404 lines
17 KiB
TypeScript
404 lines
17 KiB
TypeScript
import type { Construct } from 'constructs';
|
||
import type { ClientAttributes } from './user-pool-attr';
|
||
import type { IUserPoolResourceServer, ResourceServerScope } from './user-pool-resource-server';
|
||
import type { IRoleRef } from '../../aws-iam';
|
||
import type { CfnApp } from '../../aws-pinpoint';
|
||
import type { IResource } from '../../core';
|
||
import { Resource, Duration, SecretValue } from '../../core';
|
||
import type { IUserPoolClientRef, IUserPoolRef, UserPoolClientReference } from '../../interfaces/generated/aws-cognito-interfaces.generated';
|
||
/**
|
||
* Types of authentication flow
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html
|
||
*/
|
||
export interface AuthFlow {
|
||
/**
|
||
* Enable admin based user password authentication flow
|
||
* @default false
|
||
*/
|
||
readonly adminUserPassword?: boolean;
|
||
/**
|
||
* Enable custom authentication flow
|
||
* @default false
|
||
*/
|
||
readonly custom?: boolean;
|
||
/**
|
||
* Enable auth using username & password
|
||
* @default false
|
||
*/
|
||
readonly userPassword?: boolean;
|
||
/**
|
||
* Enable SRP based authentication
|
||
* @default false
|
||
*/
|
||
readonly userSrp?: boolean;
|
||
/**
|
||
* Enable Choice-based authentication
|
||
* @default false
|
||
*/
|
||
readonly user?: boolean;
|
||
}
|
||
/**
|
||
* OAuth settings to configure the interaction between the app and this client.
|
||
*/
|
||
export interface OAuthSettings {
|
||
/**
|
||
* OAuth flows that are allowed with this client.
|
||
* @see - the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
|
||
* @default {authorizationCodeGrant:true,implicitCodeGrant:true}
|
||
*/
|
||
readonly flows?: OAuthFlows;
|
||
/**
|
||
* List of allowed redirect URLs for the identity providers.
|
||
* @default - ['https://example.com'] if either authorizationCodeGrant or implicitCodeGrant flows are enabled, no callback URLs otherwise.
|
||
*/
|
||
readonly callbackUrls?: string[];
|
||
/**
|
||
* List of allowed logout URLs for the identity providers.
|
||
* @default - no logout URLs
|
||
*/
|
||
readonly logoutUrls?: string[];
|
||
/**
|
||
* OAuth scopes that are allowed with this client.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
|
||
* @default [OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.OPENID,OAuthScope.PROFILE,OAuthScope.COGNITO_ADMIN]
|
||
*/
|
||
readonly scopes?: OAuthScope[];
|
||
/**
|
||
* The default redirect URI.
|
||
* Must be in the `callbackUrls` list.
|
||
*
|
||
* A redirect URI must:
|
||
* * Be an absolute URI
|
||
* * Be registered with the authorization server.
|
||
* * Not include a fragment component.
|
||
*
|
||
* @see https://tools.ietf.org/html/rfc6749#section-3.1.2
|
||
*
|
||
* Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
|
||
*
|
||
* App callback URLs such as myapp://example are also supported.
|
||
*
|
||
* @default - no default redirect URI
|
||
*/
|
||
readonly defaultRedirectUri?: string;
|
||
}
|
||
/**
|
||
* Types of OAuth grant flows
|
||
* @see - the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
|
||
*/
|
||
export interface OAuthFlows {
|
||
/**
|
||
* Initiate an authorization code grant flow, which provides an authorization code as the response.
|
||
* @default false
|
||
*/
|
||
readonly authorizationCodeGrant?: boolean;
|
||
/**
|
||
* The client should get the access token and ID token directly.
|
||
* @default false
|
||
*/
|
||
readonly implicitCodeGrant?: boolean;
|
||
/**
|
||
* Client should get the access token and ID token from the token endpoint
|
||
* using a combination of client and client_secret.
|
||
* @default false
|
||
*/
|
||
readonly clientCredentials?: boolean;
|
||
}
|
||
/**
|
||
* OAuth scopes that are allowed with this client.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
|
||
*/
|
||
export declare class OAuthScope {
|
||
/**
|
||
* Grants access to the 'phone_number' and 'phone_number_verified' claims.
