Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →

@aws-cdk/aws-cognito

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

@aws-cdk/aws-cognito

The CDK Construct Library for AWS::Cognito

1.28.0
Source
npm

Version published: 5 years ago

Weekly downloads: 57K; increased by2.06%

Maintainers: 5

Weekly downloads

Created: 6 years ago

Source

Amazon Cognito Construct Library

This is a developer preview (public beta) module.

All classes with the Cfn prefix in this module (CFN Resources) are auto-generated from CloudFormation. They are stable and safe to use.

However, all other classes, i.e., higher level constructs, are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services.

This module is part of the AWS Cloud Development Kit project.

User Pools

User pools allow creating and managing your own directory of users that can sign up and sign in. They enable easy integration with social identity providers such as Facebook, Google, Amazon, Microsoft Active Directory, etc. through SAML.

Using the CDK, a new user pool can be created as part of the stack using the construct's constructor. You may specify the userPoolName to give your own identifier to the user pool. If not, CloudFormation will generate a name.

new UserPool(this, 'myuserpool', {
  userPoolName: 'myawesomeapp-userpool',
});

Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their account needs to be confirmed. Cognito provides several ways to sign users up and confirm their accounts. Learn more about user sign up here.

When a user signs up, email and SMS messages are used to verify their account and contact methods. The following code snippet configures a user pool with properties relevant to these verification messages -

new UserPool(this, 'myuserpool', {
  // ...
  selfSignUpEnabled: true,
  userVerification: {
    emailSubject: 'Verify your email for our awesome app!',
    emailBody: 'Hello {username}, Thanks for signing up to our awesome app! Your verification code is {####}',
    emailStyle: VerificationEmailStyle.CODE,
    smsMessage: 'Hello {username}, Thanks for signing up to our awesome app! Your verification code is {####}',
  }
});

By default, self sign up is disabled. Learn more about email and SMS verification messages here.

Besides users signing themselves up, an administrator of any user pool can sign users up. The user then receives an invitation to join the user pool. The following code snippet configures a user pool with properties relevant to the invitation messages -

new UserPool(this, 'myuserpool', {
  // ...
  userInvitation: {
    emailSubject: 'Invite to join our awesome app!',
    emailBody: 'Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}',
    smsMessage: 'Your temporary password for our awesome app is {####}'
  }
});

All email subjects, bodies and SMS messages for both invitation and verification support Cognito's message templating. Learn more about message templates here.

Users registering or signing in into your application can do so with multiple identifiers. There are 4 options available:

username: Allow signing in using the one time immutable user name that the user chose at the time of sign up.
email: Allow signing in using the email address that is associated with the account.
phone: Allow signing in using the phone number that is associated with the account.
preferredUsername: Allow signing in with an alternate user name that the user can change at any time. However, this is not available if the username option is not chosen.

The following code sets up a user pool so that the user can sign in with either their username or their email address -

new UserPool(this, 'myuserpool', {
  // ...
  // ...
  signInAliases: {
    username: true,
    email: true
  },
});

User pools can either be configured so that user name is primary sign in form, but also allows for the other three to be used additionally; or it can be configured so that email and/or phone numbers are the only ways a user can register and sign in. Read more about this here.

To match with 'Option 1' in the above link, with a verified email, signInAliases should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

Cognito recommends that email and phone number be automatically verified, if they are one of the sign in methods for the user pool. Read more about that here. The CDK does this by default, when email and/or phone number are specified as part of signInAliases. This can be overridden by specifying the autoVerify property.

The following code snippet sets up only email as a sign in alias, but both email and phone number to be auto-verified.

new UserPool(this, 'myuserpool', {
  // ...
  // ...
  signInAliases: { username: true, email: true },
  autoVerify: { email: true, phone: true }
});

Security

Cognito sends various messages to its users via SMS, for different actions, ranging from account verification to marketing. In order to send SMS messages, Cognito needs an IAM role that it can assume, with permissions that allow it to send SMS messages. By default, CDK will create this IAM role but can also be explicily specified to an existing IAM role using the smsRole property.

import { Role } from '@aws-cdk/aws-iam';

const poolSmsRole = new Role(this, 'userpoolsmsrole', { /* ... */ });

new UserPool(this, 'myuserpool', {
  // ...
  smsRole: poolSmsRole,
  smsRoleExternalId: 'c87467be-4f34-11ea-b77f-2e728ce88125'
});

When the smsRole property is specified, the smsRoleExternalId may also be specified. The value of smsRoleExternalId will be used as the sts:ExternalId when the Cognito service assumes the role. In turn, the role's assume role policy should be configured to accept this value as the ExternalId. Learn more about ExternalId here.

