
Missing Feature - UserPool client configuration (Callback URLs and scopes)


Ability to configure a Cognito User Pool Clients including callback URLs, signout URLs, and allowed scopes.

  • I’m submitting a …

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior? Can create UserPools and UserPool clients, however the configuration of the client is very limited. Can only specify clientName, enabledAuthFlows, and whether to create a secret or not.

  • What is the expected behavior (or behavior of feature suggested)? Would also like to be able to configure callback URLs, signout URLs, and allowed scopes so a complete functional UserPool can be created from scratch.

  • What is the motivation / use case for changing the behavior or adding this feature? Ability to create an ApiGateway secured by a cognito userpool with specific callback URLs and available scopes.

  • Please tell us about your environment:

    • CDK CLI Version: 0.34.0
    • OS: Windows 10 | Debian Stretch
    • Language: TypeScript
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. associated pull-request, stackoverflow, gitter, etc.) Currently I am creating the userpool like below. I believe this to be correct, but please tell me if this is the wrong way to go about it.

    const userPool = new cognito.UserPool(this, "userPool", {
      autoVerifiedAttributes: [],
      poolName: "userPool",
      signInType: cognito.SignInType.Username,
      usernameAliasAttributes: [
        cognito.UserPoolAttribute.Email,
        cognito.UserPoolAttribute.PhoneNumber
      ]
    });

    const userPoolClient = new cognito.UserPoolClient(
      this,
      "userPoolClient",
      {
        clientName: "Client",
        enabledAuthFlows: [
          cognito.AuthFlow.AdminNoSrp,
          cognito.AuthFlow.CustomFlowOnly
        ],
        userPool: userPool
      }
    );

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 6
  • Comments: 19 (6 by maintainers)

Top GitHub Comments

7 reactions
dveijck commented, Sep 26, 2019

From the CloudFormation documentation on UserPoolClient I would expect CloudFormation to support callback and logout URLs. Not sure if this was added recently by the CloudFormation team, but I thought it would be useful to post it here.

So this means that for now you could use the Cfn escape hatch as long as not all features in the CDK classes are implemented. Something like this gives you an idea:

const userPool = new UserPool(...);

...

const userPoolClient = new UserPoolClient(
    scope,
    'user-pool-client',
    {
      userPoolClientName: 'user-pool-client-name',
      userPool: userPool,
      enabledAuthFlows: [AuthFlow.USER_PASSWORD],
      generateSecret: true
    }
);
const cfnUserPoolClient = userPoolClient.node.defaultChild as CfnUserPoolClient;
cfnUserPoolClient.supportedIdentityProviders = ['COGNITO'];
cfnUserPoolClient.callbackUrLs = ['https://your_service_domain/oauth2/idpresponse'];
cfnUserPoolClient.allowedOAuthFlowsUserPoolClient = true;
cfnUserPoolClient.allowedOAuthFlows = ['code'];
cfnUserPoolClient.allowedOAuthScopes = ['openid'];

Be aware of the ‘strange’ capitalization of the callbackUrLs and logoutUrLs methods.

I did give it a run with CDK 1.9.0 and it seemed to create the UserPoolClient with the callback URL just fine for me.
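The escape-hatch properties set above (callbackUrLs, logoutUrLs, allowedOAuthFlows, allowedOAuthScopes) are where redirect and scope mistakes usually land. The following is an added example, not code from the issue or from the CDK project: a standalone TypeScript lint over a plain object using those same property names, with rules (https only except localhost, no URL fragments or wildcards, no implicit flow, openid present, flag consistency) that are assumptions modelled on the Cognito user pool client documentation.

```typescript
// Added example: lint a CfnUserPoolClient-shaped config before deploying it.
// Property names mirror the CloudFormation escape hatch; rules are assumptions
// based on Cognito's documented constraints, not the CDK's own validation.
type ClientConfig = {
  callbackUrLs?: string[];
  logoutUrLs?: string[];
  allowedOAuthFlows?: string[];
  allowedOAuthScopes?: string[];
  allowedOAuthFlowsUserPoolClient?: boolean;
  supportedIdentityProviders?: string[];
};

function tryParse(u: string) {
  try { return new URL(u); } catch { return null; }
}

// Redirect targets: Cognito only allows http for localhost, forbids fragments,
// and matches the registered URL exactly (no wildcards).
function checkRedirectUrl(url: string, kind: string): string[] {
  const findings: string[] = [];
  const parsed = tryParse(url);
  if (!parsed) return [`${kind} "${url}" is not an absolute URL`];
  const isLocalhost = parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1';
  if (parsed.protocol === 'http:' && !isLocalhost) findings.push(`${kind} "${url}" must use https`);
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') findings.push(`${kind} "${url}" has unsupported scheme ${parsed.protocol}`);
  if (parsed.hash) findings.push(`${kind} "${url}" must not contain a fragment`);
  if (url.includes('*')) findings.push(`${kind} "${url}" must be an exact URL, not a wildcard`);
  return findings;
}

function lintUserPoolClient(cfg: ClientConfig): string[] {
  const findings: string[] = [];
  for (const u of cfg.callbackUrLs ?? []) findings.push(...checkRedirectUrl(u, 'callback URL'));
  for (const u of cfg.logoutUrLs ?? []) findings.push(...checkRedirectUrl(u, 'logout URL'));
  const flows = cfg.allowedOAuthFlows ?? [];
  const scopes = cfg.allowedOAuthScopes ?? [];
  // Implicit grant delivers tokens in the URL fragment; code is the safer choice.
  if (flows.includes('implicit')) findings.push('implicit flow returns tokens in the URL fragment; prefer code');
  if (flows.length > 0 && !cfg.allowedOAuthFlowsUserPoolClient) findings.push('allowedOAuthFlows set but allowedOAuthFlowsUserPoolClient is not true');
  if (flows.length > 0 && (cfg.callbackUrLs ?? []).length === 0) findings.push('OAuth flows enabled without any callback URL');
  // Without openid Cognito issues no ID token, which usually breaks the app's sign-in.
  if (flows.length > 0 && !scopes.includes('openid')) findings.push('openid scope missing; no ID token will be issued');
  // This scope lets the client drive the user's own self-service API; keep it off unless needed.
  if (scopes.includes('aws.cognito.signin.user.admin')) findings.push('aws.cognito.signin.user.admin grants broad self-service user API access; drop unless needed');
  return findings;
}
```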

4 reactions
0xdevalias commented, Mar 19, 2020

As a follow-up to @dveijck’s post above replying to @misterjoshua: CDK has a really short/convenient syntax for custom resources that just need to call AWS SDK functions.

A basic example (untested for this use case exactly) derived from some similar code I wrote recently:

    // Imports assumed for CDK v1 (added here for completeness; not in the original comment).
    import * as cdk from '@aws-cdk/core';
    import * as cr from '@aws-cdk/custom-resources';

    // Custom resource that calls DescribeUserPoolClient once, on create, and stores
    // the API response so that fields of it can be read back into the stack.
    const describeCognitoUserPoolClient = new cr.AwsCustomResource(
      this,
      'DescribeCognitoUserPoolClient',
      {
        resourceType: 'Custom::DescribeCognitoUserPoolClient',
        onCreate: {
          region: 'us-east-1',
          service: 'CognitoIdentityServiceProvider',
          action: 'describeUserPoolClient',
          parameters: {
            UserPoolId: userPool.userPoolId,
            ClientId: userPoolClient.userPoolClientId,
          },
          physicalResourceId: cr.PhysicalResourceId.of(userPoolClient.userPoolClientId),
        },
        // TODO: can we restrict this policy more?
        // ANY_RESOURCE grants cognito-idp:DescribeUserPoolClient on "*"; scoping it
        // to the user pool's ARN would follow least privilege.
        policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
          resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
        }),
      }
    );

    // Pull the client secret out of the stored DescribeUserPoolClient response.
    const userPoolClientSecret = describeCognitoUserPoolClient.getResponseField(
      'UserPoolClient.ClientSecret'
    );
    // Note: a CfnOutput is readable by anyone who can call DescribeStacks, so the
    // secret is no longer confidential once exported this way.
    new cdk.CfnOutput(this, 'UserPoolClientSecret', {
      value: userPoolClientSecret,
    });