Package software.amazon.awscdk.services.cognito
Amazon Cognito Construct Library
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.
The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. Identity Pool L2 Constructs can be found here.
This module is part of the AWS Cloud Development Kit project.
Table of Contents
- Amazon Cognito Construct Library
User Pools
User pools allow creating and managing your own directory of users that can sign up and sign in. They enable easy integration with social identity providers such as Facebook, Google, Amazon, Microsoft Active Directory, etc. through SAML.
Using the CDK, a new user pool can be created as part of the stack using the construct's constructor. You may specify
the userPoolName
to give your own identifier to the user pool. If not, CloudFormation will generate a name.
UserPool.Builder.create(this, "myuserpool") .userPoolName("myawesomeapp-userpool") .signInCaseSensitive(false) .build();
By default, usernames and email addresses in user pools are case sensitive, which means user@example.com
and User@example.com
are considered different. In most situations it is preferred to have usernames and email addresses be case insensitive so that
capitalization differences are ignored. As shown above, you can make a user pool case insensitive by setting signInCaseSensitive
to false
. The case sensitivity cannot be changed once a user pool is created.
The default set up for the user pool is configured such that only administrators will be allowed to create users. Features such as Multi-factor authentication (MFAs) and Lambda Triggers are not configured by default.
Use the grant()
method to add an IAM policy statement associated with the user pool to an
IAM principal's policy.
UserPool userPool = new UserPool(this, "myuserpool"); Role role = Role.Builder.create(this, "role") .assumedBy(new ServicePrincipal("foo")) .build(); userPool.grant(role, "cognito-idp:AdminCreateUser");
User pool feature plans
Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it. Lean more aboug feature plans here.
- Lite - a low-cost feature plan for user pools with lower numbers of monthly active users.
- Essentials - all of the latest user pool authentication features.
- Plus - includes everything in the Essentials plan and adds advanced security features that protect your users.
The default feature plan is Essentials for newly create user pools. For the existing user pools, Lite plan is automatically set.
Previously, some user pool features were included in an advanced security features pricing structure. The features that were included in this structure are now under either the Essentials or Plus plan.
Sign Up
Users can either be signed up by the app's administrators or can sign themselves up. Once a user has signed up, their account needs to be confirmed. Cognito provides several ways to sign users up and confirm their accounts. Learn more about user sign up here.
To verify the email address of a user in your user pool with Amazon Cognito, you can send the user an email message with a link that they can select, or you can send them a code that they can enter.
Code Verification
When a user signs up, email and SMS messages are used to verify their account and contact methods. The following code snippet configures a user pool with properties relevant to these verification messages -
UserPool.Builder.create(this, "myuserpool") // ... .selfSignUpEnabled(true) .userVerification(UserVerificationConfig.builder() .emailSubject("Verify your email for our awesome app!") .emailBody("Thanks for signing up to our awesome app! Your verification code is {####}") .emailStyle(VerificationEmailStyle.CODE) .smsMessage("Thanks for signing up to our awesome app! Your verification code is {####}") .build()) .build();
By default, self sign up is disabled. Learn more about email and SMS verification messages here.
Besides users signing themselves up, an administrator of any user pool can sign users up. The user then receives an invitation to join the user pool. The following code snippet configures a user pool with properties relevant to the invitation messages -
UserPool.Builder.create(this, "myuserpool") // ... .userInvitation(UserInvitationConfig.builder() .emailSubject("Invite to join our awesome app!") .emailBody("Hello {username}, you have been invited to join our awesome app! Your temporary password is {####}") .smsMessage("Hello {username}, your temporary password for our awesome app is {####}") .build()) .build();
Link Verification
Alternatively, users can use link as a verification method. The following code snippet configures a user pool with properties relevant to these verification messages and link verification method.
UserPool.Builder.create(this, "myuserpool") .userVerification(UserVerificationConfig.builder() .emailStyle(VerificationEmailStyle.LINK) .emailSubject("Invite to join our awesome app!") .emailBody("You have been invited to join our awesome app! {##Verify Your Email##}") .build()) .build();
All email subjects, bodies and SMS messages for both invitation and verification support Cognito's message templating. Learn more about message templates here.
Sign In
Users registering or signing in into your application can do so with multiple identifiers. There are 4 options available:
username
: Allow signing in using the one time immutable user name that the user chose at the time of sign up.email
: Allow signing in using the email address that is associated with the account.phone
: Allow signing in using the phone number that is associated with the account.preferredUsername
: Allow signing in with an alternate user name that the user can change at any time. However, this is not available if theusername
option is not chosen.
The following code sets up a user pool so that the user can sign in with either their username or their email address -
UserPool.Builder.create(this, "myuserpool") // ... // ... .signInAliases(SignInAliases.builder() .username(true) .email(true) .build()) .build();
User pools can either be configured so that user name is primary sign in form, but also allows for the other three to be used additionally; or it can be configured so that email and/or phone numbers are the only ways a user can register and sign in. Read more about this here.
⚠️ The Cognito service prevents changing the signInAlias
property for an existing user pool.
To match with 'Option 1' in the above link, with a verified email, signInAliases
should be set to
{ username: true, email: true }
. To match with 'Option 2' in the above link with both a verified
email and phone number, this property should be set to { email: true, phone: true }
.
Cognito recommends that email and phone number be automatically verified, if they are one of the sign in methods for
the user pool. Read more about that
here.
The CDK does this by default, when email and/or phone number are specified as part of signInAliases
. This can be
overridden by specifying the autoVerify
property.
The following code snippet sets up only email as a sign in alias, but both email and phone number to be auto-verified.
UserPool.Builder.create(this, "myuserpool") // ... // ... .signInAliases(SignInAliases.builder().username(true).email(true).build()) .autoVerify(AutoVerifiedAttrs.builder().email(true).phone(true).build()) .build();
A user pool can optionally ignore case when evaluating sign-ins. When signInCaseSensitive
is false, Cognito will not
check the capitalization of the alias when signing in. Default is true.
Attributes
Attributes represent the various properties of each user that's collected and stored in the user pool. Cognito provides a set of standard attributes that are available for all user pools. Users are allowed to select any of these standard attributes to be required. Users will not be able to sign up to the user pool without providing the required attributes. Besides these, additional attributes can be further defined, and are known as custom attributes.
Learn more on attributes in Cognito's documentation.
The following code configures a user pool with two standard attributes (name and address) as required and mutable, and adds four custom attributes.
UserPool.Builder.create(this, "myuserpool") // ... .standardAttributes(StandardAttributes.builder() .fullname(StandardAttribute.builder() .required(true) .mutable(false) .build()) .address(StandardAttribute.builder() .required(false) .mutable(true) .build()) .build()) .customAttributes(Map.of( "myappid", StringAttribute.Builder.create().minLen(5).maxLen(15).mutable(false).build(), "callingcode", NumberAttribute.Builder.create().min(1).max(3).mutable(true).build(), "isEmployee", BooleanAttribute.Builder.create().mutable(true).build(), "joinedOn", new DateTimeAttribute())) .build();
As shown in the code snippet, there are data types that are available for custom attributes. The 'String' and 'Number' data types allow for further constraints on their length and values, respectively.
