OpenWaterFoundation / owf-app-infomapper-builder-ng

Open Water Foundation web application to build an InfoMapper configuration
GNU General Public License v3.0

Show InfoMapper accounts for User Pool differentiation on the Sign In page #10

Open Nightsphere opened 1 year ago

Nightsphere commented 1 year ago

The need is to list available User Pools during the login process.

OWF has decided to use the User-pool-based multi-tenancy approach for Cognito. Since each organization/personal/community account will be its own User Pool, there needs to be something on the sign in page where a user can choose the name of the account they'd like to sign into so that their login can be authenticated. The current prototype sign in page looks like the following:

[image: current prototype sign in page]

The idea is that before a user is authenticated, the application will reach out to AWS, get all User Pools, and list them in the InfoMapper Account dropdown (or provide an ability to match a user pool based on what the user types in the form). This will have the User Pool Id, so when the user provides their credentials, it will authenticate to the correct User Pool.

OWF has been using the AWS Amplify Toolkit for development. OWF attempted to use the AWS SDK JavaScript V3 because it is provided directly by Amazon. However, the V3 documentation and examples are lacking. Therefore Amplify will most likely be used going forward, possibly using the V3 API directly when Amplify API is lacking in functionality.

The following are options to list the User Pools in order from most to least desired:

  1. Use the Amplify API to list User Pools with a service account:
    • The Amplify API does not seem to provide this functionality.
    • The service account would be predefined and have strict policy constraints to only list user pools relevant to the application.
  2. Use the AWS JavaScript V3 SDK:
    • We have been unable to determine the necessary API, which is why Amplify is being used for logins.
    • This might be the ideal solution because it would be using the richest API, but online resources point to using Amplify for web applications with logins.
    • This article helpfully describes differences between options, and when you should use each. It recommends Amplify to build client-side applications, which is what we're attempting. This sounds like a good option. It recommends the AWS SDK to "access protected Cognito APIs that require developer credentials". Is that what we're trying to do when we list all user pools? Would this be a better choice than Amplify?
    • Are there good, nontrivial examples using the different AWS provided encapsulated npm packages together, such as the Cognito and S3 clients? Examples seem to be lacking for version 3.
  3. Use a Lambda function before user authentication to list the User Pools.
    • This requires new development and may result in other technical issues.
    • Need to experiment to determine how this works, including defining a service account.
    • Which AWS services would the Lambda function use to perform its job?
    • How would it access other services?
    • Are there examples?
  4. Create an anonymous Cognito user in the code (no Cognito user creation required), with its access restricted to the reading of one file in an S3 bucket. This file would contain a list of the User Pool names to display in the login dialog, and the User Pool Id to use when authenticating the user when a sign in is attempted.
    • This is not very elegant or scalable, especially if we allow users to create their own organizations and users.
    • Requires automated updates to the S3 file, or a Lambda function (see previous option) to update the file.
    • If an anonymous user is created in the code, is this a security risk? The restrictive policy can be predefined, so hopefully the service account can be locked down.
    • Is it safe to have the Identity Pool Id, User Pool Id, and User Pool App Client Id in the code?
    • Is it okay to have User Pool Ids publicly available?
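As an added example (not code from this repository or from the issue author), here is the backend half of option 3 written for the v3 SDK: a Lambda handler that pages through `ListUserPools` under its own execution role and hands the sign in page only tenant names and User Pool Ids. The `infomapper-` name prefix, the `cognitoSender` wrapper, the handler shape and the sample response pages are assumptions made for illustration; `ListUserPoolsCommand` and its `MaxResults`/`NextToken`/`UserPools` fields are the real v3 API.

```javascript
// Pure selection step: keep only the pools that belong to this application
// (identified here by a name prefix, an assumption for this example) and
// expose only the two fields the sign in page needs. Everything else the
// API returns (ARNs, Lambda triggers, timestamps) stays on the backend.
function selectTenantPools(userPools, prefix) {
  return userPools
    .filter((p) => typeof p.Name === 'string' && typeof p.Id === 'string' && p.Name.startsWith(prefix))
    .map((p) => ({ name: p.Name.slice(prefix.length), userPoolId: p.Id }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Page through ListUserPools until NextToken is absent. `send` is an async
// function that takes the ListUserPools input and returns its output; it is
// injected so the paging logic can be exercised without AWS credentials.
async function listTenantPools(send, { prefix = 'infomapper-', pageSize = 60 } = {}) {
  const collected = [];
  let nextToken;
  do {
    const page = await send({ MaxResults: pageSize, NextToken: nextToken });
    collected.push(...(page.UserPools || []));
    nextToken = page.NextToken;
  } while (nextToken);
  return selectTenantPools(collected, prefix);
}

// Production wiring (assumed): wraps the real v3 client. Only the Lambda's
// execution role is granted cognito-idp:ListUserPools; the browser never
// holds credentials that can enumerate pools.
function cognitoSender(region) {
  const { CognitoIdentityProviderClient, ListUserPoolsCommand } =
    require('@aws-sdk/client-cognito-identity-provider');
  const client = new CognitoIdentityProviderClient({ region });
  return (input) => client.send(new ListUserPoolsCommand(input));
}

// Lambda handler (assumed shape, e.g. behind API Gateway): the sign in page
// calls this before any user is authenticated.
async function handler() {
  const accounts = await listTenantPools(cognitoSender(process.env.AWS_REGION));
  return {
    statusCode: 200,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ accounts }),
  };
}

// Constructed sample pages standing in for two ListUserPools responses.
// The first page deliberately mixes in a pool that is not ours.
const SAMPLE_PAGES = {
  start: {
    UserPools: [
      { Id: 'us-west-2_EXAMPLE1', Name: 'infomapper-poudre' },
      { Id: 'us-west-2_EXAMPLE2', Name: 'unrelated-app' },
    ],
    NextToken: 'page-2',
  },
  'page-2': {
    UserPools: [{ Id: 'us-west-2_EXAMPLE3', Name: 'infomapper-owf' }],
  },
};

// Offline stand-in for cognitoSender(): serves the constructed pages by token.
function sampleSender(pages) {
  return async (input) => pages[input.NextToken || 'start'];
}
```

The browser receives the same kind of identifier it would otherwise carry in its Amplify configuration, while the permission that can list pools never leaves the Lambda's role. To sign a user in, the client also needs the App Client Id for the chosen pool; this example does not fetch it, so it would come from a second per-pool call or from a lookup table maintained alongside the pool list.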
Nightsphere commented 1 year ago

Found an article that utilizes DynamoDB to hold User Pool credentials, and is dubbed the "Tenant Master".

https://boottechnologies-ci.medium.com/multi-tenancy-architecture-using-aws-cognito-part-2-a1bc468d3812

[image: figure from the linked article]

Are there other options?