You started your cloud journey with AWS and now need to authenticate your first customers and partners. You don't want to build your own authentication service; you want a managed one. AWS Cognito is a good fit: it is easy to start with, cheap, and easy to integrate with both the frontend and the backend, and you can start from a sample solution and a workshop from AWS.

Solution Overview

It is my first attempt with AWS Cognito in around three years. My last playground was connected with Event Driven Design, and in the 'background' I used AWS Cognito. I wanted to refresh the code and play around with Identity Management.

But after a while and a couple of npm package updates, I noticed:

  • My old repo is based on CDK v1, which is deprecated.
  • A lot of the logic connected with Event Driven Design will not be needed in the new sandbox.

I needed to make a decision:

  • I wanted to test AWS Cognito one more time, but my code base is too old :(.
  • So I needed to start from scratch with a fresh code base.


There is an amazing code sample from AWS, amazon-cognito-passwordless-auth, and also a workshop.

I work on Windows, and for me the frontend deployment and the backend reading its configuration from a file don't work. Maybe there are issues connected with my Windows workstation, or perhaps I have spent too much time in the last few years with C# :).

But with the sample solution from aws-samples, and some knowledge of how CDK works and how to work with TypeScript, it really takes about one day to get started.

A summary:

  • Easy to start with the sample and the workshop.
  • Cheap: the first 50k monthly active users (MAUs) are free; above that you pay per MAU on a tiered scale, down to $0.0025 per MAU at the highest volume tier (check the current AWS pricing page, as the tiers change over time).
  • Easy to integrate with the frontend, with the backend, and with other AWS services.
  • I started with local and password-less solutions.
  • AWS CDK is amazing: you build your infrastructure as code and test it in the same language as your application. I decided to use TypeScript, but it can also be Java or C#.
  • The sample solution shows only the sign-in flow; you need to extend the user journeys with sign-up, account recovery, etc.
  • Please remember: with a custom UI you authenticate against the user pool API directly (InitiateAuth / RespondToAuthChallenge), not through the hosted UI's OAuth 2.0 / OpenID Connect endpoints, so the OIDC flows and federation with external identity providers are not available that way. Check the decision tree from AWS: Decision criteria matrix.
  • Also, an excellent video from AWS about identity challenges: Identity on the Front Line.
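Whether the tokens come from the hosted UI or from a custom UI talking to the user pool API, the backend receives the same Cognito JWTs and has to validate them itself before trusting any claim. The block below is an added example, not code from this post or from the aws-samples repository: a minimal Cognito ID token check in TypeScript using only Node's built-in crypto. The region, user pool id, app client id and the RSA signing key are constructed for the demo (a real backend loads and caches the pool's public keys from the pool's JWKS endpoint), and the function names are mine.

```typescript
// Added example: validating a Cognito user-pool ID token on the backend with Node's
// built-in crypto only. Pool id, client id and the signing key are constructed for the
// demo; a real backend fetches the pool's public keys from
// https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

const REGION = "eu-west-1";                              // assumption
const USER_POOL_ID = "eu-west-1_EXAMPLE01";              // assumption, not a real pool
export const APP_CLIENT_ID = "1example23456789abcdef";   // assumption, not a real client
export const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

const b64url = (data: string | Buffer): string => Buffer.from(data).toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// Simulated user-pool signing key; Cognito publishes the public half in its JWKS under a kid.
const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
export const KID = "demo-key-1";
export const JWKS: Record<string, KeyObject> = { [KID]: publicKey };

// Mint a JWT the way the pool would. A non-RS256 header yields an unsigned token,
// which exists here only to exercise the negative path in the verifier.
export function signToken(claims: Record<string, unknown>,
                          header: Record<string, unknown> = { alg: "RS256", kid: KID }): string {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  if (header.alg !== "RS256") return `${signingInput}.`;
  const sig = createSign("RSA-SHA256").update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(sig)}`;
}

export interface VerifyResult { ok: boolean; reason: string; claims?: Record<string, any> }

export function verifyCognitoIdToken(token: string, jwks: Record<string, KeyObject>,
                                     now: number = Math.floor(Date.now() / 1000)): VerifyResult {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  let header: any, claims: any;
  try {
    header = JSON.parse(fromB64url(parts[0]));
    claims = JSON.parse(fromB64url(parts[1]));
  } catch {
    return { ok: false, reason: "undecodable header or payload" };
  }
  // 1. Pin the algorithm and select the key by kid; never let the token choose the algorithm.
  if (header.alg !== "RS256") return { ok: false, reason: `unexpected alg ${header.alg}` };
  const key = jwks[header.kid];
  if (!key) return { ok: false, reason: "unknown kid" };
  // 2. Check the signature over the exact header.payload bytes that were received.
  const sigOk = createVerify("RSA-SHA256")
    .update(`${parts[0]}.${parts[1]}`)
    .verify(key, Buffer.from(parts[2], "base64url"));
  if (!sigOk) return { ok: false, reason: "bad signature" };
  // 3. The claim checks Cognito documents for ID tokens: issuer is this pool, token_use is
  //    "id" (access tokens say "access" and carry client_id instead of aud), aud is our app
  //    client, and the token has not expired.
  if (claims.iss !== ISSUER) return { ok: false, reason: "wrong issuer" };
  if (claims.token_use !== "id") return { ok: false, reason: "not an id token" };
  if (claims.aud !== APP_CLIENT_ID) return { ok: false, reason: "wrong audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, reason: "ok", claims };
}

// Exercise the verifier with one good token and the failure modes a backend must reject.
export function demo(): Record<string, VerifyResult> {
  const now = Math.floor(Date.now() / 1000);
  const good = { sub: "user-1", iss: ISSUER, aud: APP_CLIENT_ID, token_use: "id",
                 iat: now, exp: now + 3600, email: "alice@example.com" };   // constructed claims
  const tampered = signToken(good).split(".");
  tampered[1] = b64url(JSON.stringify({ ...good, sub: "someone-else" }));  // new payload, old signature
  return {
    valid: verifyCognitoIdToken(signToken(good), JWKS),
    accessToken: verifyCognitoIdToken(signToken({ ...good, token_use: "access" }), JWKS),
    otherClient: verifyCognitoIdToken(signToken({ ...good, aud: "other-client" }), JWKS),
    expired: verifyCognitoIdToken(signToken({ ...good, exp: now - 60 }), JWKS),
    algNone: verifyCognitoIdToken(signToken(good, { alg: "none", kid: KID }), JWKS),
    tampered: verifyCognitoIdToken(tampered.join("."), JWKS),
  };
}

for (const [name, result] of Object.entries(demo())) {
  console.log(`${name.padEnd(12)} ok=${result.ok} reason=${result.reason}`);
}
```

The same routine validates an access token if you swap the `token_use` check to "access" and compare `client_id` rather than `aud`; in production the JWKS map is filled from the pool's `/.well-known/jwks.json` (rotating keys are identified by `kid`), and the clock check should tolerate a little skew.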

What next?

  • I will try to integrate a custom domain with the custom UI.
  • Extend the flow with sign-up, and then maybe with account recovery.