
Authentication Overview

Authentication Methods

StackFlow supports multiple authentication methods to accommodate different organizational requirements. All authentication flows ultimately issue a Cognito JWT, which the API Gateway Lambda authorizer validates on every request. The access token is short-lived (1 hour); the refresh token is valid for 30 days.

⚙️ Minimum Requirements
  • Cognito User Pool: us-east-1_WKK1AVJ2m with hosted UI domain stackflow-identity-373544523367.auth.us-east-1.amazoncognito.com
  • App Client: 570cnagpgoochn29a113du6jnt with Authorization Code + PKCE flow enabled
  • Lambda Authorizer: StackFlowAuth Lambda attached to API Gateway uazcuhdus2
  • Secrets Manager: stackflow/cognito-client-secret accessible to StackFlowAPIRole
| Method | Provider | Use Case | Status |
|---|---|---|---|
| Username/Password | AWS Cognito | Internal users, service accounts | Active |
| Azure AD SSO | Microsoft Entra ID | Enterprise M365 users | Active |
| LDAP/Active Directory | On-premises AD | Legacy directory integration | Active |
| SAML 2.0 | Any IdP | Third-party identity providers | Beta |
| API Keys | StackFlow | Service accounts, automation | Active |

Cognito User Pool

The primary Cognito User Pool is us-east-1_WKK1AVJ2m with App Client ID 570cnagpgoochn29a113du6jnt. The hosted UI is available at https://stackflow-identity-373544523367.auth.us-east-1.amazoncognito.com and handles the OAuth 2.0 authorization code flow with PKCE.

# Get a token using Cognito hosted UI flow (after user authorizes)
curl -X POST \
  https://stackflow-identity-373544523367.auth.us-east-1.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&client_id=570cnagpgoochn29a113du6jnt&code=AUTH_CODE&redirect_uri=https://your-instance.stackflow-tech.com/callback&code_verifier=PKCE_VERIFIER"
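The PKCE pair that the code_verifier in the request above depends on, as an added Python example (standard library only, not StackFlow's own code): it generates the verifier, derives the S256 challenge that goes to the hosted UI, builds the matching /oauth2/token form body, and shows the re-derivation check the token endpoint performs. The scope list and the state value are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Values taken from this page
COGNITO_DOMAIN = "https://stackflow-identity-373544523367.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "570cnagpgoochn29a113du6jnt"
REDIRECT_URI = "https://your-instance.stackflow-tech.com/callback"  # placeholder host, as on the page
SCOPES = "openid email profile"  # assumed scope set; use the app client's allowed scopes

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier; 32 bytes gives 43 unreserved chars (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). Only this leaves the client."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """What the token endpoint does: re-derive the challenge and compare in constant time."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)

def build_authorize_url(challenge: str, state: str) -> str:
    """Hosted UI /oauth2/authorize request; state binds the callback to this session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
        "state": state,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"

def build_token_request(code: str, verifier: str) -> dict:
    """Form body for /oauth2/token, matching the curl command above."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }
```

The verifier stays in the client session until the code is redeemed; a code intercepted on the redirect cannot be exchanged without it.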

Federated Identity

Azure AD federation uses the On-Behalf-Of (OBO) flow via the dedicated OBO exchange endpoint at https://606pvqo245.execute-api.us-east-1.amazonaws.com/obo/exchange. When a user authenticates with Microsoft, their Azure AD token is exchanged for a Cognito token with equivalent group claims mapped to StackFlow roles.

The Azure tenant ID is df4d171f-6cca-4c87-84cd-f299e4fca3a9. Group mapping is configured in Admin → Authentication → Azure AD and synced every 15 minutes. See Azure AD SSO for detailed configuration steps.

OBO Flow: The On-Behalf-Of exchange preserves the original user identity through the token chain, enabling StackFlow to make downstream API calls to Microsoft Graph using the user's delegated permissions — not a service account.

Token Lifecycle

Cognito issues three token types: ID token (user claims, 1 hour), Access token (API authorization, 1 hour), and Refresh token (silent renewal, 30 days). The StackFlow frontend automatically renews tokens 5 minutes before expiry using the refresh token flow. Explicit logout revokes the refresh token in Cognito's token revocation list.

# Refresh an expired access token
curl -X POST \
  https://stackflow-identity-373544523367.auth.us-east-1.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&client_id=570cnagpgoochn29a113du6jnt&refresh_token=REFRESH_TOKEN"

Security Policies

Password policy requires minimum 12 characters with uppercase, lowercase, number, and special character. Account lockout occurs after 5 failed attempts with a 15-minute lockout period. All authentication events are logged to CloudTrail and streamed to the stackflow-security-findings SNS topic for SIEM integration.

MFA Enforcement: MFA is strongly recommended for all administrator accounts and is enforced for accounts with ITSM Admin, Cloud Admin, or Super Admin roles. See Multi-Factor Authentication for setup instructions.