Set up Amplify Auth
This guide provides essential information to help you select and complete the activities you need for your Amplify project. We organized each section around a distinct job or decision point to help you understand your available options, steps to complete, and recommended best practices.
In this guide, you will learn how to set up Amplify Auth. This includes setting up and connecting your backend resources, determining your integration path, and enabling sign-up, sign-in, and sign-out with the Authenticator UI component. We will also provide more context on how resources are managed and created with Amplify to help you make decisions and understand any long-term impact of those decisions.
Before you begin, you will need:
- Node.js v14.x or later
- npm v6.14.4 or later
- git v2.14.1 or later
- A frontend app
- If you want Amplify to set up and manage your backend resources, you need to install and configure the Amplify CLI. Make sure to also create a new Amplify project using
amplify init
in your terminal, or pull in an existing Amplify project to your frontend app by usingamplify pull
.
Set up and connect backend resources
We will review the paths to integrate Amplify Auth before you set up and integrate your backend resources and connect these resources in your frontend app to build authentication features.
Decide how to create and manage your backend resources
You can create and manage your Authentication resources with Amplify by using the Amplify CLI, Amplify Studio, or manage them yourself with tools such as CDK and CloudFormation. The path we recommend is through the Amplify CLI, which allows you to create new authentication resources or import existing ones. However, you can also use the Amplify Studio console to configure or use existing resources and directly connect them to your application using the Amplify Libraries. These tools will help you with creating and managing your resources.
With Amplify Auth, you can use a username and password as an authentication method, use a social provider such as "Sign in with Google" or "Sign in with Apple," or create a fully custom authentication flow.
Learn moreUnderstanding Auth high-level concepts
Amplify helps you secure your application while providing an easy sign-in experience for your users. This experience is influenced by your security strategy. This security strategy includes the authentication method, security credentials, and enabling additional verification when needed.
- Authentication is a process to validate who you are (abbreviated as AuthN). The system that does this validation is referred to as an Identity Provider or IdP. This can be your own self-hosted IdP or a cloud service. Oftentimes, this IdP is a social provider such as Facebook, Google, or Amazon.
- Authorization is the process of validating what you can access (abbreviated as AuthZ). This is sometimes done by looking at tokens with custom logic, predefined rules, or signed requests with policies.
Common authentication methods and associated risks include:
- Username/password which is simple to set up but prone to compromise.
- Social provider federation which enables easier access for your users but shares data with third parties.
You can improve security credentials and verification for these authentication methods by:
- Adding password policies that ensure stronger passwords are created by your users.
- Requiring additional contact information from users before they can reset passwords.
- Adding multi-factor authentication (MFA) which adds a layer of security at sign-in but may also add friction for your users.
Amplify uses Amazon Cognito as the main authentication provider. Amazon Cognito is a robust user directory service that handles user registration, authentication, account recovery, and other operations. If you have not worked with Amazon Cognito before, we recommend taking a closer look at Amazon Cognito configuration options before you continue, since some of them are irreversible after your resources are created.
Learn moreReview Amazon Cognito configuration options
Amazon Cognito can be customized based on your security strategy for authentication. However, some initial configuration options cannot be changed after the backend resources are configured:
- User attributes that are used to identify your individual users (such as username and email) cannot be renamed or deleted.
- Sign-in methods (including username, email, and phone) cannot be added or changed after the initial configuration. This includes both defining which attributes are used to sign in and which attributes are required. Required attributes must have a value for all users once set.
- Verification methods (including username and email) are the same as required attributes and cannot be removed once configured.
- The
sub
attribute is a unique identifier within each user pool that cannot be modified and can be used to index and search users. - If MFA is set to required for all users, you will need to include MFA setup when users sign up.
See the Amazon Cognito documentation for more details on these settings, including User pool attributes and Adding MFA to a user pool.
Set up and configure Amplify Auth
In this section, you will learn how to set up your backend resources and install the Amplify Libraries to use with your application.
Set up your Auth backend resources
You can set up your backend resources with the Amplify CLI, Amplify Studio, or use existing resources.
Prerequisites: Install and configure the Amplify CLI in addition to the Amplify Libraries.
To start provisioning auth resources in the backend, go to your project directory and run the command:
1amplify add auth
1? Do you want to use the default authentication and security configuration? Default configuration2? How do you want users to be able to sign in? Username3? Do you want to configure advanced settings? No, I am done.