Custom attributes cannot be marked as required.
All custom attributes share the property mutable
that specifies whether the value of the attribute can be changed.
The default value is false
.
User pools come with two 'built-in' attributes - email_verified
and phone_number_verified
. These cannot be
configured (required-ness or mutability) as part of user pool creation. However, user pool administrators can modify
them for specific users using the AdminUpdateUserAttributes API.
Attribute verification
When your user updates an email address or phone number attribute, Amazon Cognito marks it unverified until they verify the new value. You can’t send messages to an unverified email address or phone number. Your user can’t sign in with an unverified alias attribute. You can choose how Amazon Cognito handles an updated email address or phone number after the update and before the verification.
Learn more on configuring email or phone verification in Cognito's documentation.
The following code configures a user pool that keeps the original value for the two standard attributes (email and phone_number) until the new values are verified.
UserPool.Builder.create(this, "myuserpool") // ... .signInAliases(SignInAliases.builder().username(true).build()) .autoVerify(AutoVerifiedAttrs.builder().email(true).phone(true).build()) .keepOriginal(KeepOriginalAttrs.builder() .email(true) .phone(true) .build()) .build();
Security
Cognito sends various messages to its users via SMS, for different actions, ranging from account verification to marketing. In order to send SMS messages, Cognito needs an IAM role that it can assume, with permissions that allow it to send SMS messages.
By default, the CDK looks at all of the specified properties (and their defaults when not explicitly specified) and
automatically creates an SMS role, when needed. For example, if MFA second factor by SMS is enabled, the CDK will
create a new role. The smsRole
property can be used to specify the user supplied role that should be used instead.
Additionally, the property enableSmsRole
can be used to override the CDK's default behaviour to either enable or
suppress automatic role creation.
Role poolSmsRole = Role.Builder.create(this, "userpoolsmsrole") .assumedBy(new ServicePrincipal("foo")) .build(); UserPool.Builder.create(this, "myuserpool") // ... .smsRole(poolSmsRole) .smsRoleExternalId("c87467be-4f34-11ea-b77f-2e728ce88125") .build();
When the smsRole
property is specified, the smsRoleExternalId
may also be specified. The value of
smsRoleExternalId
will be used as the sts:ExternalId
when the Cognito service assumes the role. In turn, the role's
assume role policy should be configured to accept this value as the ExternalId. Learn more about ExternalId
here.
Multi-factor Authentication (MFA)
User pools can be configured to enable multi-factor authentication (MFA). It can either be turned off, set to optional or made required. Setting MFA to optional means that individual users can choose to enable it. Additionally, the MFA code can be sent either via SMS text message or via a time-based software token. See the documentation on MFA to learn more.
The following code snippet marks MFA for the user pool as required. This means that all users are required to configure an MFA token and use it for sign in. It also allows for the users to use both SMS based MFA, as well, time-based one time password (TOTP).
If you want to enable email-based MFA, set email
propety to the Amazon SES email-sending configuration and set featurePlan
to FeaturePlan.ESSENTIALS
or FeaturePlan.PLUS
.
For more information, see SMS and email message MFA.
UserPool.Builder.create(this, "myuserpool") // ... .mfa(Mfa.REQUIRED) .mfaSecondFactor(MfaSecondFactor.builder() .sms(true) .otp(true) .email(false) .build()) .build();
User pools can be configured with policies around a user's password. This includes the password length and the character sets that they must contain.
Further to this, it can also be configured with the validity of the auto-generated temporary password. A temporary password is generated by the user pool either when an admin signs up a user or when a password reset is requested. The validity of this password dictates how long to give the user to use this password before expiring it.
The following code snippet configures these properties -
UserPool.Builder.create(this, "myuserpool") // ... .passwordPolicy(PasswordPolicy.builder() .minLength(12) .requireLowercase(true) .requireUppercase(true) .requireDigits(true) .requireSymbols(true) .tempPasswordValidity(Duration.days(3)) .build()) .build();
Note that, tempPasswordValidity
can be specified only in whole days. Specifying fractional days would throw an error.
Account Recovery Settings
User pools can be configured on which method a user should use when recovering the password for their account. This can either be email and/or SMS. Read more at Recovering User Accounts
UserPool.Builder.create(this, "UserPool") // ... .accountRecovery(AccountRecovery.EMAIL_ONLY) .build();
The default for account recovery is by phone if available and by email otherwise. A user will not be allowed to reset their password via phone if they are also using it for MFA.
Advanced Security Mode
⚠️ Advanced Security Mode is deprecated in favor of user pool feature plans.
User pools can be configured to use Advanced security. You can turn the user pool advanced security features on, and customize the actions that are taken in response to different risks. Or you can use audit mode to gather metrics on detected risks without taking action. In audit mode, the advanced security features publish metrics to Amazon CloudWatch. See the documentation on Advanced security to learn more.
UserPool.Builder.create(this, "myuserpool") // ... .advancedSecurityMode(AdvancedSecurityMode.ENFORCED) .build();
Emails
Cognito sends emails to users in the user pool, when particular actions take place, such as welcome emails, invitation emails, password resets, etc. The address from which these emails are sent can be configured on the user pool. Read more at Email settings for User Pools.
By default, user pools are configured to use Cognito's built in email capability, which will send emails
from no-reply@verificationemail.com
. If you want to use a custom email address you can configure
Cognito to send emails through Amazon SES, which is detailed below.
UserPool.Builder.create(this, "myuserpool") .email(UserPoolEmail.withCognito("support@myawesomeapp.com")) .build();
For typical production environments, the default email limit is below the required delivery volume. To enable a higher delivery volume, you can configure the UserPool to send emails through Amazon SES. To do so, follow the steps in the Cognito Developer Guide to verify an email address, move the account out of the SES sandbox, and grant Cognito email permissions via an authorization policy.
Once the SES setup is complete, the UserPool can be configured to use the SES email.
UserPool.Builder.create(this, "myuserpool") .email(UserPoolEmail.withSES(UserPoolSESOptions.builder() .fromEmail("noreply@myawesomeapp.com") .fromName("Awesome App") .replyTo("support@myawesomeapp.com") .build())) .build();
Sending emails through SES requires that SES be configured (as described above) in a valid SES region.
If the UserPool is being created in a different region, sesRegion
must be used to specify the correct SES region.
UserPool.Builder.create(this, "myuserpool") .email(UserPoolEmail.withSES(UserPoolSESOptions.builder() .sesRegion("us-east-1") .fromEmail("noreply@myawesomeapp.com") .fromName("Awesome App") .replyTo("support@myawesomeapp.com") .build())) .build();
When sending emails from an SES verified domain, sesVerifiedDomain
can be used to specify the domain.
