Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cognito): support for ALLOW_USER_AUTH explicit auth flow #32273

Merged
merged 4 commits into from
Dec 4, 2024
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@
"ALLOW_ADMIN_USER_PASSWORD_AUTH",
"ALLOW_CUSTOM_AUTH",
"ALLOW_USER_SRP_AUTH",
"ALLOW_USER_AUTH",
"ALLOW_REFRESH_TOKEN_AUTH"
],
"GenerateSecret": true,
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ const client = userpool.addClient('myuserpoolclient', {
custom: true,
userPassword: true,
userSrp: true,
user: true,
},
generateSecret: true,
oAuth: {
Expand Down
3 changes: 3 additions & 0 deletions packages/aws-cdk-lib/aws-cognito/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -699,6 +699,9 @@ Custom authentication protocols can be configured by setting the `custom` proper
functions for the corresponding user pool [triggers](#lambda-triggers). Learn more at [Custom Authentication
Flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow).

Choice-based authentication can be configured by setting the `user` property under `authFlow`. This enables the
`USER_AUTH` authentication flow. Learn more at [Choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice).

In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for
authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more
about the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749) and [Cognito user pool's
Expand Down
7 changes: 7 additions & 0 deletions packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,12 @@ export interface AuthFlow {
* @default false
*/
readonly userSrp?: boolean;

/**
* Enable Choice-based authentication
* @default false
*/
readonly user?: boolean;
}

/**
Expand Down Expand Up @@ -525,6 +531,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); }
if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); }
if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); }
if (props.authFlows.user) { authFlows.push('ALLOW_USER_AUTH'); }

// refreshToken should always be allowed if authFlows are present
authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -255,6 +255,7 @@ describe('User Pool Client', () => {
custom: true,
userPassword: true,
userSrp: true,
user: true,
},
});

Expand All @@ -264,6 +265,7 @@ describe('User Pool Client', () => {
'ALLOW_ADMIN_USER_PASSWORD_AUTH',
'ALLOW_CUSTOM_AUTH',
'ALLOW_USER_SRP_AUTH',
'ALLOW_USER_AUTH',
'ALLOW_REFRESH_TOKEN_AUTH',
],
});
Expand All @@ -281,6 +283,7 @@ describe('User Pool Client', () => {
custom: false,
userPassword: false,
userSrp: false,
user: false,
},
});

Expand Down
Loading