|
||
* Automatically includes access to `OAuthScope.OPENID`.
|
||
*/
|
||
static readonly PHONE: OAuthScope;
|
||
/**
|
||
* Grants access to the 'email' and 'email_verified' claims.
|
||
* Automatically includes access to `OAuthScope.OPENID`.
|
||
*/
|
||
static readonly EMAIL: OAuthScope;
|
||
/**
|
||
* Returns all user attributes in the ID token that are readable by the client
|
||
*/
|
||
static readonly OPENID: OAuthScope;
|
||
/**
|
||
* Grants access to all user attributes that are readable by the client
|
||
* Automatically includes access to `OAuthScope.OPENID`.
|
||
*/
|
||
static readonly PROFILE: OAuthScope;
|
||
/**
|
||
* Grants access to Amazon Cognito User Pool API operations that require access tokens,
|
||
* such as UpdateUserAttributes and VerifyUserAttribute.
|
||
*/
|
||
static readonly COGNITO_ADMIN: OAuthScope;
|
||
/**
|
||
* Custom scope is one that you define for your own resource server in the Resource Servers.
|
||
* The format is 'resource-server-identifier/scope'.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html
|
||
*/
|
||
static custom(name: string): OAuthScope;
|
||
/**
|
||
* Adds a custom scope that's tied to a resource server in your stack
|
||
*/
|
||
static resourceServer(server: IUserPoolResourceServer, scope: ResourceServerScope): OAuthScope;
|
||
/**
|
||
* The name of this scope as recognized by CloudFormation.
|
||
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes
|
||
*/
|
||
readonly scopeName: string;
|
||
private constructor();
|
||
}
|
||
/**
|
||
* Identity providers supported by the UserPoolClient
|
||
*/
|
||
export declare class UserPoolClientIdentityProvider {
|
||
/**
|
||
* Allow users to sign in using 'Sign In With Apple'.
|
||
* A `UserPoolIdentityProviderApple` must be attached to the user pool.
|
||
*/
|
||
static readonly APPLE: UserPoolClientIdentityProvider;
|
||
/**
|
||
* Allow users to sign in using 'Facebook Login'.
|
||
* A `UserPoolIdentityProviderFacebook` must be attached to the user pool.
|
||
*/
|
||
static readonly FACEBOOK: UserPoolClientIdentityProvider;
|
||
/**
|
||
* Allow users to sign in using 'Google Login'.
|
||
* A `UserPoolIdentityProviderGoogle` must be attached to the user pool.
|
||
*/
|
||
static readonly GOOGLE: UserPoolClientIdentityProvider;
|
||
/**
|
||
* Allow users to sign in using 'Login With Amazon'.
|
||
* A `UserPoolIdentityProviderAmazon` must be attached to the user pool.
|
||
*/
|
||
static readonly AMAZON: UserPoolClientIdentityProvider;
|
||
/**
|
||
* Allow users to sign in directly as a user of the User Pool
|
||
*/
|
||
static readonly COGNITO: UserPoolClientIdentityProvider;
|
||
/**
|
||
* Specify a provider not yet supported by the CDK.
|
||
* @param name name of the identity provider as recognized by CloudFormation property `SupportedIdentityProviders`
|
||
*/
|
||
static custom(name: string): UserPoolClientIdentityProvider;
|
||
/** The name of the identity provider as recognized by CloudFormation property `SupportedIdentityProviders` */
|
||
readonly name: string;
|
||
private constructor();
|
||
}
|
||
/**
|
||
* Options to create a UserPoolClient
|
||
*/
|
||
export interface UserPoolClientOptions {
|
||
/**
|
||
* Name of the application client
|
||
* @default - cloudformation generated name
|
||
*/
|
||
readonly userPoolClientName?: string;
|
||
/**
|
||
* Whether to generate a client secret
|
||
* @default false
|
||
*/
|
||
readonly generateSecret?: boolean;
|
||
/**
|
||
* The set of OAuth authentication flows to enable on the client
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html
|
||
* @default - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
|
||
*/
|
||
readonly authFlows?: AuthFlow;
|
||
/**
|
||
* Turns off all OAuth interactions for this client.