The email address does not need to be verified when sending emails from a verified domain, because the identity of the email configuration is can be determined from the domain alone.
UserPool.Builder.create(this, "myuserpool") .email(UserPoolEmail.withSES(UserPoolSESOptions.builder() .sesRegion("us-east-1") .fromEmail("noreply@myawesomeapp.com") .fromName("Awesome App") .replyTo("support@myawesomeapp.com") .sesVerifiedDomain("myawesomeapp.com") .build())) .build();
If fromName
does not comply RFC 5322 atom or quoted-string, it will be quoted or mime-encoded.
UserPool.Builder.create(this, "myuserpool") .email(UserPoolEmail.withSES(UserPoolSESOptions.builder() .fromEmail("noreply@myawesomeapp.com") .fromName("myname@mycompany.com") .build())) .build();
Device Tracking
User pools can be configured to track devices that users have logged in to. Read more at Device Tracking
UserPool.Builder.create(this, "myuserpool") // ... .deviceTracking(DeviceTracking.builder() .challengeRequiredOnNewDevice(true) .deviceOnlyRememberedOnUserPrompt(true) .build()) .build();
The default is to not track devices.
Lambda Triggers
User pools can be configured such that AWS Lambda functions can be triggered when certain user operations or actions occur, such as, sign up, user confirmation, sign in, etc. They can also be used to add custom authentication challenges, user migrations and custom verification messages. Learn more about triggers at User Pool Workflows with Triggers.
Lambda triggers can either be specified as part of the UserPool
initialization, or it can be added later, via methods
on the construct, as so -
Function authChallengeFn = Function.Builder.create(this, "authChallengeFn") .runtime(Runtime.NODEJS_LATEST) .handler("index.handler") .code(Code.fromAsset(join(__dirname, "path/to/asset"))) .build(); UserPool userpool = UserPool.Builder.create(this, "myuserpool") // ... .lambdaTriggers(UserPoolTriggers.builder() .createAuthChallenge(authChallengeFn) .build()) .build(); userpool.addTrigger(UserPoolOperation.USER_MIGRATION, Function.Builder.create(this, "userMigrationFn") .runtime(Runtime.NODEJS_LATEST) .handler("index.handler") .code(Code.fromAsset(join(__dirname, "path/to/asset"))) .build());
Additionally, only the pre token generation Lambda trigger supports trigger events with lambda version V2.0:
UserPool userpool; Function preTokenGenerationFn; userpool.addTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, preTokenGenerationFn, LambdaVersion.V2_0);
The following table lists the set of triggers available, and their corresponding method to add it to the user pool. For more information on the function of these triggers and how to configure them, read User Pool Workflows with Triggers.
Trigger Permissions
The function.attachToRolePolicy()
API can be used to add additional IAM permissions to the lambda trigger
as necessary.
⚠️ Using the attachToRolePolicy
API to provide permissions to your user pool will result in a circular dependency. See aws/aws-cdk#7016.
Error message when running cdk synth
or cdk deploy
:
Circular dependency between resources: [pool056F3F7E, fnPostAuthFnCognitoA630A2B1, ...]
To work around the circular dependency issue, use the attachInlinePolicy()
API instead, as shown below.
Function postAuthFn; UserPool userpool = UserPool.Builder.create(this, "myuserpool") .lambdaTriggers(UserPoolTriggers.builder() .postAuthentication(postAuthFn) .build()) .build(); // provide permissions to describe the user pool scoped to the ARN the user pool postAuthFn.role.attachInlinePolicy(Policy.Builder.create(this, "userpool-policy") .statements(List.of(PolicyStatement.Builder.create() .actions(List.of("cognito-idp:DescribeUserPool")) .resources(List.of(userpool.getUserPoolArn())) .build())) .build());
Importing User Pools
Any user pool that has been created outside of this stack, can be imported into the CDK app. Importing a user pool
allows for it to be used in other parts of the CDK app that reference an IUserPool
. However, imported user pools have
limited configurability. As a rule of thumb, none of the properties that are part of the
AWS::Cognito::UserPool
CloudFormation resource can be configured.
User pools can be imported either using their id via the UserPool.fromUserPoolId()
, or by using their ARN, via the
UserPool.fromUserPoolArn()
API.
IUserPool awesomePool = UserPool.fromUserPoolId(this, "awesome-user-pool", "us-east-1_oiuR12Abd"); IUserPool otherAwesomePool = UserPool.fromUserPoolArn(this, "other-awesome-user-pool", "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/us-east-1_mtRyYQ14D");
Identity Providers
Users that are part of a user pool can sign in either directly through a user pool, or federate through a third-party identity provider. Once configured, the Cognito backend will take care of integrating with the third-party provider. Read more about Adding User Pool Sign-in Through a Third Party.
The following third-party identity providers are currently supported in the CDK -
The following code configures a user pool to federate with the third party provider, 'Login with Amazon'. The identity provider needs to be configured with a set of credentials that the Cognito backend can use to federate with the third-party identity provider.
UserPool userpool = new UserPool(this, "Pool"); UserPoolIdentityProviderAmazon provider = UserPoolIdentityProviderAmazon.Builder.create(this, "Amazon") .clientId("amzn-client-id") .clientSecret("amzn-client-secret") .userPool(userpool) .build();
Using Google identity provider is possible to use clientSecretValue with SecretValue from secrets manager.
UserPool userpool = new UserPool(this, "Pool"); SecretValue secret = Secret.fromSecretAttributes(this, "CognitoClientSecret", SecretAttributes.builder() .secretCompleteArn("arn:aws:secretsmanager:xxx:xxx:secret:xxx-xxx") .build()).getSecretValue(); UserPoolIdentityProviderGoogle provider = UserPoolIdentityProviderGoogle.Builder.create(this, "Google") .clientId("amzn-client-id") .clientSecretValue(secret) .userPool(userpool) .build();
Using SAML identity provider is possible to use SAML metadata file content or SAML metadata file url.
UserPool userpool = new UserPool(this, "Pool"); // specify the metadata as a file content // specify the metadata as a file content UserPoolIdentityProviderSaml.Builder.create(this, "userpoolIdpFile") .userPool(userpool) .metadata(UserPoolIdentityProviderSamlMetadata.file("my-file-contents")) // Whether to require encrypted SAML assertions from IdP .encryptedResponses(true) // The signing algorithm for the SAML requests .requestSigningAlgorithm(SigningAlgorithm.RSA_SHA256) // Enable IdP initiated SAML auth flow .idpInitiated(true) .build(); // specify the metadata as a URL // specify the metadata as a URL UserPoolIdentityProviderSaml.Builder.create(this, "userpoolidpUrl") .userPool(userpool) .metadata(UserPoolIdentityProviderSamlMetadata.url("https://my-metadata-url.com")) .build();
Attribute mapping allows mapping attributes provided by the third-party identity providers to standard and custom attributes of the user pool. Learn more about Specifying Identity Provider Attribute Mappings for Your User Pool.