If you have previously enabled an Amplify category that uses Auth behind the scenes (such as API category), you can run the
amplify update auth
command to edit your configuration if needed.
The CLI prompts will help you to customize your auth flow for your app. With the provided options, you can:
- Customize sign-in/registration flow
- Customize email and SMS messages for multi-factor authentication
- Customize attributes for your users, such as name and email
- Enable third-party social providers, such as Facebook, Twitter, Google, and Amazon
If you wish to federate with social providers, you will need to configure them first.
After configuring your Authentication options, update your backend and deploy the service by running the push
command:
1amplify push
Now, the authentication service has been deployed and you can start using it. To view the deployed services in your project at any time, go to the Amplify console by running the following command:
1amplify console
In your app's entry point (specifically, App.js, index.js, _app.js, or main.js), import and load the configuration file:
1import { Amplify } from 'aws-amplify';2import config from './amplifyconfiguration.json';3Amplify.configure(config);
You now have set up and configured your backend resources for Amplify Auth, and connected your frontend app to your backend. You are now ready to work on your frontend application.
Determine your Auth integration path
Before you implement Auth on your frontend application, you will want to evaluate the options of using the Authenticator connected UI component or using the Amplify Library APIs directly. We recommend using the Authenticator since it creates a customizable sign-in and registration experience for your app with a few lines of code.
Compare implementation options
There are a few options to implement Auth, depending on how much customization you will need:
Amplify Authenticator | Amplify Libraries | |
---|---|---|
Description | Open source drop-in UI component for authentication | Low-level building blocks for implementing authentication |
Benefits | Automatically integrates with your existing Amplify configuration and allows you to easily add the entire authentication flow to your application. You can then customize themes to adjust colors and styling as needed. | Gives you full control over the UI and logic implementation. |
Constraints | Dependent on Amplify CLI for provisioning resources. | Requires the building of screens and frontend logic to enable the sign-in and registration experiences. |
We recommend using the Authenticator UI component for quick and easy setup and then use the Amplify Libraries to customize the user experience and logic as needed. Once you decide which option will work for your use case, you can continue implementing authentication on your frontend application. If you prefer to work directly with the APIs, you can review the Enable sign-up, sign-in, and sign-out guide.
Build an Authentication experience using the Authenticator
Creating the sign-in flow can be quite difficult and time-consuming to get right. However, Amplify has the Authenticator UI component which you can use to quickly build the entire authentication flow for your app, using your backend configuration.
Amplify has pre-built UI components for React, Vue, Angular, React Native, Swift, Android, and Flutter. In this guide, we are focusing on those for web applications.
First, install the @aws-amplify/ui-react
library as well as aws-amplify
if you have not already:
1npm install aws-amplify @aws-amplify/ui-react
Next, open src/App.js and add the withAuthenticator
component.
withAuthenticator
The withAuthenticator
is a higher-order component (HoC) that wraps Authenticator
. You will also notice that user
and signOut
are provided to the wrapped component.
Usage
1import { Amplify } from 'aws-amplify';2import type { WithAuthenticatorProps } from '@aws-amplify/ui-react';3import { withAuthenticator } from '@aws-amplify/ui-react';4import '@aws-amplify/ui-react/styles.css';5import config from './amplifyconfiguration.json';6Amplify.configure(config);7
8export function App({ signOut, user }: WithAuthenticatorProps) {9 return (10 <>11 <h1>Hello {user?.username}</h1>12 <button onClick={signOut}>Sign out</button>13 </>14 );15}16
17export default withAuthenticator(App);
Once you add the Authenticator component to your app, you can test the sign-up, sign-in, and sign-out functionality. You can also customize the Authenticator UI component to adjust colors and styling as needed.
View the created user in the AWS Console
After creating a new user, you can validate the created user in the Amazon Cognito console. To do so, you can use amplify console auth
to open the AWS Console directly. Note the user's status should be CONFIRMED
if you successfully verified the user; however, it can be in UNCONFIRMED
if the user is not yet verified. You can also check to make sure your user attributes are updating correctly.
You now have enabled sign-up, sign-in, and sign-out for your authentication and verified its functionality with a test user.
Conclusion
Congratulations! You finished the Set up Amplify Auth guide. In this guide, you set up and connected to backend resources, compared and determined your Auth integration path, and enabled sign-up, sign-in, and sign-out.
Next steps
Now that you completed setting up Amplify Auth with username and password, you may also want to add some additional features. We recommend you learn more about: