
How Do I Enable Google Sign-in on a Multi-Tenant App?

In this guide, we will explore how to enable Google sign-in for a multi-tenant application using Pulumi to manage AWS Cognito resources. Multi-tenancy allows a single instance of an application to serve multiple customers or tenants. Each tenant operates in isolation, yet all share the same application resources. Integrating Google sign-in can enhance the user experience by allowing users to authenticate using their existing Google credentials. We will use Pulumi to set up an AWS Cognito User Pool, configure Google as an Identity Provider, and create a User Pool Client.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The Google OAuth client credentials are read from Pulumi config instead of
// being written into source:
//   pulumi config set googleClientId <your client id>
//   pulumi config set --secret googleClientSecret <your client secret>
// requireSecret() keeps the value encrypted in the stack state and masked in CLI output.
const config = new pulumi.Config();
const googleClientId = config.require("googleClientId");
const googleClientSecret = config.requireSecret("googleClientSecret");

// Create a Cognito User Pool
const userPool = new aws.cognito.UserPool("userPool", {
    name: "multiTenantUserPool",
    autoVerifiedAttributes: ["email"],
    aliasAttributes: ["email"],
    mfaConfiguration: "OFF",
    passwordPolicy: {
        minimumLength: 8,
        requireLowercase: true,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercase: true,
    },
    adminCreateUserConfig: {
        allowAdminCreateUserOnly: false,
    },
});

// Create a Cognito User Pool Domain for the hosted sign-in UI. The prefix must be
// unique within the region; the pool is then reachable at
// https://<prefix>.auth.<region>.amazoncognito.com
const userPoolDomain = new aws.cognito.UserPoolDomain("userPoolDomain", {
    domain: "multi-tenant-app",
    userPoolId: userPool.id,
});

// Configure Google as an Identity Provider. This is declared before the client
// because Cognito rejects a client whose supportedIdentityProviders names a
// provider that does not yet exist in the pool.
const googleIdentityProvider = new aws.cognito.IdentityProvider("googleIdentityProvider", {
    providerName: "Google",
    providerType: "Google",
    userPoolId: userPool.id,
    providerDetails: {
        client_id: googleClientId,
        client_secret: googleClientSecret,
        authorize_scopes: "openid profile email",
    },
    attributeMapping: {
        email: "email",
        username: "sub",
    },
});

// Create a Cognito User Pool Client
const userPoolClient = new aws.cognito.UserPoolClient("userPoolClient", {
    name: "multiTenantUserPoolClient",
    userPoolId: userPool.id,
    generateSecret: false,
    // Required for the hosted UI to honour the OAuth flows and scopes below
    allowedOauthFlowsUserPoolClient: true,
    allowedOauthFlows: ["code"],
    allowedOauthScopes: ["email", "openid", "profile"],
    callbackUrls: ["https://yourapp.com/callback"],
    logoutUrls: ["https://yourapp.com/logout"],
    supportedIdentityProviders: ["COGNITO", "Google"],
}, { dependsOn: [googleIdentityProvider] });

// Output the User Pool Domain URL (aws:region must be set in the stack config)
export const userPoolDomainUrl = pulumi.interpolate`https://${userPoolDomain.domain}.auth.${aws.config.region}.amazoncognito.com`;

Detailed Steps

  1. Create a Cognito User Pool: Use Pulumi to create a User Pool where user data will be stored. This pool is configured to automatically verify user emails and enforce a strong password policy.
  2. Set Up a User Pool Domain: With Pulumi, register a domain prefix for the pool's hosted sign-in UI, which is where users are sent to authenticate.
  3. Create a User Pool Client: Define a User Pool Client with Pulumi, representing the application that interacts with the user pool. It enables the OAuth authorization code flow and the scopes required for Google sign-in, and lists Google among its supported identity providers.
  4. Configure Google as an Identity Provider: Use Pulumi to supply the Google OAuth client credentials and map Google's attributes onto pool attributes, allowing users to sign in using their Google accounts. The provider must exist in the pool before a client can reference it.
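
The Pulumi program provisions the pool, but it does not cover what the application must do once the hosted UI redirects back to the callback URL and the code is exchanged for tokens: the ID token has to be validated before its email claim is trusted for anything tenant-related. The TypeScript below is an added example, not code from the page, Pulumi or AWS. It assumes constructed values for the region, user pool id and app client id, and mints a test token with a locally generated RSA key that stands in for Cognito's JWKS; in a real deployment the key set is fetched from the issuer's `/.well-known/jwks.json`.

```typescript
import * as crypto from "crypto";

// Constructed stand-ins for the deployed pool (assumptions, not values from the page).
export const REGION = "us-east-1";
export const USER_POOL_ID = "us-east-1_EXAMPLE";
export const CLIENT_ID = "example-app-client-id";
// Cognito issues ID tokens from this issuer and publishes its public keys at
// `${ISSUER}/.well-known/jwks.json`; in production, fetch and cache that document.
export const ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;

export interface Jwk { kid?: string; kty?: string; n?: string; e?: string; alg?: string; use?: string; }
export interface Jwks { keys: Jwk[]; }
export type Claims = Record<string, any>;

const b64url = (input: Buffer | string): string => Buffer.from(input).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Verify a Cognito ID token: RS256 signature against the JWKS key named by `kid`,
// then issuer, audience (the app client id), token_use and expiry. Returns the claims.
export function verifyCognitoIdToken(token: string, jwks: Jwks, expectedClientId: string,
                                     nowSeconds: number = Math.floor(Date.now() / 1000)): Claims {
    const parts = token.split(".");
    if (parts.length !== 3) throw new Error("malformed token");
    const header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
    // Cognito signs with RS256; pinning the algorithm rejects "none" and key-confusion variants.
    if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
    const jwk = jwks.keys.find(k => k.kid === header.kid);
    if (!jwk) throw new Error("unknown kid");
    const publicKey = crypto.createPublicKey({ key: jwk as crypto.JsonWebKey, format: "jwk" });
    const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
    if (!crypto.verify("sha256", signed, publicKey, fromB64url(parts[2]))) throw new Error("bad signature");
    const claims: Claims = JSON.parse(fromB64url(parts[1]).toString("utf8"));
    if (claims.iss !== ISSUER) throw new Error("wrong issuer");
    if (claims.aud !== expectedClientId) throw new Error("wrong audience");
    if (claims.token_use !== "id") throw new Error("not an ID token");
    if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
    return claims;
}

// For federated users Cognito adds an `identities` claim; its providerName tells the
// app whether the user arrived via Google or via a native Cognito account.
export function federatedProvider(claims: Claims): string | null {
    const ids = claims.identities;
    if (!Array.isArray(ids) || ids.length === 0) return null;
    return typeof ids[0].providerName === "string" ? ids[0].providerName : null;
}

// Constructed fixture: mint a token with a locally generated RSA key so the verifier
// can be exercised offline. The key pair and JWKS stand in for Cognito's own.
export function makeFixture(overrides: Claims = {}): { token: string; jwks: Jwks } {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
    const kid = "constructed-key-1";
    const jwk = publicKey.export({ format: "jwk" }) as Jwk;
    const jwks: Jwks = { keys: [{ ...jwk, kid, alg: "RS256", use: "sig" }] };
    const now = Math.floor(Date.now() / 1000);
    const claims: Claims = {
        iss: ISSUER, aud: CLIENT_ID, token_use: "id", iat: now, exp: now + 3600,
        sub: "00000000-0000-4000-8000-000000000001", email: "alice@example.com",
        identities: [{ providerName: "Google", userId: "1234567890", primary: "true" }],
        ...overrides,
    };
    const signingInput = `${b64url(JSON.stringify({ alg: "RS256", kid }))}.${b64url(JSON.stringify(claims))}`;
    const signature = crypto.sign("sha256", Buffer.from(signingInput), privateKey);
    return { token: `${signingInput}.${b64url(signature)}`, jwks };
}
```

The checks run in the order that matters: signature first, so no claim is read from an unauthenticated payload, then `iss` and `aud` so a valid token from another pool or another app client of the same pool is rejected, then `token_use` so an access token cannot be passed where an ID token is expected. Only after that should the `email` claim be used to look up the tenant.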

Summary

By following these steps and utilizing Pulumi, you can effectively integrate Google sign-in into your multi-tenant application using AWS Cognito. This setup simplifies user authentication and enhances security and user experience by leveraging Google’s robust authentication system.
