DISCLAIMER: This project is a code sample provided as an illustration of how to build an identity broker and SSO on top of Amazon Cognito. Doing this gives extra flexibility at the price of more responsibility on the customer's side (see the section "Comparison with the Amazon Cognito Hosted UI" for a visual comparison of the responsibility shift). Most customers should use the Amazon Cognito Hosted UI, which is a production-ready solution. If you decide to use this project in production, make sure you have the engineering resources to maintain it and the expertise to keep it secure.
This project demonstrates how to build a central login application that authenticates users for several websites and mobile apps. It is based on AWS Amplify and Amazon Cognito. Authentication is based on standard JWT tokens and can be integrated with any application that supports OAuth 2.0/OIDC.
Current features are:
- Login flows: sign-in, sign-up, forgot password, reset password, ...
- Central SSO
- Acts as a standard OIDC identity provider
- 100% customizable UI (fork the project)
- i18n: the languages in this demo are English and French
- Social login federation: Facebook, Twitter, Amazon and Google logins
- Corporate federation: SAML and OIDC (JWT tokens)
- MFA: SMS and OTP
- OAuth 2.0 authorization code flow with PKCE, and the implicit flow, for secure web and mobile application login (prefer the PKCE flow for browser and mobile clients; the implicit flow leaves tokens in the redirect URL and is kept for legacy compatibility)
- Deep customization of flows
- Migration helper (transparent migration from an existing user base to this project)
- Account settings page with various customer attributes
- SSO dashboard (listing apps)
- Consent approval
This is a simplified view of the scope of the project (what this repository is about):
You can sign up, sign in and try SSO from either of these two client application demos:
- Website 1: https://master.dv7odw7xb73ou.amplifyapp.com (this could be myapp1.yourcompany.com)
- Website 2: https://master.dgt79y8acfq6b.amplifyapp.com (this could be www.yoursubsidiary.com or myapp2.yourcompany.com)
In a real use case your users will only reach the broker from a client website or app, but for reference the broker demo URL itself is:
- https://master.dw8p5s05jola3.amplifyapp.com (this could be login.yourcompany.com)
Demo Credentials
For the main app you can sign up to create your own account (we don't use the emails and phone numbers for anything other than the demo).
- AWS SSO SAML demo user credentials: username demouser, password &7P4X^rd5fJVfd&h5h
- OIDC demo user credentials: username demo, password P@ssw0rd
- Social login: use an account of your own
See client demo code repository
- Explains how to deploy, how to customize the broker, and how to migrate from your existing user pool system. Click here for details.
- Explains how to integrate the broker into your website or mobile application. Click here for details.
- Documentation for contributors to this project can be found here. PRs are welcome!
This project is similar to the Amazon Cognito Hosted UI in many respects. Here is the list of similarities and differences.
Similarities
- Both expose similar APIs: they are standard OIDC identity providers (with a few exceptions for the current project)
- The feature scope is similar (but this project has more features)
- Both require very low effort to deploy
- Both are managed within the customer's AWS account
Differences
- The Hosted UI is managed: you don't have access to the code or the deployment infrastructure. This project is a code project with a simplified deployment system onto a serverless infrastructure you control.
- This project can be customized deeply: UI, languages, specific behaviors (depending on IP address, link, ...). Again, since you have access to the code you can do whatever you want with it.
- This project provides some features the Hosted UI lacks: i18n, full CSS and JS customization, consent approval.
- This project diverges slightly from the standard OAuth flows in places (because of some current restrictions). The limitation is in the way OAuth scopes are injected into tokens and in how some OAuth 2.0 endpoints are handled (see the User Documentation). We are working on closing the gap.
VISUAL COMPARISON
Two diagrams follow in the original: the responsibility split with the Amplify Identity Broker, and the split with the Hosted UI only.
The project architecture is the following:
See the Developer Documentation for more detailed information on every component.
Your contribution is welcome, see CONTRIBUTING for ideas of PR and for contribution guidelines.
See Security Issue Notifications for more information.
This project is licensed under the MIT License. See the LICENSE file.