AuthenticateCognitoActionProps

class aws_cdk.aws_elasticloadbalancingv2_actions.AuthenticateCognitoActionProps(*, next, user_pool, user_pool_client, user_pool_domain, authentication_request_extra_params=None, on_unauthenticated_request=None, scope=None, session_cookie_name=None, session_timeout=None)

Bases: object

Properties for AuthenticateCognitoAction.

Parameters:

next (ListenerAction) – What action to execute next. Multiple actions form a linked chain; the chain must always terminate in a (weighted)forward, fixedResponse or redirect action.
user_pool (IUserPool) – The Amazon Cognito user pool.
user_pool_client (IUserPoolClient) – The Amazon Cognito user pool client.
user_pool_domain (IUserPoolDomain) – The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
authentication_request_extra_params (Optional[Mapping[str, str]]) – The query parameters (up to 10) to include in the redirect request to the authorization endpoint. Default: - No extra parameters
on_unauthenticated_request (Optional[UnauthenticatedAction]) – The behavior if the user is not authenticated. Default: UnauthenticatedAction.AUTHENTICATE
scope (Optional[str]) – The set of user claims to be requested from the IdP. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP. Default: “openid”
session_cookie_name (Optional[str]) – The name of the cookie used to maintain session information. Default: “AWSELBAuthSessionCookie”
session_timeout (Optional[Duration]) – The maximum duration of the authentication session. Default: Duration.days(7)

ExampleMetadata:

lit=test/integ.cognito.lit.ts infused

Example:

import aws_cdk.aws_cognito as cognito
import aws_cdk.aws_ec2 as ec2
import aws_cdk.aws_elasticloadbalancingv2 as elbv2
from aws_cdk.core import App, CfnOutput, Stack
from constructs import Construct
import aws_cdk.aws_elasticloadbalancingv2_actions as actions

Stack): lb = elbv2.ApplicationLoadBalancer(self, "LB",
    vpc=vpc,
    internet_facing=True
)

user_pool = cognito.UserPool(self, "UserPool")
user_pool_client = cognito.UserPoolClient(self, "Client",
    user_pool=user_pool,

    # Required minimal configuration for use with an ELB
    generate_secret=True,
    auth_flows=cognito.AuthFlow(
        user_password=True
    ),
    o_auth=cognito.OAuthSettings(
        flows=cognito.OAuthFlows(
            authorization_code_grant=True
        ),
        scopes=[cognito.OAuthScope.EMAIL],
        callback_urls=[f"https://{lb.loadBalancerDnsName}/oauth2/idpresponse"
        ]
    )
)
cfn_client = user_pool_client.node.default_child
cfn_client.add_property_override("RefreshTokenValidity", 1)
cfn_client.add_property_override("SupportedIdentityProviders", ["COGNITO"])

user_pool_domain = cognito.UserPoolDomain(self, "Domain",
    user_pool=user_pool,
    cognito_domain=cognito.CognitoDomainOptions(
        domain_prefix="test-cdk-prefix"
    )
)

lb.add_listener("Listener",
    port=443,
    certificates=[certificate],
    default_action=actions.AuthenticateCognitoAction(
        user_pool=user_pool,
        user_pool_client=user_pool_client,
        user_pool_domain=user_pool_domain,
        next=elbv2.ListenerAction.fixed_response(200,
            content_type="text/plain",
            message_body="Authenticated"
        )
    )
)

CfnOutput(self, "DNS",
    value=lb.load_balancer_dns_name
)

app = App()
CognitoStack(app, "integ-cognito")
app.synth()

Attributes

authentication_request_extra_params

The query parameters (up to 10) to include in the redirect request to the authorization endpoint.

Default:

No extra parameters

next

What action to execute next.

Multiple actions form a linked chain; the chain must always terminate in a (weighted)forward, fixedResponse or redirect action.

on_unauthenticated_request

The behavior if the user is not authenticated.

Default:: UnauthenticatedAction.AUTHENTICATE

scope

The set of user claims to be requested from the IdP.

To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.

Default:: “openid”

session_cookie_name

The name of the cookie used to maintain session information.

Default:: “AWSELBAuthSessionCookie”

session_timeout

The maximum duration of the authentication session.

Default:: Duration.days(7)

user_pool: The Amazon Cognito user pool.

user_pool_client: The Amazon Cognito user pool client.

user_pool_domain: The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.