Auth

The Auth construct is a higher level CDK construct that makes it easy to configure a Cognito User Pool and Cognito Identity Pool. Also, allows setting up Auth0, Facebook, Google, Twitter, Apple, and Amazon as authentication providers.

Initializer#

new Auth(scope: Construct, id: string, props: AuthProps)

Parameters

Examples#

Allowing users to sign in using User Pool#

import { Auth } from "@serverless-stack/resources";
new Auth(this, "Auth", {
cognito: true,
});

Allowing users to sign in with their email or phone number#

new Auth(this, "Auth", {
cognito: {
userPool: {
signInAliases: { email: true, phone: true },
},
},
});

Configuring User Pool triggers#

The Cognito User Pool can take invoke a Lambda function for specific triggers.

new Auth(this, "Auth", {
cognito: {
triggers: {
preAuthentication: "src/preAuthentication.main",
postAuthentication: "src/postAuthentication.main",
},
},
});

Specifying function props for all the triggers#

new Auth(this, "Auth", {
cognito: {
defaultFunctionProps: {
timeout: 20,
environment: { tableName: table.tableName },
permissions: [table],
},
triggers: {
preAuthentication: "src/preAuthentication.main",
postAuthentication: "src/postAuthentication.main",
},
},
});

Using the full config for a trigger#

If you wanted to configure each Lambda function separately, you can pass in the FunctionProps.

new Auth(this, "Auth", {
cognito: {
triggers: {
preAuthentication: {
handler: "src/preAuthentication.main",
timeout: 10,
environment: { bucketName: bucket.bucketName },
permissions: [bucket],
},
postAuthentication: "src/postAuthentication.main",
},
},
});

Note that, you can set the defaultFunctionProps while using the FunctionProps per trigger. The function will just override the defaultFunctionProps. Except for the environment, the layers, and the permissions properties, it will be merged.

new Auth(this, "Auth", {
cognito: {
defaultFunctionProps: {
timeout: 20,
environment: { tableName: table.tableName },
permissions: [table],
},
triggers: {
preAuthentication: {
handler: "src/preAuthentication.main",
timeout: 10,
environment: { bucketName: bucket.bucketName },
permissions: [bucket],
},
postAuthentication: "src/postAuthentication.main",
},
},
});

So in the above example, the preAuthentication function doesn't use the timeout that is set in the defaultFunctionProps. It'll instead use the one that is defined in the function definition (10 seconds). And the function will have both the tableName and the bucketName environment variables set; as well as permissions to both the table and the bucket.

Allowing Twitter auth and a User Pool#

new Auth(this, "Auth", {
cognito: true,
twitter: {
consumerKey: "gyMbPOiwefr6x63SjIW8NN2d9",
consumerSecret: "qxld1zic5c2eyahqK3gjGLGQaOTogGfAgGh17MYOIcOUR9l2Nz",
},
});

Adding all the supported social logins#

new Auth(this, "Auth", {
facebook: { appId: "419718329085014" },
apple: { servicesId: "com.myapp.client" },
amazon: { appId: "amzn1.application.24ebe4ee4aef41e5acff038aee2ee65f" },
google: {
clientId:
"38017095028-abcdjaaaidbgt3kfhuoh3n5ts08vodt3.apps.googleusercontent.com",
},
});

Allowing users to login using Auth0#

new Auth(this, "Auth", {
auth0: {
domain: "https://myorg.us.auth0.com",
clientId: "UsGRQJJz5sDfPQDs6bhQ9Oc3hNISuVif",
},
});

Attaching permissions for authenticated users#

import * as iam from "@aws-cdk/aws-iam";
const auth = new Auth(this, "Auth", {
cognito: { signInAliases: { email: true } },
});
auth.attachPermissionsForAuthUsers([
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["s3:*"],
resources: ["*"],
}),
]);

Attaching permissions for unauthenticated users#

import * as iam from "@aws-cdk/aws-iam";
const auth = new Auth(this, "Auth", {
cognito: { signInAliases: { email: true } },
});
auth.attachPermissionsForUnauthUsers([
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ["s3:*"],
resources: ["*"],
}),
]);

Upgrading to v0.12.0#

The v0.12.0 release of the Auth construct includes a small breaking change. You might be impacted by this change if:

  • You are currently using any version < v0.12.0
  • And using Cognito as the authentication provider

Using signInAliases#

If you are configuring the signInAliases like so:

new Auth(this, "Auth", {
cognito: {
signInAliases: { email: true, phone: true },
},
});

Change it to:

new Auth(this, "Auth", {
cognito: {
userPool: {
signInAliases: { email: true, phone: true },
},
},
});

Note the userPool prop is expected as a part of the cognito prop.

