Set up Amplify Auth

This guide provides essential information to help you select and complete the activities you need for your Amplify project. We organized each section around a distinct job or decision point to help you understand your available options, steps to complete, and recommended best practices.

In this guide, you will learn how to set up Amplify Auth. This includes setting up and connecting your backend resources, determining your integration path, and enabling sign-up, sign-in, and sign-out with the Authenticator UI component. We will also provide more context on how resources are managed and created with Amplify to help you make decisions and understand any long-term impact of those decisions.

Before you begin, you will need:

Node.js v14.x or later
npm v6.14.4 or later
git v2.14.1 or later
A frontend app
If you want Amplify to set up and manage your backend resources, you need to install and configure the Amplify CLI. Make sure to also create a new Amplify project using amplify init in your terminal, or pull in an existing Amplify project to your frontend app by using amplify pull.

Set up and connect backend resources

We will review the paths to integrate Amplify Auth before you set up and integrate your backend resources and connect these resources in your frontend app to build authentication features.

Decide how to create and manage your backend resources

You can create and manage your Authentication resources with Amplify by using the Amplify CLI, Amplify Studio, or manage them yourself with tools such as CDK and CloudFormation. The path we recommend is through the Amplify CLI, which allows you to create new authentication resources or import existing ones. However, you can also use the Amplify Studio console to configure or use existing resources and directly connect them to your application using the Amplify Libraries. These tools will help you with creating and managing your resources.

With Amplify Auth, you can use a username and password as an authentication method, use a social provider such as "Sign in with Google" or "Sign in with Apple," or create a fully custom authentication flow.

Learn more

Understanding Auth high-level concepts

Amplify helps you secure your application while providing an easy sign-in experience for your users. This experience is influenced by your security strategy. This security strategy includes the authentication method, security credentials, and enabling additional verification when needed.

Authentication is a process to validate who you are (abbreviated as AuthN). The system that does this validation is referred to as an Identity Provider or IdP. This can be your own self-hosted IdP or a cloud service. Oftentimes, this IdP is a social provider such as Facebook, Google, or Amazon.
Authorization is the process of validating what you can access (abbreviated as AuthZ). This is sometimes done by looking at tokens with custom logic, predefined rules, or signed requests with policies.

Common authentication methods and associated risks include:

Username/password which is simple to set up but prone to compromise.
Social provider federation which enables easier access for your users but shares data with third parties.

You can improve security credentials and verification for these authentication methods by:

Adding password policies that ensure stronger passwords are created by your users.
Requiring additional contact information from users before they can reset passwords.
Adding multi-factor authentication (MFA) which adds a layer of security at sign-in but may also add friction for your users.

Amplify uses Amazon Cognito as the main authentication provider. Amazon Cognito is a robust user directory service that handles user registration, authentication, account recovery, and other operations. If you have not worked with Amazon Cognito before, we recommend taking a closer look at Amazon Cognito configuration options before you continue, since some of them are irreversible after your resources are created.

Learn more

Review Amazon Cognito configuration options

Amazon Cognito can be customized based on your security strategy for authentication. However, some initial configuration options cannot be changed after the backend resources are configured:

User attributes that are used to identify your individual users (such as username and email) cannot be renamed or deleted.
Sign-in methods (including username, email, and phone) cannot be added or changed after the initial configuration. This includes both defining which attributes are used to sign in and which attributes are required. Required attributes must have a value for all users once set.
Verification methods (including username and email) are the same as required attributes and cannot be removed once configured.
The sub attribute is a unique identifier within each user pool that cannot be modified and can be used to index and search users.
If MFA is set to required for all users, you will need to include MFA setup when users sign up.

See the Amazon Cognito documentation for more details on these settings, including User pool attributes and Adding MFA to a user pool.

Set up and configure Amplify Auth

In this section, you will learn how to set up your backend resources and install the Amplify Libraries to use with your application.

Set up your Auth backend resources

You can set up your backend resources with the Amplify CLI, Amplify Studio, or use existing resources.

Prerequisites: Install and configure the Amplify CLI in addition to the Amplify Libraries.

To start provisioning auth resources in the backend, go to your project directory and run the command:

1amplify add auth

1? Do you want to use the default authentication and security configuration? Default configuration
2? How do you want users to be able to sign in? Username
3? Do you want to configure advanced settings?  No, I am done.