The following code shows how different attributes provided by 'Login With Amazon' can be mapped to standard and custom user pool attributes.
UserPool userpool = new UserPool(this, "Pool"); UserPoolIdentityProviderAmazon.Builder.create(this, "Amazon") .clientId("amzn-client-id") .clientSecret("amzn-client-secret") .userPool(userpool) .attributeMapping(AttributeMapping.builder() .email(ProviderAttribute.AMAZON_EMAIL) .website(ProviderAttribute.other("url")) // use other() when an attribute is not pre-defined in the CDK .custom(Map.of( // custom user pool attributes go here "uniqueId", ProviderAttribute.AMAZON_USER_ID)) .build()) .build();
App Clients
An app is an entity within a user pool that has permission to call unauthenticated APIs (APIs that do not have an authenticated user), such as APIs to register, sign in, and handle forgotten passwords. To call these APIs, you need an app client ID and an optional client secret. Read Configuring a User Pool App Client to learn more.
The following code creates an app client and retrieves the client id -
UserPool pool = new UserPool(this, "pool"); UserPoolClient client = pool.addClient("customer-app-client"); String clientId = client.getUserPoolClientId();
Existing app clients can be imported into the CDK app using the UserPoolClient.fromUserPoolClientId()
API. For new
and imported user pools, clients can also be created via the UserPoolClient
constructor, as so -
IUserPool importedPool = UserPool.fromUserPoolId(this, "imported-pool", "us-east-1_oiuR12Abd"); UserPoolClient.Builder.create(this, "customer-app-client") .userPool(importedPool) .build();
Clients can be configured with authentication flows. Authentication flows allow users on a client to be authenticated with a user pool. Cognito user pools provide several different types of authentication, such as, SRP (Secure Remote Password) authentication, username-and-password authentication, etc. Learn more about this at UserPool Authentication Flow.
The following code configures a client to use both SRP and username-and-password authentication -
UserPool pool = new UserPool(this, "pool"); pool.addClient("app-client", UserPoolClientOptions.builder() .authFlows(AuthFlow.builder() .userPassword(true) .userSrp(true) .build()) .build());
Custom authentication protocols can be configured by setting the custom
property under authFlow
and defining lambda
functions for the corresponding user pool triggers. Learn more at Custom Authentication
Flow.
Choice-based authentication can be configured by setting the user
property under authFlow
. This enables the
USER_AUTH
authentication flow. Learn more at Choice-based authentication.
In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more about the OAuth 2.0 authorization framework and Cognito user pool's implementation of OAuth2.0.
The following code configures an app client with the authorization code grant flow and registers the the app's welcome page as a callback (or redirect) URL. It also configures the access token scope to 'openid'. All of these concepts can be found in the OAuth 2.0 RFC.
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() .oAuth(OAuthSettings.builder() .flows(OAuthFlows.builder() .authorizationCodeGrant(true) .build()) .scopes(List.of(OAuthScope.OPENID)) .callbackUrls(List.of("https://my-app-domain.com/welcome")) .logoutUrls(List.of("https://my-app-domain.com/signin")) .build()) .build());
To set a default redirect URI, use the defaultRedirectUri
property.
Its value must be present in the callbackUrls
list.
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() .oAuth(OAuthSettings.builder() .flows(OAuthFlows.builder() .authorizationCodeGrant(true) .build()) .scopes(List.of(OAuthScope.OPENID)) .defaultRedirectUri("https://my-app-domain.com/welcome") .callbackUrls(List.of("https://my-app-domain.com/welcome", "https://my-app-domain.com/hello")) .logoutUrls(List.of("https://my-app-domain.com/signin")) .build()) .build());
An app client can be configured to prevent user existence errors. This instructs the Cognito authentication API to return generic authentication failure responses instead of an UserNotFoundException. By default, the flag is not set, which means the CloudFormation default (false) will be used. See the documentation for the full details on the behavior of this flag.
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() .preventUserExistenceErrors(true) .build());
All identity providers created in the CDK app are automatically registered into the corresponding user pool. All app clients created in the CDK have all of the identity providers enabled by default. The 'Cognito' identity provider, that allows users to register and sign in directly with the Cognito user pool, is also enabled by default. Alternatively, the list of supported identity providers for a client can be explicitly specified -
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() // ... .supportedIdentityProviders(List.of(UserPoolClientIdentityProvider.AMAZON, UserPoolClientIdentityProvider.COGNITO)) .build());
If the identity provider and the app client are created in the same stack, specify the dependency between both constructs to make sure that the identity provider already exists when the app client will be created. The app client cannot handle the dependency to the identity provider automatically because the client does not have access to the provider's construct.
UserPool pool = new UserPool(this, "Pool"); UserPoolIdentityProviderAmazon provider = UserPoolIdentityProviderAmazon.Builder.create(this, "Amazon") .userPool(pool) .clientId("amzn-client-id") .clientSecret("amzn-client-secret") .build(); UserPoolClient client = pool.addClient("app-client", UserPoolClientOptions.builder() // ... .supportedIdentityProviders(List.of(UserPoolClientIdentityProvider.AMAZON)) .build()); client.node.addDependency(provider);
The property authSessionValidity
is the session token for each API request in the authentication flow.
Valid duration is from 3 to 15 minutes.
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() // ... .authSessionValidity(Duration.minutes(15)) .build());
In accordance with the OIDC open standard, Cognito user pool clients provide access tokens, ID tokens and refresh tokens. More information is available at Using Tokens with User Pools. The expiration time for these tokens can be configured as shown below.
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() // ... .accessTokenValidity(Duration.minutes(60)) .idTokenValidity(Duration.minutes(60)) .refreshTokenValidity(Duration.days(30)) .build());
Clients can (and should) be allowed to read and write relevant user attributes only. Usually every client can be allowed to
read the given_name
attribute but not every client should be allowed to set the email_verified
attribute.
The same criteria applies for both standard and custom attributes, more info is available at
Attribute Permissions and Scopes.
The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be
configured for a client.
UserPool pool = new UserPool(this, "Pool"); ClientAttributes clientWriteAttributes = (new ClientAttributes()).withStandardAttributes(StandardAttributesMask.builder().fullname(true).email(true).build()).withCustomAttributes("favouritePizza", "favouriteBeverage"); ClientAttributes clientReadAttributes = clientWriteAttributes.withStandardAttributes(StandardAttributesMask.builder().emailVerified(true).build()).withCustomAttributes("pointsEarned"); pool.addClient("app-client", UserPoolClientOptions.builder() // ... .readAttributes(clientReadAttributes) .writeAttributes(clientWriteAttributes) .build());
Token revocation can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.
