Show / Hide Table of Contents

Namespace Amazon.CDK.AWS.Cognito

Amazon Cognito Construct Library

---
Features Stability
CFN Resources Stable
Higher level constructs for User Pools Stable
Higher level constructs for Identity Pools Not Implemented

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.


Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services.

This module is part of the AWS Cloud Development Kit project.

Table of Contents

    User Pools

    User pools allow creating and managing your own directory of users that can sign up and sign in. They enable easy integration with social identity providers such as Facebook, Google, Amazon, Microsoft Active Directory, etc. through SAML.

    Using the CDK, a new user pool can be created as part of the stack using the construct's constructor. You may specify the userPoolName to give your own identifier to the user pool. If not, CloudFormation will generate a name.

    // Example automatically generated. See https://github.com/aws/jsii/issues/826
    new UserPool(this, "myuserpool", new UserPoolProps {
        UserPoolName = "myawesomeapp-userpool"
    });

    The default set up for the user pool is configured such that only administrators will be allowed to create users. Features such as Multi-factor authentication (MFAs) and Lambda Triggers are not configured by default.

    Sign Up

    Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their account needs to be confirmed. Cognito provides several ways to sign users up and confirm their accounts. Learn more about user sign up here.

    When a user signs up, email and SMS messages are used to verify their account and contact methods. The following code snippet configures a user pool with properties relevant to these verification messages -

    // Example automatically generated. See https://github.com/aws/jsii/issues/826
    new UserPool(this, "myuserpool", new UserPoolProps {
        // ...
        SelfSignUpEnabled = true,
        UserVerification = new UserVerificationConfig {
            EmailSubject = "Verify your email for our awesome app!",
            EmailBody = "Hello {username}, Thanks for signing up to our awesome app! Your verification code is {####}",
            EmailStyle = VerificationEmailStyle.CODE,
            SmsMessage = "Hello {username}, Thanks for signing up to our awesome app! Your verification code is {####}"
        }
    });

    By default, self sign up is disabled. Learn more about email and SMS verification messages here.

    Besides users signing themselves up, an administrator of any user pool can sign users up. The user then receives an invitation to join the user pool. The following code snippet configures a user pool with properties relevant to the invitation messages -

    // Example automatically generated. See https://github.com/aws/jsii/issues/826
    new UserPool(this, "myuserpool", new UserPoolProps {
        // ...
        UserInvitation = new UserInvitationConfig {
            EmailSubject = "Invite to join our awesome app!",
            EmailBody = "Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}",
            SmsMessage = "Your temporary password for our awesome app is {####}"
        }
    });

    All email subjects, bodies and SMS messages for both invitation and verification support Cognito's message templating. Learn more about message templates here.

    Sign In

    Users registering or signing in into your application can do so with multiple identifiers. There are 4 options available:

      The following code sets up a user pool so that the user can sign in with either their username or their email address -

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          // ...
          SignInAliases = new SignInAliases {
              Username = true,
              Email = true
          }
      });

      User pools can either be configured so that user name is primary sign in form, but also allows for the other three to be used additionally; or it can be configured so that email and/or phone numbers are the only ways a user can register and sign in. Read more about this here.

      ⚠️ The Cognito service prevents changing the signInAlias property for an existing user pool.

      To match with 'Option 1' in the above link, with a verified email, signInAliases should be set to { username: true, email: true }. To match with 'Option 2' in the above link with both a verified email and phone number, this property should be set to { email: true, phone: true }.

      Cognito recommends that email and phone number be automatically verified, if they are one of the sign in methods for the user pool. Read more about that here. The CDK does this by default, when email and/or phone number are specified as part of signInAliases. This can be overridden by specifying the autoVerify property.

      The following code snippet sets up only email as a sign in alias, but both email and phone number to be auto-verified.

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          // ...
          SignInAliases = new SignInAliases { Username = true, Email = true },
          AutoVerify = new AutoVerifiedAttrs { Email = true, Phone = true }
      });

      A user pool can optionally ignore case when evaluating sign-ins. When signInCaseSensitive is false, Cognito will not check the capitalization of the alias when signing in. Default is true.

      Attributes

      Attributes represent the various properties of each user that's collected and stored in the user pool. Cognito provides a set of standard attributes that are available for all user pools. Users are allowed to select any of these standard attributes to be required. Users will not be able to sign up to the user pool without providing the required attributes. Besides these, additional attributes can be further defined, and are known as custom attributes.

      Learn more on attributes in Cognito's documentation.

      The following code configures a user pool with two standard attributes (name and address) as required and mutable, and adds four custom attributes.

