I'm responsible for delivering a secure scalable multi-tenant product that is deployed on AWS. I love AWS and my preference is to use AWS managed services everywhere I can.
AWS has a Cognito service which is a fully managed service that provides authentication, authorization, and user management.
However, for a multi-tenant SaaS product, I would go for Keycloak. And in this short article, I will tell you why. I will compare AWS Cognito with Keycloak and show you why Keycloak is still a better choice for me.
User pool in AWS Cognito is not multi-tenant. In order to create a multi-tenant system, you have to have a dedicated user pool per tenant. If you are a SaaS product then your tenant provisioning logic would have to be extended to automate the following actions:
- Create user pool: CreateUserPool
- Create user pool client: CreateUserPoolClient
- Create user pool domain: CreateUserPoolDomain
- Optional, to set up a more user-friendly domain that will host the sign-up and sign-in web pages, you need Route53 API calls as well
That's a lot.
Now compare it with how easy it is to add a new Keycloak tenant and client from my video. Adding a new tenant and a new client are 2 really simple calls in Keycloak.
OK, you can set up SMS MFA very easily in AWS Cognito. When a user registers, the verification of the phone (via SMS) is provided out of the box: the web pages and verification logic is provided by AWS Cognito.
But when you actually want to use software tokens MFA (TOTP) then you have to do the following:
- Add a special OAuth scope "aws.cognito.signin.user.admin" to the app client
- Pass user's JWT access token to AssociateSoftwareToken API call
- Generate QR code
- Once user sets up MFA on the phone, pass the user code to VerifySoftwareToken API call
I was surprised that SMS verification is supported out of the box, but for software token you have to write your own integration.
That's a shame really when you compare this with Keycloak MFA. You just set it up as a part of a single user journey with all the web pages, QR code generation, and verification logic provided by Keycloak.
Again, for reference see my video where I set up and test software tokens MFA in Keycloak:
AWS Cognito isn't too flexible when it comes to some of its settings. For example, these are the settings that you cannot change after you create a user pool: sign-in options, user attributes.
AWS Cognito also has a limit of 1000 user pools per AWS account. That's actually very little for a multi-tenant applications.
Before I wrap up, I would like to say that AWS Cognito is still a great choice for many apps. Its strong points are:
- hands-free fully managed service
- support for many events which can trigger custom Lambda functions
- great support for mobile apps (Android and iOS SDKs available)
- integration with AWS STS which can exchange Cognito tokens for temporary AWS credentials
- integration with AWS API Gateway using Cognito User Pool Authorizer
- great choice for single-tenant applications