UserPool pool = new UserPool(this, "Pool"); pool.addClient("app-client", UserPoolClientOptions.builder() // ... .enableTokenRevocation(true) .build());
User Pool clients can generate a client ID as well as a client secret, to support more advanced authentication workflows.
To create a client with an autogenerated client secret, pass the generateSecret: true
prop:
UserPool importedPool; UserPoolClient userPoolClient = UserPoolClient.Builder.create(this, "UserPoolClient") .userPool(importedPool) .generateSecret(true) .build(); // Allows you to pass the generated secret to other pieces of infrastructure SecretValue secret = userPoolClient.getUserPoolClientSecret();
If you set enablePropagateAdditionalUserContextData: true
, you can collect and pass
information about your user's session to Amazon Cognito advanced security
when you use the API to sign them up, sign them in, and reset their password.
UserPool importedPool; UserPoolClient userPoolClient = UserPoolClient.Builder.create(this, "UserPoolClient") .userPool(importedPool) .generateSecret(true) .enablePropagateAdditionalUserContextData(true) .build();
See Adding user device and session data to API requests for more information.
Resource Servers
A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token. See Defining Resource Servers for more information.
An application may choose to model custom permissions via OAuth. Resource Servers provide this capability via custom scopes that are attached to an app client. The following example sets up a resource server for the 'users' resource for two different app clients and configures the clients to use these scopes.
UserPool pool = new UserPool(this, "Pool"); ResourceServerScope readOnlyScope = ResourceServerScope.Builder.create().scopeName("read").scopeDescription("Read-only access").build(); ResourceServerScope fullAccessScope = ResourceServerScope.Builder.create().scopeName("*").scopeDescription("Full access").build(); UserPoolResourceServer userServer = pool.addResourceServer("ResourceServer", UserPoolResourceServerOptions.builder() .identifier("users") .scopes(List.of(readOnlyScope, fullAccessScope)) .build()); UserPoolClient readOnlyClient = pool.addClient("read-only-client", UserPoolClientOptions.builder() // ... .oAuth(OAuthSettings.builder() // ... .scopes(List.of(OAuthScope.resourceServer(userServer, readOnlyScope))) .build()) .build()); UserPoolClient fullAccessClient = pool.addClient("full-access-client", UserPoolClientOptions.builder() // ... .oAuth(OAuthSettings.builder() // ... .scopes(List.of(OAuthScope.resourceServer(userServer, fullAccessScope))) .build()) .build());
Domains
After setting up an app client, the address for the user pool's sign-up and sign-in webpages can be configured using domains. There are two ways to set up a domain - either the Amazon Cognito hosted domain can be chosen with an available domain prefix, or a custom domain name can be chosen. The custom domain must be one that is already owned, and whose certificate is registered in AWS Certificate Manager.
The following code sets up a user pool domain in Amazon Cognito hosted domain with the prefix 'my-awesome-app', and another domain with the custom domain 'user.myapp.com' -
UserPool pool = new UserPool(this, "Pool"); pool.addDomain("CognitoDomain", UserPoolDomainOptions.builder() .cognitoDomain(CognitoDomainOptions.builder() .domainPrefix("my-awesome-app") .build()) .build()); String certificateArn = "arn:aws:acm:us-east-1:123456789012:certificate/11-3336f1-44483d-adc7-9cd375c5169d"; ICertificate domainCert = Certificate.fromCertificateArn(this, "domainCert", certificateArn); pool.addDomain("CustomDomain", UserPoolDomainOptions.builder() .customDomain(CustomDomainOptions.builder() .domainName("user.myapp.com") .certificate(domainCert) .build()) .build());
Read more about Using the Amazon Cognito Domain and Using Your Own Domain.
The signInUrl()
methods returns the fully qualified URL to the login page for the user pool. This page comes from the
hosted UI configured with Cognito. Learn more at Hosted UI with the Amazon Cognito
Console.
UserPool userpool = UserPool.Builder.create(this, "UserPool").build(); UserPoolClient client = userpool.addClient("Client", UserPoolClientOptions.builder() // ... .oAuth(OAuthSettings.builder() .flows(OAuthFlows.builder() .implicitCodeGrant(true) .build()) .callbackUrls(List.of("https://myapp.com/home", "https://myapp.com/users")) .build()) .build()); UserPoolDomain domain = userpool.addDomain("Domain", UserPoolDomainOptions.builder().build()); String signInUrl = domain.signInUrl(client, SignInUrlOptions.builder() .redirectUri("https://myapp.com/home") .build());
Existing domains can be imported into CDK apps using UserPoolDomain.fromDomainName()
API
IUserPoolDomain myUserPoolDomain = UserPoolDomain.fromDomainName(this, "my-user-pool-domain", "domain-name");
To get the domain name of the CloudFront distribution associated with the user pool domain, use cloudFrontEndpoint
method.
UserPool userpool = new UserPool(this, "UserPool"); UserPoolDomain domain = userpool.addDomain("Domain", UserPoolDomainOptions.builder() .cognitoDomain(CognitoDomainOptions.builder() .domainPrefix("my-awesome-app") .build()) .build()); CfnOutput.Builder.create(this, "CloudFrontEndpoint") .value(domain.getCloudFrontEndpoint()) .build();
Deletion protection
Deletion protection can be enabled on a user pool to prevent accidental deletion:
UserPool userpool = UserPool.Builder.create(this, "UserPool") // ... .deletionProtection(true) .build();
By default deletion protection is disabled.
email_verified
Attribute Mapping
If you use a third-party identity provider, you can specify the email_verified
attribute in attributeMapping.
UserPool userpool = new UserPool(this, "Pool"); UserPoolIdentityProviderGoogle.Builder.create(this, "google") .userPool(userpool) .clientId("google-client-id") .attributeMapping(AttributeMapping.builder() .email(ProviderAttribute.GOOGLE_EMAIL) .emailVerified(ProviderAttribute.GOOGLE_EMAIL_VERIFIED) .build()) .build();
User Pool Group
Support for groups in Amazon Cognito user pools enables you to create and manage groups and add users to groups. Use groups to create collections of users to manage their permissions or to represent different types of users.
You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group.
For more information, see Adding groups to a user pool.