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          StandardAttributes = new StandardAttributes {
              Fullname = new StandardAttribute {
                  Required = true,
                  Mutable = false
              },
              Address = new StandardAttribute {
                  Required = false,
                  Mutable = true
              }
          },
          CustomAttributes = new Dictionary<string, ICustomAttribute> {
              { "myappid", new StringAttribute(new StringAttributeProps { MinLen = 5, MaxLen = 15, Mutable = false }) },
              { "callingcode", new NumberAttribute(new NumberAttributeProps { Min = 1, Max = 3, Mutable = true }) },
              { "isEmployee", new BooleanAttribute(new CustomAttributeProps { Mutable = true }) },
              { "joinedOn", new DateTimeAttribute() }
          }
      });

      As shown in the code snippet, there are data types that are available for custom attributes. The 'String' and 'Number' data types allow for further constraints on their length and values, respectively.

      Custom attributes cannot be marked as required.

      All custom attributes share the property mutable that specifies whether the value of the attribute can be changed. The default value is false.

      Security

      Cognito sends various messages to its users via SMS, for different actions, ranging from account verification to marketing. In order to send SMS messages, Cognito needs an IAM role that it can assume, with permissions that allow it to send SMS messages.

      By default, the CDK looks at all of the specified properties (and their defaults when not explicitly specified) and automatically creates an SMS role, when needed. For example, if MFA second factor by SMS is enabled, the CDK will create a new role. The smsRole property can be used to specify the user supplied role that should be used instead. Additionally, the property enableSmsRole can be used to override the CDK's default behaviour to either enable or suppress automatic role creation.

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      Role poolSmsRole = new Role(this, "userpoolsmsrole", new RoleProps {
          AssumedBy = new ServicePrincipal("foo")
      });
      
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          SmsRole = poolSmsRole,
          SmsRoleExternalId = "c87467be-4f34-11ea-b77f-2e728ce88125"
      });

      When the smsRole property is specified, the smsRoleExternalId may also be specified. The value of smsRoleExternalId will be used as the sts:ExternalId when the Cognito service assumes the role. In turn, the role's assume role policy should be configured to accept this value as the ExternalId. Learn more about ExternalId here.

      Multi-factor Authentication (MFA)

      User pools can be configured to enable multi-factor authentication (MFA). It can either be turned off, set to optional or made required. Setting MFA to optional means that individual users can choose to enable it. Additionally, the MFA code can be sent either via SMS text message or via a time-based software token. See the documentation on MFA to learn more.

      The following code snippet marks MFA for the user pool as required. This means that all users are required to configure an MFA token and use it for sign in. It also allows for the users to use both SMS based MFA, as well, time-based one time password (TOTP).

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          Mfa = Mfa.REQUIRED,
          MfaSecondFactor = new MfaSecondFactor {
              Sms = true,
              Otp = true
          }
      });

      User pools can be configured with policies around a user's password. This includes the password length and the character sets that they must contain.

      Further to this, it can also be configured with the validity of the auto-generated temporary password. A temporary password is generated by the user pool either when an admin signs up a user or when a password reset is requested. The validity of this password dictates how long to give the user to use this password before expiring it.

      The following code snippet configures these properties -

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          PasswordPolicy = new PasswordPolicy {
              MinLength = 12,
              RequireLowercase = true,
              RequireUppercase = true,
              RequireDigits = true,
              RequireSymbols = true,
              TempPasswordValidity = Duration.Days(3)
          }
      });

      Note that, tempPasswordValidity can be specified only in whole days. Specifying fractional days would throw an error.

      Account Recovery Settings

      User pools can be configured on which method a user should use when recovering the password for their account. This can either be email and/or SMS. Read more at Recovering User Accounts

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "UserPool", new UserPoolProps {
          // ...
          AccountRecovery = AccountRecovery.EMAIL_ONLY
      });

      The default for account recovery is by phone if available and by email otherwise. A user will not be allowed to reset their password via phone if they are also using it for MFA.

      Emails

      Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation emails, password resets, etc. The address from which these emails are sent can be configured on the user pool. Read more about email settings here.

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          EmailSettings = new EmailSettings {
              From = "noreply@myawesomeapp.com",
              ReplyTo = "support@myawesomeapp.com"
          }
      });

      By default, user pools are configured to use Cognito's built-in email capability, but it can also be configured to use Amazon SES, however, support for Amazon SES is not available in the CDK yet. If you would like this to be implemented, give this issue a +1. Until then, you can use the cfn layer to configure this.

      If an email address contains non-ASCII characters, it will be encoded using the punycode encoding when generating the template for Cloudformation.

      Lambda Triggers

      User pools can be configured such that AWS Lambda functions can be triggered when certain user operations or actions occur, such as, sign up, user confirmation, sign in, etc. They can also be used to add custom authentication challenges, user migrations and custom verification messages. Learn more about triggers at User Pool Workflows with Triggers.

