UserPoolClientOptions

class aws_cdk.aws_cognito.UserPoolClientOptions(*, access_token_validity=None, auth_flows=None, disable_o_auth=None, enable_token_revocation=None, generate_secret=None, id_token_validity=None, o_auth=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_client_name=None, write_attributes=None)

Bases: object

Options to create a UserPoolClient.

Parameters:

  • access_token_validity (Optional[Duration]) – Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • auth_flows (Union[AuthFlow, Dict[str, Any], None]) – The set of OAuth authentication flows to enable on the client. Default: - all auth flows disabled

  • disable_o_auth (Optional[bool]) – Turns off all OAuth interactions for this client. Default: false

  • enable_token_revocation (Optional[bool]) – Enable token revocation for this client. Default: true for new user pool clients

  • generate_secret (Optional[bool]) – Whether to generate a client secret. Default: false

  • id_token_validity (Optional[Duration]) – Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • o_auth (Union[OAuthSettings, Dict[str, Any], None]) – OAuth settings for this client to interact with the app. An error is thrown when this is specified and disableOAuth is set. Default: - see defaults in OAuthSettings. meaningless if disableOAuth is set.

  • prevent_user_existence_errors (Optional[bool]) – Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence. Default: false

  • read_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to read. Default: - all standard and custom attributes

  • refresh_token_validity (Optional[Duration]) – Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)

  • supported_identity_providers (Optional[Sequence[UserPoolClientIdentityProvider]]) – The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

  • user_pool_client_name (Optional[str]) – Name of the application client. Default: - cloudformation generated name

  • write_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to write. Default: - all standard and custom attributes

ExampleMetadata:

infused

Example:

pool = cognito.UserPool(self, "Pool")
pool.add_client("app-client",
    o_auth=cognito.OAuthSettings(
        flows=cognito.OAuthFlows(
            authorization_code_grant=True
        ),
        scopes=[cognito.OAuthScope.OPENID],
        callback_urls=["https://my-app-domain.com/welcome"],
        logout_urls=["https://my-app-domain.com/signin"]
    )
)

Attributes

access_token_validity

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

Default:

Duration.minutes(60)

See:

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

auth_flows

The set of OAuth authentication flows to enable on the client.

Default:

  • all auth flows disabled

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

disable_o_auth

Turns off all OAuth interactions for this client.

Default:

false

enable_token_revocation

Enable token revocation for this client.

Default:

true for new user pool clients

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation

generate_secret

Whether to generate a client secret.

Default:

false

id_token_validity

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity.

Default:

Duration.minutes(60)

See:

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

o_auth

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.

Default:

  • see defaults in OAuthSettings. meaningless if disableOAuth is set.

prevent_user_existence_errors

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence.

Default:

false

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

read_attributes

The set of attributes this client will be able to read.

Default:

  • all standard and custom attributes

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

refresh_token_validity

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

Default:

Duration.days(30)

See:

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token

supported_identity_providers

The list of identity providers that users should be able to use to sign in using this client.

Default:

  • supports all identity providers that are registered with the user pool. If the user pool and/or

identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

user_pool_client_name

Name of the application client.

Default:

  • cloudformation generated name

write_attributes

The set of attributes this client will be able to write.

Default:

  • all standard and custom attributes

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes