
feat: add passwordless authentication support

Open ahmedhamouda78 opened this issue 2 weeks ago • 1 comment

Problem

Adds first-class support for passwordless authentication in Amplify Gen 2 backend, enabling developers to configure Email OTP, SMS OTP, and WebAuthn (passkeys) without requiring CDK overrides.

Issue number, if available:

#2276

Changes

Public API Changes:

  • Added otpLogin?: boolean property to email and phone login configurations in defineAuth
  • Added webAuthn?: WebAuthnLogin property to loginWith configuration
  • Added WebAuthnOptions type with relyingPartyId and userVerification settings

Implementation:

  • Extended auth-construct to translate passwordless configurations to Cognito User Pool settings
  • Added validation logic to prevent invalid configurations (e.g., WebAuthn-only without sign-up method, passwordless + MFA REQUIRED)
  • Implemented automatic relying party ID resolution ('AUTO' resolves to localhost in sandbox, Amplify domain in branch mode)
  • Added runtime warnings for immutable configuration changes

Testing:

  • Added tests to verify correct Cognito User Pool and User Pool Client configuration

Corresponding docs PR, if applicable: N/A

Validation

  • Unit tests added for validation logic and configuration translation
  • Tests verify:
    • Correct AllowedFirstAuthFactors configuration in User Pool (EMAIL_OTP, SMS_OTP, WEB_AUTHN)
    • ALLOW_USER_AUTH flow enabled in User Pool Client
    • WebAuthn configuration (RelyingPartyId, UserVerification) when applicable
  • Manual testing with sample app verified end-to-end passwordless flows

Checklist

  • [x] If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • [ ] If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • [ ] If this PR requires a docs update, I have linked to that docs PR above.
  • [ ] If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

ahmedhamouda78 avatar Nov 17 '25 22:11 ahmedhamouda78
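As an added illustration that is not part of this PR or the amplify-backend code base, the TypeScript below models the two rejected configurations and the User Pool translation the description lists (AllowedFirstAuthFactors, ALLOW_USER_AUTH, relying party ID resolution). Every type and function name here (translatePasswordless, resolveRelyingPartyId, DeployMode) is assumed, as are keeping PASSWORD in the factor list and the 'preferred' userVerification default.

```typescript
// Illustrative model of the validation and translation described in the PR.
// Not the amplify-backend implementation: all type and function names are assumed.
type UserVerification = 'required' | 'preferred';
type WebAuthnLogin = { relyingPartyId: string; userVerification?: UserVerification };
type OtpLogin = boolean | { otpLogin?: boolean };
type AuthInput = {
  loginWith: { email?: OtpLogin; phone?: OtpLogin; webAuthn?: WebAuthnLogin };
  multifactor?: 'OFF' | 'OPTIONAL' | 'REQUIRED';
};
type DeployMode = { kind: 'sandbox' } | { kind: 'branch'; amplifyDomain: string };
type UserPoolSettings = {
  allowedFirstAuthFactors: string[]; // Cognito User Pool: AllowedFirstAuthFactors
  explicitAuthFlows: string[];       // Cognito User Pool Client: ExplicitAuthFlows
  webAuthn?: { relyingPartyId: string; userVerification: UserVerification };
};

// 'AUTO' binds passkeys to localhost in sandbox and to the Amplify domain in branch mode.
// A passkey is scoped to its relying party ID, so an explicit ID must match the sign-in origin.
function resolveRelyingPartyId(configured: string, mode: DeployMode): string {
  if (configured !== 'AUTO') return configured;
  return mode.kind === 'sandbox' ? 'localhost' : mode.amplifyDomain;
}

function translatePasswordless(input: AuthInput, mode: DeployMode): UserPoolSettings {
  const { email, phone, webAuthn } = input.loginWith;
  // Assumption: PASSWORD stays allowed; passwordless factors are added beside it.
  const factors = ['PASSWORD'];
  if (typeof email === 'object' && email.otpLogin) factors.push('EMAIL_OTP');
  if (typeof phone === 'object' && phone.otpLogin) factors.push('SMS_OTP');
  if (webAuthn) factors.push('WEB_AUTHN');
  // Rejected config 1: a passkey is enrolled by an existing user, so WebAuthn needs a sign-up method.
  if (webAuthn && !email && !phone) {
    throw new Error('webAuthn requires an email or phone sign-up method');
  }
  // Rejected config 2: Cognito does not apply MFA to OTP or passkey sign-in, so REQUIRED cannot be enforced.
  if (factors.length > 1 && input.multifactor === 'REQUIRED') {
    throw new Error('passwordless login cannot be combined with MFA REQUIRED');
  }
  const settings: UserPoolSettings = {
    allowedFirstAuthFactors: factors,
    // USER_AUTH is the choice-based flow a client needs to select an OTP or passkey factor.
    explicitAuthFlows: factors.length > 1 ? ['ALLOW_USER_AUTH'] : [],
  };
  if (webAuthn) {
    settings.webAuthn = {
      relyingPartyId: resolveRelyingPartyId(webAuthn.relyingPartyId, mode),
      userVerification: webAuthn.userVerification ?? 'preferred', // assumed default
    };
  }
  return settings;
}
```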

🦋 Changeset detected

Latest commit: 87cb7adcc484a09ef1a6c1e6e6163c6a55272d09

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name                          Type
@aws-amplify/auth-construct   Minor
@aws-amplify/backend-auth     Minor
@aws-amplify/backend          Minor


changeset-bot[bot] avatar Nov 17 '25 22:11 changeset-bot[bot]

Overall this looks good. What kinds of environments have you manually verified with (did you manage to get a deployment with a custom relyingPartyId and one with an autogenerated one)?

I tried both and they worked.

ahmedhamouda78 avatar Nov 27 '25 15:11 ahmedhamouda78

Looks good. In a follow-up PR or tracking in a backlog item, could you add passwordless as an option for seeded users?

Yes, I have this on my to-do list.

ahmedhamouda78 avatar Dec 01 '25 17:12 ahmedhamouda78