feat(cognito): choice-based authentication (passwordless sign-in / passkey sign-in)

[Tietew]

Issue # (if applicable)

Closes #32265.

Reason for this change

User Pool has introduced choice-based authentication, including passwordless sign-in and passkey (WebAuthn) sign-in.
For details, see Manage authentication methods in AWS SDKs.

Related PRs:

• feat(cognito): user pool feature plans #32367 - requires Essentials or higher feature plan
• feat(cognito): support for ALLOW_USER_AUTH explicit auth flow #32273 - requires User pool client to allow USER_AUTH auth flow

Description of changes

Added following properties:

• allowedFirstAuthFactors - allowed first authenticate factors
• passkeyRelyingPartyId - the authentication domain used as passkey relying party ID
• passkeyUserVerification - configure user verification to be preferred or required

Description of how you validated changes

Added unit test and an integ test.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.00%. Comparing base (b11f663) to head (b8b00ef).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32369   +/-   ##
=======================================
  Coverage   81.00%   81.00%           
=======================================
  Files         238      238           
  Lines       14269    14269           
  Branches     2492     2492           
=======================================
  Hits        11558    11558           
  Misses       2425     2425           
  Partials      286      286           

Flag	Coverage Δ
suite.unit	81.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	79.92% <ø> (ø)
packages/aws-cdk-lib/core	82.16% <ø> (ø)

[lpizzinidev]

👍 Sorry for the super-late review

[Tietew]

@lpizzinidev Thank you for your comments! I've pushed some modifications.

[lpizzinidev]

My idea was to enforce password: true regardless when setting allowedFirstAuthFactors. Please let me know what's your thought 👍

[lpizzinidev]

Suggested change

	/*
	* Choice-based authentication is enabled when built allowedFirstAuthFactors contains any factor but PASSWORD.
	* This check should be placed here to supply the way to disable choice-based authentication explicitly
	* by specifying `allowedFirstAuthFactors: { password: true }`.
	*/
	const isChouseBasedAuthenticationEnabled = allowedFirstAuthFactors.some((auth) => auth !== 'PASSWORD');
	if (isChouseBasedAuthenticationEnabled && props.featurePlan === FeaturePlan.LITE) {
	throw new ValidationError('To enable choice-based authentication, set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.', this);
	if (props.featurePlan === FeaturePlan.LITE) {
	throw new ValidationError('To enable choice-based authentication, set `featurePlan` to `FeaturePlan.ESSENTIALS` or `FeaturePlan.PLUS`.', this);

[Tietew]

allowedFirstAuthFactors: { password: true } must allow Lite feature plan.

When the user have a user pool with choice-based authentication enabled and want to downgrade to Lite feature plan, the user must specify allowedFirstAuthFactors: { password: true } to disable choice-based authentication explicitly.
see #32369 (comment)

[Tietew]

@lpizzinidev Thank you for explanation. I misunderstood.

When Cognito supports to disable password authentication in the future,
the password option should default to false...

[lpizzinidev]

Thanks 👍

[samson-keung]

Appreciate the contribution! Thank you.

Left some comments on the design of the construct props.

[Tietew]

@samson-keung Than you for your review. I'm working on your suggestions.
Could you answer some questions I left, please?

[samson-keung]

@samson-keung Than you for your review. I'm working on your suggestions. Could you answer some questions I left, please?

Responded within the threads. Sorry I wasn't able to get to them quicker as I am in the PDT time zone. Updated my profile to reflect that :)

Pull request has been modified.

[Tietew]

@samson-keung I pushed updates. Time zone is not an issue. Thank you!

[samson-keung]

LGTM. Thank you for adding this feature!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: b8b00ef
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.