Cognito: Passwordless authentication support #32265

Open
ataylorme opened this issue Nov 24, 2024 · 11 comments · May be fixed by #32369
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p3

Comments

@ataylorme

Describe the feature

Support Cognito managed passwordless login as described in this doc

Use Case

I would like to configure Cognito to manage passwordless authentication in my AWS CDK project.

I am stuck on the PoliciesProperty not supporting SignInPolicy

This type is generated from the CloudFormation user pools policy type which is in turn generated from the create user pool request

The create user pool request type is updated but the generated CloudFormation and CDK types stemming from it are not updated.

This seems to be a new feature released on November 22nd, 2024.

I expect auto generated types to be updated 24 hours later.

Proposed Solution

Update Cognito CDK to support the new Cognito passwordless authentication features.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

NodeJS aws-cdk-lib 2.170.0

Environment details (OS name and version, etc.)

Node 22

@ataylorme ataylorme added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Nov 24, 2024
@ataylorme
Author

I might be missing something in the chain that goes from Cognito API requests to CDK. It looks like the AWS JavaScript SDK method for createUserPool doesn't have the passwordless fields either

I can create things in the console but this negates the benefits of Infrastructure as Code

@pahud
Contributor

pahud commented Nov 25, 2024

Thank you for your feature request. To support that, we'll first need CloudFormation support.

Just checked https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html but unfortunately I can't find relevant support.

Please help the CFN team prioritize by creating a feature request at cloudformation-coverage-roadmap. As soon as CFN rolls out the support, CDK should be ready to get it supported as well.

@pahud pahud added needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p3 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2024
@ataylorme
Author

I opened #2200 there but I would request that AWS collaborate on support across teams internally.

The burden for starting the process of updating CloudFormation and CDK after Cognito API changes shouldn't fall to users. If anything, AWS can improve internal collaboration so support is launched alongside new features, not lagging behind.

@BwL1289

BwL1289 commented Nov 27, 2024

@Tietew
Contributor

Tietew commented Nov 28, 2024

CloudFormation support seems to be shipped.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html

L1 construct will be updated in a few days.

@BwL1289

BwL1289 commented Dec 8, 2024

Once L1 is merged, any ETA on L2 release?

@alexbaileyuk

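Here is an escape hatch, written for TS, until the PR for the L2 construct is merged:

import { CfnUserPool } from 'aws-cdk-lib/aws-cognito';

// Escape hatch for https://github.com/aws/aws-cdk/issues/32265
// `userPool` is an existing L2 UserPool construct defined elsewhere in the stack.
const cfnPool = userPool.node.defaultChild as CfnUserPool;
cfnPool.policies = {
  // Keep whatever policies the L2 construct already rendered (e.g. the password policy).
  ...cfnPool.policies,
  signInPolicy: {
    allowedFirstAuthFactors: ['PASSWORD', 'EMAIL_OTP'],
  },
};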

@BwL1289

BwL1289 commented Jan 13, 2025

FWIW, in implementing the above I'm seeing: E3002 Additional properties are not allowed ('SignInPolicy' was unexpected) in CfnLint, which is strange because it's clear that's a property that Cfn expects: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolPolicyType.html#CognitoUserPools-Type-UserPoolPolicyType-SignInPolicy.

...
Policies:
  PasswordPolicy:
    ...
  SignInPolicy:
    AllowedFirstAuthFactors:
     ...

LMK if anyone has any ideas

@alexbaileyuk

alexbaileyuk commented Jan 14, 2025

@alexbaileyuk don't we need WEB_AUTHN as well?: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-signinpolicy.html#cfn-cognito-userpool-signinpolicy-allowedfirstauthfactors

@BwL1289 As far as I'm aware, webauthn is for pass key authentication so if you need that feature, then you should enable it. I'm not seeing that error on the CDK version I am using. Have you tried updating to the latest version?

@BwL1289

BwL1289 commented Jan 14, 2025

@alexbaileyuk thanks - you're correct. Re E3002 Additional properties are not allowed ('SignInPolicy' was unexpected), this was resolved with an upgrade in cfnlint to latest. Cheers!
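
A deploy-time check for the escape hatch discussed in this thread, as an added example that is not part of the original issue or the CDK project's code: the override is written directly onto the L1 resource, so this reads a synthesized template (plain JSON, as found in `cdk.out`) and reports any user pool whose `SignInPolicy.AllowedFirstAuthFactors` is missing or differs from the intended set. The function name, the sample template and its logical IDs are constructed for illustration; `SMS_OTP` is taken from the CloudFormation documentation for this property, not from the thread.

```typescript
// Added example: audit a synthesized CloudFormation template for the
// SignInPolicy written by the escape hatch. Dependency-free; names are illustrative.
type Resource = { Type: string; Properties?: any };
type Template = { Resources?: Record<string, Resource> };
interface Finding { logicalId: string; factors: string[]; issues: string[] }

// First-factor values documented for AllowedFirstAuthFactors.
const KNOWN_FACTORS = ['PASSWORD', 'EMAIL_OTP', 'SMS_OTP', 'WEB_AUTHN'];

function auditSignInPolicy(template: Template, expected: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::Cognito::UserPool') continue;
    const raw = res.Properties?.Policies?.SignInPolicy?.AllowedFirstAuthFactors;
    if (!Array.isArray(raw)) {
      // The override never reached the template, so the pool keeps its default sign-in policy.
      findings.push({ logicalId, factors: [], issues: ['SignInPolicy missing'] });
      continue;
    }
    const factors: string[] = raw.map(String);
    const issues: string[] = [];
    for (const f of factors) {
      if (!KNOWN_FACTORS.includes(f)) issues.push(`unknown factor: ${f}`);
      else if (!expected.includes(f)) issues.push(`unexpected factor enabled: ${f}`);
    }
    for (const f of expected) {
      if (!factors.includes(f)) issues.push(`expected factor not enabled: ${f}`);
    }
    findings.push({ logicalId, factors, issues });
  }
  return findings;
}

// Constructed sample template (not from the thread).
const sampleTemplate: Template = {
  Resources: {
    PoolA: { Type: 'AWS::Cognito::UserPool', Properties: { Policies: {
      SignInPolicy: { AllowedFirstAuthFactors: ['PASSWORD', 'EMAIL_OTP'] } } } },
    PoolB: { Type: 'AWS::Cognito::UserPool', Properties: { Policies: {
      PasswordPolicy: { MinimumLength: 12 } } } },
    PoolC: { Type: 'AWS::Cognito::UserPool', Properties: { Policies: {
      SignInPolicy: { AllowedFirstAuthFactors: ['PASSWORD', 'EMAIL_OTP', 'SMS_OTP'] } } } },
    Assets: { Type: 'AWS::S3::Bucket' },
  },
};

for (const f of auditSignInPolicy(sampleTemplate, ['PASSWORD', 'EMAIL_OTP'])) {
  console.log(f.logicalId, f.factors.join(',') || '(none)', f.issues);
}
```

Run against the real template in CI, a non-empty `issues` array for any pool is a reason to fail the build before deployment.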