UserPool userPool; Role role; UserPoolGroup.Builder.create(this, "UserPoolGroup") .userPool(userPool) .groupName("my-group-name") .precedence(1) .role(role) .build(); // You can also add a group by using addGroup method. userPool.addGroup("AnotherUserPoolGroup", UserPoolGroupOptions.builder() .groupName("another-group-name") .build());
-
ClassDescriptionHow will a user be able to recover their account?Deprecated.Advanced Security Mode is deprecated in favor of user pool feature plans.The mapping of user pool attributes to the attributes provided by the identity providers.A builder for
AttributeMapping
An implementation forAttributeMapping
Types of authentication flow.A builder forAuthFlow
An implementation forAuthFlow
Attributes that can be automatically verified for users in a user pool.A builder forAutoVerifiedAttrs
An implementation forAutoVerifiedAttrs
Options to customize the behaviour ofbaseUrl()
.A builder forBaseUrlOptions
An implementation forBaseUrlOptions
The Boolean custom attribute type.A fluent builder forBooleanAttribute
.TheAWS::Cognito::IdentityPool
resource creates an Amazon Cognito identity pool.A fluent builder forCfnIdentityPool
.CognitoIdentityProvider
is a property of the AWS::Cognito::IdentityPool resource that represents an Amazon Cognito user pool and its client ID.A builder forCfnIdentityPool.CognitoIdentityProviderProperty
An implementation forCfnIdentityPool.CognitoIdentityProviderProperty
CognitoStreams
is a property of the AWS::Cognito::IdentityPool resource that defines configuration options for Amazon Cognito streams.A builder forCfnIdentityPool.CognitoStreamsProperty
An implementation forCfnIdentityPool.CognitoStreamsProperty
PushSync
is a property of the AWS::Cognito::IdentityPool resource that defines the configuration options to be applied to an Amazon Cognito identity pool.A builder forCfnIdentityPool.PushSyncProperty
An implementation forCfnIdentityPool.PushSyncProperty
A list of the identity pool principal tag assignments for attributes for access control.A fluent builder forCfnIdentityPoolPrincipalTag
.Properties for defining aCfnIdentityPoolPrincipalTag
.A builder forCfnIdentityPoolPrincipalTagProps
An implementation forCfnIdentityPoolPrincipalTagProps
Properties for defining aCfnIdentityPool
.A builder forCfnIdentityPoolProps
An implementation forCfnIdentityPoolProps
TheAWS::Cognito::IdentityPoolRoleAttachment
resource manages the role configuration for an Amazon Cognito identity pool.A fluent builder forCfnIdentityPoolRoleAttachment
.Defines how to map a claim to a role ARN.A builder forCfnIdentityPoolRoleAttachment.MappingRuleProperty
An implementation forCfnIdentityPoolRoleAttachment.MappingRuleProperty
One of a set ofRoleMappings
, a property of the AWS::Cognito::IdentityPoolRoleAttachment resource that defines the role-mapping attributes of an Amazon Cognito identity pool.A builder forCfnIdentityPoolRoleAttachment.RoleMappingProperty
An implementation forCfnIdentityPoolRoleAttachment.RoleMappingProperty
RulesConfigurationType
is a subproperty of the RoleMapping property that defines the rules to be used for mapping users to roles.An implementation forCfnIdentityPoolRoleAttachment.RulesConfigurationTypeProperty
Properties for defining aCfnIdentityPoolRoleAttachment
.A builder forCfnIdentityPoolRoleAttachmentProps
An implementation forCfnIdentityPoolRoleAttachmentProps
Sets up or modifies the logging configuration of a user pool.A fluent builder forCfnLogDeliveryConfiguration
.Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.An implementation forCfnLogDeliveryConfiguration.CloudWatchLogsConfigurationProperty
Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features.An implementation forCfnLogDeliveryConfiguration.FirehoseConfigurationProperty
The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.A builder forCfnLogDeliveryConfiguration.LogConfigurationProperty
An implementation forCfnLogDeliveryConfiguration.LogConfigurationProperty
Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features.A builder forCfnLogDeliveryConfiguration.S3ConfigurationProperty
An implementation forCfnLogDeliveryConfiguration.S3ConfigurationProperty
Properties for defining aCfnLogDeliveryConfiguration
.A builder forCfnLogDeliveryConfigurationProps
An implementation forCfnLogDeliveryConfigurationProps
Creates a new set of branding settings for a user pool style and associates it with an app client.An image file from a managed login branding style in a user pool.A builder forCfnManagedLoginBranding.AssetTypeProperty
An implementation forCfnManagedLoginBranding.AssetTypeProperty
A fluent builder forCfnManagedLoginBranding
.Properties for defining aCfnManagedLoginBranding
.A builder forCfnManagedLoginBrandingProps
An implementation forCfnManagedLoginBrandingProps
TheAWS::Cognito::UserPool
resource creates an Amazon Cognito user pool.The available verified method a user can use to recover their password when they callForgotPassword
.A builder forCfnUserPool.AccountRecoverySettingProperty
An implementation forCfnUserPool.AccountRecoverySettingProperty
The settings for administrator creation of users in a user pool.A builder forCfnUserPool.AdminCreateUserConfigProperty
An implementation forCfnUserPool.AdminCreateUserConfigProperty
Example:A builder forCfnUserPool.AdvancedSecurityAdditionalFlowsProperty
An implementation forCfnUserPool.AdvancedSecurityAdditionalFlowsProperty
A fluent builder forCfnUserPool
.The configuration of a custom email sender Lambda trigger.A builder forCfnUserPool.CustomEmailSenderProperty
An implementation forCfnUserPool.CustomEmailSenderProperty
The configuration of a custom SMS sender Lambda trigger.A builder forCfnUserPool.CustomSMSSenderProperty
An implementation forCfnUserPool.CustomSMSSenderProperty
The device-remembering configuration for a user pool.A builder forCfnUserPool.DeviceConfigurationProperty
An implementation forCfnUserPool.DeviceConfigurationProperty
The email configuration of your user pool.A builder forCfnUserPool.EmailConfigurationProperty
An implementation forCfnUserPool.EmailConfigurationProperty
The template for the welcome message to new users.A builder forCfnUserPool.InviteMessageTemplateProperty
An implementation forCfnUserPool.InviteMessageTemplateProperty
A collection of user pool Lambda triggers.A builder forCfnUserPool.LambdaConfigProperty
An implementation forCfnUserPool.LambdaConfigProperty
The minimum and maximum values of an attribute that is of the number type, for examplecustom:age
.A builder forCfnUserPool.NumberAttributeConstraintsProperty
An implementation forCfnUserPool.NumberAttributeConstraintsProperty
The password policy settings for a user pool, including complexity, history, and length requirements.A builder forCfnUserPool.PasswordPolicyProperty
An implementation forCfnUserPool.PasswordPolicyProperty
A list of user pool policies.A builder forCfnUserPool.PoliciesProperty
An implementation forCfnUserPool.PoliciesProperty
The properties of a pre token generation Lambda trigger.A builder forCfnUserPool.PreTokenGenerationConfigProperty
An implementation forCfnUserPool.PreTokenGenerationConfigProperty
A recovery option for a user.A builder forCfnUserPool.RecoveryOptionProperty
An implementation forCfnUserPool.RecoveryOptionProperty
A list of the user attributes and their properties in your user pool.A builder forCfnUserPool.SchemaAttributeProperty
An implementation forCfnUserPool.SchemaAttributeProperty