Using cognitoUserPool and cognitoUserPoolClient#

If you are creating the UserPool and the UserPoolClient manually like this:

import * as cognito from "@aws-cdk/aws-cognito";
const userPool = new cognito.UserPool(this, "UserPool", {
userPoolName: "my-user-pool",
signInAliases: { email: true, phone: true },
});
const userPoolClient = new cognito.UserPoolClient(this, "UserPoolClient", {
userPool,
disableOAuth: true,
});
new Auth(this, "Auth", {
cognitoUserPool: userPool,
cognitoUserPoolClient: userPoolClient,
});

Change it to:

import * as cognito from "@aws-cdk/aws-cognito";
const userPool = new cognito.UserPool(this, "UserPool", {
userPoolName: "my-user-pool",
signInAliases: { email: true, phone: true },
});
const userPoolClient = new cognito.UserPoolClient(this, "UserPoolClient", {
userPool,
disableOAuth: true,
});
new Auth(this, "Auth", {
cognito: {
userPool,
userPoolClient,
},
});

Read more about the AuthCognitoProps below.

Properties#

An instance of Auth contains the following properties.

cognitoCfnIdentityPool#

Type : cdk.aws-cognito.CfnIdentityPool

The internally created CDK CfnIdentityPool instance.

cognitoUserPool?#

Type : cdk.aws-cognito.UserPool

The internally created CDK UserPool instance. Not available if only social logins are used.

cognitoUserPoolClient?#

Type : cdk.aws-cognito.UserPoolClient

The internally created CDK UserPoolClient instance. Not available if only social logins are used.

iamAuthRole#

Type : cdk.aws-iam.Role

The internally created CDK IAM Role instance for the authenticated users of the Identity Pool.

iamUnauthRole#

Type : cdk.aws-iam.Role

The internally created CDK IAM Role instance for the unauthenticated users of the Identity Pool.

Methods#

An instance of Auth contains the following methods.

attachPermissionsForAuthUsers#

attachPermissionsForAuthUsers(permissions: Permissions)

Parameters

Attaches the given list of permissions to IAM role used for authenticated users. This dictates which resources an authenticated user has access to.

Follows the same format as Function.attachPermissions.

attachPermissionsForUnauthUsers#

attachPermissionsForUnauthUsers(permissions: Permissions)

Parameters

Attaches the given list of permissions to IAM role used for unauthenticated users. This dictates which resources an unauthenticated user has access to.

Follows the same format as Function.attachPermissions.

AuthProps#

cognito?#

Type : AuthCognitoProps

The props that'll be used to configure a Cognito User Pool.

apple?#

Type : AuthAppleProps

The props necessary to configure Apple as an authentication provider for the Identity Pool.

auth0?#

Type : AuthAuth0Props

The props necessary to configure Auth0 as an authentication provider for the Identity Pool.

google?#

Type : AuthGoogleProps

The props necessary to configure Google as an authentication provider for the Identity Pool.

facebook?#

Type : AuthFacebookProps

The props necessary to configure Facebook as an authentication provider for the Identity Pool.

twitter?#

Type : AuthTwitterProps

The props necessary to configure Twitter as an authentication provider for the Identity Pool.

amazon?#

Type : AuthAmazonProps

The props necessary to configure Amazon as an authentication provider for the Identity Pool.

identityPool?#

Type : AuthCdkCfnIdentityPoolProps

The props that'll be used to configure the Cognito Identity Pool.

AuthCognitoProps#

userPool?#

Type : cdk.aws-cognito.UserPoolProps | cdk.aws-cognito.UserPool

Optionally, pass in an instance of the CDK cdk.aws-cognito.UserPoolProps or cdk.aws-cognito.UserPool. This will override the default settings this construct uses to create the CDK UserPool internally.

caution

You cannot change some of the User Pool properties once the it has been created.

For example, SignInAliases cannot be changed after the User Pool has been created.

