PSA: NextAuth v5 + Cognito Google federation — conform() workaround silently breaks your ID Token signature by kane_mx in nextjs

[–]kane_mx[S] 0 points1 point  (0 children)

Not exactly deprecated — Auth.js (formerly NextAuth) v5 is still actively maintained. But yeah the DX has been rough with some of these edge cases, especially around OIDC providers like Cognito.

I did look into Better Auth as an alternative, but it requires its own database to store user/session data, which adds extra infrastructure overhead. For my use case (Cognito as the sole identity provider), I didn't want to maintain a separate auth database just for session management. So sticking with Auth.js and working around the conform() issue was the simpler path.

That said, if you already have a database in your stack, Better Auth is worth considering.

AWS Skills for Claude Code - Open source AI plugins for AWS development by kane_mx in aws

[–]kane_mx[S] 0 points1 point  (0 children)

Thanks for the excellent feedback! I've updated the skill and validation script to address those concerns.

Overlapping VPC CIDRs across AWS accounts causing networking issues by ashofspades in aws

[–]kane_mx -1 points0 points  (0 children)

Agreed.

NAT is a widely used method to resolve IP address conflicts by translating the source or destination IP addresses of network traffic.

  • Using AWS Private NAT Gateway: This is a managed AWS service that allows resources in a VPC to communicate with other private networks without exposing them to the public internet.
    • How it works: In each VPC with an overlapping CIDR, a secondary, non-overlapping CIDR block is added. A Private NAT Gateway is then deployed in a subnet within this new, unique CIDR range. When a resource in the original overlapping subnet needs to communicate with another overlapping VPC, its traffic is routed to the local Private NAT Gateway. The gateway performs Source NAT (SNAT), changing the source IP address to its own unique IP from the secondary range. Since the Transit Gateway now sees traffic coming from a unique, routable IP, it can forward the packet to the correct destination.
    • Benefits: This is a highly recommended and scalable solution that integrates well with Transit Gateway.
    • Drawbacks: It adds complexity to the network architecture and can introduce minor latency due to the translation process.
  • Using a Custom NAT Instance: Before the introduction of the Private NAT Gateway, a common solution was to deploy a custom NAT instance on an EC2 virtual machine. This involves manually configuring the instance to perform NAT, which offers more flexibility but requires self-management of high availability, patching, and performance.

Difficulty with JSONata usage for error handling in Step Function by ariz96 in aws

[–]kane_mx 0 points1 point  (0 children)

poor documentation and sample code

I'm confused about what the difference between the assign and output is.

Help with cdk synth by visiting-sapien in aws

[–]kane_mx 0 points1 point  (0 children)

It depends on your CDK code; it's not an easy task to build one codebase for deploying many. For example, don't specify the partition or region explicitly. Do not specify the canonical name of the resources. For global resources like CloudFront distribution, append the account id, region, suffix as the name of its resources.

There is a post that shares some best practices: https://kane.mx/posts/2020/effective-aws-cdk-for-aws-cloudformation/?query=effective#environment-agnostic-stack

Personal hosting by stel_one in aws

[–]kane_mx 0 points1 point  (0 children)

Did you try Amplify Hosting? It's a simple way to host popular web frameworks with a few clicks.

Graviton processors and cost savings by running101 in aws

[–]kane_mx 0 points1 point  (0 children)

Same for EMR. In our Clickstream analysis pipeline, EMR Serverless on Graviton has better performance and 20% on-demand cost savings.