UserPoolClientOptions

class aws_cdk.aws_cognito.UserPoolClientOptions(*, access_token_validity=None, auth_flows=None, disable_o_auth=None, enable_token_revocation=None, generate_secret=None, id_token_validity=None, o_auth=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_client_name=None, write_attributes=None)

Bases: object

Options to create a UserPoolClient.

Parameters

  • access_token_validity (Optional[Duration]) – Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • auth_flows (Union[AuthFlow, Dict[str, Any], None]) – The set of OAuth authentication flows to enable on the client. Default: - all auth flows disabled

  • disable_o_auth (Optional[bool]) – Turns off all OAuth interactions for this client. Default: false

  • enable_token_revocation (Optional[bool]) – Enable token revocation for this client. Default: true for new user pool clients

  • generate_secret (Optional[bool]) – Whether to generate a client secret. Default: false

  • id_token_validity (Optional[Duration]) – Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • o_auth (Union[OAuthSettings, Dict[str, Any], None]) – OAuth settings for this client to interact with the app. An error is thrown when this is specified and disableOAuth is set. Default: - see defaults in OAuthSettings. meaningless if disableOAuth is set.

  • prevent_user_existence_errors (Optional[bool]) – Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence. Default: false

  • read_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to read. Default: - all standard and custom attributes

  • refresh_token_validity (Optional[Duration]) – Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)

  • supported_identity_providers (Optional[Sequence[UserPoolClientIdentityProvider]]) – The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

  • user_pool_client_name (Optional[str]) – Name of the application client. Default: - cloudformation generated name

  • write_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to write. Default: - all standard and custom attributes

ExampleMetadata

infused

Example:

pool = cognito.UserPool(self, "Pool")
pool.add_client("app-client",
    o_auth=cognito.OAuthSettings(
        flows=cognito.OAuthFlows(
            authorization_code_grant=True
        ),
        scopes=[cognito.OAuthScope.OPENID],
        callback_urls=["https://my-app-domain.com/welcome"],
        logout_urls=["https://my-app-domain.com/signin"]
    )
)

Attributes

access_token_validity

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

Default

Duration.minutes(60)

See

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

auth_flows

The set of OAuth authentication flows to enable on the client.

Default

  • all auth flows disabled

See

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

disable_o_auth

Turns off all OAuth interactions for this client.

Default

false

enable_token_revocation

Enable token revocation for this client.

Default

true for new user pool clients

See

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation

generate_secret

Whether to generate a client secret.

Default

false

id_token_validity

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

Default

Duration.minutes(60)

See

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

o_auth

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.

Default

  • see defaults in OAuthSettings. meaningless if disableOAuth is set.

prevent_user_existence_errors

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence.

Default

false

See

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

read_attributes

The set of attributes this client will be able to read.

Default

  • all standard and custom attributes

See

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

refresh_token_validity

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

Default

Duration.days(30)

See

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token

supported_identity_providers

The list of identity providers that users should be able to use to sign in using this client.

Default

  • supports all identity providers that are registered with the user pool. If the user pool and/or

identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

user_pool_client_name

Name of the application client.

Default

  • cloudformation generated name

write_attributes

The set of attributes this client will be able to write.

Default

  • all standard and custom attributes

See

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes