User Pools
User pools securely store your users and provide sign-up, sign-in, and access control for your applications.
User pools support the OAuth 2.0, SAML 2.0, and OpenID Connect standards.
User pools can be integrated with HTTP API Gateways using authorizers, so that a configured path is reachable only by authenticated users.
When to use
User pools can be used almost any time your application needs to authenticate and authorize users.
Advantages
- Pay-per-MAU - You pay for Monthly Active Users.
- Free tier - There's a free tier of 50,000 MAUs for users who sign in directly to Cognito User Pools (not using SAML or OIDC federation).
- Serverless - You can seamlessly scale your user base almost indefinitely.
- Secure by default - Your users are securely stored by AWS.
- Compliant - With user pools, you are HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant by default.
Disadvantages
- Not cheap for large user bases - When you have more than 50,000 MAUs, or many users signing in through SAML or OIDC federation, it can get expensive.
- Not easy to understand - As with almost everything related to authentication or OAuth, understanding user pool authentication flows can be complicated.
Basic usage
- Example: Lambda function connected to an HTTP API Gateway with an authorizer that allows only users authenticated using myUserPool to access the configured path.

resources:
  createPost:
    type: function
    properties:
      packageConfig:
        filePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
API reference
No description
Type: string "user-auth-pool"
Ensures that new accounts can only be created using admin create flows
Type: boolean
- If this is disabled, users can sign themselves up.
Maximum number of days that unused accounts will be preserved
Type: number
Enforces email verification for new accounts
Type: boolean
Enforces phone number verification for new accounts
Type: boolean
Domain prefix for the hosted UI
Type: string
CSS applied to your hosted UI
Type: string
Function hooks that will be triggered on certain events that happen inside the userpool
Type: UserPoolHooks
- To better understand user pool hooks, refer to AWS Docs
Configuration for emails sent by Cognito User Pool
Type: EmailConfiguration
Configuration of invite message for new users
Type: InviteMessageConfig
Configuration of user verification type
Type: string ENUM
Possible values: email-code, email-link, none, sms
- none - no verification is required
- email-link - the user receives a link via email that they need to click
- email-code - the user receives a code via email that they need to enter
- sms - the user receives a code via SMS that they need to enter
Configures the user verification message
Configures Multi-factor Authentication for this userpool
Type: MfaConfiguration
Requirements for the password
Type: PasswordPolicy
- Applies to users created directly in Cognito
No description
Type: Array of AttributeSchema
Allows phone number to be used as a username
Type: boolean
Allows email to be used as a username
Type: boolean
Duration (in seconds) until the access token expires
Type: number
- To better understand the tokens used in Cognito user pools, refer to the AWS docs
Duration (in seconds) until the identity token expires
Type: number
- To better understand the tokens used in Cognito user pools, refer to the AWS docs
Duration (in seconds) until the refresh token expires
Type: number
- To better understand the tokens used in Cognito user pools, refer to the AWS docs
OAuth flows allowed for this user pool
Type: Array of string ENUM
Possible values: client_credentials, code, implicit
- To better understand OAuth flows, refer to the AWS blog post
OAuth scopes allowed for this user pool
Type: Array of string
User will be redirected to this URL after a successful authentication
Type: Array of string
User will be redirected to this URL after a logout
Type: Array of string
Configuration for external identity providers
Type: Array of IdentityProvider
Overrides one or more properties of the specified child resource.
Type: Object
- Child resources are specified using their descriptive name (e.g. DbInstance or Events.0.HttpApiRoute).
- To see all configurable child resources for a given Stacktape resource, use the stacktape stack-info --detailed command.
- To see the list of properties that can be overridden, refer to the AWS CloudFormation docs.
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string
No description
Type: string ENUM
Possible values: OFF, ON, OPTIONAL
No description
Type: Array of string ENUM
Possible values: SMS, SOFTWARE_TOKEN
No description
Type: number
No description
Type: boolean
No description
Type: boolean
No description
Type: boolean
No description
Type: boolean
No description
Type: number
No description
Type: string
No description
Type: string
No description
Type: boolean
No description
Type: boolean
No description
Type: boolean
No description
Type: number
No description
Type: number
No description
Type: number
No description
Type: number
No description
Type: string ENUM
Possible values: Facebook, Google, LoginWithAmazon, OIDC, SAML, SignInWithApple
No description
Type: string
No description
Type: string
No description
Type: Object - { string : string }
No description
Type: Array of string
No description
Type: Object - { string : any }