If you have previously enabled an Amplify category that uses Auth behind the scenes (such as API category), you can run the amplify update auth command to edit your configuration if needed.

The CLI prompts will help you to customize your auth flow for your app. With the provided options, you can:

Customize sign-in/registration flow
Customize email and SMS messages for multi-factor authentication
Customize attributes for your users, such as name and email
Enable third-party social providers, such as Facebook, Twitter, Google, and Amazon

If you wish to federate with social providers, you will need to configure them first.

After configuring your Authentication options, update your backend and deploy the service by running the push command:

1amplify push

Now, the authentication service has been deployed and you can start using it. To view the deployed services in your project at any time, go to the Amplify console by running the following command:

1amplify console

In your app's entry point (specifically, App.js, index.js, _app.js, or main.js), import and load the configuration file:

1import { Amplify } from 'aws-amplify';
2import config from './amplifyconfiguration.json';
3Amplify.configure(config);

You now have set up and configured your backend resources for Amplify Auth, and connected your frontend app to your backend. You are now ready to work on your frontend application.

Determine your Auth integration path

Before you implement Auth on your frontend application, you will want to evaluate the options of using the Authenticator connected UI component or using the Amplify Library APIs directly. We recommend using the Authenticator since it creates a customizable sign-in and registration experience for your app with a few lines of code.

Compare implementation options

There are a few options to implement Auth, depending on how much customization you will need:

	Amplify Authenticator	Amplify Libraries
Description	Open source drop-in UI component for authentication	Low-level building blocks for implementing authentication
Benefits	Automatically integrates with your existing Amplify configuration and allows you to easily add the entire authentication flow to your application. You can then customize themes to adjust colors and styling as needed.	Gives you full control over the UI and logic implementation.
Constraints	Dependent on Amplify CLI for provisioning resources.	Requires the building of screens and frontend logic to enable the sign-in and registration experiences.

We recommend using the Authenticator UI component for quick and easy setup and then use the Amplify Libraries to customize the user experience and logic as needed. Once you decide which option will work for your use case, you can continue implementing authentication on your frontend application. If you prefer to work directly with the APIs, you can review the Enable sign-up, sign-in, and sign-out guide.

Build an Authentication experience using the Authenticator

Creating the sign-in flow can be quite difficult and time-consuming to get right. However, Amplify has the Authenticator UI component which you can use to quickly build the entire authentication flow for your app, using your backend configuration.

Amplify has pre-built UI components for React, Vue, Angular, React Native, Swift, Android, and Flutter. In this guide, we are focusing on those for web applications.

First, install the @aws-amplify/ui-react library as well as aws-amplify if you have not already:

1npm install aws-amplify @aws-amplify/ui-react

Next, open src/App.js and add the withAuthenticator component.

withAuthenticator

The withAuthenticator is a higher-order component (HoC) that wraps Authenticator. You will also notice that user and signOut are provided to the wrapped component.

Usage

1import { Amplify } from 'aws-amplify';
2import type { WithAuthenticatorProps } from '@aws-amplify/ui-react';
3import { withAuthenticator } from '@aws-amplify/ui-react';
4import '@aws-amplify/ui-react/styles.css';
5import config from './amplifyconfiguration.json';
6Amplify.configure(config);
7
8export function App({ signOut, user }: WithAuthenticatorProps) {
9  return (
10    <>
11      <h1>Hello {user?.username}</h1>
12      <button onClick={signOut}>Sign out</button>
13    </>
14  );
15}
16
17export default withAuthenticator(App);

Once you add the Authenticator component to your app, you can test the sign-up, sign-in, and sign-out functionality. You can also customize the Authenticator UI component to adjust colors and styling as needed.

View the created user in the AWS Console

After creating a new user, you can validate the created user in the Amazon Cognito console. To do so, you can use amplify console auth to open the AWS Console directly. Note the user's status should be CONFIRMED if you successfully verified the user; however, it can be in UNCONFIRMED if the user is not yet verified. You can also check to make sure your user attributes are updating correctly.

You now have enabled sign-up, sign-in, and sign-out for your authentication and verified its functionality with a test user.

Conclusion

Congratulations! You finished the Set up Amplify Auth guide. In this guide, you set up and connected to backend resources, compared and determined your Auth integration path, and enabled sign-up, sign-in, and sign-out.

Next steps

Now that you completed setting up Amplify Auth with username and password, you may also want to add some additional features. We recommend you learn more about:

Manage user session and credentials