      Lambda triggers can either be specified as part of the UserPool initialization, or it can be added later, via methods on the construct, as so -

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      Function authChallengeFn = new Function(this, "authChallengeFn", new FunctionProps {
          Runtime = Runtime.NODEJS_12_X,
          Handler = "index.handler",
          Code = Code.FromInline("auth challenge")
      });
      
      UserPool userpool = new UserPool(this, "myuserpool", new UserPoolProps {
          // ...
          LambdaTriggers = new UserPoolTriggers {
              CreateAuthChallenge = authChallengeFn
          }
      });
      
      userpool.AddTrigger(UserPoolOperation.USER_MIGRATION, new Function(this, "userMigrationFn", new FunctionProps {
          Runtime = Runtime.NODEJS_12_X,
          Handler = "index.handler",
          Code = Code.FromInline("user migration")
      }));

      The following table lists the set of triggers available, and their corresponding method to add it to the user pool. For more information on the function of these triggers and how to configure them, read User Pool Workflows with Triggers.

      Trigger Permissions

      The function.attachToRolePolicy() API can be used to add additional IAM permissions to the lambda trigger as necessary.

      ⚠️ Using the attachToRolePolicy API to provide permissions to your user pool will result in a circular dependency. See aws/aws-cdk#7016. Error message when running cdk synth or cdk deploy:

      Circular dependency between resources: [pool056F3F7E, fnPostAuthFnCognitoA630A2B1, ...]
      

      To work around the circular dependency issue, use the attachInlinePolicy() API instead, as shown below.

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      // provide permissions to describe the user pool scoped to the ARN the user pool
      postAuthFn.Role.AttachInlinePolicy(new Policy(this, "userpool-policy", new PolicyProps {
          Statements = new [] { new PolicyStatement(new PolicyStatementProps {
              Actions = new [] { "cognito-idp:DescribeUserPool" },
              Resources = new [] { userpool.UserPoolArn }
          }) }
      }));

      Importing User Pools

      Any user pool that has been created outside of this stack, can be imported into the CDK app. Importing a user pool allows for it to be used in other parts of the CDK app that reference an IUserPool. However, imported user pools have limited configurability. As a rule of thumb, none of the properties that are part of the AWS::Cognito::UserPool CloudFormation resource can be configured.

      User pools can be imported either using their id via the UserPool.fromUserPoolId(), or by using their ARN, via the UserPool.fromUserPoolArn() API.

      // Example automatically generated. See https://github.com/aws/jsii/issues/826
      IUserPool awesomePool = UserPool.FromUserPoolId(this, "awesome-user-pool", "us-east-1_oiuR12Abd");
      
      IUserPool otherAwesomePool = UserPool.FromUserPoolArn(this, "other-awesome-user-pool", "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/us-east-1_mtRyYQ14D");

      Identity Providers

      Users that are part of a user pool can sign in either directly through a user pool, or federate through a third-party identity provider. Once configured, the Cognito backend will take care of integrating with the third-party provider. Read more about Adding User Pool Sign-in Through a Third Party.

      The following third-party identity providers are currently supported in the CDK -

        The following code configures a user pool to federate with the third party provider, 'Login with Amazon'. The identity provider needs to be configured with a set of credentials that the Cognito backend can use to federate with the third-party identity provider.

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool userpool = new UserPool(this, "Pool");
        
        UserPoolIdentityProviderAmazon provider = new UserPoolIdentityProviderAmazon(this, "Amazon", new UserPoolIdentityProviderAmazonProps {
            ClientId = "amzn-client-id",
            ClientSecret = "amzn-client-secret",
            UserPool = userpool
        });

        Attribute mapping allows mapping attributes provided by the third-party identity providers to standard and custom attributes of the user pool. Learn more about Specifying Identity Provider Attribute Mappings for Your User Pool.

        The following code shows how different attributes provided by 'Login With Amazon' can be mapped to standard and custom user pool attributes.

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool userpool = new UserPool(this, "Pool");
        
        new UserPoolIdentityProviderAmazon(this, "Amazon", new UserPoolIdentityProviderAmazonProps {
            ClientId = "amzn-client-id",
            ClientSecret = "amzn-client-secret",
            UserPool = userpool,
            AttributeMapping = new AttributeMapping {
                Email = ProviderAttribute.AMAZON_EMAIL,
                Website = ProviderAttribute.Other("url"), // use other() when an attribute is not pre-defined in the CDK
                Custom = new Dictionary<string, ProviderAttribute> {
                    // custom user pool attributes go here
                    { "uniqueId", ProviderAttribute.AMAZON_USER_ID }
                }
            }
        });

        App Clients

        An app is an entity within a user pool that has permission to call unauthenticated APIs (APIs that do not have an authenticated user), such as APIs to register, sign in, and handle forgotten passwords. To call these APIs, you need an app client ID and an optional client secret. Read Configuring a User Pool App Client to learn more.

        The following code creates an app client and retrieves the client id -

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "pool");
        UserPoolClient client = pool.AddClient("customer-app-client");
        string clientId = client.UserPoolClientId;

        Existing app clients can be imported into the CDK app using the UserPoolClient.fromUserPoolClientId() API. For new and imported user pools, clients can also be created via the UserPoolClient constructor, as so -

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        IUserPool importedPool = UserPool.FromUserPoolId(this, "imported-pool", "us-east-1_oiuR12Abd");
        new UserPoolClient(this, "customer-app-client", new UserPoolClientProps {
            UserPool = importedPool
        });

        Clients can be configured with authentication flows. Authentication flows allow users on a client to be authenticated with a user pool. Cognito user pools provide several several different types of authentication, such as, SRP (Secure Remote Password) authentication, username-and-password authentication, etc. Learn more about this at UserPool Authentication Flow.

        The following code configures a client to use both SRP and username-and-password authentication -

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "pool");
        pool.AddClient("app-client", new UserPoolClientOptions {
            AuthFlows = new AuthFlow {
                UserPassword = true,
                UserSrp = true
            }
        });

        Custom authentication protocols can be configured by setting the custom property under authFlow and defining lambda functions for the corresponding user pool triggers. Learn more at Custom Authentication Flow.

        In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more about the OAuth 2.0 authorization framework and Cognito user pool's implementation of OAuth2.0.

        The following code configures an app client with the authorization code grant flow and registers the the app's welcome page as a callback (or redirect) URL. It also configures the access token scope to 'openid'. All of these concepts can be found in the OAuth 2.0 RFC.

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        pool.AddClient("app-client", new UserPoolClientOptions {
            OAuth = new OAuthSettings {
                Flows = new OAuthFlows {
                    AuthorizationCodeGrant = true
                },
                Scopes = new [] { OAuthScope.OPENID },
                CallbackUrls = new [] { "https://my-app-domain.com/welcome" },
                LogoutUrls = new [] { "https://my-app-domain.com/signin" }
            }
        });

        An app client can be configured to prevent user existence errors. This instructs the Cognito authentication API to return generic authentication failure responses instead of an UserNotFoundException. By default, the flag is not set, which means different things for existing and new stacks. See the documentation for the full details on the behavior of this flag.

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        pool.AddClient("app-client", new UserPoolClientOptions {
            PreventUserExistenceErrors = true
        });

        All identity providers created in the CDK app are automatically registered into the corresponding user pool. All app clients created in the CDK have all of the identity providers enabled by default. The 'Cognito' identity provider, that allows users to register and sign in directly with the Cognito user pool, is also enabled by default. Alternatively, the list of supported identity providers for a client can be explicitly specified -

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        pool.AddClient("app-client", new UserPoolClientOptions {
            // ...
            SupportedIdentityProviders = new [] { UserPoolClientIdentityProvider.AMAZON, UserPoolClientIdentityProvider.COGNITO }
        });

        In accordance with the OIDC open standard, Cognito user pool clients provide access tokens, ID tokens and refresh tokens. More information is available at Using Tokens with User Pools. The expiration time for these tokens can be configured as shown below.

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        pool.AddClient("app-client", new UserPoolClientOptions {
            // ...
            AccessTokenValidity = Duration.Minutes(60),
            IdTokenValidity = Duration.Minutes(60),
            RefreshTokenValidity = Duration.Days(30)
        });

        Clients can (and should) be allowed to read and write relevant user attributes only. Usually every client can be allowed to read the given_name attribute but not every client should be allowed to set the email_verified attribute. The same criteria applies for both standard and custom attributes, more info is available at Attribute Permissions and Scopes. The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be configured for a client.

        // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        
        var clientWriteAttributes = (new ClientAttributes()).WithStandardAttributes(new Struct { Fullname = true, Email = true }).WithCustomAttributes("favouritePizza", "favouriteBeverage");
        
        var clientReadAttributes = clientWriteAttributes.WithStandardAttributes(new Struct { EmailVerified = true }).WithCustomAttributes("pointsEarned");
        
        pool.AddClient("app-client", new UserPoolClientOptions {
            // ...
            ReadAttributes = clientReadAttributes,
            WriteAttributes = clientWriteAttributes
        });

        Resource Servers

        A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token. See Defining Resource Servers for more information.

        An application may choose to model custom permissions via OAuth. Resource Servers provide this capability via custom scopes that are attached to an app client. The following example sets up a resource server for the 'users' resource for two different app clients and configures the clients to use these scopes.

        // Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        
        var readOnlyScope = new ResourceServerScope(new Struct { ScopeName = "read", ScopeDescription = "Read-only access" });
        var fullAccessScope = new ResourceServerScope(new Struct { ScopeName = "*", ScopeDescription = "Full access" });
        
        UserPoolResourceServer userServer = pool.AddResourceServer("ResourceServer", new UserPoolResourceServerOptions {
            Identifier = "users",
            Scopes = new [] { readOnlyScope, fullAccessScope }
        });
        
        UserPoolClient readOnlyClient = pool.AddClient("read-only-client", new UserPoolClientOptions {
            // ...
            OAuth = new OAuthSettings {
                // ...
                Scopes = new [] { OAuthScope.ResourceServer(userServer, readOnlyScope) }
            }
        });
        
        UserPoolClient fullAccessClient = pool.AddClient("full-access-client", new UserPoolClientOptions {
            // ...
            OAuth = new OAuthSettings {
                // ...
                Scopes = new [] { OAuthScope.ResourceServer(userServer, fullAccessScope) }
            }
        });

        Domains

        After setting up an app client, the address for the user pool's sign-up and sign-in webpages can be configured using domains. There are two ways to set up a domain - either the Amazon Cognito hosted domain can be chosen with an available domain prefix, or a custom domain name can be chosen. The custom domain must be one that is already owned, and whose certificate is registered in AWS Certificate Manager.

        The following code sets up a user pool domain in Amazon Cognito hosted domain with the prefix 'my-awesome-app', and another domain with the custom domain 'user.myapp.com' -

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool pool = new UserPool(this, "Pool");
        
        pool.AddDomain("CognitoDomain", new UserPoolDomainOptions {
            CognitoDomain = new CognitoDomainOptions {
                DomainPrefix = "my-awesome-app"
            }
        });
        
        string certificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d";
        
        ICertificate domainCert = Certificate.FromCertificateArn(this, "domainCert", certificateArn);
        pool.AddDomain("CustomDomain", new UserPoolDomainOptions {
            CustomDomain = new CustomDomainOptions {
                DomainName = "user.myapp.com",
                Certificate = domainCert
            }
        });

        Read more about Using the Amazon Cognito Domain and Using Your Own Domain.

        The signInUrl() methods returns the fully qualified URL to the login page for the user pool. This page comes from the hosted UI configured with Cognito. Learn more at Hosted UI with the Amazon Cognito Console.

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        UserPool userpool = new UserPool(this, "UserPool", new UserPoolProps { });
        UserPoolClient client = userpool.AddClient("Client", new UserPoolClientOptions {
            // ...
            OAuth = new OAuthSettings {
                Flows = new OAuthFlows {
                    ImplicitCodeGrant = true
                },
                CallbackUrls = new [] { "https://myapp.com/home", "https://myapp.com/users" }
            }
        });
        UserPoolDomain domain = userpool.AddDomain("Domain", new UserPoolDomainOptions { });
        string signInUrl = domain.SignInUrl(client, new SignInUrlOptions {
            RedirectUri = "https://myapp.com/home"
        });

        Existing domains can be imported into CDK apps using UserPoolDomain.fromDomainName() API

        // Example automatically generated. See https://github.com/aws/jsii/issues/826
        IUserPoolDomain myUserPoolDomain = UserPoolDomain.FromDomainName(this, "my-user-pool-domain", "domain-name");

        Classes

        AccountRecovery

        How will a user be able to recover their account?

        AttributeMapping

        The mapping of user pool attributes to the attributes provided by the identity providers.

        AuthFlow

        Types of authentication flow.

        AutoVerifiedAttrs

        Attributes that can be automatically verified for users in a user pool.

        BooleanAttribute

        The Boolean custom attribute type.

        CfnIdentityPool

        A CloudFormation AWS::Cognito::IdentityPool.

        CfnIdentityPool.CognitoIdentityProviderProperty
        CfnIdentityPool.CognitoStreamsProperty
        CfnIdentityPool.PushSyncProperty
        CfnIdentityPoolProps

        Properties for defining a AWS::Cognito::IdentityPool.

        CfnIdentityPoolRoleAttachment

        A CloudFormation AWS::Cognito::IdentityPoolRoleAttachment.

        CfnIdentityPoolRoleAttachment.MappingRuleProperty
        CfnIdentityPoolRoleAttachment.RoleMappingProperty
        CfnIdentityPoolRoleAttachment.RulesConfigurationTypeProperty
        CfnIdentityPoolRoleAttachmentProps

        Properties for defining a AWS::Cognito::IdentityPoolRoleAttachment.

        CfnUserPool

        A CloudFormation AWS::Cognito::UserPool.

        CfnUserPool.AccountRecoverySettingProperty
        CfnUserPool.AdminCreateUserConfigProperty
        CfnUserPool.CustomEmailSenderProperty
        CfnUserPool.CustomSMSSenderProperty
        CfnUserPool.DeviceConfigurationProperty
        CfnUserPool.EmailConfigurationProperty
        CfnUserPool.InviteMessageTemplateProperty
        CfnUserPool.LambdaConfigProperty
        CfnUserPool.NumberAttributeConstraintsProperty
        CfnUserPool.PasswordPolicyProperty
        CfnUserPool.PoliciesProperty
        CfnUserPool.RecoveryOptionProperty
        CfnUserPool.SchemaAttributeProperty
        CfnUserPool.SmsConfigurationProperty
        CfnUserPool.StringAttributeConstraintsProperty
        CfnUserPool.UsernameConfigurationProperty
        CfnUserPool.UserPoolAddOnsProperty
        CfnUserPool.VerificationMessageTemplateProperty
        CfnUserPoolClient

        A CloudFormation AWS::Cognito::UserPoolClient.

