AWS Cognito is an authentication service provided by Amazon Web Services, and it is available as an auth source in AppSheet Business Subscriptions. It lets you run your own authentication source: you can provision users with explicit passwords or let them sign in with an existing social sign-in account, and you use Cognito to control who can access your AppSheet apps. There are three common reasons to do this: 

  1. You want to manage user access control at a scale that goes beyond AppSheet's simple whitelists.
  2. You want to provision and manage users yourself, control the password policy, and use the richer features of a full authentication source (verification, MFA, sign-up rules).
  3. You cannot use your corporate domain controller as an auth source because your users come from outside your corporate domain.

Using AWS Cognito requires an AWS account. This is not part of the AppSheet service, and AWS bills for it separately. This article explains the basics of setting up a Cognito User Pool and configuring it so that your AppSheet account can use it as an auth source.

Step 1: Create a Cognito service with AWS

Go to http://aws.amazon.com and set up your AWS account. AWS provides many services; choose the Cognito service.

Step 2: Configure a User Pool in your Cognito service 

As the name suggests, a User Pool represents a set of users. In our case, a User Pool holds the users who are allowed to sign in to an AppSheet app.

Step 2a: Define an App Client

When you define an app "client" in Cognito, you are telling Cognito to expect AppSheet to interact with it to ask users to sign in. Give your App Client a name, and make sure a client secret is generated for it. Cognito assigns the client a Client Id and a Client Secret; both are needed to configure the auth domain back in AppSheet. Treat the Client Secret as a credential: it is what proves to Cognito that the sign-in request really comes from AppSheet, so do not paste it anywhere other than the AppSheet auth domain configuration. 

It is important that you do not check the second option ("Only allow ...."). AppSheet signs users in through the standard OAuth 2.0 authorization code flow, and checking that option prevents that flow from succeeding.

Step 2b: Define the App Client Settings

You also need to tell Cognito how to respond when AppSheet interacts with it. In particular, copy the callback URLs exactly and set the scope options appropriately. Cognito compares the redirect URI it receives against the configured callback URLs character for character (scheme, host, port, path, and any trailing slash), so a small copy error results in a sign-in failure rather than a warning. The callback URLs should be 'https://www.appsheet.com/account/ELC' and 'http://localhost:53519/account/ELC'.

Step 2c: Define the Domain for your Cognito User Pool

You can assign your own domain or use a Cognito-provided domain prefix (eg: 'appsheettest' in the example below). With a Cognito-provided prefix, Cognito appends .auth.{AWS region}.amazoncognito.com to it, and the prefix must be unique within the region (Cognito checks availability when you enter it). Later, you will need the full domain, which has the form https://{yourdomainprefix}.auth.{AWS region}.amazoncognito.com
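The checks a practitioner would want to run against an app client before moving on to Step 3, as an added example that is not AppSheet's or AWS's own code. The records below are constructed by hand to mimic the shape that boto3's cognito-idp describe_user_pool_client returns, so the audit runs offline; in practice you would feed it the live response. The scope set is an assumption, since the article says to set scopes "appropriately" without naming them, and the hosted_ui_domain and authorize_url helpers are illustrative names, not an AWS API.

```python
"""Audit an AWS Cognito app client against the settings Steps 2a-2c require.

Added example for this article; not AppSheet's or AWS's code. The sample
records are constructed to mimic the shape returned by boto3's cognito-idp
describe_user_pool_client, so the audit runs without network access.
"""
from urllib.parse import urlencode

# Callback URLs from Step 2b. Cognito compares redirect_uri exactly, so
# scheme, host, port, path and trailing slash all have to match.
APPSHEET_CALLBACKS = {
    "https://www.appsheet.com/account/ELC",
    "http://localhost:53519/account/ELC",
}
# Assumption: the article does not list the exact scopes to allow.
ASSUMED_SCOPES = {"openid", "email", "profile"}


def hosted_ui_domain(prefix: str, region: str) -> str:
    """Full hosted-UI domain for a Cognito-provided domain prefix (Step 2c)."""
    return f"https://{prefix}.auth.{region}.amazoncognito.com"


def authorize_url(domain: str, client_id: str, redirect_uri: str,
                  scopes: set[str], state: str) -> str:
    """First leg of the authorization code flow that AppSheet drives (Step 2a)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"{domain}/oauth2/authorize?{urlencode(params)}"


def audit_app_client(client: dict) -> list[str]:
    """Return the misconfigurations found; an empty list means the client is ready."""
    problems = []
    if not client.get("ClientSecret"):
        problems.append("no client secret: generate one, AppSheet needs it")
    configured = set(client.get("CallbackURLs", []))
    for url in sorted(APPSHEET_CALLBACKS - configured):
        problems.append(f"callback URL missing or not an exact match: {url}")
    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        problems.append("OAuth 2.0 flows are not enabled on this app client")
    if "code" not in client.get("AllowedOAuthFlows", []):
        problems.append("authorization code grant is not allowed")
    for scope in sorted(ASSUMED_SCOPES - set(client.get("AllowedOAuthScopes", []))):
        problems.append(f"scope not allowed: {scope}")
    return problems


# Constructed sample: a stray trailing slash and a missing localhost callback,
# which is exactly the kind of copy error Step 2b warns about.
BROKEN_CLIENT = {
    "ClientId": "EXAMPLECLIENTID",
    "ClientSecret": "EXAMPLESECRET",
    "CallbackURLs": ["https://www.appsheet.com/account/ELC/"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email", "profile"],
}

# The same client with the callback URLs copied exactly.
FIXED_CLIENT = dict(BROKEN_CLIENT, CallbackURLs=sorted(APPSHEET_CALLBACKS))

if __name__ == "__main__":
    for name, client in (("broken", BROKEN_CLIENT), ("fixed", FIXED_CLIENT)):
        print(name, audit_app_client(client) or "OK")
    domain = hosted_ui_domain("appsheettest", "us-west-2")
    print(authorize_url(domain, FIXED_CLIENT["ClientId"],
                        "https://www.appsheet.com/account/ELC",
                        ASSUMED_SCOPES, "opaque-state"))
```

Running the audit on the broken sample reports both callback URLs as missing, because 'https://www.appsheet.com/account/ELC/' with a trailing slash is not the same string as the required one; the fixed sample passes. The printed authorize URL is what the hosted sign-in page is reached through, which is a quick way to confirm the domain from Step 2c resolves before wiring it into AppSheet.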

Step 3: Configure your AppSheet account

Now that you have set up your Cognito User Pool, you need to register it in your AppSheet account. Do so from the Integrations -> Auth Domains pane on your Account page.

Step 3a: Add a new auth domain

Give your auth domain a name and select AWS Cognito as the provider.

Step 3b: Configure it with the Cognito information

The client id and the client secret come from the App Client section of the Cognito User Pool definition (Step 2a). The domain endpoint is the full domain from the Domain section of the Cognito User Pool definition (Step 2c), including the https:// prefix.

Step 4: Use your new domain auth source

You can now use this domain auth source in your apps. In the Security pane of the app editor, open the Domain Auth tab and enable domain-based authentication. Your newly defined Cognito auth domain will be one of the choices you can pick.

Other Cognito Options

AWS Cognito is a rich authentication service with many options you can explore. Here are some of them.

Allow users to sign up

Cognito has different modes that decide who is added to the User Pool. Adding a user can be something the admin must do explicitly, or the User Pool can be configured to let users sign themselves up. If you enable self sign-up, anyone who reaches the hosted sign-in page can create an account in the pool, so combine it with the verification settings below rather than relying on the pool membership alone to gate access.

MFA (multi-factor auth) and Email Verification

We strongly recommend configuring Cognito to require verification of a user's email address (or phone number) before the account can be used, and enabling MFA so that a stolen password alone is not enough to sign in. Without verification, an account in the pool does not correspond to a confirmed identity.

Remember a user once they sign in

Cognito can remember the device a user signed in from, so that they do not have to repeatedly sign in. This significantly improves the app user experience; the trade-off is that a remembered device stays signed in until the session or the device is revoked, so weigh it against the sensitivity of the app's data.
