Cognito: Passwordless authentication support #32265

Closed
ataylorme opened this issue Nov 24, 2024 · 14 comments · Fixed by #32369
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p3

Comments

@ataylorme

Describe the feature

Support Cognito managed passwordless login as described in this doc

Use Case

I would like to configure Cognito to manage passwordless authentication in my AWS CDK project.

I am stuck on the PoliciesProperty not supporting SignInPolicy

This type is generated from the CloudFormation user pools policy type which is in turn generated from the create user pool request

The create user pool request type is updated but the generated CloudFormation and CDK types stemming from it are not updated.

This seems to be a new feature released on November 22nd, 2024.

I expect auto generated types to be updated 24 hours later.

Proposed Solution

Update Cognito CDK to support the new Cognito passwordless authentication features.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

NodeJS aws-cdk-lib 2.170.0

Environment details (OS name and version, etc.)

Node 22

@ataylorme ataylorme added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Nov 24, 2024
@ataylorme
Author

I might be missing something in the chain that goes from Cognito API requests to CDK. It looks like the AWS JavaScript SDK method for createUserPool doesn't have the passwordless fields either

I can create things in the console but this negates the benefits of Infrastructure as Code

@pahud
Contributor

pahud commented Nov 25, 2024

Thank you for your feature request. To support that, we'll first need CloudFormation support.

Just checked https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html but unfortunately I can't find relevant support.

Please help the CFN team prioritize by creating a feature request at cloudformation-coverage-roadmap. As soon as CFN rolls out the support, CDK should be ready to support it as well.

@pahud pahud added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p3 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2024
@ataylorme
Author

I opened #2200 there but I would request that AWS collaborate on support across teams internally.

The burden for starting the process of updating CloudFormation and CDK after Cognito API changes shouldn't fall to users. If anything, AWS can improve internal collaboration so support is launched alongside new features, not lagging behind.

@BwL1289

BwL1289 commented Nov 27, 2024

@Tietew
Contributor

Tietew commented Nov 28, 2024

CloudFormation support seems to be shipped.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html

L1 construct will be updated in a few days.

@BwL1289

BwL1289 commented Dec 8, 2024

Once L1 is merged, any ETA on L2 release?

@alexbaileyuk

Here is an escape hatch until the PR for the L2 construct is merged written for TS:

```ts
// Escape hatch for https://github.com/aws/aws-cdk/issues/32265
import { CfnUserPool } from 'aws-cdk-lib/aws-cognito';

// `userPool` is the L2 UserPool construct already defined in the stack
const cfnPool = userPool.node.defaultChild as CfnUserPool;
cfnPool.policies = {
  // spread keeps the existing passwordPolicy instead of replacing it
  ...cfnPool.policies,
  signInPolicy: {
    allowedFirstAuthFactors: ['PASSWORD', 'EMAIL_OTP'],
  },
};
```

@BwL1289

BwL1289 commented Jan 13, 2025

FWIW, in implementing the above I'm seeing `E3002 Additional properties are not allowed ('SignInPolicy' was unexpected)` in CfnLint, which is strange because it's clear that's a property that Cfn expects: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolPolicyType.html#CognitoUserPools-Type-UserPoolPolicyType-SignInPolicy.

```yaml
...
Policies:
  PasswordPolicy:
    ...
  SignInPolicy:
    AllowedFirstAuthFactors:
      ...
```

LMK if anyone has any ideas
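An added TypeScript example, not code from this thread or from aws-cdk, covering two points raised above: the spread-merge in the escape hatch (which keeps the existing PasswordPolicy instead of resetting it) and the cfn-lint E3002 error that an outdated resource schema produces. The `Policies` type is a local stand-in for `CfnUserPool.PoliciesProperty`, and both schemas are constructed here (assumptions, not the linter's real schema files).

```typescript
// Local stand-in types mirroring the CloudFormation Policies shape (assumption: not aws-cdk-lib's own).
// Factor names are the CloudFormation enum values mentioned in the thread.
type FirstAuthFactor = 'PASSWORD' | 'EMAIL_OTP' | 'WEB_AUTHN';

interface PasswordPolicy { minimumLength?: number; requireSymbols?: boolean; }
interface SignInPolicy { allowedFirstAuthFactors: FirstAuthFactor[]; }
// camelCase keys, as the L1 construct exposes them
interface Policies { passwordPolicy?: PasswordPolicy; signInPolicy?: SignInPolicy; }

const KNOWN_FACTORS = ['PASSWORD', 'EMAIL_OTP', 'WEB_AUTHN'];

/** Escape-hatch merge: keeps whatever policies exist (notably passwordPolicy) and sets signInPolicy. */
function withSignInPolicy(existing: Policies | undefined, factors: FirstAuthFactor[]): Policies {
  if (factors.length === 0) throw new Error('at least one first auth factor is required');
  const unique: FirstAuthFactor[] = [];
  for (const f of factors) {
    if (KNOWN_FACTORS.indexOf(f) < 0) throw new Error(`unknown first auth factor: ${f}`);
    if (unique.indexOf(f) < 0) unique.push(f);
  }
  // The spread is what preserves the password policy; assigning `{ signInPolicy }` alone
  // would silently reset minimum length / complexity requirements to Cognito's defaults.
  return { ...(existing ?? {}), signInPolicy: { allowedFirstAuthFactors: unique } };
}

/** Maps the L1 property names to the PascalCase template names the linter sees. */
function toCfnKeys(policies: Policies): string[] {
  return Object.keys(policies).map((k) => k.charAt(0).toUpperCase() + k.slice(1));
}

/** Emulates cfn-lint rule E3002: every key must exist in the resource schema. */
function lintPolicies(policies: Policies, schemaKeys: string[]): string[] {
  return toCfnKeys(policies)
    .filter((k) => schemaKeys.indexOf(k) < 0)
    .map((k) => `E3002 Additional properties are not allowed ('${k}' was unexpected)`);
}

// Constructed schemas: the pre-SignInPolicy one that produced the error in the thread,
// and the current one that includes it.
const OLD_SCHEMA = ['PasswordPolicy'];
const NEW_SCHEMA = ['PasswordPolicy', 'SignInPolicy'];

function demo() {
  const before: Policies = { passwordPolicy: { minimumLength: 12, requireSymbols: true } };
  const after = withSignInPolicy(before, ['PASSWORD', 'EMAIL_OTP']);
  return { after, oldLint: lintPolicies(after, OLD_SCHEMA), newLint: lintPolicies(after, NEW_SCHEMA) };
}
```

Running `demo()` shows the password policy surviving the merge, one E3002 finding against the old schema and none against the current one, which is the same fix-by-upgrading-cfn-lint outcome reported later in the thread.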

@alexbaileyuk

alexbaileyuk commented Jan 14, 2025

> @alexbaileyuk don't we need WEB_AUTHN as well?: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html#cfn-cognito-userpool-signinpolicy-allowedfirstauthfactors

@BwL1289 As far as I'm aware, webauthn is for pass key authentication so if you need that feature, then you should enable it. I'm not seeing that error on the CDK version I am using. Have you tried updating to the latest version?

@BwL1289

BwL1289 commented Jan 14, 2025

@alexbaileyuk thanks - you're correct. Re `E3002 Additional properties are not allowed ('SignInPolicy' was unexpected)`, this was resolved with an upgrade in cfnlint to latest. Cheers!

@mcetat

mcetat commented Feb 1, 2025

Have the aws cdk samples been updated with an example of that? I can't seem to locate it.
Does anyone have a basic example I could use as a starting point?

@mergify mergify bot closed this as completed in #32369 Feb 13, 2025
@mergify mergify bot closed this as completed in 9a6e5cc Feb 13, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 13, 2025
yashkh-amzn pushed a commit to yashkh-amzn/aws-cdk that referenced this issue Feb 21, 2025
…sskey sign-in) (aws#32369)

### Issue # (if applicable)

Closes aws#32265.

### Reason for this change

User Pool has introduced choice-based authentication, including passwordless sign-in and passkey (WebAuthn) sign-in.
For details, see [Manage authentication methods in AWS SDKs](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html).

Related PRs:
- aws#32367 - requires Essentials or higher feature plan
- aws#32273 - requires User pool client to allow USER_AUTH auth flow

### Description of changes

Added the following properties:
- `allowedFirstAuthFactors` - allowed first authentication factors
- `passkeyRelyingPartyId` - the authentication domain used as passkey relying party ID
- `passkeyUserVerification` - configure user verification to be preferred or required

### Description of how you validated changes

Added unit test and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*