The different aliases a user can use to sign in to our application for our User Pool. For example, you might want a user to be able to sign in with their email or username. Or with their phone number.

There are two ways of setting this up.

  1. User signs up with username and signs in with username or alias

    A user signs up with a username. In addition to the username, you can optionally allow users to sign in with one or more of the following aliases:

    Note that, the username that Cognito refers to, is an internally used user id. So in practice, you'll ask a user to create a new username, this is called the preferred username by Cognito.

    • A verified email address
    • A verified phone number
    • A preferred username

    These aliases can be changed after the user signs up.

    To use this option, set the userPool prop to:

    {
    signInAliases: {
    username: true,
    email: true,
    phone: true,
    preferredUsername: true,
    }
    }

    Read more on this over on the AWS docs.

  2. User signs up and signs in with email or phone number instead of username

    A user signs up with an email address or phone number as their username. You can choose whether to allow sign-up with only email addresses, only phone numbers, or either one.

    Note that, the email or phone number that gets set as a username needs to be unique. This is because when Cognito refers to the username, it really refers to an internally used user id.

    In addition, if a user signs up with an email address, they can only change it to another email address and not a phone number. The same applies if they sign up with a phone number. It cannot be changed to an email.

    To use this option, set the userPool prop to:

    {
    signInAliases: {
    email: true,
    phone: true,
    }
    }

    Read more on this over on the AWS docs.

userPoolClient?#

Type : cdk.aws-cognito.UserPoolClientOptions | cdk.aws-cognito.UserPoolClient

Optionally, pass in an instance of the CDK cdk.aws-cognito.UserPoolClientOptions or cdk.aws-cognito.UserPoolClient. This will override the default settings this construct uses to create the CDK UserPoolClient internally.

triggers?#

Type : AuthUserPoolTriggers, defaults to undefined

The triggers for the User Pool. Takes an associative array, where the key is the trigger type and the value is a FunctionDefinition.

defaultFunctionProps?#

Type : FunctionProps, defaults to {}

The default function props to be applied to all the Lambda functions for the triggers. These default values are overridden by the function props for each trigger. Except for the environment, the layers, and the permissions properties, it will be merged.

AuthAuth0Props#

domain#

Type : string

The Domain for your Auth0 app.

clientId#

Type : string

The Client ID for your Auth0 app.

AuthAppleProps#

servicesId#

Type : string

The Services id of your Apple app.

AuthGoogleProps#

clientId#

Type : string

The client id of your Google app.

AuthFacebookProps#

appId#

Type : string

The id of your Facebook app.

AuthTwitterProps#

consumerKey#

Type : string

The Consumer key for your Twitter app.

consumerSecret#

Type : string

The Consumer secret key for your Twitter app.

AuthAmazonProps#

appId#

Type : string

The id of your Amazon app.

AuthUserPoolTriggers#

The following User Pool triggers can be connected to Lambda functions in your app. Read more about this over on the AWS docs.

createAuthChallenge?#

Type: FunctionDefinition

Creates a challenge in a custom auth flow.

customMessage?#

Type: FunctionDefinition

Customize the message that is sent to a user.

defineAuthChallenge?#

Type: FunctionDefinition

Determine the next challenge in a custom auth flow.

postAuthentication?#

Type: FunctionDefinition

Triggered after a user is authenticated.

postConfirmation?#

Type: FunctionDefinition

Triggered after a user has been confirmed.

preAuthentication?#

Type: FunctionDefinition

Custom validation to accept or deny the sign-in request.

preSignUp?#

Type: FunctionDefinition

Custom validation to accept or deny the sign-up request.

preTokenGeneration?#

Type: FunctionDefinition

Add or remove attributes in Id tokens.

userMigration?#

Type: FunctionDefinition

Migrate a user from an existing user directory to User Pools.

verifyAuthChallengeResponse?#

Type: FunctionDefinition

Determines if a response is correct in a custom auth flow.

AuthCdkCfnIdentityPoolProps#

AuthCdkCfnIdentityPoolProps extends cdk.aws-cognito.CfnIdentityPoolProps with the exception that the allowUnauthenticatedIdentities fields is optional, and defaults to true.

You can use AuthCdkCfnIdentityPoolProps to configure the other Identity Pool properties.