Importing User Pools

Any user pool that has been created outside of this stack, can be imported into the CDK app. Importing a user pool allows for it to be used in other parts of the CDK app that reference an IUserPool. However, imported user pools have limited configurability. As a rule of thumb, none of the properties that is are part of the AWS::Cognito::UserPool CloudFormation resource can be configured.

User pools can be imported either using their id via the UserPool.fromUserPoolId(), or by using their ARN, via the UserPool.fromUserPoolArn() API.

const stack = new Stack(app, 'my-stack');

const awesomePool = UserPool.fromUserPoolId(stack, 'awesome-user-pool', 'us-east-1_oiuR12Abd');

const otherAwesomePool = UserPool.fromUserPoolArn(stack, 'other-awesome-user-pool',
  'arn:aws:cognito-idp:eu-west-1:123456789012:userpool/us-east-1_mtRyYQ14D');

1.28.0 (2020-03-16)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

batch: computeEnvironments is now required
batch: the allocationStrategy property was moved from ComputeEnvironmentProps to the ComputeResources interface, which is where it semantically belongs.
custom-resources: getDataString was renamed to getResponseField.
custom-resources: getData was renamed to getResponseFieldReference.
custom-resources: catchErrorPattern was renamed to ignoreErrorCodesMatching. In addition, a few synth time validations were added when using this property. See Error Handling for details.
custom-resources: policyStatements property was removed in favor of a required policy property. Refer to Execution Policy for more details.

Features

amplify: App, Branch and Domain (#5177) (e126048)
apigateway: authorizationScopes for a Method (#6502) (3887cd2)
apigateway: DomainName supports SecurityPolicy (#6374) (e8c2e0c)
apigateway: rate limited API key (#6509) (040906f), closes #6405
batch: ec2 launch template support (#6602) (2b02693)
cfnspec: cloudformation spec v11.3.0 (#6598) (ee3a530)
cli: pass CloudFormation parameters to "cdk deploy" (#6385) (6551124), closes #1237
core: duration.toHumanString() (#6691) (d833bea)
custom-resources: enforce user opt-in when auto-generating SDK call policies (0f5c24e), closes #5873
custom-resources: log retention for AwsCustomResource (#6698) (bf5ab69)
custom-resources: module is now stable :) (#6584) (a2a738c)
custom-resources: rename catchErrorPattern to ignoreErrorCodesMatching (#6553) (94599f8), closes #5873
custom-resources: rename getData* to getResponseField* (#6556) (d5867b4), closes #5873
dynamodb: expose stream features on ITable (#6635) (52e8b95), closes #6344
efs: create EFS file systems (#6373) (a0fb518), closes #6286 #6286
elbv2: support pathpattern array (#6558) (c3ee413), closes #6497
iam: policy document from json (#6486) (bf08988)
prlinter: support exempting checks from pr based on a label (#6693) (77cbe80)
stepfunctions-tasks: run batch job (#6396) (de1a36b), closes #6467
cloudformation spec v11.4.0 (#6700) (b28b427)

Bug Fixes

apigateway: type mismatch in C# when setting identitySources (#6649) (2d3e7b1), closes #6538 40aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.ts#L26
batch: computeEnvironments is now required for JobQueue (#6616) (0b6c865), closes #6615
batch: managed compute environment now properly works with compute resources and instanceRole has correct docstring and type definition (#6549) (4e81334)
certificatemanager: Route53 endpoint cannot be set and does not work for aws-cn (#6480) (9858cdb)
cli: codepipeline cloudformation action in cross account fail writing outputArtifacts (#6594) (05cf78b)
cloudwatch: missing LessThanLowerOrGreaterThanUpperThreshold (#6597) (9731555)
codepipeline-actions: use IBaseService instead of BaseService in EcsDeployActionProps (#6412) (bed5357)
eks: cannot upgrade version of clusters with an explicit name (#6064) (1dd7104)
eks: sporadic broken pipe when deploying helm charts (#6522) (03df1f1), closes #6381
iam: cannot add multiple conditions using same operator (348a952)

Keywords

FAQs

What is @aws-cdk/aws-cognito?

Is @aws-cdk/aws-cognito popular?

Is @aws-cdk/aws-cognito well maintained?

Package last updated on 16 Mar 2020

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install