        CfnUserPoolClient.AnalyticsConfigurationProperty
        CfnUserPoolClient.TokenValidityUnitsProperty
        CfnUserPoolClientProps

        Properties for defining a AWS::Cognito::UserPoolClient.

        CfnUserPoolDomain

        A CloudFormation AWS::Cognito::UserPoolDomain.

        CfnUserPoolDomain.CustomDomainConfigTypeProperty
        CfnUserPoolDomainProps

        Properties for defining a AWS::Cognito::UserPoolDomain.

        CfnUserPoolGroup

        A CloudFormation AWS::Cognito::UserPoolGroup.

        CfnUserPoolGroupProps

        Properties for defining a AWS::Cognito::UserPoolGroup.

        CfnUserPoolIdentityProvider

        A CloudFormation AWS::Cognito::UserPoolIdentityProvider.

        CfnUserPoolIdentityProviderProps

        Properties for defining a AWS::Cognito::UserPoolIdentityProvider.

        CfnUserPoolProps

        Properties for defining a AWS::Cognito::UserPool.

        CfnUserPoolResourceServer

        A CloudFormation AWS::Cognito::UserPoolResourceServer.

        CfnUserPoolResourceServer.ResourceServerScopeTypeProperty
        CfnUserPoolResourceServerProps

        Properties for defining a AWS::Cognito::UserPoolResourceServer.

        CfnUserPoolRiskConfigurationAttachment

        A CloudFormation AWS::Cognito::UserPoolRiskConfigurationAttachment.

        CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty
        CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty
        CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsActionsTypeProperty
        CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty
        CfnUserPoolRiskConfigurationAttachment.RiskExceptionConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachmentProps

        Properties for defining a AWS::Cognito::UserPoolRiskConfigurationAttachment.

        CfnUserPoolUICustomizationAttachment

        A CloudFormation AWS::Cognito::UserPoolUICustomizationAttachment.

        CfnUserPoolUICustomizationAttachmentProps

        Properties for defining a AWS::Cognito::UserPoolUICustomizationAttachment.

        CfnUserPoolUser

        A CloudFormation AWS::Cognito::UserPoolUser.

        CfnUserPoolUser.AttributeTypeProperty
        CfnUserPoolUserProps

        Properties for defining a AWS::Cognito::UserPoolUser.

        CfnUserPoolUserToGroupAttachment

        A CloudFormation AWS::Cognito::UserPoolUserToGroupAttachment.

        CfnUserPoolUserToGroupAttachmentProps

        Properties for defining a AWS::Cognito::UserPoolUserToGroupAttachment.

        ClientAttributes

        A set of attributes, useful to set Read and Write attributes.

        CognitoDomainOptions

        Options while specifying a cognito prefix domain.

        CustomAttributeConfig

        Configuration that will be fed into CloudFormation for any custom attribute type.

        CustomAttributeProps

        Constraints that can be applied to a custom attribute of any type.

        CustomDomainOptions

        Options while specifying custom domain.

        DateTimeAttribute

        The DateTime custom attribute type.

        EmailSettings

        Email settings for the user pool.

        Mfa

        The different ways in which a user pool's MFA enforcement can be configured.

        MfaSecondFactor

        The different ways in which a user pool can obtain their MFA token for sign in.

        NumberAttribute

        The Number custom attribute type.

        NumberAttributeConstraints

        Constraints that can be applied to a custom attribute of number type.

        NumberAttributeProps

        Props for NumberAttr.

        OAuthFlows

        Types of OAuth grant flows.

        OAuthScope

        OAuth scopes that are allowed with this client.

        OAuthSettings

        OAuth settings to configure the interaction between the app and this client.

        PasswordPolicy

        Password policy for User Pools.

        ProviderAttribute

        An attribute available from a third party identity provider.

        ResourceServerScope

        A scope for ResourceServer.

        ResourceServerScopeProps

        Props to initialize ResourceServerScope.

        SignInAliases

        The different ways in which users of this pool can sign up or sign in.

        SignInUrlOptions

        Options to customize the behaviour of signInUrl().

        StandardAttribute

        Standard attribute that can be marked as required or mutable.

        StandardAttributes

        The set of standard attributes that can be marked as required or mutable.

        StandardAttributesMask

        This interface contains all standard attributes recognized by Cognito from https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html including email_verified and phone_number_verified.

        StringAttribute

        The String custom attribute type.

        StringAttributeConstraints

        Constraints that can be applied to a custom attribute of string type.

