Authenticating users for a mobile app with Cognito User Pools
When you're building a mobile app, one of the critical features you'll likely need to implement is user authentication. Amazon Cognito provides a way to add user sign-up and sign-in to your mobile app while handling things like user authentication, account recovery, and user synchronization across devices. With Amazon Cognito User Pools, you get a secure user directory that scales to hundreds of millions of users. It also supports sign-in with social identity providers such as Apple, Google, Facebook, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
In the following TypeScript program, we will set up a Cognito User Pool using Pulumi to manage user authentication for a mobile app. We will define the user pool with policies such as password length and the attributes we want to collect from users. Additionally, we will create a User Pool Client (also called an app client): the identity under which the mobile app calls the pool's unauthenticated APIs, that is, the sign-up, sign-in and token endpoints that a user who is not yet signed in must be able to reach.
Here's the code you need to define a User Pool and a User Pool Client:
```typescript
import * as aws from "@pulumi/aws";

// Create an Amazon Cognito User Pool.
const userPool = new aws.cognito.UserPool("myUserPool", {
    // Name of the user pool as it appears in the AWS console.
    name: "myapp-userpool",

    // Password policy enforced at sign-up and on every password change.
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireUppercase: true,
        requireNumbers: true,
        requireSymbols: true,
    },

    // Attributes Cognito verifies with a one-time code before marking them
    // verified. A verified email is what makes email-based account recovery safe.
    // (Which attributes are *required* is set in `schemas` below.)
    autoVerifiedAttributes: ["email"],

    // Customize the invitation sent when an administrator creates a user.
    // {####} is replaced by the generated temporary password.
    adminCreateUserConfig: {
        inviteMessageTemplate: {
            emailSubject: "Your temporary password for MyApp",
            emailMessage: "Please use the following temporary password to login: {####}",
        },
    },

    // Attribute schema. You can include standard attributes (given_name,
    // family_name, email, phone_number, ...) or create custom attributes.
    // `required: true` makes the attribute mandatory at sign-up; required
    // attributes can only be chosen when the pool is created.
    schemas: [
        {
            name: "email",
            required: true,
            attributeDataType: "String",
            developerOnlyAttribute: false,
        },
        // ... other attributes ...
    ],
});

// Create a User Pool Client (app client) that the mobile app uses to interact with the User Pool.
const userPoolClient = new aws.cognito.UserPoolClient("myUserPoolClient", {
    userPoolId: userPool.id,

    // A mobile app is a public client: anything compiled into the binary can be
    // extracted, so do not issue a client secret. The app proves it started the
    // sign-in flow with PKCE instead.
    generateSecret: false,

    // OAuth 2.0 grants the client may use. Only the authorization-code grant is
    // enabled; the legacy implicit grant returns tokens in the redirect URL and
    // is deliberately left out.
    allowedOauthFlows: ["code"],
    allowedOauthFlowsUserPoolClient: true,
    allowedOauthScopes: ["openid", "profile", "email"],

    // Identity providers the hosted sign-in endpoints may use for this client.
    // "COGNITO" is the pool's own directory; add federated providers here once
    // they are configured on the pool.
    supportedIdentityProviders: ["COGNITO"],

    // Custom-scheme redirect URIs handled by the mobile app. Cognito only
    // redirects to URIs registered here, so keep the list exact.
    callbackUrls: ["myapp://callback"],
    logoutUrls: ["myapp://signout"],

    // Return a generic error on sign-in failure so the API does not reveal
    // whether a username exists.
    preventUserExistenceErrors: "ENABLED",
});

// Export the IDs the mobile app needs to configure its SDK.
export const userPoolId = userPool.id;
export const userPoolClientId = userPoolClient.id;
```
In this code snippet, we define a User Pool with various attributes and policies. For example, the `passwordPolicy` ensures that passwords are at least 8 characters long and include uppercase letters, lowercase letters, numbers, and symbols. `autoVerifiedAttributes` is set to `email`, which means that Cognito sends a verification code to the address at sign-up and marks the attribute verified once the user enters it; only a verified email should be trusted for account recovery.
Next, we define a User Pool Client, which the mobile app needs in order to communicate with Cognito. We specify `generateSecret: false`, which is the right choice for a public client such as a mobile app: any secret shipped inside the app binary can be extracted by anyone who installs the app, so the client should rely on the authorization code grant with PKCE instead. `allowedOauthFlows` lists the OAuth 2.0 grants the client may use. `code` is the authorization code grant, in which the browser hands the app a short-lived code that the app exchanges for tokens at the token endpoint. Cognito also offers `implicit`, which returns tokens directly in the redirect URL, where they can leak through logs and browser history; it is a legacy grant and should not be enabled for a new client. `allowedOauthScopes` specify which claims about the user the app may request in the tokens it receives. Finally, `callbackUrls` and `logoutUrls` are the exact redirect URIs Cognito sends the user back to after sign-in and sign-out; Cognito rejects any `redirect_uri` that is not registered here, so they must match the custom URL scheme the app registers with the mobile OS.
Remember that you will need to have the AWS CLI configured with the appropriate credentials, or set your access keys through environment variables or the Pulumi config system, for this program to work.
Implementing the authentication in your mobile app will require additional steps, such as integrating an SDK and handling sign-up, sign-in, and user sessions. Please refer to the AWS Amplify or AWS Cognito SDK documentation to handle the front-end integration.
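Pulumi provisions the pool and the client, but the app still has to run the flow that client allows. The following is an added example, not code from this page or from the AWS SDKs, of the authorization-code-with-PKCE exchange a public (no-secret) mobile client performs against a User Pool's hosted endpoints. The hosted-UI domain, client id and redirect URI are placeholder assumptions; the `/oauth2/authorize` and `/oauth2/token` paths are Cognito's documented endpoints.

```typescript
// Added example (not from the page): authorization-code + PKCE leg of a
// Cognito sign-in from a public mobile client. Domain, client id and
// redirect URI are assumed placeholders.
import { createHash, randomBytes } from "crypto";

export interface OAuthClientConfig {
    domain: string;      // Cognito hosted-UI domain, e.g. "myapp.auth.us-east-1.amazoncognito.com" (assumed)
    clientId: string;    // the exported userPoolClientId
    redirectUri: string; // must exactly match one of the client's callbackUrls
    scopes: string[];
}

// Base64url without padding (RFC 4648 section 5), the encoding RFC 7636 requires.
export function base64url(buf: Buffer): string {
    return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// A fresh high-entropy verifier per sign-in attempt: 32 random bytes -> 43 characters.
export function newCodeVerifier(): string {
    return base64url(randomBytes(32));
}

// S256 transform: BASE64URL(SHA-256(ASCII(code_verifier))).
export function codeChallengeS256(verifier: string): string {
    return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

export interface PkceSession {
    verifier: string; // stays in app memory until the token exchange
    state: string;    // random value bound to this attempt, used to reject injected callbacks
}

export function newPkceSession(): PkceSession {
    return { verifier: newCodeVerifier(), state: base64url(randomBytes(16)) };
}

// Step 1: the URL the app opens in the system browser. Only the challenge leaves the device.
export function buildAuthorizeUrl(cfg: OAuthClientConfig, s: PkceSession): string {
    const u = new URL(`https://${cfg.domain}/oauth2/authorize`);
    u.searchParams.set("response_type", "code");
    u.searchParams.set("client_id", cfg.clientId);
    u.searchParams.set("redirect_uri", cfg.redirectUri);
    u.searchParams.set("scope", cfg.scopes.join(" "));
    u.searchParams.set("state", s.state);
    u.searchParams.set("code_challenge_method", "S256");
    u.searchParams.set("code_challenge", codeChallengeS256(s.verifier));
    return u.toString();
}

// Step 2: the app receives the custom-scheme redirect. Accept the code only if
// the state matches the attempt this app started; anything else is discarded.
export function parseCallback(redirectUrl: string, s: PkceSession): string {
    const u = new URL(redirectUrl);
    const error = u.searchParams.get("error");
    if (error !== null) {
        throw new Error(`authorization failed: ${error}`);
    }
    if (u.searchParams.get("state") !== s.state) {
        throw new Error("state mismatch: callback does not belong to this sign-in attempt");
    }
    const code = u.searchParams.get("code");
    if (code === null) {
        throw new Error("callback carries no authorization code");
    }
    return code;
}

// Step 3: the form body the app POSTs to /oauth2/token. There is no client_secret;
// the verifier is what proves the caller is the one that started this flow.
export function buildTokenRequest(cfg: OAuthClientConfig, code: string, s: PkceSession): { url: string; body: string } {
    const body = new URLSearchParams({
        grant_type: "authorization_code",
        client_id: cfg.clientId,
        redirect_uri: cfg.redirectUri,
        code,
        code_verifier: s.verifier,
    });
    return { url: `https://${cfg.domain}/oauth2/token`, body: body.toString() };
}
```

The verifier never leaves the device until step 3, so a code intercepted from the redirect is useless without it, which is what lets the client be issued no secret. The `state` check protects against an attacker opening the app with a callback URL carrying a code from their own session.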
For detailed information about AWS Cognito User Pool and its properties, you can visit AWS Cognito User Pool documentation.