|
||
* @default false
|
||
*/
|
||
readonly disableOAuth?: boolean;
|
||
/**
|
||
* OAuth settings for this client to interact with the app.
|
||
* An error is thrown when this is specified and `disableOAuth` is set.
|
||
* @default - see defaults in `OAuthSettings`. meaningless if `disableOAuth` is set.
|
||
*/
|
||
readonly oAuth?: OAuthSettings;
|
||
/**
|
||
* Cognito creates a session token for each API request in an authentication flow.
|
||
* AuthSessionValidity is the duration, in minutes, of that session token.
|
||
* see defaults in `AuthSessionValidity`. Valid duration is from 3 to 15 minutes.
|
||
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity
|
||
* @default - Duration.minutes(3)
|
||
*/
|
||
readonly authSessionValidity?: Duration;
|
||
/**
|
||
* Whether Cognito returns a UserNotFoundException exception when the
|
||
* user does not exist in the user pool (false), or whether it returns
|
||
* another type of error that doesn't reveal the user's absence.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html
|
||
* @default false
|
||
*/
|
||
readonly preventUserExistenceErrors?: boolean;
|
||
/**
|
||
* The list of identity providers that users should be able to use to sign in using this client.
|
||
*
|
||
* @default - supports all identity providers that are registered with the user pool. If the user pool and/or
|
||
* identity providers are imported, either specify this option explicitly or ensure that the identity providers are
|
||
* registered with the user pool using the `UserPool.registerIdentityProvider()` API.
|
||
*/
|
||
readonly supportedIdentityProviders?: UserPoolClientIdentityProvider[];
|
||
/**
|
||
* Validity of the ID token.
|
||
* Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
|
||
* @see https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token
|
||
* @default Duration.minutes(60)
|
||
*/
|
||
readonly idTokenValidity?: Duration;
|
||
/**
|
||
* Validity of the refresh token.
|
||
* Values between 60 minutes and 10 years are valid.
|
||
* @see https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token
|
||
* @default Duration.days(30)
|
||
*/
|
||
readonly refreshTokenValidity?: Duration;
|
||
/**
|
||
* Validity of the access token.
|
||
* Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.
|
||
* @see https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token
|
||
* @default Duration.minutes(60)
|
||
*/
|
||
readonly accessTokenValidity?: Duration;
|
||
/**
|
||
* Enables refresh token rotation when set.
|
||
* Defines the grace period for the original refresh token (0-60 seconds).
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html#using-the-refresh-token-rotation
|
||
* @default - undefined (refresh token rotation is disabled)
|
||
*/
|
||
readonly refreshTokenRotationGracePeriod?: Duration;
|
||
/**
|
||
* The set of attributes this client will be able to read.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
|
||
* @default - all standard and custom attributes
|
||
*/
|
||
readonly readAttributes?: ClientAttributes;
|
||
/**
|
||
* The set of attributes this client will be able to write.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
|
||
* @default - all standard and custom attributes
|
||
*/
|
||
readonly writeAttributes?: ClientAttributes;
|
||
/**
|
||
* Enable token revocation for this client.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
|
||
* @default true for new user pool clients
|
||
*/
|
||
readonly enableTokenRevocation?: boolean;
|
||
/**
|
||
* Enable the propagation of additional user context data.
|
||
* You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.
|
||
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
|
||
* @default false for new user pool clients
|
||
*/
|
||
readonly enablePropagateAdditionalUserContextData?: boolean;
|
||
/**
|
||
* The analytics configuration for this client.
|
||
* @default - no analytics configuration
|
||
*/
|
||
readonly analytics?: AnalyticsConfiguration;
|
||
}
|
||
/**
|
||
* Properties for the UserPoolClient construct
|
||
*/
|
||
export interface UserPoolClientProps extends UserPoolClientOptions {
|
||
/**
|
||
* The UserPool resource this client will have access to
|
||
*/
|
||
readonly userPool: IUserPoolRef;
|
||
}
|
||
/**
|
||
* The settings for Amazon Pinpoint analytics configuration.
