interface OAuthSettings
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.Cognito.OAuthSettings |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awscognito#OAuthSettings |
Java | software.amazon.awscdk.services.cognito.OAuthSettings |
Python | aws_cdk.aws_cognito.OAuthSettings |
TypeScript (source) | aws-cdk-lib » aws_cognito » OAuthSettings |
OAuth settings to configure the interaction between the app and this client.
Example

```ts
import * as cognito from 'aws-cdk-lib/aws-cognito';

// `this` is the Stack (or other Construct) scope that owns the pool.
const pool = new cognito.UserPool(this, 'Pool');
const readOnlyScope = new cognito.ResourceServerScope({ scopeName: 'read', scopeDescription: 'Read-only access' });
const fullAccessScope = new cognito.ResourceServerScope({ scopeName: '*', scopeDescription: 'Full access' });
const userServer = pool.addResourceServer('ResourceServer', {
  identifier: 'users',
  scopes: [ readOnlyScope, fullAccessScope ],
});

// Each client is granted only the scopes it needs on the resource server.
const readOnlyClient = pool.addClient('read-only-client', {
  // ...
  oAuth: {
    // ...
    scopes: [ cognito.OAuthScope.resourceServer(userServer, readOnlyScope) ],
  },
});
const fullAccessClient = pool.addClient('full-access-client', {
  // ...
  oAuth: {
    // ...
    scopes: [ cognito.OAuthScope.resourceServer(userServer, fullAccessScope) ],
  },
});
```
Properties
Name | Type | Description |
---|---|---|
callbackUrls? | string[] | List of allowed redirect URLs for the identity providers. |
defaultRedirectUri? | string | The default redirect URI. Must be in the callbackUrls list. |
flows? | OAuthFlows | OAuth flows that are allowed with this client. |
logoutUrls? | string[] | List of allowed logout URLs for the identity providers. |
scopes? | OAuthScope[] | OAuth scopes that are allowed with this client. |
callbackUrls?
Type:
string[]
(optional, default: ['https://example.com'] if either the authorizationCodeGrant or the implicitCodeGrant flow is enabled; no callback URLs otherwise.)
List of allowed redirect URLs for the identity providers.
defaultRedirectUri?
Type:
string
(optional, default: no default redirect URI)
The default redirect URI. Must be in the callbackUrls list.
A redirect URI must:
- Be an absolute URI
- Be registered with the authorization server.
- Not include a fragment component.
See also: https://tools.ietf.org/html/rfc6749#section-3.1.2
Amazon Cognito requires HTTPS rather than HTTP, except for http://localhost, which is allowed for testing purposes only.
App callback URLs such as myapp://example are also supported.
flows?
Type:
OAuthFlows
(optional, default: {authorizationCodeGrant:true,implicitCodeGrant:true})
OAuth flows that are allowed with this client.
See also: the 'Allowed OAuth Flows' section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
logoutUrls?
Type:
string[]
(optional, default: no logout URLs)
List of allowed logout URLs for the identity providers.
scopes?
Type:
OAuthScope[]
(optional, default: [OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.OPENID,OAuthScope.PROFILE,OAuthScope.COGNITO_ADMIN])
OAuth scopes that are allowed with this client.
See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
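As an added example (not CDK's own code), a plain TypeScript pre-synth check of the rules this page states for callbackUrls, defaultRedirectUri, logoutUrls and flows: every URL must be absolute and fragment-free, HTTPS except for http://localhost or an app scheme such as myapp://example, defaultRedirectUri must appear in callbackUrls, and the defaults that enable implicitCodeGrant and fall back to 'https://example.com' as a callback are reported so they are kept only on purpose. The OAuthSettingsLike shape, checkOAuthSettings, redirectUriProblem and parseAbsolute are assumed helper names with no dependency on aws-cdk-lib.

```typescript
// Added example; OAuthSettingsLike and the check functions are assumed names, not aws-cdk-lib APIs.
interface OAuthSettingsLike {
  callbackUrls?: string[];
  defaultRedirectUri?: string;
  logoutUrls?: string[];
  flows?: { authorizationCodeGrant?: boolean; implicitCodeGrant?: boolean };
}

function parseAbsolute(uri: string): URL | undefined {
  try { return new URL(uri); } catch { return undefined; } // a relative URI throws (no base)
}

// Describes the first redirect-URI rule the value breaks, or undefined if it is acceptable.
function redirectUriProblem(uri: string): string | undefined {
  const parsed = parseAbsolute(uri);
  if (parsed === undefined) return `${uri}: not an absolute URI`;
  if (uri.includes('#')) return `${uri}: must not include a fragment component`;
  // HTTPS is required; plain http is tolerated only for localhost. App schemes (myapp://example) pass.
  if (parsed.protocol === 'http:' && parsed.hostname !== 'localhost')
    return `${uri}: http is only accepted for localhost`;
  return undefined;
}

function checkOAuthSettings(s: OAuthSettingsLike): string[] {
  const problems: string[] = [];
  const flows = s.flows ?? { authorizationCodeGrant: true, implicitCodeGrant: true }; // CDK default
  const redirectFlow = flows.authorizationCodeGrant === true || flows.implicitCodeGrant === true;
  const callbacks = s.callbackUrls ?? [];
  for (const u of [...callbacks, ...(s.logoutUrls ?? [])]) {
    const p = redirectUriProblem(u);
    if (p !== undefined) problems.push(p);
  }
  if (s.defaultRedirectUri !== undefined && !callbacks.includes(s.defaultRedirectUri))
    problems.push(`defaultRedirectUri ${s.defaultRedirectUri} is not in callbackUrls`);
  if (redirectFlow && s.callbackUrls === undefined)
    problems.push("callbackUrls unset: CDK falls back to the placeholder ['https://example.com']");
  if (flows.implicitCodeGrant === true)
    problems.push('implicitCodeGrant is enabled (the default): disable it unless this client needs it');
  return problems;
}

// Constructed sample with two mistakes a review should catch.
const sample: OAuthSettingsLike = {
  callbackUrls: ['https://app.example.com/cb', 'http://app.example.com/cb'],
  defaultRedirectUri: 'https://other.example.com/cb',
  flows: { authorizationCodeGrant: true, implicitCodeGrant: false },
};
console.log(checkOAuthSettings(sample).join('\n'));
```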