        StringAttributeProps

        Props for constructing a StringAttr.

        UserInvitationConfig

        User pool configuration when administrators sign users up.

        UserPool

        Define a Cognito User Pool.

        UserPoolClient

        Define a UserPool App Client.

        UserPoolClientIdentityProvider

        Identity providers supported by the UserPoolClient.

        UserPoolClientOptions

        Options to create a UserPoolClient.

        UserPoolClientProps

        Properties for the UserPoolClient construct.

        UserPoolDomain

        Define a user pool domain.

        UserPoolDomainOptions

        Options to create a UserPoolDomain.

        UserPoolDomainProps

        Props for UserPoolDomain construct.

        UserPoolIdentityProvider

        User pool third-party identity providers.

        UserPoolIdentityProviderAmazon

        Represents a identity provider that integrates with 'Login with Amazon'.

        UserPoolIdentityProviderAmazonProps

        Properties to initialize UserPoolAmazonIdentityProvider.

        UserPoolIdentityProviderApple

        Represents a identity provider that integrates with 'Apple'.

        UserPoolIdentityProviderAppleProps

        Properties to initialize UserPoolAppleIdentityProvider.

        UserPoolIdentityProviderFacebook

        Represents a identity provider that integrates with 'Facebook Login'.

        UserPoolIdentityProviderFacebookProps

        Properties to initialize UserPoolFacebookIdentityProvider.

        UserPoolIdentityProviderGoogle

        Represents a identity provider that integrates with 'Google'.

        UserPoolIdentityProviderGoogleProps

        Properties to initialize UserPoolGoogleIdentityProvider.

        UserPoolIdentityProviderProps

        Properties to create a new instance of UserPoolIdentityProvider.

        UserPoolOperation

        User pool operations to which lambda triggers can be attached.

        UserPoolProps

        Props for the UserPool construct.

        UserPoolResourceServer

        Defines a User Pool OAuth2.0 Resource Server.

        UserPoolResourceServerOptions

        Options to create a UserPoolResourceServer.

        UserPoolResourceServerProps

        Properties for the UserPoolResourceServer construct.

        UserPoolTriggers

        Triggers for a user pool.

        UserVerificationConfig

        User pool configuration for user self sign up.

        VerificationEmailStyle

        The email verification style.

        Interfaces

        CfnIdentityPool.ICognitoIdentityProviderProperty
        CfnIdentityPool.ICognitoStreamsProperty
        CfnIdentityPool.IPushSyncProperty
        CfnIdentityPoolRoleAttachment.IMappingRuleProperty
        CfnIdentityPoolRoleAttachment.IRoleMappingProperty
        CfnIdentityPoolRoleAttachment.IRulesConfigurationTypeProperty
        CfnUserPool.IAccountRecoverySettingProperty
        CfnUserPool.IAdminCreateUserConfigProperty
        CfnUserPool.ICustomEmailSenderProperty
        CfnUserPool.ICustomSMSSenderProperty
        CfnUserPool.IDeviceConfigurationProperty
        CfnUserPool.IEmailConfigurationProperty
        CfnUserPool.IInviteMessageTemplateProperty
        CfnUserPool.ILambdaConfigProperty
        CfnUserPool.INumberAttributeConstraintsProperty
        CfnUserPool.IPasswordPolicyProperty
        CfnUserPool.IPoliciesProperty
        CfnUserPool.IRecoveryOptionProperty
        CfnUserPool.ISchemaAttributeProperty
        CfnUserPool.ISmsConfigurationProperty
        CfnUserPool.IStringAttributeConstraintsProperty
        CfnUserPool.IUsernameConfigurationProperty
        CfnUserPool.IUserPoolAddOnsProperty
        CfnUserPool.IVerificationMessageTemplateProperty
        CfnUserPoolClient.IAnalyticsConfigurationProperty
        CfnUserPoolClient.ITokenValidityUnitsProperty
        CfnUserPoolDomain.ICustomDomainConfigTypeProperty
        CfnUserPoolResourceServer.IResourceServerScopeTypeProperty
        CfnUserPoolRiskConfigurationAttachment.IAccountTakeoverActionsTypeProperty
        CfnUserPoolRiskConfigurationAttachment.IAccountTakeoverActionTypeProperty
        CfnUserPoolRiskConfigurationAttachment.IAccountTakeoverRiskConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachment.ICompromisedCredentialsActionsTypeProperty
        CfnUserPoolRiskConfigurationAttachment.ICompromisedCredentialsRiskConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachment.INotifyConfigurationTypeProperty
        CfnUserPoolRiskConfigurationAttachment.INotifyEmailTypeProperty
        CfnUserPoolRiskConfigurationAttachment.IRiskExceptionConfigurationTypeProperty
        CfnUserPoolUser.IAttributeTypeProperty
        IAttributeMapping

        The mapping of user pool attributes to the attributes provided by the identity providers.

