Cognito: Identity providers and OAuth flows are enabled by default

❓ General Issue

Recently issue #8134 made OAuth flows be enabled by default even if your user pool had not defined identity providers before.

The Question

Is it reasonable to enable those flows by default since for example here it’s suggested that identity providers that support OAuth flows need to be enabled manually?

In my use case we have no need for these features and don’t want them to be enabled by default. Unfortunately, disabling them is not as straightforward, as you need to do something like this:

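import { CfnUserPoolClient, UserPoolClient } from '@aws-cdk/aws-cognito';

// Turn off every OAuth flow, scope and identity provider on the high-level construct.
const userPoolClient = new UserPoolClient(this, 'UserPoolClient', {
    ...
    oAuth: {
        flows: {
            implicitCodeGrant: false,
            authorizationCodeGrant: false
        },
        scopes: []
    },
    supportedIdentityProviders: []
});

// The low-level CloudFormation resource is needed to unset this remaining flag.
const cfnUserPoolClient = userPoolClient.node.defaultChild as CfnUserPoolClient;
cfnUserPoolClient.allowedOAuthFlowsUserPoolClient = undefined;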

This is quite involved and the worst thing is that you actually need to interact with low-level cfn API to be able to disable everything.

Environment

  • CDK CLI Version: 1.43.0
  • Module Version: 1.43.0

Other information

I do recognize that this breaking change was detailed in recent release notes. I’m just wondering if these defaults are reasonable since they seem to enable quite powerful features not everyone wants to use. Or have I misunderstood something about the implications of this change?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

3 reactions
nija-at commented, Jun 11, 2020

0 reactions
chalupaa commented, Jun 10, 2020

In order to not have the oauth settings enabled properly I had to specify all of the following:

if not oauth_settings:
    client.node.default_child.allowed_o_auth_flows_user_pool_client = False
    client.node.default_child.allowed_o_auth_flows = None
    client.node.default_child.allowed_o_auth_scopes = None
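
A check that could run against the synthesized template to confirm that the workarounds discussed in this thread actually took effect, as an added example that is not part of the original issue or the CDK project's code. The function name, type names and sample template are constructed for illustration; the property names are those of the `AWS::Cognito::UserPoolClient` CloudFormation resource.

```typescript
// Added example: flag Cognito app clients in a CloudFormation template that still carry OAuth settings.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
interface Finding { logicalId: string; reasons: string[] }

// List-valued OAuth properties of AWS::Cognito::UserPoolClient; a non-empty list is reported.
const LIST_PROPS = ['AllowedOAuthFlows', 'AllowedOAuthScopes', 'SupportedIdentityProviders'];

function findOAuthEnabledClients(template: Template): Finding[] {
  const out: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::Cognito::UserPoolClient') continue;
    const props: Record<string, unknown> = res.Properties || {};
    const reasons: string[] = [];
    if (props['AllowedOAuthFlowsUserPoolClient'] === true) {
      reasons.push('AllowedOAuthFlowsUserPoolClient is true');
    }
    for (const name of LIST_PROPS) {
      const value = props[name];
      if (Array.isArray(value) && value.length > 0) {
        reasons.push(`${name} = ${value.join(',')}`);
      }
    }
    if (reasons.length > 0) out.push({ logicalId, reasons });
  }
  return out;
}

// Constructed sample template (hypothetical logical IDs, not real synth output).
const sampleTemplate: Template = {
  Resources: {
    Pool: { Type: 'AWS::Cognito::UserPool' },
    DefaultClient: {
      Type: 'AWS::Cognito::UserPoolClient',
      Properties: {
        AllowedOAuthFlowsUserPoolClient: true,
        AllowedOAuthFlows: ['implicit', 'code'],
        AllowedOAuthScopes: ['openid', 'email'],
        SupportedIdentityProviders: ['COGNITO'],
      },
    },
    LockedDownClient: {
      Type: 'AWS::Cognito::UserPoolClient',
      Properties: { SupportedIdentityProviders: [] },
    },
  },
};
const findings = findOAuthEnabledClients(sampleTemplate); // one finding: DefaultClient
```

Running this over the template produced by `cdk synth` in CI turns a silent change in construct defaults into a failed build instead of a deployed setting.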