|
||
* With an analytics configuration, your application can collect user-activity metrics for user notifications with an Amazon Pinpoint campaign.
|
||
* Amazon Pinpoint isn't available in all AWS Regions.
|
||
* For a list of available Regions, see Amazon Cognito and Amazon Pinpoint Region availability: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings.
|
||
*/
|
||
export interface AnalyticsConfiguration {
|
||
/**
|
||
* The Amazon Pinpoint project that you want to connect to your user pool app client.
|
||
* Amazon Cognito publishes events to the Amazon Pinpoint project.
|
||
* You can also configure your application to pass an endpoint ID in the `AnalyticsMetadata` parameter of sign-in operations.
|
||
* The endpoint ID is information about the destination for push notifications.
|
||
* @default - no configuration, you need to specify either `application` or all of `applicationId`, `externalId`, and `role`.
|
||
*/
|
||
readonly application?: CfnApp;
|
||
/**
|
||
* Your Amazon Pinpoint project ID.
|
||
* @default - no configuration, you need to specify either this property along with `externalId` and `role` or `application`.
|
||
*/
|
||
readonly applicationId?: string;
|
||
/**
|
||
* The external ID of the role that Amazon Cognito assumes to send analytics data to Amazon Pinpoint. More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
|
||
* @default - no configuration, you need to specify either this property along with `applicationId` and `role` or `application`.
|
||
*/
|
||
readonly externalId?: string;
|
||
/**
|
||
* The IAM role that has the permissions required for Amazon Cognito to publish events to Amazon Pinpoint analytics.
|
||
* @default - no configuration, you need to specify either this property along with `applicationId` and `externalId` or `application`.
|
||
*/
|
||
readonly role?: IRoleRef;
|
||
/**
|
||
* If `true`, Amazon Cognito includes user data in the events that it publishes to Amazon Pinpoint analytics.
|
||
* @default - false
|
||
*/
|
||
readonly shareUserData?: boolean;
|
||
}
|
||
/**
|
||
* Represents a Cognito user pool client.
|
||
*/
|
||
export interface IUserPoolClient extends IResource, IUserPoolClientRef {
|
||
/**
|
||
* Name of the application client
|
||
* @attribute
|
||
*/
|
||
readonly userPoolClientId: string;
|
||
/**
|
||
* The generated client secret. Only available if the "generateSecret" props is set to true
|
||
* @attribute
|
||
*/
|
||
readonly userPoolClientSecret: SecretValue;
|
||
}
|
||
/**
|
||
* Define a UserPool App Client
|
||
*/
|
||
export declare class UserPoolClient extends Resource implements IUserPoolClient {
|
||
/**
|
||
* Uniquely identifies this class.
|
||
*/
|
||
static readonly PROPERTY_INJECTION_ID: string;
|
||
/**
|
||
* Import a user pool client given its id.
|
||
*/
|
||
static fromUserPoolClientId(scope: Construct, id: string, userPoolClientId: string): IUserPoolClient;
|
||
readonly userPoolClientId: string;
|
||
private _generateSecret?;
|
||
private readonly userPool;
|
||
private _userPoolClientSecret?;
|
||
/**
|
||
* The OAuth flows enabled for this client.
|
||
*/
|
||
readonly oAuthFlows: OAuthFlows;
|
||
private readonly _userPoolClientName?;
|
||
get userPoolClientRef(): UserPoolClientReference;
|
||
constructor(scope: Construct, id: string, props: UserPoolClientProps);
|
||
/**
|
||
* The client name that was specified via the `userPoolClientName` property during initialization,
|
||
* throws an error otherwise.
|
||
*/
|
||
get userPoolClientName(): string;
|
||
get userPoolClientSecret(): SecretValue;
|
||
private configureAuthFlows;
|
||
private configureOAuthFlows;
|
||
private configureOAuthScopes;
|
||
private configurePreventUserExistenceErrors;
|
||
private configureIdentityProviders;
|
||
private configureAuthSessionValidity;
|
||
private configureTokenValidity;
|
||
private configureRefreshTokenRotation;
|
||
private validateDuration;
|
||
private configureAnalytics;
|
||
}
|