceParam directive.
To learn more about referencing parameters, refer to referencing parameters.
id
Id of the userpool
- Usage: $ResourceParam('<<resource-name>>', 'id')
clientId
Id of the userpool client
- Usage: $ResourceParam('<<resource-name>>', 'clientId')
domain
Domain of the userpool
- Usage: $ResourceParam('<<resource-name>>', 'domain')
API reference
UserAuthPool API reference
type
Required
properties.allowOnlyAdminsToCreateAccount
properties.unusedAccountValidityDays
properties.requireEmailVerification
properties.requirePhoneNumberVerification
properties.enableHostedUi
properties.hostedUiDomainPrefix
properties.hostedUiCSS
properties.hooks
properties.emailConfiguration
properties.inviteMessageConfig
properties.userVerificationType
properties.userVerificationMessageConfig
properties.mfaConfiguration
properties.passwordPolicy
properties.schema
properties.allowPhoneNumberAsUserName
Default: true
properties.allowEmailAsUserName
Default: true
properties.accessTokenValiditySeconds
properties.idTokenValiditySeconds
properties.refreshTokenValidityDays
properties.allowedOAuthFlows
properties.allowedOAuthScopes
properties.callbackURLs
properties.logoutURLs
properties.identityProviders
properties.useFirewall
properties.generateClientSecret
properties.allowOnlyExternalIdentityProviders
overrides
UserPoolHooks API reference
Parent: UserAuthPool
customMessage
postAuthentication
postConfirmation
preAuthentication
preSignUp
preTokenGeneration
userMigration
createAuthChallenge
defineAuthChallenge
verifyAuthChallengeResponse
EmailConfiguration API reference
Parent: UserAuthPool
sesAddressArn
from
replyToEmailAddress
InviteMessageConfig API reference
Parent: UserAuthPool
emailMessage
emailSubject
smsMessage
UserVerificationMessageConfig API reference
Parent: UserAuthPool
emailMessageUsingCode
emailMessageUsingLink
emailSubjectUsingCode
emailSubjectUsingLink
smsMessage
MfaConfiguration API reference
Parent: UserAuthPool
status
enabledTypes
PasswordPolicy API reference
Parent: UserAuthPool
minimumLength
requireLowercase
requireNumbers
requireSymbols
requireUppercase
temporaryPasswordValidityDays
AttributeSchema API reference
Parent: UserAuthPool
name
attributeDataType
developerOnlyAttribute
mutable
required
numberMaxValue
numberMinValue
stringMaxLength
stringMinLength
IdentityProvider API reference
Parent: UserAuthPool
type
Required
clientId
Required
clientSecret
Required
attributeMapping
authorizeScopes
providerDetails