Example:A builder forCfnUserPool.SignInPolicyProperty
An implementation forCfnUserPool.SignInPolicyProperty
User pool configuration for delivery of SMS messages with Amazon Simple Notification Service.A builder forCfnUserPool.SmsConfigurationProperty
An implementation forCfnUserPool.SmsConfigurationProperty
The minimum and maximum length values of an attribute that is of the string type, for examplecustom:department
.A builder forCfnUserPool.StringAttributeConstraintsProperty
An implementation forCfnUserPool.StringAttributeConstraintsProperty
The settings for updates to user attributes.A builder forCfnUserPool.UserAttributeUpdateSettingsProperty
An implementation forCfnUserPool.UserAttributeUpdateSettingsProperty
Case sensitivity of the username input for the selected sign-in option.A builder forCfnUserPool.UsernameConfigurationProperty
An implementation forCfnUserPool.UsernameConfigurationProperty
User pool add-ons.A builder forCfnUserPool.UserPoolAddOnsProperty
An implementation forCfnUserPool.UserPoolAddOnsProperty
The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.A builder forCfnUserPool.VerificationMessageTemplateProperty
An implementation forCfnUserPool.VerificationMessageTemplateProperty
TheAWS::Cognito::UserPoolClient
resource specifies an Amazon Cognito user pool client.The settings for Amazon Pinpoint analytics configuration.A builder forCfnUserPoolClient.AnalyticsConfigurationProperty
An implementation forCfnUserPoolClient.AnalyticsConfigurationProperty
A fluent builder forCfnUserPoolClient
.The time units you use when you set the duration of ID, access, and refresh tokens.A builder forCfnUserPoolClient.TokenValidityUnitsProperty
An implementation forCfnUserPoolClient.TokenValidityUnitsProperty
Properties for defining aCfnUserPoolClient
.A builder forCfnUserPoolClientProps
An implementation forCfnUserPoolClientProps
The AWS::Cognito::UserPoolDomain resource creates a new domain for a user pool.A fluent builder forCfnUserPoolDomain
.The configuration for a hosted UI custom domain.A builder forCfnUserPoolDomain.CustomDomainConfigTypeProperty
An implementation forCfnUserPoolDomain.CustomDomainConfigTypeProperty
Properties for defining aCfnUserPoolDomain
.A builder forCfnUserPoolDomainProps
An implementation forCfnUserPoolDomainProps
A user pool group.A fluent builder forCfnUserPoolGroup
.Properties for defining aCfnUserPoolGroup
.A builder forCfnUserPoolGroupProps
An implementation forCfnUserPoolGroupProps
TheAWS::Cognito::UserPoolIdentityProvider
resource creates an identity provider for a user pool.A fluent builder forCfnUserPoolIdentityProvider
.Properties for defining aCfnUserPoolIdentityProvider
.A builder forCfnUserPoolIdentityProviderProps
An implementation forCfnUserPoolIdentityProviderProps
Properties for defining aCfnUserPool
.A builder forCfnUserPoolProps
An implementation forCfnUserPoolProps
TheAWS::Cognito::UserPoolResourceServer
resource creates a new OAuth2.0 resource server and defines custom scopes in it.A fluent builder forCfnUserPoolResourceServer
.One custom scope associated with a user pool resource server.An implementation forCfnUserPoolResourceServer.ResourceServerScopeTypeProperty
Properties for defining aCfnUserPoolResourceServer
.A builder forCfnUserPoolResourceServerProps
An implementation forCfnUserPoolResourceServerProps
TheAWS::Cognito::UserPoolRiskConfigurationAttachment
resource sets the risk configuration that is used for Amazon Cognito advanced security features.A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.An implementation forCfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty
The automated response to a risk level for adaptive authentication in full-function, orENFORCED
, mode.An implementation forCfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty
The settings for automated responses and notification templates for adaptive authentication with advanced security features.An implementation forCfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty
A fluent builder forCfnUserPoolRiskConfigurationAttachment
.Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-functionENFORCED
mode.An implementation forCfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsActionsTypeProperty
Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-functionENFORCED
mode.The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a Notify action.An implementation forCfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty
The template for email messages that advanced security features sends to a user when your threat protection automated response has a Notify action.An implementation forCfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty
Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.An implementation forCfnUserPoolRiskConfigurationAttachment.RiskExceptionConfigurationTypeProperty
Properties for defining aCfnUserPoolRiskConfigurationAttachment
.A builder forCfnUserPoolRiskConfigurationAttachmentProps
An implementation forCfnUserPoolRiskConfigurationAttachmentProps
A container for the UI customization information for the hosted UI in a user pool.A fluent builder forCfnUserPoolUICustomizationAttachment
.Properties for defining aCfnUserPoolUICustomizationAttachment
.A builder forCfnUserPoolUICustomizationAttachmentProps
An implementation forCfnUserPoolUICustomizationAttachmentProps
TheAWS::Cognito::UserPoolUser
resource creates an Amazon Cognito user pool user.The name and value of a user attribute.A builder forCfnUserPoolUser.AttributeTypeProperty
An implementation forCfnUserPoolUser.AttributeTypeProperty
A fluent builder forCfnUserPoolUser
.Properties for defining aCfnUserPoolUser
.A builder forCfnUserPoolUserProps
An implementation forCfnUserPoolUserProps
Adds a user to a group.A fluent builder forCfnUserPoolUserToGroupAttachment
.Properties for defining aCfnUserPoolUserToGroupAttachment
.A builder forCfnUserPoolUserToGroupAttachmentProps
An implementation forCfnUserPoolUserToGroupAttachmentProps
A set of attributes, useful to set Read and Write attributes.Options while specifying a cognito prefix domain.A builder forCognitoDomainOptions
An implementation forCognitoDomainOptions
Configuration that will be fed into CloudFormation for any custom attribute type.A builder forCustomAttributeConfig
An implementation forCustomAttributeConfig
Constraints that can be applied to a custom attribute of any type.A builder forCustomAttributeProps
An implementation forCustomAttributeProps
Options while specifying custom domain.A builder forCustomDomainOptions
An implementation forCustomDomainOptions
The DateTime custom attribute type.A fluent builder forDateTimeAttribute
.Device tracking settings.A builder forDeviceTracking
An implementation forDeviceTracking
Email settings for the user pool.A builder forEmailSettings
An implementation forEmailSettings
The user pool feature plan, or tier.Represents a custom attribute type.Internal default implementation forICustomAttribute
.A proxy class which represents a concrete javascript instance of this type.Represents a Cognito UserPool.Internal default implementation forIUserPool
.A proxy class which represents a concrete javascript instance of this type.Represents a Cognito user pool client.Internal default implementation forIUserPoolClient
.A proxy class which represents a concrete javascript instance of this type.Represents a user pool domain.Internal default implementation forIUserPoolDomain