        IAuthFlow

        Types of authentication flow.

        IAutoVerifiedAttrs

        Attributes that can be automatically verified for users in a user pool.

        ICfnIdentityPoolProps

        Properties for defining a AWS::Cognito::IdentityPool.

        ICfnIdentityPoolRoleAttachmentProps

        Properties for defining a AWS::Cognito::IdentityPoolRoleAttachment.

        ICfnUserPoolClientProps

        Properties for defining a AWS::Cognito::UserPoolClient.

        ICfnUserPoolDomainProps

        Properties for defining a AWS::Cognito::UserPoolDomain.

        ICfnUserPoolGroupProps

        Properties for defining a AWS::Cognito::UserPoolGroup.

        ICfnUserPoolIdentityProviderProps

        Properties for defining a AWS::Cognito::UserPoolIdentityProvider.

        ICfnUserPoolProps

        Properties for defining a AWS::Cognito::UserPool.

        ICfnUserPoolResourceServerProps

        Properties for defining a AWS::Cognito::UserPoolResourceServer.

        ICfnUserPoolRiskConfigurationAttachmentProps

        Properties for defining a AWS::Cognito::UserPoolRiskConfigurationAttachment.

        ICfnUserPoolUICustomizationAttachmentProps

        Properties for defining a AWS::Cognito::UserPoolUICustomizationAttachment.

        ICfnUserPoolUserProps

        Properties for defining a AWS::Cognito::UserPoolUser.

        ICfnUserPoolUserToGroupAttachmentProps

        Properties for defining a AWS::Cognito::UserPoolUserToGroupAttachment.

        ICognitoDomainOptions

        Options while specifying a cognito prefix domain.

        ICustomAttribute

        Represents a custom attribute type.

        ICustomAttributeConfig

        Configuration that will be fed into CloudFormation for any custom attribute type.

        ICustomAttributeProps

        Constraints that can be applied to a custom attribute of any type.

        ICustomDomainOptions

        Options while specifying custom domain.

        IEmailSettings

        Email settings for the user pool.

        IMfaSecondFactor

        The different ways in which a user pool can obtain their MFA token for sign in.

        INumberAttributeConstraints

        Constraints that can be applied to a custom attribute of number type.

        INumberAttributeProps

        Props for NumberAttr.

        IOAuthFlows

        Types of OAuth grant flows.

        IOAuthSettings

        OAuth settings to configure the interaction between the app and this client.

        IPasswordPolicy

        Password policy for User Pools.

        IResourceServerScopeProps

        Props to initialize ResourceServerScope.

        ISignInAliases

        The different ways in which users of this pool can sign up or sign in.

        ISignInUrlOptions

        Options to customize the behaviour of signInUrl().

        IStandardAttribute

        Standard attribute that can be marked as required or mutable.

        IStandardAttributes

        The set of standard attributes that can be marked as required or mutable.

        IStandardAttributesMask

        This interface contains all standard attributes recognized by Cognito from https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html including email_verified and phone_number_verified.

        IStringAttributeConstraints

        Constraints that can be applied to a custom attribute of string type.

        IStringAttributeProps

        Props for constructing a StringAttr.

        IUserInvitationConfig

        User pool configuration when administrators sign users up.

        IUserPool

        Represents a Cognito UserPool.

        IUserPoolClient

        Represents a Cognito user pool client.

        IUserPoolClientOptions

        Options to create a UserPoolClient.

        IUserPoolClientProps

        Properties for the UserPoolClient construct.

        IUserPoolDomain

        Represents a user pool domain.

        IUserPoolDomainOptions

        Options to create a UserPoolDomain.

        IUserPoolDomainProps

        Props for UserPoolDomain construct.

        IUserPoolIdentityProvider

        Represents a UserPoolIdentityProvider.

        IUserPoolIdentityProviderAmazonProps

        Properties to initialize UserPoolAmazonIdentityProvider.

        IUserPoolIdentityProviderAppleProps

        Properties to initialize UserPoolAppleIdentityProvider.

        IUserPoolIdentityProviderFacebookProps

        Properties to initialize UserPoolFacebookIdentityProvider.

        IUserPoolIdentityProviderGoogleProps

        Properties to initialize UserPoolGoogleIdentityProvider.

        IUserPoolIdentityProviderProps

        Properties to create a new instance of UserPoolIdentityProvider.

        IUserPoolProps

        Props for the UserPool construct.

        IUserPoolResourceServer

        Represents a Cognito user pool resource server.

        IUserPoolResourceServerOptions

        Options to create a UserPoolResourceServer.

        IUserPoolResourceServerProps

        Properties for the UserPoolResourceServer construct.

        IUserPoolTriggers

        Triggers for a user pool.

        IUserVerificationConfig

        User pool configuration for user self sign up.

        Back to top Generated by DocFX