Auth

Reference doc for the `sst.aws.Auth` component.

The Auth component lets you create centralized auth servers on AWS. It deploys OpenAuth to AWS Lambda and uses Amazon DynamoDB for storage.

Create an OpenAuth server

const auth = new sst.aws.Auth("MyAuth", {
  issuer: "src/auth.handler"
});

Where the issuer function might look like this.

import { handle } from "hono/aws-lambda";
import { issuer } from "@openauthjs/openauth";
import { CodeProvider } from "@openauthjs/openauth/provider/code";
import { subjects } from "./subjects";

const app = issuer({
  subjects,
  providers: {
    code: CodeProvider()
  },
  success: async (ctx, value) => {}
});

export const handler = handle(app);

This Auth component will always use the DynamoStorage storage provider.

Learn more on the OpenAuth docs on how to configure the issuer function.

Add a custom domain

Set a custom domain for your auth server.

new sst.aws.Auth("MyAuth", {
  issuer: "src/auth.handler",
  domain: "auth.example.com"
});

Link to a resource

You can link the auth server to other resources, like a function or your Next.js app, that needs authentication.

new sst.aws.Nextjs("MyWeb", {
  link: [auth]
});

Once linked, you can now use it to create an OpenAuth client.

import { Resource } from "sst"
import { createClient } from "@openauthjs/openauth/client"

export const client = createClient({
  clientID: "nextjs",
  issuer: Resource.MyAuth.url
});

Constructor

new Auth(name, args, opts?)

Parameters

name string
args AuthArgs
opts? ComponentResourceOptions

AuthArgs

domain?

Type Input<string | Object>

aliases?
cert?
dns?
name
redirects?

Set a custom domain for your Auth server.

Automatically manages domains hosted on AWS Route 53, Cloudflare, and Vercel. For other providers, you’ll need to pass in a cert that validates domain ownership and add the DNS records.

By default this assumes the domain is hosted on Route 53.

{
  domain: "auth.example.com"
}

For domains hosted on Cloudflare.

{
  domain: {
    name: "auth.example.com",
    dns: sst.cloudflare.dns()
  }
}

domain.aliases?

Type Input<string[]>

Alias domains that should be used. Unlike the redirect option, this keeps your visitors on this alias domain.

So if your users visit app2.domain.com, they will stay on app2.domain.com in their browser.

{
  domain: {
    name: "app1.domain.com",
    aliases: ["app2.domain.com"]
  }
}

domain.cert?

Type Input<string>

The ARN of an ACM (AWS Certificate Manager) certificate that proves ownership of the domain. By default, a certificate is created and validated automatically.

The certificate will be created in the us-east-1 region as required by AWS CloudFront. If you are creating your own certificate, you must also create it in us-east-1.

To manually set up a domain on an unsupported provider, you’ll need to:

Validate that you own the domain by creating an ACM certificate. You can either validate it by setting a DNS record or by verifying an email sent to the domain owner.
Once validated, set the certificate ARN as the cert and set dns to false.
Add the DNS records in your provider to point to the CloudFront distribution URL.

{
  domain: {
    name: "domain.com",
    dns: false,
    cert: "arn:aws:acm:us-east-1:112233445566:certificate/3a958790-8878-4cdc-a396-06d95064cf63"
  }
}

domain.dns?

Type Input<false | sst.aws.dns | sst.cloudflare.dns | sst.vercel.dns>

Default sst.aws.dns

The DNS provider to use for the domain. Defaults to the AWS.

Takes an adapter that can create the DNS records on the provider. This can automate validating the domain and setting up the DNS routing.

Supports Route 53, Cloudflare, and Vercel adapters. For other providers, you’ll need to set dns to false and pass in a certificate validating ownership via cert.

Specify the hosted zone ID for the Route 53 domain.

{
  domain: {
    name: "example.com",
    dns: sst.aws.dns({
      zone: "Z2FDTNDATAQYW2"
    })
  }
}

Use a domain hosted on Cloudflare, needs the Cloudflare provider.

{
  domain: {
    name: "example.com",
    dns: sst.cloudflare.dns()
  }
}

Use a domain hosted on Vercel, needs the Vercel provider.

{
  domain: {
    name: "example.com",
    dns: sst.vercel.dns()
  }
}

domain.name

Type Input<string>

The custom domain you want to use.

{
  domain: {
    name: "example.com"
  }
}

Can also include subdomains based on the current stage.

{
  domain: {
    name: `${$app.stage}.example.com`
  }
}

domain.redirects?

Type Input<string[]>

Alternate domains to be used. Visitors to the alternate domains will be redirected to the main name.

Use this to create a www. version of your domain and redirect visitors to the apex domain.

{
  domain: {
    name: "domain.com",
    redirects: ["www.domain.com"]
  }
}

issuer?

Type Input<string | FunctionArgs>

The function that’s running your OpenAuth server.

{
  issuer: "src/auth.handler"
}

You can also pass in the full FunctionArgs.

{
  issuer: {
    handler: "src/auth.handler",
    link: [table]
  }
}

Since the issuer function is a Hono app, you want to export it with the Lambda adapter.

import { handle } from "hono/aws-lambda";
import { issuer } from "@openauthjs/openauth";

const app = issuer({
  // ...
});

export const handler = handle(app);

This Auth component will always use the DynamoStorage storage provider.

Learn more on the OpenAuth docs on how to configure the issuer function.

Properties

nodes

Type Object

issuer
router
table

The underlying resources this component creates.

If the domain is set, this is the URL with the custom domain. Otherwise, it’s the autogenerated function URL for the issuer.

SDK

Use the SDK in your runtime to interact with your infrastructure.