TL;DR: Can I use an allowlist of addresses for users who sign up via Google or another federated IdP? What about groups?

I have a Next.js frontend and a Flask backend. I need to be able to have the user sign in on the frontend, choose a password, set up MFA, and then be unable to access anything until they've been approved by an admin. Alternatively, the admin can set up an account ahead of time and email the user a link to set their own password and MFA.

I've gotten Auth0 set up using NextAuth with a pretty hacky whitelist (using an email whitelist Rule) and TOTP MFA. However, Auth0 will shortly notice that my 10 users are using MFA without paying $130/mo (!!!), and require me to start paying. So I'm looking for another solution before that happens.

I've tried setting up Cognito, and the backend is hosted on AWS, so it seemed the natural solution. I got login working with NextAuth without MFA. However, I have spent a day trying to get software token MFA working, and it looks like I either have to adopt Amplify for their UI components (which seems not to work well with NextAuth), or do a bunch of work myself. I haven't found a way to enable MFA on a user without starting their auth process and getting an access token. I don't want to set up the user's MFA, that's for them to do! TBH, Cognito is mostly a nightmare to use.

So I'm wondering if there's another option that I'm missing. If I allow users to sign in with Google federation, can I create an allowlist of addresses? Can I mandate MFA? How would I assign users different roles/groups? The nice thing about Auth0 and Cognito is that I don't have to host the user database, although there is a database behind my backend API which I could use if necessary.

I'd welcome any insight. I may be missing something obvious, as I don't have much of a background in web dev, and even less in authentication!
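The allowlist-plus-roles pattern the question asks about can be enforced in NextAuth's `signIn` callback regardless of which federated IdP (Google, Cognito, Auth0) the user arrives from. The block below is an added example, not code from the discussion or from NextAuth itself: the sample addresses, domains and role map are constructed, the helper names are made up for illustration, and the `email_verified` handling assumes the IdP profile carries that OIDC claim (Google and Cognito both do). The callback shape `({ user, account, profile })` is NextAuth's own.

```javascript
// Added example: deny-by-default email allowlist and role lookup for NextAuth.
// Sample data below is constructed for the example.
const ALLOWED_EMAILS = new Set(["alice@example.com", "bob@example.com"]);
const ALLOWED_DOMAINS = new Set(["example.org"]); // whole organisation allowed
const ROLES = new Map([["alice@example.com", "admin"]]); // everyone else is "member"

// Normalise the address so "Alice@Example.COM " and "alice@example.com" compare equal,
// and reject anything that is not shaped like a single-@ address.
function normalizeEmail(raw) {
  if (typeof raw !== "string") return null;
  const email = raw.trim().toLowerCase();
  const at = email.indexOf("@");
  if (at <= 0 || at !== email.lastIndexOf("@") || at === email.length - 1) return null;
  return email;
}

function isAllowed(rawEmail) {
  const email = normalizeEmail(rawEmail);
  if (!email) return false;
  if (ALLOWED_EMAILS.has(email)) return true;
  return ALLOWED_DOMAINS.has(email.slice(email.indexOf("@") + 1));
}

// Only trust an address the IdP says it has verified. Without this check, anyone who
// can register an unverified address at the IdP could claim an allowlisted one.
function isVerified(profile) {
  return profile !== null && typeof profile === "object" && profile.email_verified === true;
}

// Pure decision function so it can be tested without a running Next.js app.
function decideSignIn({ user, account, profile }) {
  if (!account || !account.provider) return false; // no provider context: deny
  if (!isVerified(profile)) return false;
  const email = (user && user.email) || (profile && profile.email);
  return isAllowed(email);
}

// Role to attach to the session token; defaults to the least-privileged role.
function roleFor(rawEmail) {
  const email = normalizeEmail(rawEmail);
  if (!email || !isAllowed(email)) return null;
  return ROLES.get(email) || "member";
}

// Shape of the options object passed to NextAuth (providers omitted here; in a real app
// this would be e.g. GoogleProvider or CognitoProvider from next-auth/providers).
const authOptions = {
  providers: [],
  callbacks: {
    // Returning false makes NextAuth refuse the sign-in instead of creating a session.
    async signIn({ user, account, profile }) {
      return decideSignIn({ user, account, profile });
    },
    // Copy the role into the JWT once, at sign-in, so later requests do not re-read it.
    async jwt({ token, user }) {
      if (user && user.email) token.role = roleFor(user.email);
      return token;
    },
    async session({ session, token }) {
      if (session.user) session.user.role = token.role;
      return session;
    },
  },
};
```

Admin approval can be layered on the same callback: if `isAllowed` consults a table the admin edits (or a Cognito group membership) instead of a static set, an unapproved user is refused at sign-in rather than admitted with no permissions.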
Replies: 1 comment
In the end, I've gotten Cognito to work using Amplify UI components, but I am no longer using NextAuth. NextAuth worked well and really seamlessly when I was using OAuth with the Cognito hosted UI. But AWS's hosted UI is quite ugly and, more importantly, it doesn't support the MFA flows at all. I would have had to implement all the fields, error checking and interaction with the Cognito IdP myself. 😵💫

I thought switching to Amplify UI components for Auth would be really disruptive, but it's actually possible to use the library and UI components without the hosting, CloudFormation and CLI octopus. Amplify would also work with federated login, just like NextAuth, although it seems like this would require some extra work with Identity Pools. Fortunately, I haven't needed that.

I'm much happier keeping all the user management in one place, and outside of my database. And now that it's set up, Cognito is straightforward enough, and free for the first 50k users.