feat(cognito): choice-based authentication (passwordless sign-in / passkey sign-in) #32369
Conversation
// TODO: validate whether the feature plan is not Lite | ||
|
||
const allowedFirstAuthFactors = ['PASSWORD']; |
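Review bot: the `// TODO: validate whether the feature plan is not Lite` comment leaves a deploy-time failure in place, since a template that enables passwordless factors under the Lite plan is only rejected by the service at deployment. Resolve the TODO before merge by validating `props.featurePlan` at synth time whenever any factor beyond `'PASSWORD'` is added to `allowedFirstAuthFactors`, or, if that check is deliberately out of scope, replace the TODO with a doc comment on the property stating that Essentials or a higher plan is required.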
When 'PASSWORD' is missing, CloudFormation fails with the following error:
Resource handler returned message: "Invalid request provided: PASSWORD should be configured as one of the allowed first auth factors."
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage diff (main vs. #32369, no change):

| | main | #32369 |
|---|---|---|
| Coverage | 80.79% | 80.79% |
| Files | 232 | 232 |
| Lines | 14106 | 14106 |
| Branches | 2452 | 2452 |
| Hits | 11397 | 11397 |
| Misses | 2429 | 2429 |
| Partials | 280 | 280 |
Branch updated from 0d5449e to 53ffbfb.
### Issue # (if applicable)
N/A

### Reason for this change
Amazon Cognito introduces the feature plans which replace the Advanced Security Mode. See: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html

Related to #32369 - passwordless sign-in requires Essentials or higher feature plan.

### Description of changes
- Add new `featurePlan` property and `FeaturePlan` enum to specify user pool feature plan.
- Deprecate `advancedSecurityMode` property and `AdvancedSecurityMode` enum.

Note that the previous AWS document about Advanced Security Mode is now redirected to [Advanced security with threat protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html).

### Description of how you validated changes
Added new unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
👍 Sorry for the super-late review
@@ -5,7 +5,7 @@ import { Role, ServicePrincipal } from '../../aws-iam'; | |||
import * as kms from '../../aws-kms'; | |||
import * as lambda from '../../aws-lambda'; | |||
import { CfnParameter, Duration, Stack, Tags } from '../../core'; | |||
import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion, FeaturePlan } from '../lib'; | |||
import { AccountRecovery, Mfa, NumberAttribute, StringAttribute, UserPool, UserPoolIdentityProvider, UserPoolOperation, VerificationEmailStyle, UserPoolEmail, AdvancedSecurityMode, LambdaVersion, FeaturePlan, PasskeyUserVerification } from '../lib'; |
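Review bot: the single-line import from `'../lib'` has grown past any readable width with the addition of `PasskeyUserVerification`; split the named imports across lines (one per line, or wrapped) so that future additions show up as a one-line diff instead of a rewrite of the whole import statement.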
Is this line correctly formatted? 🤔
I think it's ok because eslint passes.
@@ -1322,6 +1388,28 @@ export class UserPool extends UserPoolBase { | |||
}); | |||
} | |||
|
|||
private configureSignInPolicy(props: UserPoolProps): CfnUserPool.SignInPolicyProperty | undefined { | |||
if (!props.allowedFirstAuthFactors) { |
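Review bot: `!props.allowedFirstAuthFactors` only short-circuits when the property is absent; an empty object `{}` is truthy and falls through into policy construction. Decide explicitly what `{}` should mean, either "disable choice-based sign-in" (synthesize `['PASSWORD']`) or "use the CloudFormation default" (return `undefined`), make the early-return condition express that choice rather than rely on truthiness, and state the behaviour in the property's doc comment so users know which form they need.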
How should we handle `allowedFirstAuthFactors: {}`?
With the current implementation `AllowedFirstAuthFactors: ['PASSWORD']` will be set explicitly by the CDK.
Maybe it's better to return `undefined` and let CFN handle the default?
I've updated to return `undefined` explicitly.
@lpizzinidev Thank you for your comments! I've pushed some modifications.
if (allowedFirstAuthFactors.length === 1) { | ||
return undefined; | ||
} |
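Review bot: `allowedFirstAuthFactors.length === 1` encodes the assumption that the array holds exactly the always-present `'PASSWORD'` entry and nothing else when the user enabled no extra factor; if another default entry is ever added, or the construction order changes, this early return silently stops emitting the policy. Test the user-supplied props for emptiness directly (for example `Object.keys(props.allowedFirstAuthFactors).length === 0`) rather than inferring it from the length of the derived array.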
This could introduce subtle bugs in case the number of required auth methods changes for some reason.
Let's check `!Object.keys(allowedFirstAuthFactors).length` at L1417 instead.
Thank you for your suggestion.
But I'll revert this because:
- Create a stack with a user pool including `SignInPolicy: { AllowedFirstAuthFactors: ['PASSWORD','WEB_AUTHN'] }`
- Remove the `SignInPolicy`, then update the stack - the Management console shows the user pool still enables choice-based sign-in with Password and Passkey
- Set `SignInPolicy: { AllowedFirstAuthFactors: ['PASSWORD'] }`, then update the stack again - the Management console shows the user pool disables choice-based sign-in.

Therefore, we should provide the way to disable choice-based sign-in explicitly by specifying `allowedFirstAuthFactors: {}`.
Similar issue: #30796
### Issue # (if applicable)
Closes #32265.

### Reason for this change
User Pool has introduced choice-based authentication, including passwordless sign-in and passkey (WebAuthn) sign-in.
For details, see Manage authentication methods in AWS SDKs.

Related PRs:

### Description of changes
Added the following properties:
- `allowedFirstAuthFactors` - allowed first authentication factors
- `passkeyRelyingPartyId` - the authentication domain used as passkey relying party ID
- `passkeyUserVerification` - configure user verification to be preferred or required

### Description of how you validated changes
Added unit test and an integ test.

### Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
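As an added example (not code from this PR or from aws-cdk), the function below models how a CDK-level `allowedFirstAuthFactors` property could synthesize to the CloudFormation `SignInPolicy`, covering the three cases debated in the review thread: property omitted, empty object `{}`, and explicit factors. The boolean-per-factor props shape, the `FeaturePlan` union, the synth-time rejection of `password: false` and the Lite-plan check are assumptions.

```typescript
// Added example, not the aws-cdk implementation. Models the mapping from a
// CDK-level `allowedFirstAuthFactors` property to the CloudFormation
// SignInPolicy, including the edge cases discussed in the review thread.

// Assumed CDK-side shape: one boolean per first authentication factor.
interface AllowedFirstAuthFactors {
  readonly password?: boolean;
  readonly emailOtp?: boolean;
  readonly smsOtp?: boolean;
  readonly passkey?: boolean;
}

// Assumed enum of Cognito feature plans.
type FeaturePlan = 'LITE' | 'ESSENTIALS' | 'PLUS';

interface SignInProps {
  readonly featurePlan?: FeaturePlan;
  readonly allowedFirstAuthFactors?: AllowedFirstAuthFactors;
}

// CloudFormation representation: a list of factor names; the service
// requires PASSWORD to be one of them.
interface SignInPolicyProperty {
  readonly allowedFirstAuthFactors: string[];
}

function buildSignInPolicy(props: SignInProps): SignInPolicyProperty | undefined {
  // Property omitted: emit nothing so CloudFormation applies its default,
  // which also leaves an existing choice-based configuration untouched.
  if (props.allowedFirstAuthFactors === undefined) {
    return undefined;
  }
  const f = props.allowedFirstAuthFactors;
  // Assumed synth-time check: `password: false` would otherwise fail only at
  // deploy time with "PASSWORD should be configured as one of the allowed
  // first auth factors".
  if (f.password === false) {
    throw new Error('password must remain an allowed first auth factor');
  }
  // PASSWORD is always first, so `{}` synthesizes to ['PASSWORD'], which
  // explicitly disables choice-based sign-in on an existing user pool.
  const factors = ['PASSWORD'];
  if (f.emailOtp) factors.push('EMAIL_OTP');
  if (f.smsOtp) factors.push('SMS_OTP');
  if (f.passkey) factors.push('WEB_AUTHN');
  // Assumed resolution of the TODO in the diff: passwordless factors need a
  // feature plan above LITE.
  if (factors.length > 1 && props.featurePlan === 'LITE') {
    throw new Error('choice-based sign-in requires the ESSENTIALS or PLUS feature plan');
  }
  return { allowedFirstAuthFactors: factors };
}
```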