OAuthScope

class aws_cdk.aws_cognito.OAuthScope(*args: Any, **kwargs)

Bases: object

OAuth scopes that are allowed with this client.

See

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

Example:

import aws_cdk.aws_cognito as cognito

# Runs inside a Stack or Construct, where `self` is the construct scope.
pool = cognito.UserPool(self, "Pool")

# Scopes exposed by the resource server.
read_only_scope = cognito.ResourceServerScope(scope_name="read", scope_description="Read-only access")
full_access_scope = cognito.ResourceServerScope(scope_name="*", scope_description="Full access")

user_server = pool.add_resource_server("ResourceServer",
    identifier="users",
    scopes=[read_only_scope, full_access_scope]
)

# This client is allowed only the read-only scope on the resource server.
read_only_client = pool.add_client("read-only-client",
    # ...
    o_auth=cognito.OAuthSettings(
        # ...
        scopes=[cognito.OAuthScope.resource_server(user_server, read_only_scope)]
    )
)

# This client is allowed the full-access scope on the resource server.
full_access_client = pool.add_client("full-access-client",
    # ...
    o_auth=cognito.OAuthSettings(
        # ...
        scopes=[cognito.OAuthScope.resource_server(user_server, full_access_scope)]
    )
)

Attributes

COGNITO_ADMIN = <aws_cdk.aws_cognito.OAuthScope object>
EMAIL = <aws_cdk.aws_cognito.OAuthScope object>
OPENID = <aws_cdk.aws_cognito.OAuthScope object>
PHONE = <aws_cdk.aws_cognito.OAuthScope object>
PROFILE = <aws_cdk.aws_cognito.OAuthScope object>

scope_name

The name of this scope as recognized by CloudFormation.

See

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes

Return type

str

Static Methods

classmethod custom(name)

A custom scope is one that you define for your own resource server under Resource Servers.

The format is ‘resource-server-identifier/scope’.

Parameters

name (str) –

See

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html

Return type

OAuthScope

classmethod resource_server(server, scope)

Adds a custom scope that’s tied to a resource server in your stack.

Parameters
Return type

OAuthScope
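
The following is an added example, not part of the CDK library or of this reference: it audits the resolved scope strings granted to an app client against the resource-server-identifier/scope format described for custom() and against the resource servers defined on the pool. The function name, the finding texts and the sample data are assumptions made for illustration; the input is assumed to be plain strings with any CloudFormation intrinsics already resolved.

```python
# Added example. All sample data is constructed, not taken from a real stack.
ADMIN_SCOPE = "aws.cognito.signin.user.admin"   # scope string behind COGNITO_ADMIN
STANDARD_SCOPES = {"phone", "email", "openid", "profile", ADMIN_SCOPE}


def audit_client_scopes(allowed_scopes, resource_servers):
    """Return (scope, finding) tuples for one app client.

    allowed_scopes:   resolved scope strings granted to the client
    resource_servers: {identifier: set of scope names} defined on the pool
    """
    findings = []
    for scope in allowed_scopes:
        if scope in STANDARD_SCOPES:
            if scope == ADMIN_SCOPE:
                # Worth a review on clients that only need API authorization.
                findings.append((scope, "allows user pool self-service API calls"))
            continue
        # Custom scope: split on the LAST slash. Assumption: identifiers may
        # contain '/' (URL-style identifiers), scope names may not.
        identifier, sep, name = scope.rpartition("/")
        if not sep or not identifier or not name:
            findings.append((scope, "not in resource-server-identifier/scope format"))
        elif identifier not in resource_servers:
            findings.append((scope, "unknown resource server"))
        elif name not in resource_servers[identifier]:
            findings.append((scope, "scope not defined on resource server"))
    return findings


# Constructed pool definition mirroring the example above, plus a URL identifier.
SAMPLE_SERVERS = {"users": {"read", "*"}, "https://api.example.com": {"read"}}

# Constructed client grant containing several mistakes.
SAMPLE_GRANT = ["openid", "users/read", "users/write", "orders/read",
                "read", ADMIN_SCOPE, "https://api.example.com/read"]

if __name__ == "__main__":
    for scope, finding in audit_client_scopes(SAMPLE_GRANT, SAMPLE_SERVERS):
        print(f"{scope}: {finding}")
```
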