.A proxy class which represents a concrete javascript instance of this type.Represents a user pool group.Internal default implementation forIUserPoolGroup
.A proxy class which represents a concrete javascript instance of this type.Represents a UserPoolIdentityProvider.Internal default implementation forIUserPoolIdentityProvider
.A proxy class which represents a concrete javascript instance of this type.Represents a Cognito user pool resource server.Internal default implementation forIUserPoolResourceServer
.A proxy class which represents a concrete javascript instance of this type.Attributes that will be kept until the user verifies the changed attribute.A builder forKeepOriginalAttrs
An implementation forKeepOriginalAttrs
The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.The different ways in which a user pool's MFA enforcement can be configured.The different ways in which a user pool can obtain their MFA token for sign in.A builder forMfaSecondFactor
An implementation forMfaSecondFactor
The Number custom attribute type.A fluent builder forNumberAttribute
.Constraints that can be applied to a custom attribute of number type.A builder forNumberAttributeConstraints
An implementation forNumberAttributeConstraints
Props for NumberAttr.A builder forNumberAttributeProps
An implementation forNumberAttributeProps
Types of OAuth grant flows.A builder forOAuthFlows
An implementation forOAuthFlows
OAuth scopes that are allowed with this client.OAuth settings to configure the interaction between the app and this client.A builder forOAuthSettings
An implementation forOAuthSettings
The method to use to request attributes.OpenID Connect endpoints.A builder forOidcEndpoints
An implementation forOidcEndpoints
Password policy for User Pools.A builder forPasswordPolicy
An implementation forPasswordPolicy
An attribute available from a third party identity provider.A scope for ResourceServer.A fluent builder forResourceServerScope
.Props to initialize ResourceServerScope.A builder forResourceServerScopeProps
An implementation forResourceServerScopeProps
The different ways in which users of this pool can sign up or sign in.A builder forSignInAliases
An implementation forSignInAliases
Signing algorithms for SAML requests.Options to customize the behaviour ofsignInUrl()
.A builder forSignInUrlOptions
An implementation forSignInUrlOptions
Standard attribute that can be marked as required or mutable.A builder forStandardAttribute
An implementation forStandardAttribute
The set of standard attributes that can be marked as required or mutable.A builder forStandardAttributes
An implementation forStandardAttributes
This interface contains standard attributes recognized by Cognito from https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html including built-in attributesemail_verified
andphone_number_verified
.A builder forStandardAttributesMask
An implementation forStandardAttributesMask
The String custom attribute type.A fluent builder forStringAttribute
.Constraints that can be applied to a custom attribute of string type.A builder forStringAttributeConstraints
An implementation forStringAttributeConstraints
Props for constructing a StringAttr.A builder forStringAttributeProps
An implementation forStringAttributeProps
User pool configuration when administrators sign users up.A builder forUserInvitationConfig
An implementation forUserInvitationConfig
Define a Cognito User Pool.A fluent builder forUserPool
.Define a UserPool App Client.A fluent builder forUserPoolClient
.Identity providers supported by the UserPoolClient.Options to create a UserPoolClient.A builder forUserPoolClientOptions
An implementation forUserPoolClientOptions
Properties for the UserPoolClient construct.A builder forUserPoolClientProps
An implementation forUserPoolClientProps
Define a user pool domain.A fluent builder forUserPoolDomain
.Options to create a UserPoolDomain.A builder forUserPoolDomainOptions
An implementation forUserPoolDomainOptions
Props for UserPoolDomain construct.A builder forUserPoolDomainProps
An implementation forUserPoolDomainProps
Configure how Cognito sends emails.Result of binding email settings with a user pool.A builder forUserPoolEmailConfig
An implementation forUserPoolEmailConfig
Define a user pool group.A fluent builder forUserPoolGroup
.Options to create a UserPoolGroup.A builder forUserPoolGroupOptions
An implementation forUserPoolGroupOptions
Props for UserPoolGroup construct.A builder forUserPoolGroupProps
An implementation forUserPoolGroupProps
User pool third-party identity providers.Represents an identity provider that integrates with Login with Amazon.A fluent builder forUserPoolIdentityProviderAmazon
.Properties to initialize UserPoolAmazonIdentityProvider.A builder forUserPoolIdentityProviderAmazonProps
An implementation forUserPoolIdentityProviderAmazonProps
Represents an identity provider that integrates with Apple.A fluent builder forUserPoolIdentityProviderApple
.Properties to initialize UserPoolAppleIdentityProvider.A builder forUserPoolIdentityProviderAppleProps
An implementation forUserPoolIdentityProviderAppleProps
Represents an identity provider that integrates with Facebook Login.A fluent builder forUserPoolIdentityProviderFacebook
.Properties to initialize UserPoolFacebookIdentityProvider.A builder forUserPoolIdentityProviderFacebookProps
An implementation forUserPoolIdentityProviderFacebookProps
Represents an identity provider that integrates with Google.A fluent builder forUserPoolIdentityProviderGoogle
.Properties to initialize UserPoolGoogleIdentityProvider.A builder forUserPoolIdentityProviderGoogleProps
An implementation forUserPoolIdentityProviderGoogleProps
Represents an identity provider that integrates with OpenID Connect.A fluent builder forUserPoolIdentityProviderOidc
.Properties to initialize UserPoolIdentityProviderOidc.A builder forUserPoolIdentityProviderOidcProps
An implementation forUserPoolIdentityProviderOidcProps
Properties to create a new instance of UserPoolIdentityProvider.A builder forUserPoolIdentityProviderProps
An implementation forUserPoolIdentityProviderProps
Represents an identity provider that integrates with SAML.A fluent builder forUserPoolIdentityProviderSaml
.Metadata for a SAML user pool identity provider.Metadata types that can be used for a SAML user pool identity provider.Properties to initialize UserPoolIdentityProviderSaml.A builder forUserPoolIdentityProviderSamlProps
An implementation forUserPoolIdentityProviderSamlProps
User pool operations to which lambda triggers can be attached.Props for the UserPool construct.A builder forUserPoolProps
An implementation forUserPoolProps
Defines a User Pool OAuth2.0 Resource Server.A fluent builder forUserPoolResourceServer
.Options to create a UserPoolResourceServer.A builder forUserPoolResourceServerOptions
An implementation forUserPoolResourceServerOptions
Properties for the UserPoolResourceServer construct.A builder forUserPoolResourceServerProps
An implementation forUserPoolResourceServerProps
Configuration for Cognito sending emails via Amazon SES.A builder forUserPoolSESOptions
An implementation forUserPoolSESOptions
Triggers for a user pool.A builder forUserPoolTriggers
An implementation forUserPoolTriggers
User pool configuration for user self sign up.A builder forUserVerificationConfig
An implementation forUserVerificationConfig
The email verification style.